Data Processing Addendum (new)
The following document goes into effect on April 18, 2025, replacing the prior version (accessible here). Continued use of the Services on or after April 18, 2025 signifies acceptance of the changes.
<div class="gray-line"></div>
THIS DATA PROCESSING ADDENDUM ("<u>DPA</u>") is hereby attached to and made part of the TOS entered into between AssemblyAI and Customer. If there is a conflict between the TOS and this DPA, the provisions of this DPA shall control. Unless otherwise expressly provided within the TOS, or mutually agreed to between the Parties in writing, this DPA is effective as of the TOS Effective Date, and will remain until expiration or termination of the TOS.
<div class="gray-line"></div>
1.<span class="indent"> </span>DEFINITIONS
The terms used in this DPA shall have the following meanings. Capitalized terms not otherwise defined herein shall have the meaning given to them in the TOS.
1.1<span class="indent"></span><u>Affiliate</u>. “<u>Affiliate</u>” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with AssemblyAI, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2<span class="indent"></span><u>BAA</u>. The “<u>BAA</u>” is the Business Associate Agreement, as defined in the TOS.
1.3<span class="indent"></span><u>CCPA</u>. “<u>CCPA</u>” means the California Consumer Privacy Act of 2018, California Civil Code Section 1798.100, et seq., and, effective January 1, 2023, as amended by the California Privacy Rights Act of 2020 (“<u>CPRA</u>”), and its implementing regulations.
1.4<span class="indent"></span><u>Data Breach</u>. “<u>Data Breach</u>” means a breach of security leading to the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, access to, or other Processing of Personal Data transmitted, stored, or otherwise Processed.
1.5<span class="indent"></span><u>Data Protection Laws</u>. “<u>Data Protection Laws</u>” means all local, national, or international laws and regulations applicable to a Party’s Processing of Personal Data under the TOS, including, where applicable, EU Data Protection Laws and the CCPA.
1.6<span class="indent"></span><u>Data Subject Request</u>. “<u>Data Subject Request</u>” means a request made by a Data Subject in accordance with the rights granted under Data Protection Laws, including requests to know, delete and opt-out under the CCPA and requests to access, rectify, erase, restrict Processing, data portability, object to Processing and not to be subject to automated individual decision making under EU Data Protection Laws.
1.7<span class="indent"></span><u>EU Data Protection Laws</u>. “<u>EU Data Protection Laws</u>” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“<u>GDPR</u>”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) in respect of the United Kingdom (“<u>U.K.</u>”), the UK GDPR, and (v) in respect of Switzerland, the Federal Act on Data Protection of 19 June 1992 (“<u>FADP</u>”).
1.8<span class="indent"></span><u>Europe.</u> “<u>Europe</u>” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
1.9<span class="indent"></span><u>EU Standard Contractual Clauses</u>. “<u>EU Standard Contractual Clauses</u>” means the contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, amended as indicated in this DPA.
1.10<span class="indent"></span><u>HIPAA</u>. “<u>HIPAA</u>” means the Health Insurance Portability and Accountability Act of 1996 (as amended, the “<u>HIPAA Act</u>”), and the Privacy Standards and Security Standards and other rules and regulations promulgated thereunder, the Health Information Technology for Economic and Clinical Health Act (“<u>HITECH Act</u>”), and the rules and regulations promulgated thereunder (HIPAA Act, HITECH Act, the Privacy Standards, the Security Standards and such other rules and regulations, collectively, “<u>HIPAA</u>”).
1.11<span class="indent"></span><u>Personal Data</u>. “<u>Personal Data</u>” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person or particular household.
1.10<span class="indent"></span><u>Process or Processing</u>. “<u>Process</u>” or “<u>Processing</u>” means any operation or set of operations which is performed on Personal Data by AssemblyAI or its Subprocessors, or in connection with and for the purposes of the provision of the Services, whether or not accomplished by automatic means, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and as defined by Data Protection Laws.
1.11<span class="indent"></span><u>Protected Health Information</u>. “<u>Protected Health Information</u>” means as defined in 45 CFR § 160.103.
