Data processing agreement (DPA)
If you have any questions email us at yourfriends@goodtape.io

Effective Jan 18, 2025
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement (“MSA”), Service Level Agreement (“SLA”) and all other terms and conditions available at https://goodtape.io (collectively, the “Agreement”) between the undersigned customer which is a party to such Agreement (“Customer”), and Good Tape ApS (“Provider”, “we”, “us”). Customer and Provider are each referred to as a “Party” and collectively as the “Parties”.
Except as modified below, the terms of the Agreement shall remain in full force and effect. Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this DPA and the Agreement, this DPA will control. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
1. DEFINITIONS
The terms used in this DPA shall have the meanings set forth in this DPA or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:
“Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Provider or Customer, respectively.
“Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Provider is subject, including, but not limited to, (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) including the applicable implementing legislation of each Member State (“EU GDPR”), (b) any other applicable law with respect to any Personal Data to which the Provider is subject, and (c) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.
“Customer Transcription Data” shall mean any content, in writing or audio (or any other media), provided by the Customer through the Services, including but not limited to Personal Data.
“Data Subject” shall mean an identified or identifiable natural person.
“EEA” means the European Economic Area.
“Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by Provider, on behalf of Customer, in connection with Provider’s performance of the Services.
“Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters in the jurisdiction of the Provider.
“Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.
“Security Breach” means a breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody or control. Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
“Services” shall mean the services as described in the Agreement or any related order form or statement of work.
“Standard Contractual Clauses” means (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same have been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”).
“Subprocessor” shall mean any subcontractor (including any third party and/or Provider Affiliate) engaged by Provider to Process Personal Data on behalf of Customer.
“Supervisory Authority” shall, in the context of the EU GDPR, have the meaning given to that term in Article 4(21) of the EU GDPR.
2. PROCESSING REQUIREMENTS
2.1
Provider shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Customer’s instructions, and as may subsequently be agreed between the Parties in writing. The details of Provider’s Processing of Customer’s Personal Data are described in Exhibit A. Provider shall promptly inform Customer if (a) in Provider’s opinion, an instruction from Customer violates Applicable Privacy Law; or (b) Provider is required by applicable law to otherwise Process Personal Data, unless Provider is prohibited by that law from notifying Customer under applicable law.
2.2
Provider shall implement and maintain reasonable and appropriate technical measures that will ensure that Customer’s reasonable and lawful instructions can be complied with, including the following:
(a) updating, amending, correcting, or providing access to the Personal Data of any Data Subject upon written request of Customer from time to time;
(b) canceling, deleting, or blocking access to any Personal Data upon receipt of written instructions from Customer;
(c) otherwise facilitating Customer’s responses to Data Subject requests as required under Applicable Privacy Law; and
(d) Provider shall promptly redirect any request from a Data Subject to exercise any of its Data Subject rights to Customer, and shall not respond directly to the Data Subject unless instructed so by Customer in writing.
2.3
Provider acknowledges that (a) Customer discloses Personal Data to Provider solely for the business purpose of Customer, and (b) Provider has not and will not receive any monetary or other valuable consideration in exchange for its receipt of the Personal Data, and that any consideration paid by Customer to Provider under the Agreement relates only to Provider’s provision of the Services. Provider shall not: (i) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services under the Agreement, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Processing Services under the Services Agreement; (ii) combine the Personal Data with any other personal information, except as specifically instructed by Customer in writing; and (iii) include Personal Data in any product or service offered to third parties. In addition, Provider shall not sell, share, rent, transfer, or purport to transfer Personal Data to a third party for any purpose, except as specifically instructed by Customer in writing, or otherwise disclose any Personal Data except to authorized Subprocessors needed to render the Services.
2.4
Provider shall provide to Customer such co-operation, assistance and information as Customer may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Customer’s provision of the Services, and (b) within such reasonable time as would enable Customer to meet any time limit imposed by the Privacy Authority.
2.5
To the extent Provider receives deidentified Personal Data from Customer or the Services under the Agreement allow for the deidentification of Personal Data, Provider represents and warrants that it will not reidentify, attempt to reidentify, or direct any other party to reidentify any Personal Data that has been deidentified.
