Reson8 — Speech Processing & Data Pipeline Services
Resonate Labs B.V.
This Data Processing Agreement (the "DPA") is a Schedule to and forms part of the Master Service Terms as referenced on the Cover Page (the "Agreement") between Customer (controller) and Resonate Labs B.V., Supplier, processor.
Capitalized terms not defined here have the meanings in the Agreement or under applicable Data Protection Legislation (incl. GDPR/UK-GDPR/Swiss FADP as applicable).
Supplier will process Personal Data only on behalf of Customer and only as documented in the Agreement, this DPA, and Customer's written instructions (including with respect to international transfers).
Supplier shall not, and shall procure that its personnel and Subprocessors do not, use the Personal Data, or any embeddings or features generated from the Personal Data, to train, fine-tune, retrain or otherwise improve any artificial-intelligence or machine-learning model or algorithm, whether directly or indirectly.
The subject-matter, duration, nature and purpose of processing, the types of Personal Data and categories of Data Subjects are set out in Annex I (Details of Processing).
Customer is responsible for the lawfulness of processing and for providing all required notices to Data Subjects. Where the Personal Data includes special category data (Art. 9 GDPR), including data concerning health, Customer is responsible for identifying and satisfying a valid condition under Art. 9(2) GDPR for the Processing it instructs, for providing all required information to and obtaining any consents required from Data Subjects, and for complying with any professional secrecy or other confidentiality obligations applicable to such data.
Supplier shall ensure that access to Personal Data is limited to personnel with a strict need-to-know and only for the purposes of this DPA.
Supplier shall ensure all authorized personnel are subject to confidentiality obligations (statutory or contractual) and receive appropriate data protection and security training.
Taking into account the state of the art, costs, and risks, Supplier shall implement and maintain appropriate technical and organizational measures to protect Personal Data as required by GDPR Art. 32 and as described in Annex II (Security Measures) and the Agreement.
Supplier shall not materially reduce the protections in Annex II/Standards during the term.
General authorization. Customer authorizes Supplier to engage the subprocessors listed in Annex III ("Subprocessors") and any subsequently notified Subprocessors, provided Supplier gives 30 days prior written notice (email sufficient) and Customer may object on reasonable grounds within 10 Business Days.
Supplier shall flow down to each Subprocessor data protection terms no less protective than this DPA and shall remain fully liable to Customer for each Subprocessor's performance.
Data subject requests. Supplier shall notify Customer without undue delay of any request received from a Data Subject and shall not respond except on Customer's documented instructions (unless required by law). Supplier shall assist Customer by appropriate technical and organizational measures in fulfilling requests under Chapter III GDPR/UK-GDPR.
Security & compliance. Supplier shall assist Customer with security obligations, data protection impact assessments, and prior consultations with supervisory authorities (GDPR Arts. 32–36), taking into account the nature of processing and information available to Supplier.
Records. Supplier shall maintain the records of processing required by Art. 30(2) GDPR and make them available to Customer on request.
Supplier shall notify Customer without undue delay, in any case within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data.
Such notice shall describe at least: (a) the nature of the breach, including categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach; and (d) a contact point for further information.
Supplier shall promptly take all necessary corrective actions and cooperate with Customer in any required notifications to regulators or Data Subjects.
Supplier shall process Personal Data only within the EEA/UK/CH unless otherwise notified to Customer pursuant to §6/Annex I.
If a public authority or third party demands access to Personal Data, Supplier shall notify Customer without undue delay and not disclose unless legally compelled. Where legally permitted, Supplier shall challenge unlawful or overbroad requests, disclose only the minimum necessary, and maintain documentation of the request and response.
Upon termination or expiry of the Services involving processing, at Customer's choice, Supplier shall (a) return all Personal Data (and any media containing it) to Customer and then delete copies, or (b) delete all Personal Data, in each case within 30 days, unless retention is required by law, and provided that Personal Data contained in routine backups will be deleted in the ordinary course of backup rotation within 90 days of termination or expiry and will not be subject to any further active Processing in the interim.
Supplier shall certify deletion/return in writing upon Customer's request.
Supplier shall make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, by Customer or an independent auditor mandated by Customer, on reasonable notice, during normal business hours, and in a manner that respects confidentiality and security.
In lieu of or to complement an on-site audit, Supplier may provide current third-party certifications or reports (e.g., ISO 27001) and detailed responses to reasonable security questionnaires. On-site audits shall not occur more than once in any 12-month period unless (i) required by a competent authority, (ii) following a Personal Data Breach, or (iii) there are reasonable indications of material non-compliance.
If Supplier considers that an instruction infringes Data Protection Legislation, it shall promptly inform Customer and may suspend the instruction pending clarification.
Supplier shall make available to Customer all information necessary to demonstrate compliance with Art. 28.
If there is any conflict between this DPA, the Agreement (including the Standards), and the SCCs/UK Addendum/IDTA, the following order applies: (1) SCCs/UK Addendum/IDTA, (2) this DPA (including its Annexes), (3) the Agreement.
Processing audio data to transcribe speech to text, provided that no voiceprint or other biometric data is extracted or Processed for the purpose of uniquely identifying a natural person.
Determined and controlled by Customer, and may include: end users, callers, patients, employees, and other natural persons whose speech is contained in audio submitted to the Services.
As determined by Customer, and may include voice audio recordings and transcripts thereof, which may contain any category of personal data present in the submitted audio.
Given the nature of Customer's use case, the audio recordings and transcripts may contain special category data within the meaning of Art. 9(1) GDPR, in particular data concerning health.
Supplier shall process Personal Data only on documented instructions from Customer.
All processing is performed within the EEA/UK/CH. Any change will be notified.
The audio recordings, transcripts, and any Personal Data contained in them ("Customer Content") are Processed only in volatile memory (RAM) for the duration of processing and are deleted immediately thereafter. Customer Content is never written to disk and is not included in any backup, snapshot, or log. Processing is performed on Supplier hardware co-located in a data center in the Netherlands. The co-location provider has physical access only to the servers and cannot access the software, Customer Content, or any other content, nor create snapshots of, or otherwise logically access, the systems.
Apart from Customer Content, Supplier Processes only the operational and account data necessary to provide the Services, including, without limitation, account information (such as name and email), API keys, configuration data, and application and security logs (metadata such as timestamps, request identifiers, and error messages), which do not contain, and are not applied to, Customer Content. Backups and application and security logs are retained for 90 days, after which they are deleted in the ordinary course.
Supplier and its co-location provider implement the following technical and organizational security measures:
As at the date of this DPA, Supplier does not engage any Subprocessors.
Notice mechanism: Supplier will notify Customer at least 30 days before adding or replacing any Subprocessor (email sufficient), providing information necessary for Customer to assess the change. The Customer may object on reasonable grounds within 10 Business Days.
— End of Data Processing Agreement —
Resonate Labs B.V. (trading as Reson8)
Keizersgracht 264, Amsterdam, the Netherlands
KvK: 98891340 | BTW: NL868689464B01
contact@reson8.dev | reson8.dev