1.12<span class="indent"></span><u>Sensitive Data</u>. “<u>Sensitive Data</u>” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" or "special personal information" under applicable Data Protection Laws.
1.13<span class="indent"></span><u>Services</u>. “<u>Services</u>” means as defined in the TOS.
1.14<span class="indent"></span><u>Subprocessor</u>. "<u>Subprocessor</u>" means any person appointed by or on behalf of AssemblyAI to assist in fulfilling its obligations with respect to providing the Services pursuant to the TOS or this DPA. Subprocessors may include third parties or Affiliates of AssemblyAI but shall exclude AssemblyAI employees, contractors, or consultants.
1.15<span class="indent"></span><u>UK GDPR</u>. “<u>U.K. GDPR</u>” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
1.16<span class="indent"></span><u>UK Standard Contractual Clauses</u>. “<u>U.K. Standard Contractual Clauses</u>” means the International Data Transfer Addendum to the E.U. Standard Contractual Clauses issued by the United Kingdom’s Information Commissioner’s Office and laid before the U.K. Parliament in accordance with Section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised herein.
1.17<span class="indent"></span>The terms "<u>Business</u>", “<u>Commission</u>”, “<u>Controller</u>”, “<u>Data Subject</u>”, “<u>Member State</u>”, and “<u>Supervisory Authority</u>” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2.<span class="indent"> </span>PROCESSING OF PERSONAL DATA
2.1<span class="indent"></span><u>Roles of the Parties</u>. The parties acknowledge and agree that with respect to the Processing of Personal Data under the TOS, Customer is the Controller, and AssemblyAI is the Processor or Service Provider. The subject matter, duration, purpose of the Processing, and types of Personal Data and categories of Data Subjects under this DPA are set forth in Annex A.
2.2<span class="indent"></span><u>Customer's Obligations</u>. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, concerning its Processing of Personal Data; (ii) its instructions to AssemblyAI concerning the Processing of Personal Data will not cause AssemblyAI to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws; and (iii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for AssemblyAI to Process Personal Data for the purposes described in the TOS. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any content created, sent or managed through the Service.
2.3<span class="indent"></span><u>AssemblyAI’s Obligations</u>. AssemblyAI shall adhere to applicable Data Protection Laws in Processing Personal Data. AssemblyAI shall Process Personal Data only in accordance with Customer’s documented written instructions. The Parties agree that the TOS sets out Customer’s complete and final instructions to AssemblyAI in relation to the Processing of Personal Data, and processing outside of the scope of these instructions (if any) shall require prior written agreement of both Parties.
2.4<span class="indent"></span><u>Details of the Processing</u>. The subject-matter of the Processing of Personal Data pursuant to the TOS, duration of such Processing, the nature and purpose of such Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA, are all as specified in Annex A hereto.
3.<span class="indent"> </span>SUBPROCESSING
3.1<span class="indent"></span><u>Approved Subprocessors</u>. Customer hereby authorizes AssemblyAI to engage Subprocessors, listed (as of the Effective Date) in the AssemblyAI Trust Center, accessible (as of the Effective Date) at https://www.assemblyai.com/trust (“<u>Subprocessor List</u>”), to Process Personal Data for the provision of the services under the TOS (each a Subprocessor).
3.2<span class="indent"></span><u>New Subprocessors</u>. When AssemblyAI engages a new Subprocessor to Process Personal Data, AssemblyAI shall, at least thirty (30) days before the new Subprocessor begins Processing Personal Data, notify Customer by updating the Subprocessor List. Posting of Subprocessors in the locations noted in Section 3.1 constitutes adequate notice to Customers of new Subprocessors, pursuant to this Section.
3.3<span class="indent"></span><u>Communication</u>. Customer shall not directly communicate with AssemblyAI’s Subprocessors about the Services, unless agreed to in writing by AssemblyAI in AssemblyAI’s sole discretion.
3.4<span class="indent"></span><u>Subprocessor Contract</u>. AssemblyAI shall impose contractual obligations on its Subprocessors of Personal Data, subject to this DPA, that are at least as restrictive as those obligations imposed on Vendor under Data Protection Laws, the DPA, and the related Annexes.
