Version 1.1 — February 27, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between WhisperTyping LLC ("Provider", "we", "us") and the organisation using the WhisperTyping service ("Customer", "you"). By using the Service, Customer agrees to this DPA.
This DPA sets out the terms that apply when Provider processes Personal Data on behalf of Customer in the course of providing the Service, as required by Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.
Need a signed copy? If your organisation requires a countersigned DPA, contact and we will provide one.
1. Definitions
- "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
- "Personal Data" means any information relating to a Data Subject that is Processed by Provider on behalf of Customer in connection with the Service.
- "Processing" (and "Process") means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Processor" means the entity that Processes Personal Data on behalf of a Controller.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Provider.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
- "Sub-processor" means any third party engaged by Provider to Process Personal Data on behalf of Customer.
- "UK SCCs" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018.
2. Scope and Roles
2.1. Customer acts as the Controller and Provider acts as the Processor with respect to Personal Data Processed under this DPA.
2.2. The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Schedule 1 (Processing Description).
2.3. This DPA applies for the duration of Customer's use of the Service. Upon termination, the obligations of this DPA shall continue to apply until Provider ceases all Processing of Personal Data on behalf of Customer.
3. Processing Instructions
3.1. Provider shall Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Provider shall inform Customer of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.
3.2. Provider shall immediately inform Customer if, in its opinion, an instruction infringes applicable data protection law.
3.3. Customer instructs Provider to Process Personal Data for the following purposes:
- (a) Providing and maintaining the Service, including speech-to-text transcription and AI text processing;
- (b) Detecting and preventing security incidents;
- (c) Providing customer support;
- (d) Complying with applicable law.
3.4. Provider shall not Process Personal Data for any purpose other than those set out in this DPA, and shall not "sell" or "share" Personal Data as those terms are defined under applicable privacy laws.
3.5. Neither Provider nor its Sub-processors shall use Personal Data for the purpose of training or improving machine learning models without Customer's prior written consent.
4. Confidentiality
4.1. Provider shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2. Provider shall limit access to Personal Data to those personnel who require such access to perform the Service.
5. Security Measures
5.1. Provider shall implement and maintain appropriate technical and organisational measures to protect Personal Data against Security Incidents, as described in Schedule 2 (Technical and Organisational Measures).
5.2. Provider shall regularly test, assess, and evaluate the effectiveness of these measures.
6. Sub-processing
6.1. Customer provides general authorisation for Provider to engage Sub-processors to Process Personal Data. The current list of Sub-processors is set out in Schedule 3 (Sub-processor List).
6.2. Provider shall notify Customer at least 30 days before adding or replacing a Sub-processor, giving Customer the opportunity to object on reasonable data protection grounds.
6.3. If Customer objects to a new Sub-processor within the notice period, Provider shall make reasonable efforts to make available an alternative arrangement. If no alternative is reasonably available, either party may terminate the affected part of the Service.
6.4. Provider shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA.
6.5. Provider shall remain fully liable to Customer for the performance of each Sub-processor's obligations.
7. Data Subject Rights
7.1. Provider shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection).
7.2. If Provider receives a request from a Data Subject directly, Provider shall promptly forward the request to Customer and shall not respond to the Data Subject without Customer's instructions, unless required by law.
8. Security Incident Notification
8.1. Provider shall notify Customer of any Security Incident without undue delay and in any event within 72 hours of becoming aware of such incident.
8.2. The notification shall include:
- (a) The nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected;
- (b) The likely consequences of the Security Incident;
- (c) The measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.
8.3. Provider shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
9. Data Protection Impact Assessments
9.1. Provider shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Article 35 or 36 of the GDPR, taking into account the nature of Processing and the information available to Provider.
10. International Data Transfers
10.1. Customer acknowledges that Provider is established in the United States and that Personal Data will be Processed in the jurisdictions listed in Schedule 1.
10.2. Where Personal Data originating from the European Economic Area ("EEA"), the United Kingdom, or Switzerland is transferred to a country that has not been deemed to provide an adequate level of data protection, the parties agree that such transfer shall be governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference:
- (a) Module Two (Controller to Processor) shall apply where Customer is a Controller and Provider is a Processor;
- (b) Module Three (Processor to Processor) shall apply where Customer is a Processor and Provider is a Sub-processor.
10.3. For transfers subject to UK data protection law, the UK SCCs shall apply in addition to the EU SCCs.
10.4. For the purposes of the SCCs:
- (a) The "data exporter" is Customer;
- (b) The "data importer" is Provider (WhisperTyping LLC);
- (c) The governing law shall be the law of Ireland;
- (d) Disputes shall be resolved before the courts of Ireland;
- (e) The competent supervisory authority shall be the Irish Data Protection Commission.
