This Data Processing Addendum, including its Schedules (collectively, this "DPA"), forms part of and is incorporated into the Scribie Terms of Service and/or Scribie Master Services Agreement (as applicable) (the "Agreement") by and between the entity registering an account or purchasing services from Scribie ("Customer") and Scribie Technologies, Inc. ("Scribie"). Except to the extent expressly set forth in this DPA, this DPA is governed by the Agreement. Capitalized terms not defined in this DPA have the meanings given in the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA will control with respect to Processing of Personal Data.
1. Definitions
For purposes of this DPA, the following definitions apply:
- "Affiliate" means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of more than fifty percent (50%) of the voting securities or equivalent interests.
- "Applicable Law" means all applicable laws, regulations, binding regulatory guidance, and governmental requirements relating to privacy, data protection, confidentiality, security, and/or Processing of Personal Data, including (as applicable) GDPR, UK GDPR, Swiss data protection law, and U.S. state privacy laws (including CCPA/CPRA) (collectively, "Privacy Laws").
- "Controller" (including "Business" under certain U.S. Privacy Laws) means the entity that determines the purposes and means of Processing of Personal Data.
- "Processor" (including "Service Provider" under certain U.S. Privacy Laws) means the entity that Processes Personal Data on behalf of a Controller.
- "Subprocessor" means any third party (including Scribie Affiliates, vendors, and authorized individual contractors) engaged by Scribie to Process Personal Data in connection with the Services.
- "Personal Data" means any information relating to an identified or identifiable natural person or otherwise defined as "personal data," "personal information," or equivalent under applicable Privacy Laws.
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, or any other unauthorized Processing of Personal Data, as defined by applicable Privacy Laws.
- "Process" or "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
- "Services" means the transcription, captioning, translation (if applicable), summarization, quality review, timestamping, speaker labeling, formatting, AI-assisted processing workflows, and other related services Scribie provides under the Agreement.
- "Customer Content" means any audio, video, text, images, metadata, files, or other data submitted to the Services by or on behalf of Customer.
- "Services Output" means transcripts, captions, summaries, translations (if applicable), annotations, timestamps, speaker labels, and other outputs generated from Customer Content through the Services.
- "SCCs" means (as applicable) the EU Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs") and/or the UK International Data Transfer Addendum to the EU SCCs ("UK Addendum").
- "EEA" means the European Economic Area.
- "Security Measures" means the technical and organizational measures described in Schedule 2.
2. Scope and Applicability
This DPA applies where Scribie Processes Personal Data in Customer Content or otherwise in connection with Scribie's provision of the Services to Customer irrespective of the Customer size (enterprise or individual).
The subject matter, duration, nature, and purposes of Processing, and the categories of Data Subjects and Personal Data are described in Schedule 1.
If and to the extent the SCCs apply to a transfer, the SCCs control in the event of conflict with the Agreement or this DPA to the extent of the conflict.
3. Roles of the Parties
Controller/Processor Relationship
Where Customer determines the purposes and means of Processing, Customer is the Controller and Scribie is the Processor.
Where Customer is itself a Processor acting on behalf of another Controller, Customer is the Processor and Scribie is a Subprocessor.
Customer represents and warrants that:
- It has provided all required notices and obtained all required consents or other lawful bases to provide Personal Data to Scribie for Processing; and
- Its instructions to Scribie will not cause Scribie to violate Privacy Laws.
Scribie will Process Personal Data in accordance with Customer's documented instructions, this DPA, and Privacy Laws applicable to Scribie as a Processor. Nothing herein relieves Customer of its obligations as Controller under applicable Privacy Laws.
4. Limitations on Use and Processing Instructions
Scribie will Process Personal Data solely to:
- Provide, maintain, and support the Services;
- Perform security, fraud prevention, quality assurance, and customer support; and
- Comply with Applicable Law (subject to Section 4.3).
Scribie will not "sell" or "share" Personal Data as defined under applicable U.S. Privacy Laws, and will not retain, use, or disclose Personal Data outside the direct business relationship with Customer except as permitted by this DPA or required by Applicable Law.
If Scribie is required by Applicable Law to Process Personal Data in a manner inconsistent with Customer's instructions, Scribie will (to the extent legally permitted) notify Customer before Processing.
If Scribie reasonably believes Customer's instruction violates Privacy Laws, Scribie will notify Customer and cooperate in good faith to remediate or clarify the instruction.
Customer acknowledges that Scribie does not control the nature of Customer Content and shall not be responsible for Personal Data submitted by Customer in violation of Applicable Law, contractual restrictions, or third-party rights, including special category or sensitive personal data uploaded without a lawful basis.
