BeyondWords

Data processing agreement

  1. Definitions

    1. In this Data Processing Agreement (“DPA”), the following definitions apply:
      1. “Applicable Data Protection Laws” means, (i) to the extent the UK GDPR applies, the law of the United Kingdom or a part of the United Kingdom which relates to the protection of personal data; and (ii) to the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which Company is subject, which relates to the processing of personal data;
      2. “controller”, “processor”, “data subject”, “personal data”, “personal data breach” and “processing” shall have the meaning given to them in UK GDPR;
      3. “EU GDPR” means the General Data Protection Regulation ((EU) 2016/679);
      4. “UK GDPR” has the meaning given to it in the Data Protection Act 2018; and
      5. “Customer Personal Data” means any personal data which Company processes in connection with the Agreement, in the capacity of processor on Customer’s behalf.

    Unless otherwise defined in this DPA, capitalised terms have the meaning given to them in your agreement with BeyondWords (the “Agreement”).

  2. Data Protection

    1. The Parties will comply with all applicable requirements of Applicable Data Protection Laws. This paragraph 2.1 is in addition to, and does not relieve, remove or replace, a Party’s obligations or rights under Applicable Data Protection Laws.
    2. The Parties have determined that, for the purposes of Applicable Data Protection Laws, Company shall process the personal data set out in Annex 1 to this DPA as processor on behalf of Customer.
    3. Without prejudice to the generality of paragraph 2.1, Customer will ensure that it has a lawful basis of processing under Applicable Data Protection Laws and notices in place to enable lawful transfer of the Customer Personal Data to Company and lawful processing of the same by Company for the duration and purposes of the Agreement.
    4. In relation to the Customer Personal Data, Annex 1 sets out the scope, nature and purpose of processing by Company, the duration of the processing and the types of personal data and categories of data subject.
    5. Without prejudice to the generality of paragraph 2.1 Company shall, in relation to Customer Personal Data:
      1. process that Customer Personal Data only on the documented instructions of Customer, which shall be to process the Customer Personal Data for the purposes set out in Annex 1, unless Company is required by applicable laws to otherwise process that Customer Personal Data. Where Company is relying on applicable laws as the basis for processing Customer Personal Data, Company shall notify Customer of this before performing the processing required by the applicable laws unless those applicable laws prohibit Company from so notifying Customer on important grounds of public interest. Company shall inform Customer if, in the opinion of Company, the instructions of Customer infringe Applicable Data Protection Laws;
      2. implement appropriate technical and organisational measures (the details of which are set out in Annex 3) to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data. Company shall periodically review such measures to ensure they remain current and complete and may amend them;
      3. ensure that any personnel engaged and authorised by Company to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
      4. assist Customer insofar as this is possible (taking into account the nature of the processing and the information available to Company), and at Customer’s cost and written request, in responding to any request from a data subject and in ensuring Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
      5. notify Customer without undue delay on becoming aware of a personal data breach involving Customer Personal Data; and
      6. at the written direction of Customer, delete or return Customer Personal Data and copies thereof to Customer on termination of this Agreement unless Company is required by applicable law to continue to process that Customer Personal Data. For the purposes of this paragraph 2.7(f) Customer Personal Data shall be considered deleted where it is put beyond further use by Company.
    6. Customer hereby provides its prior, general authorisation for Company to:
      1. appoint subprocessors (a list of pre-approved entities is set out in Annex 2) to process the Customer Personal Data, provided that Company:
        1. shall ensure that the terms on which it appoints such subprocessors are consistent with the obligations imposed on Company in this DPA in all material respects;
        2. shall inform Customer of any intended changes concerning the addition or replacement of subprocessors to the list in Annex 2, thereby giving Customer the opportunity to object to such changes provided that if Customer objects to the changes and the Parties cannot find a mutually agreeable solution to the objection, Company may terminate the Agreement and this DPA forthwith on written notice to Customer; and
      2. transfer Customer Personal Data outside of the UK and the EU as required for the purposes described in Annex 1. Where the subprocessor is located in a jurisdiction that does not provide the same level of data protection as the UK GDPR or EU GDPR (as applicable), the Company shall ensure appropriate safeguards, such as standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner’s Office from time to time (where the UK GDPR applies to the transfer) (“SCCs”) apply in relation to the transfer. For these purposes, Customer shall promptly comply with any reasonable request of Company, including any request to enter into SCCs.
    7. Company may, at any time on not less than 10 days’ notice, revise this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when such changes are notified to Customer).
    8. For the avoidance of doubt, this DPA forms a part of the Agreement. The limitations and exclusions of liability set out in the Agreement apply to this DPA.