4.<span class="indent"> </span>SECURITY
4.1<span class="indent"></span><u>AssemblyAI’s Personnel</u>. AssemblyAI shall ensure that any person who is authorized by AssemblyAI to process Personal Data (including its staff and agents) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.2<span class="indent"></span><u>Security Measures</u>. AssemblyAI shall implement and maintain commercially reasonable technical and organizational measures that are designed to protect against Data Breaches involving unauthorized or accidental destruction, loss, alteration or damage, unauthorized disclosure of or access to, Personal Data and designed to preserve the security and confidentiality of Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in accordance with the security standards described in Annex D (the “Security Measures”).
4.3<span class="indent"></span><u>Updates to Security Measures</u>. Customer acknowledges that the Security Measures are subject to technical progress and development and that AssemblyAI may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.
4.4<span class="indent"></span><u>Customer’s Obligations Regarding Security Measures</u>. Customer is responsible for ensuring its Security Measures adequately meet its obligations under applicable Data Protection Laws. Customer is further responsible for its secure use of the Services, including protecting the security of Personal Data in transit to and from the Services (including securely backing up or encrypting any such Personal Data).
5.<span class="indent"> </span>INCIDENTS
5.1<span class="indent"></span><u>Notification</u>. In the event that AssemblyAI becomes reasonably aware of any Security Breach, AssemblyAI shall use good faith efforts to notify Customer of the Security Breach without undue delay, but in no event later than seventy-two (72) hours after AssemblyAI becomes reasonably aware of the Security Breach. The notification obligations in this Section 5 do not apply to incidents that are caused by Customer or Customer’s personnel or users or to unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, password stuffing attacks and other network attacks on firewall or networked systems.
5.2<span class="indent"></span><u>Manner of Notification</u>. Notification of a Security Breach, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means that AssemblyAI selects, including via electronic mail. It is Customer’s sole responsibility to ensure that it maintains accurate contact information with AssemblyAI at all times.
5.3<span class="indent"></span><u>Data Breach Management</u>. AssemblyAI shall make commercially reasonable efforts to identify the cause of a Data Breach and take those steps that AssemblyAI deems necessary and reasonable to remediate the cause of such Data Breach to the extent that remediation is within AssemblyAI’s reasonable control.
6.<span class="indent"> </span>TERMINATION
6.1<span class="indent"></span><u>Termination</u>. This DPA shall terminate automatically upon the later of (a) the termination or expiration of the TOS, or (b) AssemblyAI’s deletion or return of the Personal Data to Customer.
6.2<span class="indent"></span><u>Effect of Termination</u>. Upon termination or expiration of this DPA, AssemblyAI shall (at Customer’s election) delete or return to Customer all existing copies of Personal Data pursuant to the TOS, unless Data Protection Laws require continued retention of the Personal Data. This requirement shall not apply to Personal Data that AssemblyAI has archived on backup systems, which Personal Data shall be deleted by AssemblyAI at such time as AssemblyAI next restores to its active systems the backup that contains the Personal Data.
7.<span class="indent"> </span>DATA SUBJECT REQUESTS
7.1<span class="indent"></span><u>Data Subject Requests</u>. In the event that a Data Subject Request is made to AssemblyAI, AssemblyAI shall not respond to the Data Subject Request directly, except to direct the Data Subject to contact Customer directly or as required by Data Protection Laws. Taking into account the nature of the Services, Processing, and technical feasibilities, AssemblyAI shall assist Customer by appropriate and reasonable technical and organizational measures for the fulfillment of Customer’s obligation to respond to a Data Subject Request, provided it is reasonably possible for AssemblyAI to assist and Customer provides the relevant information necessary for AssemblyAI to support the request (as reasonably requested by AssemblyAI). If AssemblyAI is required by Data Protection Laws to respond to the Data Subject Request, it shall notify Customer by any means that AssemblyAI selects, including via electronic mail, unless prohibited from doing so by Data Protection Laws. For the avoidance of doubt, nothing in the TOS or the DPA shall restrict or prevent AssemblyAI from responding to any Data Subject Request or request or inquiry from a Data Protection Authority in relation to Personal Data for which AssemblyAI is a Controller.