5. Confidentiality
Scribie will ensure that persons authorized to Process Personal Data are subject to confidentiality obligations (contractual or statutory) and receive appropriate privacy/security training.
Scribie will restrict access to Personal Data to authorized personnel and authorized contractors with a need-to-know for provision of Services.
6. Subprocessing
Customer provides Scribie general written authorization to engage Subprocessors in accordance with this Section 6.
Scribie will impose written contractual obligations on Subprocessors that are substantially similar to and no less protective than those in this DPA, including confidentiality and security requirements.
Subprocessor List and Updates
- Scribie's current Subprocessors are listed in Schedule 3.
- Scribie will provide at least thirty (30) days' prior notice of any new Subprocessor, where required by Privacy Laws or where Scribie maintains a formal subprocessor notice program for enterprise customers.
- Customer may object to a new Subprocessor on reasonable grounds related to data protection by providing written notice within the notice period. The parties will work in good faith to resolve. If resolution is not reasonably possible, Customer may terminate the affected Services (or the Agreement, if applicable) and receive a pro-rata refund of prepaid fees for undelivered Services attributable to the termination.
Scribie remains responsible for its Subprocessors' performance of their obligations under this DPA.
7. Security
Scribie will implement and maintain appropriate Security Measures as set forth in Schedule 2, taking into account the nature, scope, context, and purposes of Processing and the risks to individuals.
Scribie will maintain role-based access controls and least-privilege access for systems that store or process Personal Data.
Where Scribie uses authorized individual contractors for transcription/review/QA, Scribie will apply contractor onboarding controls, access restrictions, confidentiality commitments, and workflow restrictions designed to prevent unauthorized disclosure.
8. Personal Data Breach Notification
Scribie shall notify Customer without undue delay after becoming aware of a Personal Data Breach, and in any event within the timeframe required by Applicable Law.
Scribie shall provide information reasonably necessary for Customer to meet its breach notification obligations, including (to the extent available) nature of incident, categories/approximate volume of affected data, mitigation steps, and contact point.
Scribie shall take reasonable steps to investigate, contain, and remediate the incident. Scribie shall cooperate reasonably with Customer in communications with supervisory authorities.
9. Assistance with Individual Rights Requests
If Scribie receives a request from a Data Subject to exercise rights under Privacy Laws relating to Personal Data Processed under the Agreement, Scribie will (to the extent legally permitted) notify Customer and will not respond except on Customer's documented instructions or as required by law.
Scribie shall provide reasonable assistance to Customer in responding to Data Subject requests, to the extent technically feasible and information is available to Scribie, taking into account the nature of the Services. Scribie may charge a reasonable fee or decline to act on requests that are manifestly unfounded, excessive, or repetitive, as permitted by Applicable Law.
10. DPIAs and Regulatory Cooperation
Upon Customer's written request and at its own cost wherever permitted, Scribie will provide reasonable assistance for Customer's data protection impact assessments and prior consultations with supervisory authorities, limited to information within Scribie's control and to the extent required by Privacy Laws.
To the extent legally permitted, Scribie will notify Customer of legally binding requests for disclosure of Personal Data from law enforcement or regulators and will seek to limit disclosure to what is legally required.
11. Cross-Border Transfers
Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country not recognized as providing an adequate level of protection, the SCCs apply as follows:
EU SCCs (GDPR)
- If Customer is a Controller and Scribie is a Processor, Module Two (Controller to Processor) applies.
- If Customer is a Processor and Scribie is a Subprocessor/Processor, Module Three (Processor to Processor) applies.
The EU SCCs are deemed completed as follows (unless otherwise specified in an Order Form):
- Clause 7 (Docking Clause): Included.
- Clause 9 (Use of Subprocessors): Option 2 (General Authorization) with 30 days' notice.
- Clause 11 (Redress): Not used (optional clause not selected).
- Clause 17 (Governing Law): Ireland.
- Clause 18 (Forum): Ireland.
- Annexes I–III of the EU SCCs are satisfied by Schedules 1–3 of this DPA.
UK Addendum (UK GDPR)
Where UK GDPR applies, the UK Addendum is incorporated by reference and completed using the information in Schedules 1–3, and the parties are deemed to have executed it.
Switzerland
For transfers governed by Swiss law, references to "GDPR" in the EU SCCs will be interpreted to include the Swiss Federal Act on Data Protection (as applicable), and "supervisory authority" will include the relevant Swiss authority, as legally required.
Where required by European Privacy Laws, the parties will cooperate in good faith to implement supplemental measures (technical, contractual, and/or organizational) to support transfer compliance.
