Between the Customer ("Controller") and SoundsGoodAI, operator of verbii ("Processor"). Effective on the Customer's acceptance of the verbii Terms of Service or first use of the Services.
⚠️
Template draft. This document is a starting point and is not legal advice. Have it reviewed by qualified counsel and complete the bracketed details (legal entity, address, governing law) before relying on it. Customers may also request a counter-signed copy at
founders@soundsgood.ai.
1. Roles and scope
The Customer is the data controller and SoundsGoodAI is the data processor with respect to Personal Data contained in audio submitted to the Services and processed into transcripts. This DPA forms part of the Agreement between the parties and applies where SoundsGoodAI processes Personal Data on the Customer's behalf under applicable data protection law (including the EU GDPR, UK GDPR, and, where applicable, the CCPA/CPRA, under which SoundsGoodAI acts as a "service provider" and does not "sell" or "share" Personal Data).
2. Processing details
| Subject matter | Automated speech-to-text transcription of audio submitted by the Customer. |
|---|
| Duration | The term of the Agreement, subject to the retention and deletion terms in Section 5. |
|---|
| Nature & purpose | Receiving audio (by upload or URL), decoding it, transcribing it into text with timestamps, returning the result, and then deleting the audio. |
|---|
| Types of Personal Data | Any Personal Data contained in the audio (e.g., speakers' voices and anything spoken — which may include names, contact details, or other personal information), plus Customer account data (email). |
|---|
| Categories of data subjects | The Customer's end users and any individuals whose speech appears in submitted audio. |
|---|
3. Processor obligations
- Instructions. SoundsGoodAI processes Personal Data only on the Customer's documented instructions, which are the use of the Services as described in the documentation, unless required by law (in which case it will notify the Customer where lawful).
- No training. SoundsGoodAI does not use Customer audio, transcripts, or other Customer Personal Data to train, fine-tune, or improve any model, and does not sell or share it.
- Confidentiality. Personnel authorized to process Personal Data are bound by confidentiality.
- Security. SoundsGoodAI maintains the technical and organizational measures in Annex B.
- Data subject requests. SoundsGoodAI will, taking into account the nature of the processing, assist the Customer by appropriate measures to respond to requests to exercise data subject rights. Because audio is deleted on completion and transcripts are short-lived (Section 5), data is generally not retained long enough to require separate erasure action.
- Assistance. SoundsGoodAI will assist the Customer with security, breach notification, and data protection impact assessments, taking into account the information available to it.
- Breach notification. SoundsGoodAI will notify the Customer without undue delay (and in any case within 72 hours) after becoming aware of a personal data breach affecting Customer Personal Data, with the information reasonably available.
4. Sub-processors
The Customer authorizes SoundsGoodAI to use the sub-processors in Annex C. SoundsGoodAI imposes data-protection obligations on each sub-processor that are no less protective than this DPA, and remains responsible for their performance. SoundsGoodAI will give the Customer reasonable prior notice of any new sub-processor and a chance to object on reasonable data-protection grounds.
5. Retention and deletion (the part that matters most)
- Audio is not retained. Submitted audio is deleted automatically upon successful completion of transcription. Audio that fails to process is deleted within 24 hours.
- Transcripts are short-lived. Transcript output is retained for up to 30 days to allow retrieval, then automatically deleted. The Customer may retrieve results sooner via the API and request earlier deletion.
- No backups beyond the above. SoundsGoodAI does not maintain long-term archives of Customer audio.
- On termination, SoundsGoodAI deletes remaining Customer Personal Data within 30 days, except where retention is required by law.
6. International transfers
The Services currently process data in the United States (AWS, us-east-1). For transfers of EU/UK Personal Data, the parties rely on the applicable Standard Contractual Clauses / UK Addendum, which are incorporated by reference. EU/UK in-region processing is available on request.
7. Audits
On reasonable written request (no more than once per year, unless required by a supervisory authority), SoundsGoodAI will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, subject to reasonable confidentiality and security conditions.
8. Liability and term
This DPA is subject to the liability limitations of the Agreement. It remains in effect for as long as SoundsGoodAI processes Customer Personal Data. It is governed by the law and jurisdiction stated in the Agreement [or specify: [governing law / jurisdiction]].
Annex A — Details of processing
As described in Section 2. Frequency: continuous, for the duration of the Agreement, on Customer-initiated requests.
Annex B — Technical & organizational measures
- Encryption of Customer data in transit (TLS) and at rest (AES-256).
- Storage in access-controlled, non-public cloud buckets; least-privilege IAM for all service components.
- Automatic deletion of audio on completion and time-bounded retention of transcripts (Section 5).
- API access authenticated by per-customer secret keys (stored only as hashes).
- Monitoring, logging, and alerting on the processing pipeline; logs exclude transcript content.
- No use of Customer data for model training.
Annex C — Sub-processors
| Sub-processor | Purpose | Location |
|---|
| Amazon Web Services (AWS) | Cloud compute, storage, queuing, and database for the transcription pipeline | United States (us-east-1) |
SoundsGoodAI · operator of verbii · founders@soundsgood.ai · verbii home