Data Processing Addendum
Last updated: March 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between VoxeNova and the Customer, and sets out the terms under which VoxeNova processes personal data on behalf of the Customer in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection legislation.
1. Parties
- Data Controller: The Customer ("Controller") — the entity that has entered into a service agreement with VoxeNova and determines the purposes and means of processing personal data through the Service.
- Data Processor: VoxeNova ("Processor") — provides the AI meeting facilitation platform and processes personal data on behalf of the Controller.
2. Subject Matter and Purpose
The Processor processes personal data on behalf of the Controller for the purpose of providing AI-powered meeting facilitation services, including:
- Joining meetings via video conferencing platforms through the Recall.ai bot platform
- Capturing and transcribing meeting audio in real time
- Analysing meeting content using AI (Claude on AWS Bedrock) to extract structured artefacts
- Generating diagrams, visual artefacts, and meeting summaries
- Delivering extracted artefacts (requirements, decisions, action items, risks) to the Controller
3. Categories of Personal Data
The following categories of personal data are processed:
- Meeting audio: Voice recordings captured during meetings
- Transcripts: Text transcriptions of meeting conversations
- Participant names: Names of meeting participants as provided by the video conferencing platform
- Extracted artefacts: Requirements, decisions, action items, risks, and other structured data derived from meeting content
- Diagram data: AI-generated diagrams and associated metadata
4. Categories of Data Subjects
The personal data processed concerns the following categories of data subjects:
- Meeting participants (employees, contractors, and external attendees of the Controller's meetings)
- Employees and representatives of the Controller's organisation
5. Duration of Processing
The Processor shall process personal data for the duration of the service agreement between the parties, plus the applicable data retention period (default: 365 days, configurable per customer). Upon termination, the Processor shall delete all personal data within 30 days unless retention is required by applicable law.
6. Authorised Sub-processors
The Controller authorises the Processor to engage the following sub-processors. The Processor shall notify the Controller of any intended changes to sub-processors, providing the Controller an opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Recall.ai | Meeting bot platform, audio capture from video conferencing | United States |
| AWS Bedrock (Claude) | AI analysis, content extraction, diagram generation | Per customer region |
| Deepgram | Speech-to-text transcription | United States |
| Cartesia | Text-to-speech voice synthesis for AI facilitator | United States |
| Stripe | Payment processing and subscription billing | United States / Ireland |
| Hetzner Cloud | Virtual machine hosting, infrastructure | Per customer region (DE/FI/US/SG) |
7. Technical and Organisational Measures
The Processor implements the following measures to ensure the security and integrity of personal data:
7.1 Tenant Isolation
Each customer is provisioned a dedicated virtual machine with network-level isolation. Customer environments do not share compute resources, storage volumes, or database instances with other tenants.
7.2 Encryption at Rest
All customer data partitions are encrypted using LUKS (Linux Unified Key Setup) full-disk encryption. Disk encryption keys are unique per customer and are held in our secrets management system, where they are themselves encrypted using Fernet symmetric encryption.
7.3 Encryption in Transit
All network communications use TLS 1.2 or higher. Internal service-to-service communications are encrypted. Certificate verification is enforced on all outbound connections.
7.4 Access Control
Infrastructure access is managed through an SSH Certificate Authority (CA). Password-based authentication is disabled. A tiered access control model governs administrative access:
- Tier 1 — Diagnostics: Read-only access to sanitised logs and system metrics
- Tier 2 — Maintenance: Service restart and configuration update capabilities
- Tier 3 — Data Access: Requires dual authorisation (two admin approvals) for any access to customer data
7.5 Audit Logging
All administrative actions are recorded in append-only audit logs with actor fingerprinting (IP address, user agent, authentication method). Audit logs are retained for the duration of the service agreement.
7.6 Data Residency
Customer data is stored exclusively in the data region selected during registration. Five regions are available (EU Germany, EU Finland, US East, US West, Asia-Pacific Singapore). GDPR data residency fields, including retention period, deletion tracking, and DPA acceptance, are maintained per customer record.
7.7 Log Sanitisation
Automated PII redaction is applied to all system and application logs. Email addresses, names, and other personally identifiable information are sanitised before log storage.
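As an added illustration of the log sanitisation described above (example code written for this page, not VoxeNova's own implementation), the following Python logging filter redacts email addresses and the current meeting's known participant names before a record reaches any handler; the participant list, the regex, and the redaction tokens are assumptions.

```python
import logging
import re

# Email pattern (assumed); participant names are redacted from a runtime list
# rather than guessed, because the conferencing platform supplies them.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_name_pattern(names):
    """Compile a case-insensitive, whole-word pattern for the participant names.
    Longest names first so 'Ana Lima' is redacted as one token, not as 'Ana'."""
    escaped = [re.escape(n) for n in sorted(names, key=len, reverse=True) if n.strip()]
    if not escaped:
        return None
    return re.compile(r"\b(?:" + "|".join(escaped) + r")\b", re.IGNORECASE)


def sanitise(message, names=()):
    """Return the message with emails and participant names redacted.
    Emails are handled first so a name inside a local-part cannot survive."""
    out = EMAIL_RE.sub("[EMAIL_REDACTED]", message)
    pattern = build_name_pattern(names)
    if pattern:
        out = pattern.sub("[NAME_REDACTED]", out)
    return out


class PiiRedactingFilter(logging.Filter):
    """logging.Filter that rewrites each record before any handler stores it."""

    def __init__(self, participant_names):
        super().__init__()
        self.names = list(participant_names)

    def filter(self, record):
        # Render the message once, then drop args so no handler can re-format
        # the record with the raw (unredacted) values.
        record.msg = sanitise(record.getMessage(), self.names)
        record.args = ()
        return True


if __name__ == "__main__":
    log = logging.getLogger("meeting")
    log.addFilter(PiiRedactingFilter(["Ana Lima", "Bob"]))
    logging.basicConfig(level=logging.INFO)
    # Constructed sample line, not a real log entry.
    log.info("Ana Lima (ana.lima@example.com) assigned an action item to Bob")
```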
7.8 Secrets Management
Customer-specific secrets (API keys, database credentials, encryption keys) are encrypted using Fernet symmetric encryption with unique per-customer keys. Platform secrets and customer secrets are stored separately to prevent cross-contamination.
8. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. The notification shall include:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
9. Data Deletion
Upon termination of the service agreement, or upon the Controller's written request, the Processor shall delete all personal data within 30 days. Data deletion is performed using secure shredding methods that render the data unrecoverable. The Processor shall provide written confirmation of deletion upon request.
Where the Processor is required by applicable law to retain certain data beyond the 30-day deletion period, the Processor shall inform the Controller of such requirement and limit processing to that which is required by law.
10. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted:
- Upon 30 days' written notice to the Processor
- During normal business hours and in a manner that does not unreasonably disrupt the Processor's operations
- At the Controller's expense, unless the audit reveals material non-compliance
The Processor shall cooperate fully with any audit and provide access to relevant documentation, systems, and personnel. The Processor may also provide the Controller with relevant third-party audit reports or certifications to satisfy audit requirements.
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Ireland, without regard to its conflict of law provisions. For customers in the European Economic Area, the GDPR and applicable member state data protection laws shall apply. Any disputes shall be subject to the exclusive jurisdiction of the courts of Ireland.
This DPA is automatically incorporated into your service agreement when you register for VoxeNova. For questions about data processing or to request a signed copy, contact us at [email protected].