12. AI-Assisted Processing and Model Restrictions
Scribie may use automated speech recognition (ASR), language models, or AI-assisted tooling to generate or refine Services Output, subject to this DPA and the Agreement.
Internal Model Training
Customer acknowledges and agrees that, by default, Scribie may use Customer Content and related Personal Data to train, fine-tune, and improve Scribie's internal, proprietary machine-learning and language models, solely for purposes of improving the accuracy, quality, security, and performance of the Services. Such training shall be subject to appropriate technical and organizational safeguards and shall not involve disclosure of Customer Content to third parties for their independent use.
Customer may opt out of such internal training at any time by providing written notice to Scribie in accordance with the procedures described in the Agreement or Privacy Policy, in which case Scribie will cease such use on a going-forward basis.
For clarity, Scribie shall not use Customer Content or Personal Data to train or improve third-party models or general-purpose models offered outside the Services, except where Customer has expressly agreed otherwise in writing.
If Scribie uses third-party AI providers as Subprocessors for ASR/NLP, Scribie will contractually require restrictions consistent with this DPA (including confidentiality, security, and limits on use/training) and list such providers in Schedule 3.
Where Services involve human transcription/review, Scribie will maintain workflow controls intended to reduce risk of unauthorized retention/disclosure (e.g., controlled access, anti-exfiltration rules in the portal, and policy-based tool restrictions).
Scribie represents that outputs, weights, parameters, or learnings derived from internal model training are statistical, abstracted, and non-reversible and are not intended to reproduce or enable reconstruction of Customer Content or identification of any individual Data Subject.
The Services do not involve automated decision-making producing legal or similarly significant effects concerning Data Subjects within the meaning of Article 22 of the GDPR. Customer remains solely responsible for any decisions, actions, or outcomes based on the Services Output.
13. Audit and Compliance Information
Upon Customer's written request, Scribie will make available reasonable information necessary to demonstrate compliance with this DPA.
Where required by Privacy Laws, Customer may conduct audits subject to reasonable limitations:
- Audits no more than once per 12 months (unless triggered by a Personal Data Breach or regulator requirement);
- Reasonable advance notice (e.g., 30 days);
- Audits are limited to scope relevant to the Services and security of Personal Data; and
- Audits shall not require disclosure of Scribie's source code, proprietary algorithms, internal AI models, model weights, training datasets, internal risk assessments, or trade secrets, nor permit access to information relating to other customers.
Scribie may satisfy audit requests by providing a recent third-party security report (e.g., SOC 2/ISO) where available, in lieu of an on-site audit for overlapping controls.
14. Return and Deletion
Upon termination/expiration of the Agreement or upon Customer's written request (where supported by the Services), Scribie will delete or return Personal Data in accordance with the Agreement and applicable retention practices, except to the extent retention is required by Applicable Law.
Scribie may retain Personal Data in encrypted backups for a limited period consistent with its business continuity and disaster recovery practices. Such data shall not be actively processed except for restoration, security testing, or compliance with Applicable Law.
15. U.S. Privacy Law Terms (Service Provider/Processor)
Where applicable, Scribie acts as a "service provider"/"processor" and will:
- Process Personal Data only for the business purposes of providing the Services;
- Not sell/share Personal Data;
- Not retain, use, or disclose Personal Data outside the direct business relationship except as permitted; and
- Upon notice, support Customer's reasonable steps to remediate unauthorized Processing, as required by U.S. Privacy Laws.
16. Miscellaneous
Sections relating to confidentiality, security, AI-assisted processing, internal model training, derived data, audit rights, cross-border transfers, and return or deletion of Personal Data shall survive termination of the Agreement to the extent permitted by Applicable Law.
If changes in Privacy Laws require modifications to this DPA, the parties will negotiate in good faith to implement necessary changes.
Except as expressly provided in the SCCs (where applicable), this DPA does not create third-party beneficiary rights.
Schedule 1 – Processing Description (Annex I / Annex IB)
List of Parties
Data Exporter(s):
- Name: Customer (the entity entering into the Agreement and this DPA)
- Address: As set out in the Agreement / account registration details
- Contact person's name, position and contact details: As set out in the Agreement / account registration details
- Activities relevant to the data transferred under these Clauses: Customer submits Customer Content to Scribie for Processing in order to receive transcription, captioning, summarization and related outputs.
- Role: Controller (or Processor, as applicable)
Data Importer(s):
- Name: Scribie Technologies, Inc.
- Activities relevant to the data transferred under these Clauses: Scribie Processes Personal Data contained in Customer Content to provide, maintain, secure, and support the Services and generate Services Output, in accordance with Customer instructions, the Agreement, and this DPA.
