Data Processing Agreement

Reson8 — Speech Processing & Data Pipeline Services

Resonate Labs B.V.

Parties, scope, and status

This Data Processing Agreement (the "DPA") is a Schedule to and forms part of the Master Service Terms as referenced on the Cover Page (the "Agreement") between Customer (controller) and Resonate Labs B.V., Supplier, processor.

Capitalized terms not defined here have the meanings in the Agreement or under applicable Data Protection Legislation (incl. GDPR/UK-GDPR/Swiss FADP as applicable).

Supplier will process Personal Data only on behalf of Customer and only as documented in the Agreement, this DPA, and Customer's written instructions (including with respect to international transfers).

No model training

Supplier shall not, and shall procure that its personnel and Subprocessors do not, use the Personal Data, or any embeddings or features generated from the Personal Data, to train, fine-tune, retrain or otherwise improve any artificial-intelligence or machine-learning model or algorithm, whether directly or indirectly.

Details of processing

The subject-matter, duration, nature and purpose of processing, the types of Personal Data and categories of Data Subjects are set out in Annex I (Details of Processing).

Customer is responsible for the lawfulness of processing and for providing all required notices to Data Subjects. Where the Personal Data includes special category data (Art. 9 GDPR), including data concerning health, Customer is responsible for identifying and satisfying a valid condition under Art. 9(2) GDPR for the Processing it instructs, for providing all required information to and obtaining any consents required from Data Subjects, and for complying with any professional secrecy or other confidentiality obligations applicable to such data.

Supplier personnel & confidentiality

Supplier shall ensure that access to Personal Data is limited to personnel with a strict need-to-know and only for the purposes of this DPA.

Supplier shall ensure all authorized personnel are subject to confidentiality obligations (statutory or contractual) and receive appropriate data protection and security training.

Security

Taking into account the state of the art, costs, and risks, Supplier shall implement and maintain appropriate technical and organizational measures to protect Personal Data as required by GDPR Art. 32 and as described in Annex II (Security Measures) and the Agreement.

Supplier shall not materially reduce the protections in Annex II/Standards during the term.

Sub-processing

General authorization. Customer authorizes Supplier to engage the subprocessors listed in Annex III ("Subprocessors") and any subsequently notified Subprocessors, provided Supplier gives 30 days prior written notice (email sufficient) and Customer may object on reasonable grounds within 10 Business Days.

Supplier shall flow down to each Subprocessor data protection terms no less protective than this DPA and shall remain fully liable to Customer for each Subprocessor's performance.

Assistance to Customer

Data subject requests. Supplier shall notify Customer without undue delay of any request received from a Data Subject and shall not respond except on Customer's documented instructions (unless required by law). Supplier shall assist Customer by appropriate technical and organizational measures in fulfilling requests under Chapter III GDPR/UK-GDPR.

Security & compliance. Supplier shall assist Customer with security obligations, data protection impact assessments, and prior consultations with supervisory authorities (GDPR Arts. 32–36), taking into account the nature of processing and information available to Supplier.

Records. Supplier shall maintain the records of processing required by Art. 30(2) GDPR and make them available to Customer on request.

Personal Data Breach

Supplier shall notify Customer without undue delay, in any case within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data.

Such notice shall describe at least: (a) the nature of the breach, including categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach; and (d) a contact point for further information.

Supplier shall promptly take all necessary corrective actions and cooperate with Customer in any required notifications to regulators or Data Subjects.

International transfers

Supplier shall process Personal Data only within the EEA/UK/CH unless otherwise notified to Customer pursuant to §6/Annex I.

Government/third-party requests

If a public authority or third party demands access to Personal Data, Supplier shall notify Customer without undue delay and not disclose unless legally compelled. Where legally permitted, Supplier shall challenge unlawful or overbroad requests, disclose only the minimum necessary, and maintain documentation of the request and response.

Return and deletion

Upon termination or expiry of the Services involving processing, at Customer's choice, Supplier shall (a) return all Personal Data (and any media containing it) to Customer and then delete copies, or (b) delete all Personal Data, in each case within 30 days, unless retention is required by law, and provided that Personal Data contained in routine backups will be deleted in the ordinary course of backup rotation within 90 days of termination or expiry and will not be subject to any further active Processing in the interim.

Supplier shall certify deletion/return in writing upon Customer's request.

Audits and information

Supplier shall make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, by Customer or an independent auditor mandated by Customer, on reasonable notice, during normal business hours, and in a manner that respects confidentiality and security.

In lieu of or to complement an on-site audit, Supplier may provide current third-party certifications or reports (e.g., ISO 27001) and detailed responses to reasonable security questionnaires. On-site audits shall not occur more than once in any 12-month period unless (i) required by a competent authority, (ii) following a Personal Data Breach, or (iii) there are reasonable indications of material non-compliance.