3. CONFIDENTIALITY
Without prejudice to any existing contractual arrangements between the Parties, Provider will treat all Personal Data as confidential and it will inform all its employees, agents and any approved Subprocessors engaged in processing the Personal Data of the confidential nature of the Personal Data. Provider will ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
4. SECURITY OF PERSONAL DATA
4.1
Provider shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as set forth in Exhibit B.
4.2
Provider shall ensure the reliability of any employees who Process Personal Data.
5. CUSTOMER OBLIGATIONS
5.1 Customer’s Security Responsibilities
Customer agrees that, without limitation of Provider’s obligations under Section 4 (Security of Personal Data), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Provider uses to provide the Services; and (d) backing up Personal Data.
5.2 Prohibited Data
Customer represents and warrants that no special categories of personal data as defined in Article 9 of the GDPR, including but not limited to data revealing racial or ethnic origin, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, or data concerning health or biometric identifiers, nor any personal data relating to criminal convictions or offenses as defined in Article 10 of the GDPR, shall be submitted to the Provider for processing under this Agreement, unless explicitly agreed by concluding this Agreement and only where the Customer has established a lawful basis for such processing in compliance with applicable data protection laws. Furthermore, Customer warrants that no data processed through the Services will contain personal data of children under the age thresholds specified by applicable Member State law without verifiable parental consent, in accordance with Article 8 of the GDPR. Customer further agrees that the Services shall not be utilized to process, transmit, or store content of a pornographic, violent, threatening, abusive, harassing, defamatory, or otherwise unlawful nature, or any content that could reasonably be expected to endanger or compromise the safety, security, or well-being of any natural person.
5.3
This DPA is valid for the full period in which Customer maintains a paid subscription to the Service and for as long as Provider processes Customer’s Personal Data under the Agreement. Should a Customer choose not to purchase a paid plan, this Agreement does not come into effect, and if Customer cancels an existing paid plan, either deliberately or through delinquency, this Agreement will automatically terminate. The Agreement will still be in effect as long as the Customer is in a dunning process. All Customer data provided in the period where Customer had a paid Agreement will be subject to the terms until deleted by any of the Parties.
6. SUBPROCESSORS
6.1
Customer authorizes Provider to engage the Subprocessors specified in Exhibit C and here. The list is maintained using a digital code repository so that any changes are trackable and carry a timestamp. Provider will at all times remain liable for any Subprocessor’s performance when processing personal data of the Customer hereunder. Provider has informed Customer of the Subprocessors currently engaged and confirms that no other parties will have access to personal data. Provider is responsible for monitoring that Subprocessors hold the certifications and standards necessary to be compliant with applicable law, such as the EU-U.S. Data Privacy Framework, and Provider shall immediately inform Customer if such certifications or standards are no longer met by any Subprocessor. Provider also confirms that the relevant Subprocessors are bound by obligations at least as strict as the obligations of Provider set out in this DPA.
6.2
When engaging any new Subprocessor, Provider will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Provider shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto. Specifically, all existing and new data processors must be located within the jurisdiction of the European Union.
6.3
When the Provider intends to engage any new Subprocessor after the effective date of the Agreement, the Provider shall inform the Customer by written notice prior to the engagement. The Customer shall have the right to object to the engagement of the new Subprocessor by providing written notice of refusal to the Provider within 30 days of receiving the notice. The objection must be based on reasonable grounds relating to the protection of Personal Data. In the event of such an objection, the Provider and the Customer will work together in good faith to find a mutually acceptable resolution. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, the Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to the Provider, and the Customer will pay the Provider for all amounts due and owing under the Agreement as of the date of such termination.
7. BREACH NOTIFICATION
7.1 Notification to Customer
Unless otherwise prohibited by applicable law, Provider shall notify Customer immediately and without undue delay, and in any event within 24 hours after Provider becomes aware of a Security Breach. Such notification shall include, to the extent such information is available (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned), as well as other details relating to the breach as listed in Article 33(3) of the GDPR.