- Role: Processor (or Subprocessor, as applicable)
Description of Transfer
Categories of Data Subjects whose Personal Data is Processed/transferred:
Customer determines, controls, and is solely responsible for the categories of Data Subjects included in Customer Content, which may include, without limitation:
- Customer's employees, contractors, and staff;
- Customer's clients/customers/end users (including their staff);
- Meeting participants, interviewees, speakers, presenters, and attendees;
- Vendors, consultants, advisers, agents, and service providers;
- Individuals referenced within recordings (e.g., callers, patients, students) as applicable;
- Any other individuals whose Personal Data is included in audio/video submitted to the Services.
Categories of Personal Data Processed/transferred:
Customer controls the types of Personal Data submitted to the Services. Depending on use case, this may include:
- Identifiers (name, username, email address contained in spoken content);
- Voice data (audio recordings of speech) and speaker identifiers;
- Professional/employment information contained in recordings;
- Communications content and contextual data (what was said, how it was said);
- Metadata (timestamps, file IDs, job identifiers, project/team tags);
- Any personal data otherwise included in transcripts/captions/summaries/annotations.
Sensitive Data / Special Category Data:
Customer is responsible for avoiding submission of Special Category Data or other sensitive regulated data unless expressly permitted under the Agreement and appropriate safeguards are implemented. Where sensitive data is included by Customer, Scribie will apply access restrictions and Security Measures set forth in Schedule 2. (For clarity: Scribie does not seek sensitive data; Customer controls submission.)
Frequency of Processing/transfer:
Ad hoc or continuous, depending on Customer's use of the Services during the term of the Agreement.
Nature of the Processing:
Processing operations may include (as applicable):
- Receiving Customer Content;
- Upload, hosting, storage, organization, and structuring;
- Automated speech recognition or AI-assisted processing to generate drafts;
- Human transcription/review/QA (where enabled/required by the service type);
- Editing, formatting, speaker labeling, timestamping, summarization;
- Returning Services Output to Customer;
- Deletion and retention of data per documented retention practices and legal requirements;
- Security monitoring, logging, fraud prevention, and quality assurance.
Purpose(s) of Processing:
To provide the Services to Customer under the Agreement, including generation and delivery of Services Output, together with security, operational support, and quality assurance consistent with Section 4.1 of the DPA.
Duration of Processing / retention period:
For the duration of the Agreement and thereafter for such limited period as is reasonably necessary to:
- Provide Customer the Services (including access to outputs),
- Comply with Customer deletion/return requests as supported by the Services,
- Maintain reasonable backup/BCDR practices, and/or
- Comply with Applicable Law (including legal holds).
For transfers to (sub-)processors:
Subprocessors listed in Schedule 3, for the subject matter and purposes stated above, for the duration of their engagement.
Third countries / jurisdictions of Processing (if applicable):
Processing may occur in the United States and other locations where Scribie or its Subprocessors maintain infrastructure or personnel, subject to the SCCs and transfer safeguards where required.
Competent Supervisory Authority
For purposes of the EU SCCs (Clause 13):
- Where Customer is established in the EEA: the supervisory authority competent for Customer.
- Where Customer is not established in the EEA but SCCs apply: the supervisory authority determined under GDPR.
- Where the parties select Ireland under Clause 17/18 (as per Section 11.1 of the DPA): the Irish Data Protection Commission (to the extent legally permissible).
Schedule 2 – Technical and Organizational Security Measures (Annex II)
Scribie shall implement and maintain commercially reasonable technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. The measures below reflect a SOC2-aligned control framework, and may evolve as part of Scribie's continuous security improvement.
Governance and Security Program
- Documented information security policies and standards, reviewed periodically.
- Designated security responsibility (security lead / security function).
- Risk assessment practices proportional to service scope and data sensitivity.
Access Controls
- Role-based access control (RBAC) and least privilege access.
- Strong authentication for administrative access (including MFA where supported).
- Access provisioning/deprovisioning procedures tied to role changes and termination.
- Segregation of duties for sensitive administrative functions, where appropriate.
Workforce and Contractor Security
- Confidentiality obligations for employees and authorized contractors.
- Privacy/security awareness training appropriate to access levels.
- Contractor onboarding controls (identity verification as appropriate; policy acceptance; limited permissions).
- Workflow restrictions designed to prevent unauthorized export/retention of Customer Content.
Secure Development and Change Management
- Change management processes for material production changes.
- Secure coding practices and vulnerability management for services components.
Logging, Monitoring, and Audit Trails
- Logging of access and key security events for systems handling Personal Data.
