Data Processing Agreement
This Data Processing Agreement (“DPA”) is automatically incorporated into and forms part of our Terms of Service. By using our Services, you agree to this DPA, which describes how we process data through our voice recording and transcription services. This DPA should be read together with our Privacy Policy, which provides additional details about our data processing practices.
Definitions
- “Company” refers to Gollum AI LLC, a Delaware limited liability company, also referred to in this DPA as “we,” “us,” or “our.”
- “Customer” refers to the entity or individual that has engaged the Company to provide the Services, also referred to in this DPA as “you” or “your.”
- “Personal Data” means any information relating to an identified or identifiable person, including but not limited to identifiers and customer records information.
- “Processing” means any operation performed on Personal Data.
- “Services” means our voice recording, speaker identification, and transcription services.
- “Sub-processors” means third-party service providers who process data on our behalf.
- “Sensitive Data” means health data, government identifiers, or other confidential details that may be incidentally captured in recordings.
Roles and Processing Details
- For purposes of this DPA, Customer is the data controller for any Personal Data contained in voice recordings, and Company acts as the data processor. A current list of Company’s sub-processors is maintained at List of Sub-Processors.
- For business contact information and analytics data processed to optimize our services, the Company acts as a data controller. For personal data processed in connection with voice recordings and transcriptions, the Company acts as a data processor on behalf of the Customer.
- As the data controller, you are responsible for obtaining all necessary consents for recording and processing, ensuring the accuracy and legality of provided data, exercising appropriate caution with Sensitive Data, and complying with applicable privacy laws.
- As the data processor, Company will process data only according to your instructions, maintain appropriate security measures, assist with data subject requests, and provide notification of any data incidents.
- Company’s role in processing is limited to providing transcription and summary services only. Company does not analyze, identify, or review the content of the data within the transcriptions. While Company provides the transcription service, any analysis of the actual data content is performed by our third-party provider, OpenAI, and is subject to OpenAI’s data processing agreement and privacy policy. Company has no visibility into, or responsibility for, the specific types of data contained within the transcriptions beyond what is necessary to provide the transcription service.
Data Collection and Processing
- Company processes the following categories of Personal Data: account information including names, email addresses, billing and mailing addresses, and phone numbers; voice recordings and their transcriptions; speaker identification data; uploaded documents and content; service usage data; and automatically collected information such as IP addresses, browser types, and access times.
- Company processes this data for the purposes of providing transcription services, managing accounts and billing, optimizing our services, providing customer support, marketing communications, and maintaining legal compliance.
- Due to the nature of our Services, Sensitive Data may be incidentally captured in recordings. Such information is processed solely for transcription purposes and is subject to our deletion controls.
- Company utilizes third-party artificial intelligence services, specifically OpenAI, to process voice recordings for transcription, along with other subprocessors for various aspects of the Services. Voice data processing may be initiated and held either through your local device application or through Company’s cloud infrastructure located in the United States. However, processing by our sub-processors occurs in locations specified in their respective data processing agreements and privacy policies.
Security and Access Controls
- Company implements and maintains comprehensive security measures including encryption of data in transit and at rest, access controls and authentication systems, regular security assessments, employee confidentiality agreements, incident response procedures, security monitoring, and ongoing staff training.
- Company implements industry-standard protections and limits access to authorized personnel only. Company’s security measures include: (i) encryption of data in transit and at rest, (ii) role-based access controls and authentication systems, (iii) regular security assessments, (iv) employee confidentiality agreements, (v) incident response procedures, (vi) security monitoring, and (vii) staff security training.
- Access to production data is strictly controlled and limited to essential personnel for development and support purposes. Company maintains regular access reviews and monitoring of system access.
Audits and Assessments
- Upon Customer’s written request at reasonable intervals, Company shall either: (i) make available documentation demonstrating Company’s compliance with this DPA, or (ii) if the provision of documentation is not sufficient, allow Customer or Customer’s independent third-party representative to conduct an audit. Such audits require Customer to provide reasonable advance written notice and may occur no more than once per year, except where required by applicable law or following a confirmed data breach involving Customer’s data. Audits must be restricted to verifying compliance with obligations under this DPA and applicable privacy law and limited to data relevant to Customer. Customer shall bear all costs associated with the audit, except that if material non-compliance is discovered, Company shall bear its own remediation costs. Audits shall be conducted in a manner that minimizes disruption to Company’s operations. Audit findings shall be treated as confidential information and disclosed only as required by law or with the prior written consent of Company.
International Data Transfers
- Company’s cloud infrastructure is located in the United States, and data may also be stored locally on Customer devices. For Customers outside the United States, Personal Data will be transferred to Company’s US infrastructure as necessary to provide the Services. Additionally, data may be transferred to and processed by our sub-processors according to their respective data processing agreements and privacy policies. Company ensures that appropriate safeguards, such as the implementation of recognized mechanisms for international data transfers (including Standard Contractual Clauses where applicable), are in place for any such transfers in compliance with applicable data protection laws.
