Data Processing Agreement

1. Purpose and Scope

The purpose of this “Data Processing Agreement” is to define the conditions under which Gladia (hereinafter the “Processor”) undertakes to carry out in the name and on behalf of the Customer (hereinafter the “Controller” or the “Data Controller”) the personal data processing operations defined in Annex I. Annexes I to III form an integral part of the Agreement.

Personal data will be processed for the purpose of performing the services pursuant to the Agreement, in particular for the purpose of processing personal data, including audio or video files transmitted by the Data Controller to the Processor in accordance with the Agreement.

In the context of their contractual relations, the Parties undertake to comply with the regulations applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 applicable from 25th May 2018, Section 5 of the Federal Trade Commission Act, the FTC Standards for Safeguarding Customer Information, best industry standards, and all other state and federal privacy and data breach notification laws and regulations (including without limitation regulations relating to the foregoing enumerated statutes) governing the collection, transfer, processing, and security of personal data (all together, the “Data Protection Laws”).

2. Interpretation and hierarchy

Where terms defined in the Data Protection Laws appear in this Agreement, they shall be construed as in the Data Protection Laws.

The provisions of the Agreement should be read and interpreted considering the provisions of the Data Protection Laws.

In the event of any conflict between these provisions and those of related agreements existing between the Parties at the time of the conclusion of this Agreement, the Agreement shall prevail.

3. Description of processing operations

Any processing of personal data under this Agreement will be carried out in accordance with the Data Protection Laws. The Processor, as a service provider, is not, however, responsible for compliance with the laws and regulations strictly applicable to the Data Controller or its industry, unless explicitly agreed otherwise between the Parties.

The details of the processing operations, and in particular the categories of personal data and the purposes of the processing for which the personal data are processed on behalf of the Controller, are specified in Annex I.

When the Controller wishes to change the subject, duration, nature and purpose of the processing of personal data, it shall inform the Processor in writing. When the Processor considers that the modification does not comply with the regulations in force, it informs the Data Controller.

4. Privacy and data protection representatives

Where required by regulation, the Parties will appoint privacy and data protection officers (hereinafter "Data Protection Officer" or "DPO"), and will exchange contact information.

The DPO of the Gladia Processor can be contacted at the following email address: privacy@gladia.io

5. Obligations of the Parties

5.1. Instructions

a) The Processor shall only process personal data on documented instructions from the Controller, unless it is required to do otherwise under Data Protection Laws. In this case, the Processor shall inform the Controller of this legal obligation prior to processing, unless prohibited by law for important reasons of public interest. Instructions may also be given during the configuration and use of the solution or later by the Data Controller throughout the processing of personal data. These instructions must always be documented and written. The Parties acknowledge that this Agreement constitutes such documented instructions.

b) When the Processor detects an instruction that could potentially constitute a violation of Data Protection Laws, it shall immediately inform the Data Controller.

5.2. Responsibilities

a) The Data Controller is responsible for the legality of the personal data and their processing pursuant to the Agreement. It declares and warrants that when providing personal data to the Processor for processing by the latter:
(i) it has duly informed data subjects of their rights and obligations and, in particular, informed them of the possibility that the Processor (or a category of service providers to which it belongs) may process their personal data on its behalf and in accordance with its instructions and it has obtained such data subject’s consent, to the extent required;
(ii) that it has complied with all legislation relating to the protection of personal data in the collection of such personal data and its communication to the Processor.

b) The Data Controller is responsible for the security of personal data provided to the Processor and will be liable for any harm resulting from data corruption, including damage caused by viruses or other security breaches, originating from unsafe data shared by the Data Controller.

c) The Data Controller is responsible for any misuse of IT devices by one of its agents as well as for the quality and accuracy of the personal data entered by its agents. The Data Controller shall indemnify the Processor against any claim by a third party, including the Data subject, resulting from misuse of IT devices and specific obligations of data protection regulations.

d) The Data Controller acknowledges and accepts that the Processor shall only provide analyses based on the data processed by the Controller which constitute only one of the possible means to enable the Data Controller to achieve its performance objectives. Under no circumstances may the Processor be held responsible for the decisions taken by the Controller based on the reports sent by the Processor.

