How to Read This Document
This document is a reference version of the Vakyya Data Processing Agreement (“DPA”). It is intended to support pre-contractual review by procurement, legal, security, and data-protection teams considering Vakyya for a design partner or pilot engagement.
The reference DPA below is not, in itself, the operative agreement between Parakletos and a Customer. The operative DPA is the version executed by both parties at contract commencement, attached to the Master Services Agreement or Design Partner Agreement. The executed DPA may differ from this reference where the parties have agreed bespoke terms (additional security measures, alternative retention periods, scoped categories of special category data, customer-managed encryption keys, and similar).
A signed copy of the operative DPA is provided to the Customer at contract commencement; no separate request is required. Where a prospective Customer wishes to review the DPA in advance, this page is the reference, and the editable Word version is available from sales@vakyya.com.
1. Parties
This DPA is entered into between:
(1) Parakletos AI Limited, a company registered in England and Wales (company number 16504323) with registered address First Floor, 85 Great Portland Street, London W1W 7LT, United Kingdom (the “Processor”); and
(2) the Customer named in the Master Services Agreement, Design Partner Agreement, or Order Form to which this DPA is attached (the “Controller”),
each a “Party” and together the “Parties”.
2. Background
The Processor provides the Vakyya managed pipeline for the transcription, translation, captioning, and editorial enrichment of confidential internal media (the “Service”). In providing the Service, the Processor processes personal data on behalf of the Controller. This DPA sets out the terms on which that processing takes place, and gives effect to the requirements of the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), the EU General Data Protection Regulation 2016/679 (“EU GDPR”) where applicable, and any other applicable data protection legislation (together, “Data Protection Law”).
3. Definitions
Capitalised terms not defined in this DPA have the meaning given to them in Data Protection Law or, where relevant, in the Master Services Agreement.
“Customer Content” has the meaning given in the Terms of Service.
“Customer Personal Data” means personal data within Customer Content that the Processor processes on behalf of the Controller under this DPA, together with any other personal data the Processor processes on behalf of the Controller pursuant to the Service.
“Data Subject Request” means a request from a data subject to exercise a right under Data Protection Law.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved under Article 46(2) of the EU GDPR (Commission Implementing Decision (EU) 2021/914) and, for transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office.
“Sub-Processor” means any third party engaged by the Processor to process Customer Personal Data.
4. Scope and Roles
4.1 Controller and Processor
Parakletos acts as processor for Customer Personal Data contained in Customer Content where the Customer determines the purposes and means of processing, subject to this DPA. Parakletos remains controller for its own account, billing, support, security, analytics, legal, and operational records. The Customer is the data controller for Customer Personal Data. The Processor processes Customer Personal Data only on the documented instructions of the Controller, as set out in this DPA, the Master Services Agreement, the Order Form, and any further written instructions reasonably given by the Controller from time to time.
The data classification is structured as:
- Customer Content (uploaded media, transcripts, translations, captions, summaries, glossaries, and review comments) is controlled by the Customer and processed by the Processor under this DPA.
- Workflow Metadata (job status, timestamps, language settings, output formats, delivery state, and usage quantities) is mixed or contract-specific.
- Operational Data (security logs, billing records, diagnostics, abuse signals, platform telemetry, and support records) is controlled by the Processor.
4.2 Processing Description
The subject matter, duration, nature, purpose, categories of personal data, and categories of data subjects of the processing are described in Annex 1.
4.3 Instructions
If the Processor reasonably believes that an instruction from the Controller infringes Data Protection Law, the Processor will inform the Controller before complying, except where Data Protection Law prohibits such notification.
5. Confidentiality
The Processor ensures that all personnel authorised to process Customer Personal Data are subject to a written confidentiality obligation (whether contractual or statutory) and have been trained in their data protection responsibilities. Access to Customer Personal Data is restricted to a named subset of personnel under the principle of least privilege.
6. Security
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. The security measures applicable to the Service are described in Annex 2. The Processor reviews these measures at least annually and updates them in response to material changes in the threat landscape or in the Service architecture.
7. Sub-Processors
7.1 General Authorisation
The Controller grants the Processor general authorisation to engage Sub-Processors to assist in providing the Service. The current list of Sub-Processors is published at vakyya.com/legal/sub-processors and is incorporated into this DPA by reference.
7.2 Notification of Changes
The Processor will give the Controller not less than thirty days’ written notice of any intended addition, removal, or material change to a Sub-Processor.
7.3 Objection
The Controller may object to a new or changed Sub-Processor on reasonable data protection grounds, in writing, within fourteen days of notification. Where the Controller objects, the Parties will discuss the objection in good faith. If the Parties cannot reach agreement, the Controller may terminate the affected part of the Service (or, where the Sub-Processor is integral to the Service as a whole, the entire engagement) without penalty, with effect from the date on which the new Sub-Processor would otherwise have come into use.
7.4 Flow-Down
The Processor enters into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those in this DPA, and remains responsible to the Controller for any failure of a Sub-Processor to comply with such obligations.
8. International Transfers
The Service is designed to operate without transfers of Customer Personal Data outside the United Kingdom or the European Economic Area. Customer Personal Data is stored and processed exclusively in the UK (Google Cloud europe-west2) or Germany (Google Cloud europe-west3), and edge routing operates exclusively within Cloudflare’s EU regional infrastructure.
Where, in the narrowly scoped circumstances described in the Privacy Policy and in Annex 3, non-content personal data is transferred outside the UK or EEA, the Processor relies on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or on the EU Standard Contractual Clauses themselves, as applicable. Transfer Risk Assessments are documented and available to the Controller on request under NDA.