8.<span class="indent"> </span>JURISDICTION-SPECIFIC TERMS
8.1<span class="indent"></span><u>GDPR</u>. To the extent that AssemblyAI Processes Personal Data subject to the GDPR, the terms of Annex B shall apply and are hereby incorporated into the DPA and given full effect.
8.2<span class="indent"></span><u>CCPA</u>. To the extent that AssemblyAI Processes Personal Data subject to the CCPA, the terms of Annex C shall apply and are hereby incorporated into the DPA and given full effect.
9.<span class="indent"> </span>LIMITATION OF LIABILITY
9.1<span class="indent"></span><u>Limitation of Liability</u>. To the extent permitted by applicable Data Protection Laws, each Party’s (and all of that Party’s Affiliates’) liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the TOS.
9.2<span class="indent"></span><u>Claims by Customer</u>. Any claims made against AssemblyAI or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the TOS.
9.3<span class="indent"></span><u>Exclusion</u>. In no event shall any Party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
9.4<span class="indent"></span><u>Amendments</u>. This DPA may not be amended or supplemented, nor shall any of its provisions be deemed to be waived or otherwise modified, except through a writing duly executed by authorized representatives of Vendor and Customer.
<div class="gray-line"></div>
ANNEX A TO DPA: DESCRIPTION OF PROCESSING
1.<span class="indent"></span>SUBJECT MATTER AND DETAILS OF PROCESSING
The Parties acknowledge and agree that (i) the subject matter of the Processing under the TOS is AssemblyAI’s provision of the Services; (ii) the duration of the Processing is from AssemblyAI’s receipt of Personal Data until deletion of all Personal Data by AssemblyAI in accordance with the TOS; (iii) the nature and purpose of the Processing is to provide the Services; (iv) the Data Subjects to whom the Personal Data pertains are individuals about whom AssemblyAI processes Personal Data in connection with the Services; and (v) the categories of Personal Data are provided by Customer or its users in connection with the Services.
2.<span class="indent"></span>TYPES OF PERSONAL DATA
Personal Data that may be included in transcripts and/or video/voice files.
3.<span class="indent"></span>CATEGORIES OF DATA SUBJECTS
- Customer’s Personnel
- Customer’s End Users
- Employees, agents, advisors and freelancers of Customer
- Prospects, customers, business partners and vendors of Customer
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
4.<span class="indent"></span>OBLIGATIONS AND RIGHTS OF DATA CONTROLLER
The obligations and rights of Customer are as set out in the TOS and the DPA.
<div class="gray-line"></div>
ANNEX B TO DPA: EU DATA PROCESSING
The provisions of this Annex B will apply to the Processing by AssemblyAI of Personal Data under the TOS, but only to the extent that the Processing of Personal Data is subject to EU Data Protection Laws. In the event of any conflict between the provisions of this Annex B and the DPA or the TOS, the provisions of this Annex B shall control.
1.<span class="indent"></span>PROCESSING OF PERSONAL DATA
1.1<span class="indent"></span><u>Roles of the Parties</u>. When Processing Personal Data that is subject to EU Data Protection Law in accordance with Customer’s instructions, the Parties acknowledge that Customer is the Controller of the Personal Data and AssemblyAI is the Processor.
1.2<span class="indent"></span><u>Legality of Processing Instructions</u>. AssemblyAI shall inform Customer in writing, including by electronic mail, if it believes that an instruction of Customer relating to the Processing of Personal Data infringes on EU Data Protection Laws.