5.3. Purpose limitation

The Processor processes personal data only for the specific purpose(s) of the processing, as defined in Annex I, unless further instructed by the Controller.

5.4. Duration of processing of personal data

Processing by the Processor shall only take place for the period specified in Annex I.
The Processor undertakes to keep personal data only for the period necessary to achieve the purposes for which they are processed, unless a legal or regulatory provision obliges it to keep them for longer periods. The Processor will destroy the personal data or return them to the Data Controller, either when the purpose for which they are processed is achieved or at the end of the legal or regulatory retention period.

5.5. Disclosure

a) The Processor will not disclose any personal data to any third party except (i) at the request of the Controller, (ii) as provided for in the Agreement, (iii) as required by processing by sub-processors in accordance with this Agreement or (iv) as required by law or a competent authority.

b) If the Controller instructs the Processor to transfer personal data to a third party contractually linked to the Controller, it is the sole responsibility of the Controller to enter into a written agreement with such party regarding the protection of such personal data, including, where applicable, the obligations imposed by the Data Protection Laws, including using the standard contractual clauses issued by the European Commission. The Controller shall indemnify, defend and hold harmless the Processor from any liability for any losses whatsoever arising from such transfer of data to the third party, unless and insofar as the losses are attributable to proven defects of the Processor.

c) The Processor represents and warrants that persons acting on its behalf who are authorized to process personal data undertake to protect the security and confidentiality of the personal data in accordance with the provisions of this Agreement. To this end, the Processor is obliged to inform persons acting on its behalf who have access to the personal data of the applicable requirements and to ensure compliance with such requirements through contractual or legal confidentiality obligations.

5.6. Security of processing

a) The Data Controller shall implement and maintain the required technical and organizational data protection measures for the components it provides or controls, including workstations connected to the Processor's services, the data transfer mechanisms used and the identifiers issued to the Controller's personnel. The Data Controller shall take all reasonable measures to keep the personal data up to date to ensure that they are accurate and complete in relation to the purpose for which they were collected.

b) The Processor shall implement the technical and organizational measures specified in Annex II to ensure the security of personal data. These measures include the protection of data against any breach of security resulting in, accidentally or unlawfully, the destruction, loss, alteration, unauthorized disclosure of or access to personal data (personal data breach). When assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to data subjects. During the term of the Agreement, the Data Controller may request the Processor to provide, within a reasonable time, a current description of the technical and organizational protection measures implemented.

c) When assessing appropriate technical and organizational security measures, the Parties shall take into account:
(i) state of the art,
(ii) the cost of implementing the measures,
(iii) the nature, scope, context and purposes for which the personal data are processed,
(iv) the risks posed by the processing of data to the rights and freedoms of Data subjects, resulting, inter alia, from the destruction, loss, alteration or unauthorized disclosure of, or accidental or unlawful access to, personal data transmitted, stored or otherwise processed,
(v) and the likelihood that the processing will affect the rights and freedoms of Data subjects.

d) The Processor shall grant its personnel members access to the personal data subject to the processing only to the extent strictly necessary for the execution, management and monitoring of the contract. The Processor shall ensure that persons authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.

e) These measures shall be updated by the Parties in the light of the state of the art and any incidents.

5.7. Documentation and Compliance

a) The Parties shall be able to demonstrate compliance with this Agreement.

b) The Processor shall promptly and adequately process the Controller's requests for data processing in accordance with this Agreement.

c) The Processor shall make available to the Controller the information necessary to demonstrate compliance with the obligations set out in this Agreement and arising directly from the Data Protection Laws. At the request of the Controller and at its expense, the Processor shall also allow and contribute to audits of the processing activities covered by this Agreement at reasonable intervals or where there are indications of non-compliance. When deciding on an examination or audit, the Controller may take into account the relevant certifications in the Processor's possession.