In addition, Provider shall communicate to Customer (i) the name and contact details of Provider’s data protection officer or other point of contact where more information can be obtained, (ii) a description of the likely consequences of the Security Breach, (iii) a description of the measures taken or proposed to be taken by Provider to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.2 Investigation
Provider shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.
8. PRIVACY IMPACT ASSESSMENT
Provider shall, immediately upon receipt of a written request by Customer, assist the Controller in fulfilling its obligations imposed under Articles 32-36 of the GDPR and any equivalent requirements in other Applicable Privacy Law, such as (a) make available to Customer such information as is reasonably necessary to demonstrate Customer’s compliance with Applicable Privacy Law to the extent applicable to the Services, and (b) reasonably assist Customer in carrying out any privacy impact assessment and any required prior consultations with Privacy Authorities, taking into account the nature of the Processing and the information available to Provider. Provider shall reasonably cooperate with Customer to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment. Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, Customer shall not make any such request more than once in any 12-month period.
9. AUDIT RIGHTS
Customer may audit Provider’s and/or its Subprocessors’ compliance with its obligations under this DPA up to once per year and if Customer reasonably suspects that the Provider is in breach of this DPA or Applicable Data Privacy Laws, or on such other occasions as may be required by Applicable Data Privacy Laws, including where mandated by Customer’s Supervisory Authority.
The Processor shall ensure that the Customer has equivalent rights in relation to any Subprocessor.
Provider will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance that Provider considers appropriate in the circumstances and reasonably necessary to conduct the audit.
Customer shall be entitled to submit to the Provider, on an annual basis, an audit questionnaire for the purpose of exercising its audit rights and verifying the Provider’s compliance with the obligations stipulated under this DPA.
To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit.
Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies).
Provider will work cooperatively with Customer to agree on a final audit plan.
Nothing in this Section 9 shall require the Provider to breach any duties of confidentiality.
If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.
The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities.
Each Party shall bear its own costs related to the inspection or audit.
10. DELETION OF PERSONAL DATA
Provider shall delete all the Personal Data on Provider’s systems on Customer’s request and after the end of the provision of Services, and shall delete existing copies unless continued storage of the Personal Data is required by (i) applicable laws of the European Union or its Member States, with respect to Personal Data subject to European Data Protection Laws or (ii) Applicable Data Protection Laws, with respect to all other Personal Data. Provider will comply with such instruction as soon as reasonably practicable after such expiration or termination, unless Applicable Data Protection Laws require storage. Customer may choose to request a copy of such Personal Data from Provider for an additional charge by requesting it in writing at least 30 days prior to expiration or termination of the Agreement. Upon the parties’ agreement to such charge pursuant to a work order or other amendment to the Agreement, Provider will provide such copy of such Personal Data before it is deleted in accordance with this clause.
11. THIRD PARTY DISCLOSURE REQUESTS
11.1
Unless prohibited by applicable law, Provider shall promptly notify Customer of any inquiry, communication, request or complaint, to the extent relating to Provider’s Processing of Personal Data on behalf of Customer, from:
(a) any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or
(b) any Data Subject,
and shall, taking into account the nature of the Processing, provide reasonable assistance to enable Customer to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. Provider shall not disclose Personal Data to any of the persons or entities in (a) or (b) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 11.1 and Section 11.2.
11.2
In the event that Provider is required by law, court order, warrant, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Customer, including any national security authority or other government body, Provider shall attempt to redirect the government request to Customer. If Provider is unable to redirect the request, Provider shall, unless prohibited by applicable law, notify Customer promptly and shall provide all reasonable assistance to Customer to enable Customer to respond or object to, or challenge, any such Legal Requests and to meet applicable statutory or regulatory deadlines. If Provider is prohibited by applicable law from providing notice to Customer of a Legal Request, Provider shall use commercially reasonable efforts to object to, or challenge, any such Legal Request to avoid or minimize the disclosure of Personal Data. Provider shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so by applicable law and has otherwise complied with the obligations in this Section 11.2.