2.<span class="indent"></span>SUBPROCESSORS
2.1<span class="indent"></span><u>Objection to New Subprocessors</u>. If Customer has a reasonable objection to the addition of a new Subprocessor to the Subprocessor List in accordance with DPA Section 3.2, Customer must notify AssemblyAI of the objection in writing within ten (10) calendar days of the addition of the new Subprocessor to the Subprocessor List. If Customer does not notify AssemblyAI in writing of an objection within ten (10) calendar days, Customer waives any objection that it may have had to the new Subprocessor. If Customer submits an objection in accordance with this Section 2.1, the Parties agree to discuss Customer’s concerns in good faith with a view toward achieving a commercially reasonable resolution. If no such resolution can be reached within thirty (30) calendar days, AssemblyAI may, at its option, either (a) withdraw the objectionable Subprocessor and either perform the Services itself, or appoint a new Subprocessor in accordance with the terms of Section 3.2 of the DPA, or (b) permit Customer to suspend or terminate the Services and the TOS in accordance with the termination provisions of the TOS without liability to either party (but Customer must pay any fees incurred for Services actually performed by AssemblyAI prior to suspension or termination in accordance with the terms of the TOS). The parties agree that by complying with this Section 2, AssemblyAI fulfills its obligations under Section 9 of the EU Standard Contractual Clauses.
2.2<span class="indent"></span><u>Liability for Acts/Omissions of Subprocessors</u>. AssemblyAI shall remain liable for the acts and omissions of its Subprocessors to the same extent that AssemblyAI would be liable if it performed the services of each Subprocessor directly under the terms of this DPA.
3.<span class="indent"></span>DATA SUBJECT REQUESTS
The Parties’ responses and obligations around Data Subject Requests under this Annex B will be as laid out in DPA Section 7.
4.<span class="indent"></span>DATA PROTECTION IMPACT ASSESSMENTS
To the extent required under applicable Data Protection Laws, AssemblyAI shall (taking into account the nature of the processing and the information available to AssemblyAI) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with Supervisory Authorities as required by Data Protection Laws. AssemblyAI shall comply with the foregoing by: (i) complying with Section 5 (Audits) of this Annex B; (ii) providing the information contained in the TOS, including this DPA; and (iii) if the foregoing subsections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer’s expense).
5.<span class="indent"></span>AUDITS
5.1<span class="indent"></span><u>Audits Generally</u>. AssemblyAI shall make information reasonably necessary to demonstrate compliance with this DPA available to Customer. Customer may audit AssemblyAI’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by applicable Data Protection Laws, including where mandated by Customer’s Supervisory Authority. Any audit must be conducted during regular business hours, subject to the agreed final audit plan as set forth in Section 5.3 of this Annex B and subject to AssemblyAI’s safety, security or other relevant policies, and may not unreasonably interfere with AssemblyAI’s business activities.
5.2<span class="indent"></span><u>Third Party Auditors</u>. If a third party is to conduct an audit under Section 5.1 of this Annex B, AssemblyAI may object to the auditor if the auditor is, in AssemblyAI’s reasonable opinion, a competitor of AssemblyAI. Such objection by AssemblyAI will require Customer to appoint another auditor or conduct the audit itself. Customer will be responsible for all fees charged by any auditor appointed by Customer to execute any audit under this Section 5.
5.3<span class="indent"></span><u>Audit Plan</u>. Aside from an audit of a Supervisory Authority, to request an audit, Customer must submit a detailed proposed audit plan to AssemblyAI at least thirty (30) calendar days in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the Parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the scope, duration and start date of the audit. AssemblyAI shall review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise AssemblyAI’s security, privacy, employment or other relevant policies). AssemblyAI shall work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 5.3 shall require AssemblyAI to disclose any information where such disclosure would result in a breach of any duty of confidentiality.
5.4<span class="indent"></span><u>Third Party Audit Reports</u>. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and AssemblyAI has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.
5.5<span class="indent"></span><u>Subprocessor Information</u>. Nothing in this Section 5 shall be construed to require AssemblyAI to furnish more information about its Subprocessors in connection with such audits than such Subprocessors make available to AssemblyAI without restriction on further disclosure.
5.6<span class="indent"></span><u>Audit Reports</u>. Customer shall promptly notify AssemblyAI of any non-compliance discovered during the course of an audit and provide AssemblyAI any audit reports generated in connection with any audit under this Section 5 unless prohibited by applicable Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. If any audit reveals that AssemblyAI is not in compliance with the provisions of this DPA and/or applicable Data Protection Laws, AssemblyAI shall take commercially reasonable corrective actions including temporary work-arounds reasonably necessary to comply with the provisions of this DPA and/or applicable Data Protection Laws.