10.5. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
11. Audit Rights
11.1. Provider shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or a mandated third-party auditor.
11.2. Audits shall be subject to the following conditions:
- (a) Customer shall provide at least 30 days' prior written notice;
- (b) Audits shall be limited to once per 12-month period, unless a Security Incident has occurred or a supervisory authority requires an additional audit;
- (c) Customer shall ensure that auditors are bound by confidentiality obligations;
- (d) Audits shall be conducted during normal business hours and shall not unreasonably disrupt Provider's operations.
11.3. As an alternative to an on-site audit, Provider may provide:
- (a) A summary of its most recent security assessment or certification (such as SOC 2 Type II or ISO 27001 audit reports);
- (b) Written responses to reasonable audit questionnaires submitted by Customer.
12. Data Deletion and Return
12.1. Upon termination of the Service, or upon Customer's written request, Provider shall, at Customer's choice, delete or return all Personal Data and delete existing copies, unless applicable law requires continued storage.
12.2. Provider shall complete the deletion within 90 days of the request or termination, and shall provide written confirmation of deletion upon Customer's request.
12.3. Provider may retain Personal Data to the extent required by applicable law, provided that Provider shall ensure confidentiality of such data and shall not Process it for any other purpose.
13. Liability
13.1. Each party's liability under this DPA shall be subject to the limitations of liability set out in the Terms of Service.
13.2. Nothing in this DPA shall limit either party's liability with respect to any rights of Data Subjects under applicable data protection law.
14. General
14.1. This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service, without prejudice to the governing law provisions of the SCCs.
14.2. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Schedule 1: Processing Description
A. Parties
| Role | Entity |
|---|---|
| Data Exporter (Controller) | Customer |
| Data Importer (Processor) | WhisperTyping LLC, 30 North Gould Street, Ste N, Sheridan, WY 82801, USA |
B. Categories of Data Subjects
- Customer's employees and authorised users of the Service
C. Types of Personal Data
| Data | Retention |
|---|---|
| Voice audio | Transient only (RAM). Not stored after transcription is complete. |
| Transcribed text | Transient only (RAM). Not stored. Remains only on the user's device. |
| AI mode input/output text | Not stored by Provider. Sub-processor (OpenAI) may retain for up to 30 days for service reliability. |
| Account information (name, email address) | Duration of the account plus 10 years for legal compliance |
| Usage logs (transcription metadata, device footprint, coarse locale, crash traces) | 5 years |
| Payment information | Processed by Stripe (PCI-DSS compliant). Provider does not store complete payment card details. |
D. Nature and Purpose of Processing
Provision of speech-to-text dictation services, AI text processing, account management, billing, and customer support.
E. Duration of Processing
For the duration of the Service agreement, plus any retention period specified above or required by applicable law.
F. Processing Locations
| Service | Locations |
|---|---|
| Standard transcription | United States, Canada, Finland, Saudi Arabia, Australia |
| Medical transcription | United States, European Union |
| AI text processing | United States |
| Account and billing data | United States |
Audio is automatically routed to the nearest available data center for lowest latency.
Schedule 2: Technical and Organisational Measures
Provider maintains the following security measures to protect Personal Data:
Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption for data at rest (account and usage data)
Access Controls
- Unique accounts with mandatory two-factor authentication for all Provider staff
- Role-based access control; access limited to personnel who require it
Endpoint Protection
- Industry-standard antivirus on all Provider workstations
Application Security
- Secure development practices, including code review and controlled deployment procedures
- Secure configuration baselines applied to all systems and services
- Only approved software permitted on production and staff systems
Operational Security
- Timely patching and vulnerability remediation
- Secure cloud configurations aligned with provider best practices
- Regular backups of essential service data with defined recovery procedures
Data Minimisation
- Audio processed transiently in memory only; never stored permanently
- Transcripts and dictation history remain only on the user's device
- Zero data retention enabled for transcription Sub-processors
Compliance Alignment
- Aligned with ISO 27001 controls
- Security practices informed by SOC 2 Trust Services Criteria
- Aligned with ACSC Essential Eight and GDPR principles
Incident Response
- Documented security incident response procedures
- 72-hour notification commitment for Security Incidents
Schedule 3: Sub-processors
Provider engages Sub-processors in the following categories to deliver the Service:
| Category | Purpose | Data Processed | Data Retention |
|---|---|---|---|
| Speech-to-text providers | Transcription of voice audio | Voice audio (transient) | Zero data retention |
| AI text processing provider | AI Modes feature | User text (when AI features used) | Up to 30 days for service reliability |
| Payment processor | Billing and subscriptions | Billing and payment information | Per processor's retention policy |
| Infrastructure provider | CDN, security, edge computing | Network metadata | Zero data retention |
All Sub-processors are contractually bound to data protection obligations no less protective than those set out in this DPA. Provider maintains Data Processing Agreements with each Sub-processor, including EU Standard Contractual Clauses where applicable.
A detailed list of Sub-processors (including entity names and processing locations) is available upon request at .