- Monitoring to detect suspicious access patterns and policy violations.
- Retention of logs for reasonable periods consistent with operational and legal needs.
Encryption and Transmission Security
- Encryption in transit for customer-facing communications using industry-standard protocols (e.g., TLS).
- Encryption at rest for production storage where appropriate and feasible.
- Secure key management practices proportional to service architecture.
Incident Response and Breach Management
- Incident response plan with defined escalation and response procedures.
- Procedures to investigate, contain, remediate, and document security incidents.
- Customer notification process consistent with Section 8 of the DPA.
Business Continuity and Disaster Recovery
- Backup and restoration procedures.
- Business continuity and disaster recovery practices appropriate to service criticality.
- Periodic review/testing of recovery procedures where appropriate.
Physical Security
- Where Scribie uses third-party data centers/cloud providers: reliance on provider physical security controls and certifications.
- Restricted physical access to systems containing Personal Data (directly or via provider controls).
Subprocessor Security
- Due diligence and contractual security obligations for Subprocessors.
- Requirement that Subprocessors implement security controls no less protective than those in this DPA, proportionate to processing risk.
Schedule 3 – List of Subprocessors (Annex III)
Customer authorizes Scribie to engage the following categories of Subprocessors (and the specific providers listed below where applicable). Scribie may update this list in accordance with Section 6.3 of the DPA.
Data in connection with the Services
| Sub-processor | Purpose | Location |
|---|---|---|
| AssemblyAI | Speech-to-text transcription | United States |
| Google (Gemini) | AI-powered proofreading | United States |
| Render | Cloud hosting infrastructure | United States |
| Amazon Web Services (S3) | File storage | United States |
| Braintree (PayPal) | Payment processing | United States |
| Google Workspace | Email communications | United States |
| Zendesk | Customer support | United States |
Authorized Individual Contractors (Human Transcription / Review / QA)
- Type: Authorized individual contractors (transcribers/reviewers/QA personnel)
- Jurisdiction: Potentially multiple jurisdictions depending on contractor location
- Processing: Access to Customer Content strictly within Scribie's controlled workflow to produce Services Output (human transcription/review), subject to confidentiality obligations and access restrictions
- Affected products: Human transcription / QA / review workflows (where enabled)
Annexure A – EU Standard Contractual Clauses (EU SCCs)
The parties agree that the EU SCCs (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) apply to transfers of Personal Data subject to GDPR from the EEA to third countries not subject to an adequacy decision, and are incorporated into and form part of this DPA on the following basis:
1. Modules
- Module Two (Controller to Processor) applies where Customer is a Controller and Scribie is a Processor.
- Module Three (Processor to Processor) applies where Customer is a Processor and Scribie is a Processor/Subprocessor.
2. Optional Clauses and Selections
- Clause 7 (Docking Clause): Included.
- Clause 9 (Use of Sub-processors): Option 2 (General written authorization). Subprocessor notice period: 30 days, as set out in DPA Section 6.3.
- Clause 11 (Redress): Not selected.
- Clause 17 (Governing law): Ireland.
- Clause 18 (Choice of forum and jurisdiction): Ireland.
3. Annexes
- Annex I (List of Parties / Description of Transfer): Schedule 1.
- Annex II (Technical and Organizational Measures): Schedule 2.
- Annex III (List of Sub-processors): Schedule 3.
4. Signatures
By entering into the Agreement and/or executing the DPA, the parties are deemed to have signed these EU SCCs (including Annexes), as completed above.
Annexure B – UK International Data Transfer Addendum (UK Addendum)
Where the UK GDPR applies to a transfer, the UK Addendum (International Data Transfer Addendum to the EU SCCs) applies and is incorporated into this DPA on the following basis:
Table 1 – Parties
- Exporter: Customer (as set out in Schedule 1)
- Importer: Scribie Technologies, Inc. (as set out in Schedule 1)
Table 2 – Selected SCCs
The Approved EU SCCs are the EU SCCs referenced in Annexure A.
Table 3 – Appendix Information
- Annex 1A / 1B: Schedule 1
- Annex II: Schedule 2
- Annex III: Schedule 3
Table 4 – Termination
Either party may terminate the UK Addendum as set out in Section 19 of the UK Addendum where applicable.
By entering into the Agreement and/or executing the DPA, the parties are deemed to have executed the UK Addendum as completed above.
Contact Information
If you have questions, concerns, or requests regarding this Data Processing Addendum, please contact:
Scribie Technologies, Inc.
2261 Market Street, #22612, San Francisco, CA 94114, United States
Email: support@scribie.com
Website: Contact Us