6.<span class="indent"></span>CROSS-BORDER DATA TRANSFERS
6.1<span class="indent"></span><u>Processing Location</u>. Customer acknowledges that, as of the date of this DPA, AssemblyAI’s primary Processing facilities are located in the United States of America. Notwithstanding the foregoing, Parties agree that storage and Processing by AssemblyAI of Customer Data in providing asynchronous speech-to-text transcription Services, if such Processing is going through https://api.eu.assemblyai.com/, and subject to the EU Data Protection Laws and Annex B of the DPA, will be restricted to within Europe.
6.2<span class="indent"></span><u>EU Standard Contractual Clauses</u>. For data transfers from the European Economic Area to a country that has not been deemed by the European Commission to provide an adequate level of protection of Personal Data pursuant to Article 45 of the GDPR, Module Two of the EU Standard Contractual Clauses will apply in the following manner:
- 6.2.1. In Clause 7, the optional docking clause will not apply;
- 6.2.2. In Clause 9(a), Option 2 will apply, and the time period for notice of Subprocessor changes will be as set forth in Section 3.2 (Subprocessing) of the DPA;
- 6.2.3. In Clause 11, the optional language will not apply;
- 6.2.4. In Clause 17, Option 1 will apply, and the EU Standard Contractual Clauses will be governed by Irish law;
- 6.2.5. In Clause 18(b), disputes will be resolved before the courts of Ireland;
- 6.2.6. In Annex A, Part A:
- 6.2.6.1. Data Exporter: Customer and authorized affiliates of Customer;
- 6.2.6.2. Contact Details: Customer’s email address, or the email address(es) for which Customer elects to receive privacy communications.
- 6.2.6.3. Data Exporter Role: The Data Exporter’s role is defined in Section 2 of this DPA.
- 6.2.6.4. Signature & Date: By entering into this DPA, Data Exporter is deemed to have signed the EU Standard Contractual Clauses (Module 2) incorporated herein, including their Annexes, as of the date of this DPA.
- 6.2.6.5. Data Importer: AssemblyAI, Inc.
- 6.2.6.6. Contact Details: 226 Market Street, #4577, San Francisco, California 94114, support@assemblyai.com.
- 6.2.6.7. Data Importer Role: The Data Importer’s role is outlined in Section 2 of this DPA.
- 6.2.6.8. Signature & Date: By entering into this DPA, Data Importer is deemed to have signed the EU Standard Contractual Clauses (Module 2) incorporated herein, including their Annexes, as of the date of this DPA.
- 6.2.7. In Annex A, Part B:
- 6.2.7.1. The categories of Data Subjects are described in Annex A, Section 3 to this DPA.
- 6.2.7.2. The Sensitive Data transferred is described in Annex A, Section 4 to this DPA.
- 6.2.7.3. The frequency of the transfer is on a continuous basis for the duration of the TOS.
- 6.2.7.4. The nature of the processing is described in Annex A, Section 1 to this DPA.
- 6.2.7.5. The purpose of the processing is described in Annex A, Section 1 to this DPA.
- 6.2.7.6. The period of the processing is described in Annex A, Section 1 to this DPA.
- 6.2.7.7. For transfers to Subprocessors, the subject matter of the processing is as follows: Data management.
- 6.2.8. In Annex A, Part C, the competent Supervisory Authority is Ireland.
- 6.2.9. Annex D to this DPA serves as Annex B to the EU Standard Contractual Clauses.