12. TRANSFERS OUT OF THE EEA
Any transfer of data to a third country or an international organization by the Provider shall be done only on the basis of documented instructions from the Customer or in order to fulfill a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
For the avoidance of doubt, the prohibition of transferring personal data outside of the EU/EEA without Customer’s prior written approval, is also applicable in relation to processing by any Subprocessors.
If Customer transfers Personal Data out of the EEA to Provider in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the EU SCCs, the terms of which are hereby incorporated into this DPA. Provider shall provide a copy of the signed version of the EU SCCs to Customer upon request. In furtherance of the foregoing, the parties agree that:
12.1
Customer will act as the data exporter and Provider will act as the data importer under the EU SCCs;
12.2
For purposes of Appendix 1 to the EU SCCs, the categories of data subjects, data, special categories of data (if appropriate), and the Processing operations shall be as set out in Section B to Exhibit A;
12.3
For purposes of Appendix 2 to the EU SCCs, the technical and organizational measures shall be the Security Measures;
12.4
Clause 7 of the EU SCCs (Docking Clause) does not apply.
12.5
Clause 9(a) Option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 6.3 of the DPA.
12.6
The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
12.7
With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option one shall apply. The Parties agree that the governing law shall be the law of Denmark.
12.8
In clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Denmark.
12.9
The audits described in Clause 8.9 of the EU SCCs shall be performed in accordance with Section 9 of this DPA.
13. CLAIMS
Notwithstanding any limitations set out in the Agreement, if a Data Subject, competent authority, or any other third party brings a claim against the Customer based on the processing of Personal Data by the Provider, the Provider shall indemnify and hold the Customer harmless for any claims (including administrative sanctions and penalties) arising directly from the Provider’s failure to comply with the DPA or the Customer’s documented lawful instructions, provided such instructions are compliant with applicable Data Protection Laws. Liability for any claims in this regard shall be limited to direct damages incurred by Customer. The Customer shall promptly inform the Provider upon receipt of any such claim. The Provider’s indemnification shall not extend to claims or penalties arising from the Customer’s own failure to comply with applicable Data Protection Laws or instructions given by the Customer that are unlawful or non-compliant with GDPR and other applicable privacy laws.
14. GOVERNING LAW AND DISPUTES
This DPA shall be applied and interpreted in accordance with the law stated in the Agreement. Notwithstanding this, the Provider must at all times process personal data in accordance with Applicable Privacy Laws.
Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision in the Agreement.
IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from the date of signature of the last party to sign hereto.
Good Tape (Provider)
Lasse Finderup, CEO
[Name, Title] (Customer)
EXHIBIT A
A. LIST OF PARTIES
Data exporter(s):
Name: [Name]
Address: [Address]
Contact person’s name, position and contact details: [Contact Details]
Activities relevant to the data transferred under these Clauses:
Upload of audio files, possibly (but not necessarily) containing Personal and/or Sensitive data.
Signature: [Signature]
Date: [Date]
Role (Controller or Processor): Controller
Data importer(s):
Name: Good Tape ApS
Address: Njalsgade 21G, 3., DK-2300 Kbh S
Contact person’s name, position and contact details: Lasse Finderup, CEO
Activities relevant to the data transferred under these Clauses:
Processing and storage of uploaded data in order to deliver text transcriptions of audio files
Signature: [Signature]
Date: [Date]
Role (Controller or Processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Individuals whose voices are recorded in audio or video files.
- Users of the Good Tape platform.
Categories of personal data transferred
- Audio and video recordings
- Transcribed text
- Metadata: such as file names, formats, duration, etc.
Sensitive data transferred
Good Tape does not specifically require or request sensitive personal data. To mitigate risks, the following safeguards are applied:
- Strict purpose limitation: All data is processed solely for the purpose of generating transcriptions as requested by the user.
- Access restrictions: Access to personal data is strictly limited to authorized personnel who require access for operational purposes. Employees are trained in GDPR compliance and information security best practices.
- Encryption: Data is encrypted both at rest and in transit using robust encryption protocols.
