Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Loquira ("Processor") and the customer ("Controller") for the use of the Loquira realtime translation Service. This DPA sets out the terms governing the processing of personal data by the Processor on behalf of the Controller, as required by Article 28 of the General Data Protection Regulation (GDPR) (EU) 2016/679.

1. Definitions

Capitalised terms used but not defined in this DPA have the meanings given in the GDPR. "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA. "Processing" means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, and erasure.

2. Subject Matter and Duration

The subject matter of the processing is the provision of the Loquira realtime speech-translation service. The duration of the processing corresponds to the term of the agreement between the Controller and the Processor, plus the retention periods specified in the Privacy Policy.

3. Nature and Purpose of Processing

The Processor processes Personal Data for the following purposes:

• Transcribing speech into text via Deepgram STT services
• Translating transcribed text into the target language via Google Cloud Translation API
• Synthesising translated text into speech via Google Cloud TTS
• Processing subscription payments via Lemon Squeezy

4. Types of Personal Data

The Processor may process the following categories of Personal Data on behalf of the Controller:

• Account identifiers (email address, display name)
• Speech audio data (processed transiently for realtime transcription)
• Transcribed and translated text content
• Session metadata (timestamps, language selections, listener counts)
• Device and connection data (IP address, browser type, connection metrics)

5. Categories of Data Subjects

The Processing concerns the following categories of data subjects:

• Account holders authorised by the Controller to create sessions
• Session attendees (listeners) who join sessions created by the Controller
• Any individual whose speech is transmitted through the Service

6. Obligations of the Processor

The Processor agrees to:

• Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or member state law
• Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
• Not engage another processor without prior specific or general written authorisation of the Controller
• Assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligation to respond to data subject requests
• Assist the Controller in ensuring compliance with Articles 32–36 of the GDPR
• At the choice of the Controller, delete or return all Personal Data after the end of the processing services
• Make available to the Controller all information necessary to demonstrate compliance with Article 28

7. Sub-Processors

The Controller authorises the Processor to engage the following sub-processors:

• Deepgram — speech-to-text (USA)
• Google Cloud Translation — translation (global)
• Google Cloud TTS — text-to-speech (global)
• Lemon Squeezy — payment processing (global)

The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance. The Controller may object to such changes within 14 days of notification.

8. Data Subject Rights

The Processor shall promptly notify the Controller if it receives a request from a data subject to exercise their rights under Chapter III of the GDPR. The Processor shall not respond to such a request without the Controller's prior authorisation, except where required by law. The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests, including the rights of access, rectification, erasure, restriction, portability, and objection.

9. Security Measures

The Processor maintains the following technical and organisational security measures:

• Encryption in transit: TLS 1.3 for all external communications
• Encryption at rest: AES-256 for database storage
• Network security: Kubernetes NetworkPolicies implementing default-deny rules
• Access control: role-based access with least-privilege principles
• Regular security updates and patch management
• Incident response procedures

10. International Transfers

Where processing involves the transfer of Personal Data to countries outside the European Economic Area, the Processor ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission. The Controller may request a copy of the relevant safeguards.

11. Data Breach Notification

The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach affecting Personal Data processed under this DPA. The Processor shall provide the Controller with sufficient information to allow the Controller to meet its obligations to notify the supervisory authority and affected data subjects under Articles 33 and 34 of the GDPR.

12. Contact

For questions about this DPA or to exercise any rights, contact the Processor at support@loquira.com.