Annex 1

Particulars of processing

Scope
  • Processing of personal data in connection with the provision of Services, which will include: account set up and management and receiving and outputting personal data in connection with content
  • Text generation
  • Voice cloning
  • Speech generation
  • Video generation
  • Web hosting
  • Data storage
  • Compute for audio and video processing
Purpose of processing
  • The provision of the Services in accordance with the terms of Customer’s Agreement with Company
Nature of processing
  • Processing of personal data will be by computer/electronic means using Company’s (and its service providers’) IT systems
Duration of processing
  • The duration of Customer’s Agreement with Company
Types of personal data
  • Voice data
  • Article data (content and metadata)
  • Audio data
  • Video data
  • Customer personnel data (names, emails)
  • Analytics data (pseudonymous identifiers)
Categories of data subject
  • Customer personnel (including contractors e.g. voice actors)
  • End-Users (pseudonymous identifiers used for improved analytics, if applicable)

Annex 2

Subprocessors

The following subprocessors are pre-approved by the Controller, ref. clause 2.8, if any:

Entity: Microsoft Ireland Operations Ltd
  Country of establishment: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521
  Processing location(s): European Union and United Kingdom
  Scope of processing: News article data, audio data, video data, voice data, Customer personnel data

Entity: Clickhouse, Inc.
  Country of establishment: 650 Castro Street, Mountain View, California, 94041, United States
  Processing location(s): European Union and United Kingdom
  Scope of processing: Player analytics data

Entity: Cloudflare, Inc.
  Country of establishment: 101 Townsend St., San Francisco, California 94107, United States
  Processing location(s): European Union and United Kingdom
  Scope of processing: Audio data, video data

Entity: Heroku, Inc.
  Country of establishment: 321 11th St, San Francisco, CA, 94103, United States
  Processing location(s): European Union and United Kingdom
  Scope of processing: News article data, audio data, video data, voice data, Customer personnel data

Entity: OpenAI OpCo, LLC
  Country of establishment: 3180 18th St., San Francisco, CA 94110, United States
  Processing location(s): United States
  Scope of processing: News article data (OpenAI has committed to the Company that it will not use Customer Personal Data for its internal purposes, including training)

Annex 3

Technical and Organisational Measures

  1. Identity, Authentication, and Authorization

    1. Company Access Controls:
      1. Implement Single Sign-On (SSO) with Role-Based Access Controls (RBAC) to secure third-party services.
      2. Enforce mandatory Multi-Factor Authentication (MFA) for all identity provider access.
      3. Assign unique login credentials to all users and conduct periodic access audits.
      4. Establish clear procedures for access request approvals, prompt revocation upon employee departure, and reporting of compromised credentials.
    2. Customer Access Controls:
      1. Provide customers with options to use either third-party identity management services or secure passwords.
      2. Enforce strict password policies for customers, including complexity requirements and periodic updates.
      3. Ensure logical separation of customer data at the organisation level, supporting unique user accounts within each organisation.
  2. Cloud Infrastructure and Network Security

    1. Infrastructure Security:
      1. Maintain separate production and non-production environments to safeguard data integrity.
      2. Secure backend resources behind a VPN and routinely perform vulnerability audits.
      3. Manage application secrets using a dedicated secrets management service.
      4. Apply network security policies with a least-privilege approach and continuously monitor service logs for potential security events.
  3. System and Workstation Security

    1. Endpoint and System Management:
      1. Enforce endpoint management for workstations and mobile devices, ensuring automatic application of security configurations.
      2. Conduct periodic testing and evaluation of software updates before deployment to production environments.
      3. Perform authenticated vulnerability scanning and address identified issues promptly.
  4. Data Protection and Access Management

    1. Data Access Control:
      1. Adhere to the principle of least privilege, granting employees access to services only as needed for their roles.
    2. Data Security and Disclosure:
      1. Utilise encryption for data at rest and in transit to protect sensitive information.
      2. Maintain comprehensive audit trails for data access and enforce full-disk encryption on all company workstations.
      3. Implement stringent controls on the use of portable media and establish procedures for data deletion upon customer request.
  5. Availability and Incident Management

    1. System Availability:
      1. Implement robust systems restoration procedures and deploy anti-malware and intrusion detection/prevention solutions to ensure continuous service availability.
    2. Incident Response:
      1. Maintain detailed logging and monitoring systems to facilitate the detection, response, and reporting of security incidents.
      2. Regularly review and test the disaster recovery plan to ensure readiness for physical or technical incidents.
  6. Data Segregation and Risk Management

    1. Data Segregation:
      1. Ensure logical segregation of customer data, with access strictly controlled based on staff roles and responsibilities.
      2. Maintain a clear separation between business and production environments to prevent cross-contamination of data.
    2. Risk Management:
      1. Conduct regular threat modelling and annual penetration testing to identify and mitigate security risks.
      2. Engage independent external auditors to perform periodic reviews of Company’s security practices, such as SOC 2 certification audits.
  7. Personnel and Physical Security

    1. Personnel Security:
      1. Perform background checks on employees with access to customer data and provide annual and supplemental security training.
    2. Physical Security:
      1. Implement physical security controls, including video surveillance and access control systems at office facilities.
      2. Establish visitor management protocols, ensuring all entries and exits are logged and monitored.
  8. Third-Party Risk Management

    1. Vendor Management:
      1. Require written contracts with third-party vendors to ensure they implement appropriate safeguards for customer data.
      2. Conduct formal vendor assessments as part of Company’s third-party risk management program.
  9. Security Evaluations and IT Governance

    1. Regular Evaluations:
      1. Perform ongoing security and vulnerability assessments to ensure compliance with industry standards and contractual obligations.
      2. Regularly test and evaluate disaster recovery plans, software updates, and conduct penetration tests.
    2. IT Governance:
      1. Implement governance processes for data minimization, quality assurance, limited retention, and accountability.
      2. Maintain clear policies and procedures for handling data subject rights requests, ensuring compliance with applicable regulations.