d) The Controller may decide to carry out the audit itself or to appoint an independent auditor. Audits may also include inspections at the Processor's premises or physical facilities and shall, where appropriate, be carried out on reasonable notice.

e) The Processor may refuse the selected auditor if the auditor belongs to a competing company. The audit shall be carried out during working hours and in such a way as to minimize disruption of the Processor’s activity. The audit must in no way threaten (i) the technical and organizational security measures implemented by the Processor, (ii) the security and confidentiality of the data of the Processor’s other clients and (iii) the proper functioning and organization of the Processor. In addition, the Data Controller shall ensure that the auditor and, more specifically, the personnel performing the audit are subject to appropriate confidentiality obligations.

f) As far as possible, the Parties shall agree beforehand on the scope of the audit. The audit report will be sent to the Processor for written comments, which will be attached to the final version of the audit report. Each audit report will be considered confidential information.

g) The Parties shall make available to the competent supervisory authorities, upon request, the information set out in this Agreement, including the results of any audit.

5.8. Sub-processors

a) The Processor has the general authorization of the Controller with regard to the recruitment of sub-processors on the basis of an agreed list for the provision of services (Annex III). The Processor shall specifically inform the Controller in writing of any proposed changes to this list by adding or replacing sub-processors at least fifteen (15) days in advance, thereby giving the Controller the opportunity to submit legitimate and justified objections. In the absence of notification of objections after this period, the Controller shall be deemed to have authorized the use of the sub-processor concerned. The Processor shall provide the Controller with the information necessary to enable it to exercise its right of objection. By signing this Agreement, the Data Controller authorizes the recruitment of the sub-processors established in Annex III.

b) In case of continued objections from the Data Controller, the Parties will meet in good faith and do their best to discuss a solution. Gladia may choose (i) not to hire the sub-processor or (ii) to take corrective action as requested by the Data Controller in relation to objections before hiring the sub-processor. If neither option is reasonably possible, and Gladia cannot, for legitimate reasons, hire another sub-processor for processing, either Party may terminate this Agreement upon thirty (30) days’ notice.

c) Where the Processor engages a sub-processor to carry out specific processing activities on behalf of the Controller, it does so by means of a contract that imposes on the sub-processor, in substance, the same data protection obligations as those imposed on the Processor under this Agreement. The Processor shall ensure that the sub-processor complies with the obligations to which it is itself subject under this Agreement and the Data Protection Laws.

d) At the request of the Controller, the Processor shall provide the Controller with a copy of this contract with the sub-processor and any subsequent amendments thereto. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may redact the text of the contract before disseminating a copy.

e) The Processor shall remain fully responsible to the Controller for the performance of the obligations of the sub-processor in accordance with the contract concluded with the sub-processor. The Processor shall inform the Controller of any breach by the sub-processor of its contractual obligations.

f) The Processor shall agree with the sub-processor on a third-party beneficiary clause under which, in the event that the Processor has factually disappeared, ceased to exist in law or has become insolvent, the Controller has the right to terminate the contract with the sub-processor and to instruct the sub-processor to erase or return the personal data.

5.9. International transfers

a) The transfer of personal data to a country outside the European Economic Area is permitted provided that (i) such transfer is necessary under a binding legal rule under Data Protection Laws, (ii) the country or company(ies) to which the personal data are transferred guarantees an adequate level of protection, (iii) or that the transfer takes place within the framework of standard contractual clauses issued by the European Commission (iv) or that the transfer takes place within the Data Protection Framework in force and approved by the European Commission.

b) The Processor guarantees that the country or company to which the personal data is transferred guarantees an adequate level of protection.