- Data retention: Uploaded recordings and transcriptions are stored for a limited duration, as outlined in the Data Retention Policy, after which they are securely deleted unless otherwise requested by the user.
- Secure processing environment: All data is processed within the EU using exclusively EU-based subprocessors to ensure compliance with GDPR standards.
- Onward transfer restrictions: Good Tape does not engage in onward transfers of personal data outside the EU or to third-party subprocessors that are not explicitly authorized under the DPA.
- Monitoring and audits: Access logs are maintained to monitor all access to personal data. Good Tape conducts regular audits and assessments to ensure compliance with GDPR and information security requirements.
Frequency of transfer
On a continuous basis during the term of the Agreement.
Nature of the processing
Provider and select Subprocessors will Process audio files in order to extract text transcriptions.
Purpose(s) of the data transfer and further processing
Provider will Process Personal Data for the purpose of providing services in accordance with the Services Agreement.
Data retention period
Duration of performance of the Services. If Customer opts for it, the data will be securely retained in order for Customer to access it during the term of the Agreement.
Transfers to (sub-) processors
As described in the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be the supervisory authority that has jurisdiction over the Data Exporter/Controller.
EXHIBIT B
TECHNICAL AND ORGANIZATIONAL MEASURES
The data importer has implemented and maintains comprehensive technical and organizational safeguards, which contain those safeguards described below:
- Organizational management and dedicated staff responsible for the development, implementation and maintenance of the Provider’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Provider’s organization, monitoring and maintaining compliance with the Provider’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable media (i.e. laptop computers).
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords.
- Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the Provider’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Provider’s possession.
- Change management procedures designed to test, approve and monitor all material changes to the Provider’s technology and information assets.
- Incident management procedures designed to allow Provider to investigate, respond to, mitigate and notify of events related to the Provider’s technology and information assets.
- Network security controls designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Disaster recovery procedures designed to maintain service and/or recover from foreseeable emergencies or disasters.
Technical and Organizational Measures to Ensure Security of the Data
The data importer has implemented and maintains comprehensive technical and organizational safeguards, which include:
- Dedicated staff responsible for developing, implementing, and maintaining the Provider’s information security program.
- Regular audit and risk assessment procedures for reviewing and assessing risks to the Provider’s organization.
- Comprehensive data security controls including:
  - Logical segregation of data
  - Role-based access and monitoring
  - Industry-standard encryption for data transmission and storage
- Advanced logical access controls managing electronic access based on authority levels and job functions:
  - Need-to-know and least privilege basis access
  - Unique IDs and passwords for all users
  - Regular access review and prompt updates
- Robust password management:
  - Password strength requirements
  - Regular password expiration
  - Strict password sharing prohibitions
- Multi-layered physical and environmental security:
  - Protected data centers and server rooms
  - Monitored personnel movement
  - Environmental hazard protection
- Rigorous operational procedures including:
  - System configuration and monitoring
  - Secure data disposal protocols
  - Complete data unrecoverability measures
- Structured change management procedures covering:
  - Testing protocols
  - Approval processes
  - Asset monitoring systems
- Incident response protocols including:
  - Investigation procedures
  - Response mechanisms
  - Mitigation strategies
  - Notification systems
- Enhanced network security featuring:
  - Intrusion protection
  - Attack scope limitation
  - Regular security assessments
- Comprehensive vulnerability management including:
  - Regular assessments
  - Patch management
  - Threat protection
  - Scheduled monitoring
- Business continuity measures:
  - Disaster recovery planning
  - Emergency response procedures
  - Service maintenance protocols
EXHIBIT C
Description of the processing:
Categories of data subjects whose personal data is processed:
- Participants in recorded conversations and meetings.
Categories of personal data processed:
- Any information provided in the recording
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
- None expected, but cannot be precluded, nor can it be specified, as it depends on the content of the recording.
Nature of the processing:
- Transcription of recordings submitted by the Data Controller.
Purpose(s) for which the personal data is processed on behalf of the controller:
- Transcription of recordings.
