Data Processing Addendum

Parties

Controller = Customer. Processor = Vexa.ai Inc.

Subject Matter & Duration

Processing of meeting/transcript data and account metadata for the term of your subscription.

Nature & Purpose

Provision of real-time transcription and related support, security, and billing operations.

Types of Data

Meeting metadata, transcript text, timestamps, user/account identifiers; no recordings stored by default.

Data Subjects

Customer's authorized users and meeting participants.

Processor Obligations

1. Process only on documented instructions from Controller.
2. Confidentiality for personnel with access; least-privilege.
3. Security measures (see Annex II).
4. Assist with data subject requests and DPIAs.
5. Notify without undue delay of personal data breach (aim ≤72h where feasible) with details and mitigation steps.
6. Delete or return personal data at end of services (Controller's choice), subject to legal holds.
7. Make available information to demonstrate compliance; reasonable audits once/year on notice.

Sub-processing

Authorized per /legal/subprocessors. Processor must flow down equivalent obligations and remain liable.

International Transfers

EU SCCs (Module 2: Controller→Processor) and UK IDTA/Addendum are incorporated by reference and apply to non-EEA/UK transfers; supplementary measures as appropriate.

Liability & Indemnity

Each party's liability under this DPA is limited as per the Terms.

Annex I – Details of Processing

As described above.

Annex II – Security Measures (summary)

See /legal/security.

Annex III – Sub-processors

See /legal/subprocessors.

Contact

For questions about this DPA, please contact us at: info@vexa.ai