6. Assistance to the controller

a) The Parties undertake to provide mutual assistance to meet the requirements of the Data Protection Laws. In particular, they shall cooperate and exchange the information necessary to carry out data protection impact assessments, audits and inspections relating to the processing of personal data.

b) The Processor shall promptly inform the Data Controller of any request it has received from the data subject. It shall not itself comply with this request unless the Data Controller has authorized it to do so.

c) The Processor assists the Controller in fulfilling its obligation to respond to data subjects' requests to exercise their rights, taking into account the nature of the processing. In performing its obligations in accordance with points b) and c), the Processor shall comply with the instructions of the Controller.

d) In addition to the Processor's obligation to assist the Controller, the Processor shall also assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information that the Controller has made available to its Processor:
(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ('data protection impact assessment') where a type of processing is likely to pose a high risk to the rights and freedoms of natural persons;
(2) the obligation to consult the competent supervisory authorities prior to processing where a data protection impact assessment indicates that the processing would pose a high risk if the Controller did not take measures to mitigate the risk;
(3) the obligation to ensure that the personal data are accurate and up-to-date, by informing the Controller without undue delay if the Processor becomes aware that the personal data it processes are inaccurate or have become obsolete;
(4) the obligations laid down in Article 32 of Regulation (EU) 2016/679.

e) The Parties shall set out in Annex II the appropriate technical and organizational measures by which the Processor is required to assist the Controller in the application of this Agreement, as well as the scope and extent of the assistance required.

7. Breach of personal data protection

In the event of a breach of the protection of personal data, each Party shall inform the other Party by telephone and email immediately after detecting it.

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller in complying with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or Articles 34 and 35 of Regulation (EU) 2018/1725, whichever is applicable, or any other obligation under the applicable Data Protection Laws, taking into account the nature of the processing and the information available to the Processor.

7.1. Data breach in relation to processes managed by the Controller

As part of the relationship between the Data Controller and the Processor, in the event of a personal data breach in relation to processing managed by the Controller, the Processor shall assist the Controller:

a) for the purpose of notifying the personal data breach to the competent supervisory authorities, as soon as possible after the Controller becomes aware of it, where applicable (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

b) for the purpose of obtaining the following information which, in accordance with Article 33(3) of Regulation (EU) 2016/679 and any similar provision provided in the Data Protection Laws, is to be included in the Controller's notification and which includes, at least:
(i) the nature of the personal data, including, where possible, the categories and approximate number of data subjects affected by the breach and the categories and approximate number of records of personal data concerned;
(ii) the likely consequences of the personal data breach;
(iii) the measures taken or the measures that the Controller proposes to take to remedy the personal data breach, including, where applicable, measures to mitigate any negative consequences.

Where, and to the extent that, it is not possible to provide all the information at the same time, the initial notification shall contain the information available at that time and, as it becomes available, additional information shall subsequently be submitted as soon as possible.

c) for the purpose of fulfilling, in accordance with Article 34 of Regulation (EU) 2016/679 and any similar provision provided in the applicable Data Protection Laws, the obligation to communicate the personal data breach to the data subject without undue delay, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

7.2. Data breach in relation to processes managed by the Processor

In the event of a personal data breach in relation to processes managed by the Processor, the Processor shall inform the Controller as soon as possible after becoming aware of it. This notification shall contain at least:

a) a description of the nature of the breach found (including, where possible, the categories and approximate number of persons affected by the breach and records of personal data concerned);

b) the contact details of a contact point from which additional information can be obtained about the personal data breach;

c) its likely consequences and the measures taken or proposed to be taken to remedy the violation, including mitigating any negative consequences.

Where, and to the extent that, it is not possible to provide all the information at the same time, the initial notification shall contain the information available at that time and, as it becomes available, additional information shall subsequently be submitted as soon as possible.

The Parties shall set out in Annex II all other elements to be communicated by the Processor when assisting the Controller in fulfilling the Controller's obligations under Articles 33 and 34 of Regulation (EU) 2016/679 and any similar provision provided in the applicable Data Protection Laws.

8. Termination of the Agreement

Following the termination of the Agreement and according to the choice of the Controller, the Processor shall either (i) delete all personal data processed on the Controller's behalf and certify to the Controller that it has carried out this deletion, or (ii) return all personal data to the Controller and destroy existing copies, unless Union or national law requires that they be kept longer. The Processor shall continue to ensure compliance with this Agreement until the data is deleted or returned.

