# Data Processing Agreement (DPA)
**Effective Date:** [INSERT DATE]
**Last Updated:** [INSERT DATE]
---
This Data Processing Agreement ("DPA") forms part of the agreement between **SpokesCoach** ("Processor," "we," or "us") and the **Customer organization** identified in the applicable Order Form or Subscription Agreement ("Controller," "Customer," or "you") for the SpokesCoach AI Media Training Platform (the "Service").
This DPA governs the processing of personal data by SpokesCoach on behalf of the Customer in connection with the Service. It is intended to ensure compliance with applicable data protection laws, including the **EU General Data Protection Regulation (GDPR)**, the **UK GDPR**, the **California Consumer Privacy Act (CCPA/CPRA)**, and similar global privacy regulations.
---
## 1. Definitions
Unless otherwise defined herein, capitalized terms have the meanings given in applicable Data Protection Laws.
- **"Applicable Data Protection Laws"** means all laws and regulations applicable to the processing of personal data, including the GDPR, UK GDPR, CCPA/CPRA, LGPD (Brazil), PIPEDA (Canada), and similar laws.
- **"Controller"** means the Customer organization that determines the purposes and means of processing personal data.
- **"Processor"** means SpokesCoach, which processes personal data on behalf of the Controller.
- **"Personal Data"** has the meaning given in Applicable Data Protection Laws.
- **"Data Subject"** means an identified or identifiable natural person to whom Personal Data relates (e.g., Spokespeople, Trainers, Account Owners).
- **"Sub-processor"** means any third party engaged by SpokesCoach to process Personal Data on behalf of the Customer.
- **"Standard Contractual Clauses" (SCCs)** means the European Commission-approved contractual clauses for transfers of personal data to third countries.
---
## 2. Roles of the Parties
### 2.1 Controller and Processor
The parties acknowledge:
- **Customer is the Controller** of Personal Data processed through the Service, including:
  - Personal data of its employees (Trainers, Account Owners, Viewers)
  - Personal data of Spokespeople trained on the platform
  - Any other personal data uploaded to the Service
- **SpokesCoach is the Processor**, processing Personal Data only on documented instructions from the Customer.
### 2.2 SpokesCoach as Independent Controller
For limited purposes, SpokesCoach acts as an **independent Controller** for:
- Account holder data needed for billing, fraud prevention, and account management
- Aggregated, anonymized analytics used to improve the Service
These activities are governed by our [Privacy Policy](/privacy).
---
## 3. Subject Matter and Duration
### 3.1 Subject Matter
SpokesCoach processes Personal Data to provide the Service, including:
- AI-powered media interview simulation
- Speech-to-text transcription
- Video and audio recording storage
- Performance analysis and feedback generation
- Reporting and analytics
- Team and account management
### 3.2 Duration
This DPA applies for the duration of the Customer's subscription to the Service and continues until all Personal Data is deleted or returned in accordance with Section 11.
---
## 4. Categories of Data and Data Subjects
### 4.1 Categories of Data Subjects
- **Account Owners and Administrators** (employees of the Customer organization)
- **Trainers** (media coaches employed or contracted by the Customer)
- **Spokespeople** (individuals trained through the Service, often Customer's clients or executives)
- **Viewers** (additional users with read-only access)
### 4.2 Categories of Personal Data
- **Identifying data:** Name, email, job title, organization
- **Account data:** Login credentials (hashed), role, permissions
- **Communication data:** Email correspondence, support tickets
- **Audio recordings:** Speech captured during training sessions
- **Video recordings:** Visual recordings of training sessions
- **Transcript data:** Text transcriptions of speech
- **Performance data:** AI-generated scores, feedback, improvement metrics
- **Behavioral data:** Usage patterns, session frequency
- **Technical data:** IP addresses, device information, browser type
### 4.3 Special Categories (Sensitive Data)
The Service may process the following categories of sensitive personal data:
- **Biometric data:** Voice characteristics (used for transcription, not identification)
- **Inferred data:** Performance evaluations that may indirectly reveal personal characteristics
The Customer represents and warrants that it has obtained all necessary consents from Data Subjects for processing such data.
---
## 5. Customer Obligations
The Customer:
5.1 Represents and warrants that it has the lawful basis (consent, contract, legitimate interest, or other legal ground) to upload and process Personal Data through the Service.
5.2 Is responsible for obtaining all necessary consents from Spokespeople before recording or uploading their data, including consent to:
- Audio and video recording
- AI analysis and automated feedback generation
- Storage and retention per the Customer's chosen video retention policy
5.3 Will provide accurate and lawful instructions to SpokesCoach regarding the processing of Personal Data.
5.4 Will not upload or process Personal Data that:
- Violates Applicable Data Protection Laws
- Lacks lawful basis for processing
- Includes data of children under 18 without explicit parental/guardian consent
5.5 Acknowledges responsibility for handling Data Subject rights requests directly. SpokesCoach will support such requests as described in Section 8.