Rights and Retention
- Company retains Personal Data only as long as necessary to provide the Services. Retention periods are determined by considering data sensitivity, processing purposes, legal requirements, and legitimate business needs. Customers may utilize customizable retention policies and delete data through the platform’s controls.
- Company may decline deletion requests when retention is necessary for completing requested services, protecting against security incidents, debugging errors, legal compliance, or maintaining an ongoing business relationship. Company will provide a written explanation for any declined deletion requests.
- Customers have the right to access their data, correct inaccuracies, request deletion, limit processing, receive data in a portable format, and exercise these rights without discrimination. Company will honor these rights subject to legal and technical limitations.
- Company will respond to all data rights requests within 30 days. Requests must be verifiable, and customers have the right to appeal any denied requests. Company will not discriminate against customers for exercising their rights.
Sub-Processors and Third Parties
- Company utilizes various categories of sub-processors to deliver the Services, including cloud storage providers, AI transcription services, analytics providers, customer support platforms, and website hosting services.
- Company will provide advance notice of any changes to our sub-processor list through our website or direct notification. All sub-processors are bound by contractual data protection requirements, and Company maintains oversight responsibility for their compliance with this DPA.
- If Customer reasonably objects to the engagement of a new sub-processor based on legitimate data protection concerns within ten (10) days of receiving notice, Company will work in good faith to address the objection, including by providing a commercially reasonable alternative. If no alternative is available, and the objection cannot be resolved, Customer may discontinue the affected Services by providing written notice to Company. Discontinuation will not relieve Customer of any fees owed for Services provided prior to termination.
Data Incidents and Compliance
- In the event of a data incident, Company will notify affected customers without undue delay after discovery. Company will conduct an impact assessment, implement appropriate mitigation measures, maintain incident documentation, and cooperate with any necessary investigations.
- Company maintains regular compliance assessments, documentation of processing activities, and cooperation with regulatory authorities. Company will assist Customer in responding to regulatory inquiries regarding our processing of Personal Data.
- If Company receives a legal request for Personal Data, Company will: (i) attempt to redirect the request to Customer where possible, (ii) notify Customer unless legally prohibited, (iii) disclose only the minimum required information, and (iv) use reasonable efforts to challenge overly broad requests.
Additional Protections for Sensitive Data
- Company does not intentionally process sensitive data (e.g., health data, biometric data, or other special categories of data) unless explicitly authorized by Customer in writing. If Customer provides such data, Company will process it solely as instructed and in accordance with applicable laws and the security measures outlined in this DPA. Customer is responsible for ensuring that the provision and processing of such data comply with all legal requirements.
Terms and Modifications
- This DPA becomes effective simultaneously with the Terms of Service and terminates when use of the Services ends. Certain obligations, including confidentiality and data protection requirements, survive termination.
- Company reserves the right to modify this DPA and will provide notification of any changes through our website. Continued use of the Services following such modifications constitutes acceptance of the updated DPA.
- In the event of any conflict, this DPA takes precedence over the Terms of Service regarding data processing matters, while the Terms of Service govern all other aspects of the relationship.
Governing Law and Jurisdiction
- This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, except where applicable privacy laws require otherwise. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Delaware unless mandatorily subject to an alternative jurisdiction due to applicable privacy laws.
Children’s Data
- Company’s Services are not intended for individuals under the age of 13. Company does not knowingly process Personal Data of children under the age of 13. If Company becomes aware of such data processing, it will notify the controller and take immediate steps to delete the data unless retention is required by law.
Use of Your Data and State Privacy Compliance
- In providing our Services, we comply with applicable state privacy laws, including but not limited to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and similar comprehensive state privacy laws enacted in Virginia, Colorado, Connecticut, Utah, Montana, Oregon, and Texas.
- When processing your voice recordings and transcription data, you act as a “business” or “controller” of the data, while we act as a “service provider” or “processor” of the data. Other data collection and sharing practices, including those related to website usage and analytics, are detailed in our Privacy Policy.
- We assist you in fulfilling your obligations under state privacy laws through responding to verifiable consumer requests, implementing appropriate security measures, providing notice of any data breaches, enabling required assessments or audits, and maintaining records of our data processing.
- If additional safeguards are required by state laws, we will work with you to implement them. We monitor changes in privacy laws and update our practices to maintain compliance.
Contact and Notices
For any inquiries or notices regarding this DPA, please contact Company at:
Gollum AI LLC
1111B S Governors Ave STE 26713, Dover, DE 19904
Last updated: February 12, 2025
This DPA constitutes the complete agreement between the parties regarding the processing of Personal Data through the Services.