List of Annexes:

- Annex I: Description of processing

- Annex II: Technical and organizational measures, including technical and organizational measures to ensure data security

- Annex III: List of sub-processors

Annex I: Description of processing

Categories of data subjects: Users of the API

Categories of personal data processed: Contact information (name, date of birth, address); video imaging, voice

Nature of processing: In particular, the Data Controller shall define the nature of the processing when it imports data into the Processor's services and configures the solution.

- Collection
- Structuring
- Storage
- Adaptation or modification
- Recovery
- Consultation
- Use
- Disclosure by transmission
- Alignment or combination
- Erasure or destruction

Purpose(s) for which the data are processed on behalf of the Data Controller: Processing personal data, including audio or video files transmitted by the Data Controller to the Processor to use the API in accordance with the Agreement.

Duration of processing: Duration of the Agreement + 5 years

Data localization: Europe, USA

Annex II: Technical and organizational measures, including technical and organizational measures to ensure data security

Description of the technical and organizational security measures implemented by the Processor(s) (including any relevant certification) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.

  • Gladia uses reputable third-party service providers to host its production infrastructure. Gladia relies on these third parties to manage the physical access controls to the data center facilities that they manage. Some of the measures that Gladia’s service providers provide to prevent unauthorized persons from gaining physical access to the data processing systems available at premises and facilities (including databases, application servers and related hardware), where Personal Data is Processed.

  • Gladia maintains and enforces a security program that addresses how Gladia manages security, including the security controls Gladia employs. The security program includes:
    • documented policies that Gladia formally approves, internally publishes, communicates to appropriate personnel and reviews at least annually;
    • documented, clear assignment of responsibility and authority for security program activities;
    • regular testing of the key controls, systems and procedures.

  • All Gladia employees and Gladia independent contractors who may have access to data, including those who Process Personal Data, acknowledge their data security and privacy responsibilities under Gladia’s policies.

  • For Personnel, Gladia, either itself or through a third party:
    • implements pre-employment background checks and screening
    • conducts security and privacy training

  • Authentication
    • Gladia authenticates each Personnel’s identity through appropriate authentication credentials such as strong passwords, token devices or biometrics.

  • Training and Awareness
    • Annual Security and Privacy Training. Gladia’s employees complete an annual Security and Privacy awareness training on Gladia’s data security and confidentiality policies and practices.

Annex III: List of sub-processors

The Processor shall use the following sub-processors:

1. Access Management to Gladia User interface (app.gladia.io): No user data (neither audio nor text) is processed in this section.

Sub-processor 1
Identity of the Processor: Amazon Web Services (AWS) Inc, P.O. Box 81226, Seattle, WA 98108-1226, United States
Contact details: Hadrien Halmela, Sr Account Manager, almela@amazon.fr
Type(s) of operation(s) outsourced by Gladia:
- AWS Cognito (customer identity and access management)
- AWS Cloudwatch (service to observe and monitor AWS resources and applications)
- AWS S3 (object storage)
Categories of personal data and data subjects in the context of outsourced operations: First Name, Last Name, Email
Data location: USA and Europe

2. For User Data Audio and text Processing (api.gladia.io and app.gladia.io):

Sub-processor 2
Identity of the Processor: OVH Cloud
Address: 2 rue Kellermann - 59100 Roubaix - France
RCS Lille Métropole 424 761 419 00045
VAT number: FR 22 424 761 419
Contact details: Louis Vallette Viallard, Sales and Business Developer, louis.vallette-viallard@ovhcloud.com
Type(s) of operation(s) outsourced by Gladia:
- OVH Instance (cloud infrastructure services – Gravelines, France)
- OVH Object Storage (object storage – Gravelines, France)
Categories of personal data and data subjects in the context of outsourced operations: API usage (number of calls, audio length,...); audio files, logs, transcription, emails
Data location: Gravelines, France (European Union) and USA

Sub-processor 3
Identity of the Processor: Shadow
Address: 42 avenue de la Porte de Clichy, 75017 Paris
RCS Paris 891 586 299
Contact details: dpo@shadow.tech
Type(s) of operation(s) outsourced by Gladia:
- Storage
- Processing
Categories of personal data and data subjects in the context of outsourced operations: Voice, logs, transcription
Data location: France (European Union) and USA

