Data Processing Agreement
Framework for Business Customers.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between TokTalk (the "Data Processor") and business subscribers (the "Data Controller"). It reflects the parties' agreement regarding the processing of personal data.
1. Nature and Purpose of Processing
The Data Processor receives audio input from the Data Controller's authorized users and processes this audio via speech-to-text artificial intelligence models to generate text output.
Critical Provision: The Data Processor explicitly guarantees that audio input is never permanently stored on disk and is processed exclusively in transient memory (RAM), purged immediately after transcription. The resulting text output (transcriptions) is stored persistently in the user's account to provide transcription history functionality, and can be deleted by the user at any time. Neither audio input nor text output is utilized to train, fine-tune, or otherwise improve the Data Processor's or its sub-processors' underlying artificial intelligence models.
2. Categories of Data
- Transient Data: Audio voice recordings (processed amnesically in RAM, without persistent storage).
- User Content: Raw transcriptions and enhanced text output, stored persistently in the user's account for history and retrieval purposes. Deletable by the user at any time.
- Persistent Data: User account credentials, application settings, custom dictionaries ("DictionaryEntries"), and text expansions ("Snippets") created by the user.
3. Controller Obligations
The Data Controller warrants that it has the necessary lawful basis to process the personal data transmitted to TokTalk. The Data Controller bears sole responsibility for the accuracy, quality, and legality of the personal data and the means by which it acquired the data.
4. Processor Obligations
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country (TokTalk guarantees all primary processing occurs within the EEA).
- Ensure that persons authorized to process the personal data have committed themselves to strict confidentiality.
- Implement appropriate technical and organizational measures ensuring a level of security appropriate to the risk, including TLS 1.3 encryption in transit and AES-256 encryption at rest for persistent metadata.
- Assist the Controller by appropriate technical and organizational measures in fulfilling its obligation to respond to requests for exercising the data subject's GDPR rights.
5. Sub-processors
The Data Controller grants the Data Processor general authorization to use sub-processors. The current list of sub-processors includes:
- Mistral AI (France): AI model hosting and processing.
- Vercel / Supabase: Next.js edge-function hosting and secure PostgreSQL database hosting.
- Mollie (Netherlands): Secure payment and invoicing orchestration.
- Resend (United States): Transactional email delivery for account-related communications. Governed by Standard Contractual Clauses (SCCs) for EU data protection compliance.
The Data Processor explicitly restricts its sub-processors from utilizing any data flowing through TokTalk to train their own respective AI models (zero-data-retention agreements are enforced).
6. Execution
Business customers who require a signed, formalized copy of this DPA for their compliance registry can email us to receive a digitally signable version via DocuSign.
Legal Inquiries: info@toktalk.co