6.3<span class="indent"></span><u>U.K. Standard Contractual Clauses</u>. For data transfers from the United Kingdom to a country that has not been deemed by the United Kingdom Information Commissioner’s Office to provide an adequate level of protection of Personal Data pursuant to Article 45 of the U.K. GDPR, the U.K. Standard Contractual Clauses will apply. For data transfers from the United Kingdom that are subject to the U.K. Standard Contractual Clauses, the U.K. Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
- 6.3.1. In Table 1 of the U.K. Standard Contractual Clauses, the parties’ details and key contact information is located in Section 6.2.6 of this Annex B;
- 6.3.2. In Table 2 of the U.K. Standard Contractual Clauses, information about the version of the approved EU Standard Contractual Clauses, modules and selected clauses which these U.K. Standard Contractual Clauses are appended is located in Section 6.2 of this Annex B;
- 6.3.3. In Table 3 of the U.K. Standard Contractual Clauses:
- 6.3.3.1. The list of Parties is located in Section 6.2.6 of this Annex B;
- 6.3.3.2. The description of the transfer is set forth in Section 1 of Annex A of this DPA;
- 6.3.3.3. Annex B is located in Annex D to this DPA; and
- 6.3.3.4. The list of Subprocessors is identified in the Subprocessor List.
- 6.3.4. In Table 3 of the U.K. Standard Contractual Clauses, both the Importer and the Exporter may end the U.K. Standard Contractual Clauses in accordance with the terms of the U.K. Standard Contractual Clauses.
6.4<span class="indent"></span><u>Additional Safeguards</u>. In the event of transfer of Personal Data from the European Economic Area, Switzerland or the United Kingdom to a jurisdiction that has not been deemed to provide an adequate level of protection for Personal Data by the European Commission or the United Kingdom Information Commissioner’s Office (as applicable), the Parties agree to supplement the provisions of the EU Standard Contractual Clauses and/or the U.K. Standard Contractual Clauses with the following safeguards and representations, where appropriate:
<span class="indent-2"></span>6.4.1. AssemblyAI shall implement and maintain in accordance with good industry practice measures, including the use of industry standard encryption, to protect the Personal Data from interception (including in transit from the Customer to AssemblyAI and between different systems and services). This includes having in place and maintaining network protection and industry standard encryption intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
<span class="indent-2"></span>6.4.2. AssemblyAI will make commercially reasonable efforts to resist, subject to applicable Data Protection Laws and other Applicable Laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the U.K. GDPR, including under Section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”).
<span class="indent-2"></span>6.4.3. If AssemblyAI becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
<span class="indent-2"></span><span class="indent-2"></span>6.4.3.1. AssemblyAI shall inform the relevant governmental authority that AssemblyAI is a Processor of the Personal Data, and that Customer has not authorized AssemblyAI to disclose the Personal Data to the governmental authority, and inform the relevant governmental authority that any and all requests or demands for access to Personal Data should therefore be notified to or served upon Customer in writing.
<span class="indent-2"></span><span class="indent-2"></span>6.4.3.2. AssemblyAI will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Information which is under AssemblyAI’s control. Notwithstanding the above, (a) Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended governmental authority access; and (b) if, taking into account the nature, scope, context and purposes of the intended governmental authority access to Personal Data, AssemblyAI has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this Section 6.4.3.2 shall not apply. In such event, AssemblyAI shall notify Customer, as soon as practicable, following the access by the governmental authority, and provide Customer with relevant details of the same, unless and to the extent AssemblyAI is legally prohibited from doing so.
<span class="indent-2"></span>6.4.4. Except to the extent prohibited by law, once every 12-month period, AssemblyAI shall inform Customer, at Customer’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under Section 702 of FISA.
<span class="indent-2"></span>6.4.5. If AssemblyAI is prohibited by law from disclosing to Customer the existence of a request for information by a law enforcement entity under Section 702 of FISA or other similar legal process, AssemblyAI shall take all reasonable steps to attempt to have the prohibition on disclosure removed, and shall promptly notify Customer of the request as soon as legally permitted.
6.5<span class="indent"></span><u>Conflicts</u>. To the extent there is any conflict between the EU Standard Contractual Clauses or the U.K. Standard Contractual Clauses and any other terms in this DPA, including Section 8.1 (Jurisdiction Specific Terms), the provisions of the EU Standard Contractual Clauses or the U.K. Standard Contractual Clauses will prevail, but only to the extent that the EU Standard Contractual Clauses and/or the U.K. Standard Contractual Clauses apply.