Duration of the processing:
- For the duration of the transcription of the individual recording, unless the Data Controller specifically opts to store the recording with the data processor, in which case duration of the processing shall be throughout the period where one or more recordings remain stored with the data processor.
Regarding the use of cookies:
- Good Tape acts as the Data Controller in relation to the use of cookies on its platform. Certain cookies are necessary for the core functionality and security of Good Tape’s services, while others are non-essential and may be enabled or disabled at the user’s discretion. Importantly, no cookies—whether essential or non-essential—have access to or interact with any audio or video files, transcriptions, or sensitive personal data processed through Good Tape.
Importantly, we always assume that there might be sensitive data in the files you upload. That’s why we distinguish between your uploaded data and your general data, such as e-mail, name etc. Below, you’ll find the sub-processors we use for both processing purposes. The data security of your tapes and transcriptions is our number one priority.
Name | Company registration number & Address | Location of Processing | Description of Processing | Type of Processing |
---|---|---|---|---|
First Tier Subprocessors | | | | |
Azure | 256796 70 Sir John Rogerson’s Quay, Dublin | European Union | In the event extraordinary scaling is needed, it processes transcriptions and temporarily stores a copy of uploaded audio files while actively processing transcription, ensuring GDPR-compliant handling of personal data. | Access and temporary storage of uploaded audio files. Processing of transcriptions. |
Google | 368047 1st and 2nd Floor, Gordon House, Barrow Street, Dublin 4, Ireland | European Union | Processes transcriptions, and temporarily stores a copy of uploaded audio files while actively processing transcription, ensuring GDPR-compliant handling of personal data. | Access and temporary storage of uploaded audio files. Processing of transcriptions. |
Supabase | T20UF4683B San Francisco Bay Area, West Coast, Western US | European Union | We use Supabase to securely log in our users. We also use their cloud-based secure databases. | Access to personal data limited to account and access management. |
Scaleway | RCS PARIS B 433 115 904 8 rue de la ville l’Evêque – 75008 Paris, FRANCE | European Union | We use Scaleway to store your uploaded files, if you tell us to. | Processing and storage of audio files if requested. |
MongoDB | 0001441816 1633 Broadway, 38th Floor, New York, NY | European Union | We use MongoDB to efficiently manage and store your transcription editor state, ensuring high availability and performance. | Storage of transcription text and edits. |
Second Tier Subprocessors | | | | |
Chargebee | 990362987 340 S Lemon Ave, Suite 1537, Walnut, CA 91789 | European Union | Chargebee is a recurring revenue management platform. They handle our subscriptions solution. | Access to billing information. |
Stripe Payments Europe | 513174 3 Dublin Landings, North Wall Quay, Dublin 1, D01C4E0, Ireland | European Union | We use Stripe to handle payment processing through Chargebee. | Processing of payments. |
Make AS | NO 993555002 Sandakerveien 116, 6th floor 0484 Oslo, NO | EEA | Make sends transactional and marketing emails for us, and in doing so accesses personal data like e-mails and names. | Access to personal data related to transaction email. Opt-out is an option. |
PostHog | E3446544202 3-6 848 N. Rainbow Blvd., Suite 8176, Las Vegas, NV 89107, USA | European Union | We use PostHog to collect data on page views and actions on goodtape.io, which we can use to analyze product usage, and in turn improve the product. | Access to page views, and events on goodtape.io. |
Google | 368047 1st and 2nd Floor, Gordon House, Barrow Street, Dublin 4, Ireland | European Union | Google is our email service provider. When you send us an email, Google will be able to access your address. We might also use Google for general office reporting tools, which could involve aggregate data intelligence. | Access to personal data like names and e-mails for e-mail communication. |
Hubspot | 20-2632791 25 First Street, 2nd Floor, Cambridge, Massachusetts 02141 | European Union | We use Hubspot to keep track of existing and potential customers. | Access to personal data like name, e-mail, and billing information. |
ChartMogul | HRB 197519 Kemperplatz 1, 10785 Berlin, Germany | European Union | We use ChartMogul to aggregate, analyze, and visualize our subscription metrics. | Access to subscription information. |