---
## 6. SpokesCoach Obligations
SpokesCoach:
6.1 Will process Personal Data only on documented instructions from the Customer, including those set forth in this DPA, the Terms of Service, and the Order Form.
6.2 Will ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
6.3 Will implement appropriate technical and organizational security measures (described in Annex II).
6.4 Will engage Sub-processors only as permitted under Section 7.
6.5 Will assist the Customer in responding to Data Subject rights requests (Section 8).
6.6 Will notify the Customer of personal data breaches without undue delay (Section 9).
6.7 Will cooperate with the Customer in conducting Data Protection Impact Assessments (DPIAs) where required.
6.8 Will return or delete Personal Data upon termination (Section 11).
6.9 Will make available to the Customer information necessary to demonstrate compliance with this DPA, including audits (Section 10).
---
## 7. Sub-processors
### 7.1 Authorization
The Customer provides general authorization for SpokesCoach to engage Sub-processors necessary to deliver the Service. The current list of Sub-processors is available in Annex III and updated periodically.
### 7.2 Notification of Changes
SpokesCoach will notify the Customer at least 30 days in advance of adding or replacing any Sub-processor by updating Annex III and publishing notice. The Customer may object on reasonable data protection grounds within 30 days of such notification.
### 7.3 Sub-processor Contracts
SpokesCoach will:
- Enter into written contracts with each Sub-processor imposing data protection obligations equivalent to those in this DPA
- Remain fully liable for the acts and omissions of its Sub-processors
- Conduct due diligence on Sub-processors before engagement
---
## 8. Data Subject Rights
### 8.1 Cooperation
SpokesCoach will provide reasonable assistance to enable the Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision-making
### 8.2 Direct Requests
If SpokesCoach receives a request from a Data Subject relating to Personal Data processed on behalf of a Customer, SpokesCoach will:
- Promptly forward the request to the Customer (typically within 5 business days)
- Not respond directly unless authorized by the Customer or required by law
### 8.3 Tools and Self-Service
The Service includes tools that enable Customers to fulfill many Data Subject requests directly:
- Account management dashboard for accessing/exporting data
- Manual deletion tools for video recordings
- Audit logs for compliance documentation
---
## 9. Personal Data Breach Notification
### 9.1 Notification to Customer
SpokesCoach will notify the Customer **without undue delay, and in any event within 72 hours** of becoming aware of a Personal Data breach affecting the Customer's data.
### 9.2 Notification Content
Notifications will include, where available:
- Nature and scope of the breach
- Categories and approximate number of Data Subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
- Contact details for further information
### 9.3 Cooperation
SpokesCoach will cooperate with the Customer in investigating, mitigating, and remediating breaches, including assisting with notifications to supervisory authorities or affected Data Subjects.
### 9.4 Customer Responsibilities
The Customer is responsible for notifying applicable supervisory authorities and Data Subjects as required by law, except where SpokesCoach is required to do so directly.
---
## 10. Audits and Inspections
### 10.1 Right to Audit
The Customer may request an audit of SpokesCoach's compliance with this DPA. Audits may be conducted:
- By the Customer (or its authorized auditor)
- No more than once per 12-month period (unless required by law or following a confirmed breach)
- With at least 30 days' written notice
- During SpokesCoach's normal business hours
- Subject to confidentiality obligations
- At the Customer's expense
### 10.2 Audit Reports
In lieu of on-site audits, SpokesCoach may provide:
- SOC 2 Type II reports (when available)
- ISO 27001 certifications (when available)
- Independent third-party audit reports
- Detailed responses to security questionnaires
### 10.3 Findings
The Customer will share audit findings with SpokesCoach. SpokesCoach will use reasonable efforts to remediate confirmed deficiencies promptly.
---
## 11. Data Return and Deletion
### 11.1 Upon Termination
Upon termination of the subscription:
- The Customer has 30 days to export its data via the Service's export tools or by request
- After 30 days, SpokesCoach will delete or anonymize all Personal Data, except as required for legal retention
### 11.2 Retention by Law
SpokesCoach may retain Personal Data after termination only to the extent required by applicable law (e.g., tax, audit, regulatory obligations). Retained data remains subject to the protection obligations in this DPA.
### 11.3 Certification
Upon written request, SpokesCoach will provide written certification of deletion within 30 days of request completion.
---
## 12. International Data Transfers
### 12.1 Cross-Border Transfers
SpokesCoach may transfer Personal Data to countries outside the country of origin, including to Sub-processors in [INSERT COUNTRIES, e.g., United States].