6.6<span class="indent"></span><u>Amendments to EU Standard Contractual Clauses or U.K. Standard Contractual Clauses</u>. If the European Commission, the United Kingdom Information Commissioner’s Office or a Supervisory Authority amends the EU Standard Contractual Clauses or the U.K. Standard Contractual Clauses, the parties shall promptly discuss the proposed amendments and negotiate in good faith with a view toward agreeing and implementing those amendments as soon as is reasonably practicable.
<div class="gray-line"></div>
ANNEX C TO DPA: CALIFORNIA DATA PROCESSING
The provisions of this Annex C will apply to the Processing by AssemblyAI of Personal Data under the TOS, but only to the extent that the Processing of Personal Data is subject to the CCPA. In the event of any conflict between the provisions of this Annex C and the DPA or the TOS, the provisions of this Annex C will control.
1.<span class="indent"></span>DEFINITIONS
As used in this Annex C, the terms “<u>Business Purpose</u>”, “<u>Person</u>”, “<u>Personal Information</u>”, “<u>Sale</u>”, “<u>Sell</u>”, “<u>Share</u>”, and “<u>Service Provider</u>” shall have the same meaning as in the CCPA (California Civil Code Section 1798.140), and their cognate terms shall be construed accordingly.
2.<span class="indent"></span>ROLES OF THE PARTIES
The Parties acknowledge and agree that, with regard to the Processing of Personal Data that constitutes Personal Information performed solely on behalf of Customer, AssemblyAI is a Service Provider and receives Personal Data pursuant to the Business Purpose of providing the Services to Customer under the TOS.
3.<span class="indent"></span>NO SALE OR SHARE OF PERSONAL INFORMATION TO ASSEMBLYAI
Customer and AssemblyAI hereby acknowledge and agree that in no event shall the transfer of Personal Data that constitutes Personal Information from Customer to AssemblyAI pursuant to the TOS constitute a Sale or Share of Personal Information to AssemblyAI, and that nothing in the TOS shall be construed as providing for the Sale or Share of Personal Information. The Parties acknowledge and agree that AssemblyAI’s access to Personal Data that constitutes Personal Information does not constitute part of the consideration exchanged by the Parties in respect of the TOS.
4.<span class="indent"></span>LIMITATIONS ON USE AND DISCLOSURE
AssemblyAI will not Sell or Share the Personal Data that constitutes Personal Information Processed under this DPA and will not retain, use or disclose the Personal Data that constitutes Personal Information for any purposes other than the specific purpose of performing the Services as provided in the TOS, the Business Purposes specified in the TOS, and as required under the CCPA, unless otherwise provided under the TOS. AssemblyAI shall not retain, use or disclose Personal Data that constitutes Personal Information outside of the direct business relationship between AssemblyAI and Customer, unless otherwise provided under the TOS. AssemblyAI hereby certifies that it understands the foregoing restriction and will comply with it in accordance with the requirements of the CCPA.
5.<span class="indent"></span>CCPA COMPLIANCE
AssemblyAI shall comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data that constitutes Personal Information as required by the CCPA. If AssemblyAI determines that it can no longer meet its obligations under the CCPA, it shall notify Customer in writing (including by email).
6.<span class="indent"></span>MONITORING COMPLIANCE WITH THE CCPA
Customer shall have the right to take reasonable and appropriate steps to help to ensure that AssemblyAI uses the Personal Data that constitutes Personal Information in a manner that is consistent with Customer’s obligations under the CCPA. The Parties agree that those reasonable and appropriate steps include those listed in Section 5 of Annex B to this DPA.
7.<span class="indent"></span>COMBINING PERSONAL INFORMATION
AssemblyAI shall not combine Personal Data that constitutes Personal Information that AssemblyAI receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another Person or Persons, or collects from its own interaction with the Data Subject (except to perform a Business Purpose as defined in regulations adopted pursuant to the CCPA).
<div class="gray-line"></div>
ANNEX D TO DPA: SECURITY MEASURES
The technical and organizational measures implemented by AssemblyAI pursuant to Section 4.2 of the DPA shall be as follows: