Data Processing Agreement (DPA)
This Data Processing Agreement (hereinafter “DPA”) supplements the Terms of Service and the Privacy Policy of SpokenEdit. It applies between the user as the data controller within the meaning of the GDPR (hereinafter “Controller”) and the provider as the data processor (hereinafter “Processor”).
§ 1 Subject Matter and Duration
(1) The Processor processes personal data on behalf of the Controller in connection with the provision of the online service SpokenEdit pursuant to Art. 28 GDPR.
(2) The Processor is:
SpokenEdit
Jörg Harm
Melunder Str. 40
70569 Stuttgart
Germany
Email: [email protected]
(3) The duration of the processing corresponds to the term of the service agreement between the Controller and the Processor. This DPA automatically terminates upon termination of the service agreement.
§ 2 Nature and Purpose of Processing
(1) The processing is carried out solely for the purpose of providing the SpokenEdit platform for collaborative audio review. This includes in particular:
- Storage and provision of audio files
- Management of workspaces and projects
- Processing of markers and comments
- Enabling collaborative reviews within teams
- Versioning of audio files
- Provision of review links for guest users
- Export of marker data
(2) No processing beyond this scope takes place. The Processor does not use the data for its own purposes.
§ 3 Types of Personal Data
The following categories of personal data are processed under this agreement:
- Audio files: Recordings that may contain voices and speech
- Account data: Names, email addresses of team members and guest users
- Usage data: Markers, comments, timestamps, version information
- Log data: IP addresses (automatically anonymized after 90 days), access times
§ 4 Categories of Data Subjects
The processing concerns the following categories of data subjects:
- Narrators, authors, and artists (whose voices are contained in the audio files)
- Editors, directors, and reviewers (who participate as team members)
- Other employees and agents of the Controller
- Guest users (who access via review links)
§ 5 Obligations of the Controller
(1) The Controller is solely responsible for the lawfulness of data processing and for safeguarding the rights of data subjects.
(2) The Controller issues instructions to the Processor regarding data processing. The scope of processing in accordance with instructions is defined by this DPA and the Terms of Service.
(3) The Controller shall inform the Processor without undue delay if they detect errors or irregularities in the processing.
§ 6 Obligations of the Processor
(1) The Processor shall process personal data solely on the basis of documented instructions from the Controller, unless required to do so by EU or Member State law.
(2) The Processor ensures that persons authorized to process the personal data are bound by confidentiality obligations.
(3) The Processor assists the Controller in fulfilling data subject rights (Art. 15–22 GDPR) to the extent possible.
(4) The Processor assists the Controller in ensuring compliance with obligations under Art. 32–36 GDPR (security of processing, notification of data breaches, data protection impact assessments).
(5) In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach.
§ 7 Sub-processors
(1) The Controller agrees to the engagement of the following sub-processors:
| Company | Purpose | Location |
|---|---|---|
| ALL-INKL.COM - Neue Medien Münnich | Server hosting, data storage | Germany |
| Paddle.com Market Ltd | Payment processing (Merchant of Record) | United Kingdom |
(2) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors. The Controller has the opportunity to object to such changes.
(3) The Processor ensures that the same data protection obligations as set out in this DPA are imposed on the sub-processors.
§ 8 Technical and Organizational Measures
The Processor implements the following measures pursuant to Art. 32 GDPR to protect personal data:
- Encryption: All data is transmitted via HTTPS/TLS encryption
- Password security: Passwords are hashed with bcrypt and never stored in plain text
- Server location: All data is stored exclusively on servers in Germany
- Access control: Access to production systems is restricted to the operator and secured by SSH keys
- IP anonymization: IP addresses in the activity log are automatically anonymized after 90 days
- Analytics: Self-hosted Matomo on own infrastructure, cookie-free, no data shared with third parties
- Local fonts: All fonts are loaded locally, no external requests
- Soft delete: Deleted data is first moved to the trash (7 days) and then permanently deleted
- Backups: Regular data backups for recovery in case of data loss
§ 9 Audit Rights
(1) The Controller has the right to verify compliance with the provisions of this DPA and applicable data protection regulations.
(2) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
(3) Audits, including inspections by the Controller or an auditor mandated by the Controller, are possible upon prior arrangement and with due regard for business operations.
§ 10 Data Deletion
(1) Upon termination of the service agreement, the Processor shall delete all personal data processed on behalf of the Controller within 30 days, unless statutory retention obligations apply.
(2) Deleted projects, chapters, and audio files are first moved to the trash and can be restored upon request within 7 days. After the 7-day period, the data is automatically and irreversibly deleted.
(3) The Processor shall confirm the deletion to the Controller upon request.
§ 11 Final Provisions
(1) The law of the Federal Republic of Germany applies.
(2) Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall not be affected.
(3) Amendments and supplements to this DPA must be made in text form.
(4) This DPA takes effect upon acceptance of the SpokenEdit Terms of Service and forms an integral part of the contractual relationship.
Last updated: February 2026