### 12.2 Transfer Mechanisms
For transfers from the European Economic Area, UK, or Switzerland to countries without an adequacy decision:
- The parties agree to be bound by the **EU Standard Contractual Clauses** (Module Two: Controller-to-Processor) annexed to this DPA
- For UK transfers, the **UK International Data Transfer Addendum** is incorporated by reference
- For Swiss transfers, the SCCs are amended to reflect Swiss FADP requirements
### 12.3 Supplementary Measures
SpokesCoach implements supplementary measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Strict access controls and authentication
- Regular security audits
- Vendor due diligence on Sub-processors
### 12.4 Transfer Impact Assessment
SpokesCoach will assist the Customer with conducting Transfer Impact Assessments (TIAs) where required by applicable law.
---
## 13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. Nothing in this DPA limits liability for:
- Breach of confidentiality obligations
- Gross negligence or willful misconduct
- Liability that cannot be limited under applicable law
---
## 14. General Provisions
### 14.1 Order of Precedence
In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to Personal Data processing.
### 14.2 Modifications
SpokesCoach may modify this DPA to:
- Comply with changes in Applicable Data Protection Laws
- Reflect changes to the Service or Sub-processor list
- Improve clarity or operational practices
Material changes will be communicated 30 days in advance.
### 14.3 Severability
If any provision is unenforceable, the remaining provisions remain in effect.
### 14.4 Governing Law
This DPA is governed by the law specified in the Terms of Service, except where mandatory data protection laws require otherwise.
### 14.5 Counterparts and Electronic Acceptance
This DPA may be executed electronically. Acceptance through the Service interface constitutes a binding agreement.
---
## ANNEX I: Description of Processing
**Categories of Data Subjects:** See Section 4.1
**Categories of Personal Data:** See Section 4.2
**Special Categories:** See Section 4.3
**Nature and Purpose of Processing:** Provision of AI-powered media training services
**Duration of Processing:** Duration of subscription + retention periods (see Privacy Policy Section 8)
---
## ANNEX II: Technical and Organizational Security Measures
SpokesCoach implements the following measures:
### Encryption
- All data in transit encrypted with TLS 1.2 or higher
- All data at rest encrypted with AES-256
- Database connections encrypted
### Access Controls
- Role-based access control (RBAC) for all systems
- Principle of least privilege
- Multi-factor authentication required for administrative access
- Regular access reviews
### Network Security
- Web Application Firewall (WAF)
- DDoS protection
- IP-based rate limiting
- Secure VPN for administrative access
### Application Security
- Secure software development lifecycle (SSDLC)
- Regular security code reviews
- Dependency vulnerability scanning
- Static and dynamic application security testing
### Operational Security
- 24/7 security monitoring
- Incident response plan
- Regular penetration testing (annually or more frequently)
- Log retention and monitoring (SIEM)
### Personnel
- Background checks for personnel with data access
- Confidentiality agreements
- Annual security and privacy training
- Defined offboarding procedures
### Physical Security
- Data center facilities (managed by Sub-processors) certified to ISO 27001 or SOC 2
### Backup and Continuity
- Encrypted backups with geographic redundancy
- Documented disaster recovery plan
- Regular backup restoration testing
---
## ANNEX III: Authorized Sub-processors
| Sub-processor | Service Provided | Location of Processing |
|---------------|------------------|----------------------|
| **Anthropic** | AI language models for interview simulation and feedback | United States |
| **ElevenLabs** | Speech-to-text and text-to-speech | United States |
| **Stripe** | Payment processing | United States, Ireland |
| **Supabase** | Database, authentication, file storage | [INSERT REGION] |
| **Cloudflare** | Video storage (R2), CDN, security | Global edge network |
| **Resend** | Transactional email delivery | United States |
| **Sentry** | Error monitoring and diagnostics | United States |
| **Vercel** | Application hosting | Global edge network |
This list is updated periodically. Customers will be notified of changes per Section 7.2.
---
## ANNEX IV: EU Standard Contractual Clauses (SCCs)
For transfers of Personal Data from the EEA to a country without an adequacy decision, the parties hereby execute the EU Standard Contractual Clauses (Decision (EU) 2021/914, Module Two: Controller-to-Processor), incorporated by reference. The following details apply:
- **Data Exporter:** Customer (as Controller)
- **Data Importer:** SpokesCoach (as Processor)
- **Categories of Data Subjects:** As described in Section 4.1
- **Categories of Personal Data:** As described in Section 4.2
- **Special Categories:** As described in Section 4.3
- **Frequency of Transfer:** Continuous (for the duration of the subscription)
- **Nature of Processing:** Provision of media training services
- **Purpose of Processing:** As described in Section 3
- **Duration:** As described in Section 3.2 and Section 11
- **Sub-processors:** As listed in Annex III
- **Competent Supervisory Authority:** [INSERT SUPERVISORY AUTHORITY based on Customer's main establishment]
The optional clauses (e.g., docking clause, additional safeguards) apply as agreed in writing between the parties.
---
## Contact for DPA Inquiries
**SpokesCoach Privacy Team**
Email: privacy@spokescoach.com
Postal: [INSERT BUSINESS ADDRESS]
---
**By using the SpokesCoach Service, the Customer acknowledges and agrees to the terms of this Data Processing Agreement.**