Sub-processor 4
Identity of the Processor: Pyannote
Address: 2 allée de l’Autan, 31320 Auzeville-Tolosane
RCS Paris 924 837 636
Contact details: vincent@pyannote.ai
Type(s) of operation(s) outsourced by Gladia:
- Storage
- Processing
Categories of personal data and data subjects in the context of outsourced operations: Voice, logs, transcription
Data location: France (European Union)

Sub-processor 5
Identity of the Processor: OpenAI Ireland Limited
Address: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
Contact details: privacy.openai.com, dsar@openai.com
Type(s) of operation(s) outsourced by Gladia:
- Storage
- Processing
Categories of personal data and data subjects in the context of outsourced operations: Voice, logs, transcription
Data location: USA and European Union

Sub-processor 6
Identity of the Processor: DeepL SE
Address: Maarweg 165 50825 Köln, Germany
Contact details: dhpg IT-Services GmbH, Bunsenstr. 10a, 51647 Gummersbach, Germany, datenschutz@dhpg.de
Type(s) of operation(s) outsourced by Gladia:
- Storage
- Processing
Categories of personal data and data subjects in the context of outsourced operations: Voice, logs, transcription, translation
Data location: USA and European Union

Sub-processor 7
Identity of the Processor: Together Computer Inc
Address: 801 El Camino Real, Menlo Park, CA 94025 (USA)
Contact details: privacy@together.ai
Type(s) of operation(s) outsourced by Gladia:
- Storage
- Processing
Categories of personal data and data subjects in the context of outsourced operations: Voice, logs, transcription, translation
Data location: USA and European Union

Sub-processor 8
Identity of the Processor: Meta Platforms Ireland Limited
Address: Privacy Operations, Merrion Road, Dublin 4, D04 X2K5, Ireland
Contact details: https://www.facebook.com/help/contact/540977946302970
Type(s) of operation(s) outsourced by Gladia:
- Storage
- Processing
Categories of personal data and data subjects in the context of outsourced operations: Voice, logs, transcription, translation
Data location: USA and European Union

Sub-processor 9
Identity of the Processor: Mistral AI
Address: 15 rue des Halles, 75001 Paris
Contact details: privacy@mistral.ai
Type(s) of operation(s) outsourced by Gladia:
- Storage
- Processing
Categories of personal data and data subjects in the context of outsourced operations: Voice, logs, transcription, translation
Data location: USA and European Union

Sub-processor 10
Identity of the Processor: Private AI
Address: 428-192 Spadina Ave., Toronto, ON M5T 2C2, Canada
Contact details: info@private-ai.com
Type(s) of operation(s) outsourced by Gladia:
- Storage
- Processing
Categories of personal data and data subjects in the context of outsourced operations: Voice, logs, transcription, translation
Data location: USA, Canada and European Union

3. For support services:

Sub-processor 11
Identity of the Processor: Intercom R&D Unlimited Company
Address: 124 St Stephen’s Green, Dublin 2, DC02 C628, Ireland
Contact details: https://www.intercom.com/privacy-form
Type(s) of operation(s) outsourced by Gladia:
- Storage
- Processing
Categories of personal data and data subjects in the context of outsourced operations: Identity, requests
Data location: USA, Australia, United Kingdom and European Union

4. For payment of the subscription:

Sub-processor 12
Identity of the Processor: Stripe
Address: Corporation Trust Center, 1209 Orange Street, Wilmington, New Castle, DE 19801, USA
Contact details: Stripe Privacy Team, privacy@stripe.com, dpo@stripe.com
Type(s) of operation(s) outsourced by Gladia: Facilitating payment transactions
Categories of personal data and data subjects in the context of outsourced operations: Process Payment Account Details, bank account details, billing/shipping address, name, date/time/amount of transaction, device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, identity information including government issued documents (e.g., national IDs, driver’s licenses and passports)
Data location: France and United States