Compliance and unlawful instructions

If Supplier considers that an instruction infringes Data Protection Legislation, it shall promptly inform Customer and may suspend the instruction pending clarification.

Supplier shall make available to Customer all information necessary to demonstrate compliance with Art. 28.

Order of precedence

If there is any conflict between this DPA, the Agreement (including the Standards), and the SCCs/UK Addendum/IDTA, the following order applies: (1) SCCs/UK Addendum/IDTA, (2) this DPA (including its Annexes), (3) the Agreement.

Annex I – Details of Processing

Subject-matter & duration

  • Subject-matter: provision of audio transcription services
  • Duration: For the term of the Agreement (including any renewals/extensions).

Nature & purpose of processing

Processing audio data to transcribe speech to text, provided that no voiceprint or other biometric data is extracted or Processed for the purpose of uniquely identifying a natural person.

Categories of Data Subjects

Determined and controlled by Customer, and may include: end users, callers, patients, employees, and other natural persons whose speech is contained in audio submitted to the Services.

Types of Personal Data

As determined by Customer, and may include voice audio recordings and transcripts thereof, which may contain any category of personal data present in the submitted audio.

Given the nature of Customer's use case, the audio recordings and transcripts may contain special category data within the meaning of Art. 9(1) GDPR, in particular data concerning health.

Customer's instructions

Supplier shall process Personal Data only on documented instructions from Customer.

Retention

  • Customer Content (as defined in Annex II) is Processed only in volatile memory during processing and is not stored, backed up, or logged.
  • Operational and account data necessary to provide the Services (account information, API keys, configuration, and application/security log metadata) is retained as described in Annex II, where backups and logs are retained for 90 days.

Authorized locations

All processing is performed within the EEA/UK/CH. Any change will be notified.

Contact points

  • Customer DPO/Security Contact: As designated by Customer in the Enterprise Agreement or Cover Page, or, if none is designated, the Customer contact specified in Customer's account. Customer is responsible for keeping this contact current.
  • Supplier DPO/Security Contact: security@reson8.dev

Annex II – Technical & Organizational Measures (Art. 32 GDPR)

The audio recordings, transcripts, and any Personal Data contained in them ("Customer Content") are Processed only in volatile memory (RAM) for the duration of processing and are deleted immediately thereafter. Customer Content is never written to disk and is not included in any backup, snapshot, or log. Processing is performed on Supplier hardware co-located in a data center in the Netherlands. The co-location provider has physical access only to the servers and cannot access the software, Customer Content, or any other content, nor create snapshots of, or otherwise logically access, the systems.

Apart from Customer Content, Supplier Processes only the operational and account data necessary to provide the Services, including, without limitation, account information (such as name and email), API keys, configuration data, and application and security logs (metadata such as timestamps, request identifiers, and error messages), which do not contain, and are not applied to, Customer Content. Backups and application and security logs are retained for 90 days, after which they are deleted in the ordinary course.

Supplier and its co-location provider implement the following technical and organizational security measures:

  • Governance & Policies – documented information security policies, roles, and risk management.
  • Access Control – least privilege, strong authentication, MFA for admins, logging, joiner-mover-leaver processes.
  • Physical Security – secured facilities.
  • Encryption – encryption of data in transit, key management practices.
  • System Security – secure configuration, patching, vulnerability management, anti-malware.
  • Network Security – firewalls, segmentation.
  • Secure Development – SDLC with code review, dependency scanning.
  • Third-party Management – due diligence, contractual controls, monitoring of subprocessors.
  • Backup & Continuity – tested backups, disaster recovery, incident response planning.
  • Monitoring & Logging – centralized tamper-resistant logs, retention and monitoring.
  • Data Minimization – pseudonymization where appropriate.
  • Personnel Security – identity verification at onboarding (passport/ID), confidentiality agreements and regular training.
  • Testing & Assurance – penetration tests, control audits, ISO 27001 compliant.
  • Incident Response – documented procedures, 24/7 escalation, GDPR-compliant breach notification.

Annex III – Subprocessors

As at the date of this DPA, Supplier does not engage any Subprocessors.

Notice mechanism: Supplier will notify Customer at least 30 days before adding or replacing any Subprocessor (email sufficient), providing information necessary for Customer to assess the change. The Customer may object on reasonable grounds within 10 Business Days.

— End of Data Processing Agreement —

Resonate Labs B.V. (trading as Reson8)
Keizersgracht 264, Amsterdam, the Netherlands
KvK: 98891340 | BTW: NL868689464B01
contact@reson8.dev | reson8.dev