9. Data Subject Requests
The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject Requests, including by providing functionality to access, correct, restrict, or delete Customer Personal Data within the customer portal where reasonably available, and by responding to specific requests for assistance within the timeframes set out in Annex 2.
Where a data subject contacts the Processor directly with a request relating to Customer Personal Data, the Processor will route the request to the Controller and confirm to the data subject that it has done so, in accordance with the Privacy Policy.
10. Assistance to the Controller
The Processor will assist the Controller, taking into account the nature of the processing and the information available to the Processor, in respect of the Controller’s obligations under Data Protection Law concerning:
- security of processing (UK GDPR Article 32);
- notification of personal data breaches to the supervisory authority and affected data subjects (UK GDPR Articles 33 and 34);
- data protection impact assessments (UK GDPR Article 35); and
- prior consultation with the supervisory authority where required (UK GDPR Article 36).
11. Personal Data Breaches
The Processor notifies the Controller of any personal data breach affecting Customer Personal Data without undue delay after becoming aware of it, and where reasonably practicable within 72 hours.
The notification will include, where available: a description of the nature of the breach (including the categories and approximate number of data subjects and records concerned); the contact details of the Processor’s security representative; the likely consequences; and the measures taken or proposed to address the breach and mitigate its possible adverse effects. Phased updates are permitted where full information is not immediately available.
Any notification under this Section 11 is not an admission of liability or fault by the Processor. The Controller remains responsible for notifying the relevant supervisory authorities and affected data subjects where required by Data Protection Law, unless applicable law requires the Processor to do so directly.
The Processor cooperates with the Controller in investigating, mitigating, and remediating personal data breaches affecting Customer Personal Data.
12. Audit
The Controller (or an independent auditor mandated by the Controller and subject to confidentiality obligations) may, on reasonable written notice and not more than once in any twelve-month period (except in response to a personal data breach, a Data Subject Request, or a supervisory authority instruction), audit the Processor’s compliance with this DPA.
In the first instance, the Controller will seek to satisfy its audit requirements by reviewing: (a) the Processor’s responses to standard security questionnaires; (b) the Processor’s published Documentation and Annex 2 to this DPA; (c) the Processor’s then-current security evidence packs or certifications, where available; and (d) summaries of independent third-party audit reports.
Onsite or live audits are permitted only where required by Data Protection Law or agreed in an enterprise Order Form. Any onsite audit is conducted at the Controller’s expense, requires reasonable prior written notice, and must be scheduled to avoid disrupting the Services. Under no circumstances will the Controller or its auditors be granted access to other customers’ data, source code, trade secrets, internal security-sensitive details, or unrelated systems.
13. Return or Deletion
On termination of the Service, the Processor will, at the Controller’s election, return or delete all Customer Personal Data (which includes Customer Content and Workflow Outputs). Unless a different period is agreed in the Order Form or DPA, Customer Personal Data is deleted or returned within 30 days of contract termination, with backup copies purged within an additional 30 days, subject to backups, logs, legal holds, audit records, and security requirements. A deletion certificate is provided on request.
Where the Processor is required by Data Protection Law or other applicable law to retain Customer Personal Data after termination, the Processor will retain the minimum data necessary, will continue to apply the security measures in Annex 2 to that data, and will not process it for any other purpose.
14. Liability
The liability provisions of the Master Services Agreement (including the limitation of liability and the carve-outs to that limitation) apply to claims arising under this DPA, except where mandatory provisions of Data Protection Law require otherwise.
15. Conflict and Precedence
In the event of conflict between this DPA and any other provision of the Agreement in respect of the processing of Customer Personal Data, this DPA prevails. In the event of conflict between this DPA and any applicable mandatory provision of Data Protection Law, that mandatory provision prevails.
Annex 1: Processing Description
| Item | Description |
|---|---|
| Subject matter of processing | Provision of the Vakyya Service to the Controller, including ingest, transcription, glossary application, translation, captioning, and delivery of Customer Content. |
| Duration of processing | The term of the Master Services Agreement or Design Partner Agreement, plus the retention period set out in the Privacy Policy and any extensions agreed in writing. |
| Nature of processing | Storage, transmission, automated transcription, automated translation, automated terminology preservation, captioning, and delivery. Logging of processing operations for audit purposes. Limited human review where contracted. |
| Purpose of processing | To provide the Service to the Controller in accordance with the Master Services Agreement and Order Form. |
| Categories of data subjects | Employees, contractors, presenters, customers, patients, training subjects, and other individuals appearing in or referenced by Customer Content; Controller’s authorised users of the Service. |
| Categories of personal data | Voice recordings, video recordings, transcripts, translations, captions, names and identifiers appearing in content, and any other personal data the Controller submits. Special category data only where scoped in the Order Form. |
| Special category data | Only where expressly scoped in writing. The scoped category, the Article 9(2) condition relied on by the Controller, and any supplementary safeguards are recorded in the Order Form. |
| Processing of criminal convictions and offences data | Only where expressly scoped in writing, with the lawful basis identified by the Controller. |
Annex 2: Technical and Organisational Security Measures
The following is a summary. The full set of security measures applicable to the Service is set out in the Documentation provided at contract commencement.
Hosting and Residency
- Service hosted on Google Cloud Platform, in europe-west2 (London) or europe-west3 (Frankfurt). Customer routing assigned at contract.
- Inference and storage of Customer Content remain in the assigned region throughout the pipeline. No cross-region movement of Customer Content in the ordinary course of operation.
- Cloudflare used for edge routing, DDoS protection, and TLS termination at points of presence serving the Vakyya zone. Cloudflare’s Data Localisation Suite with Regional Services for the EU/UK is planned but not yet operational; transit through Cloudflare in the meantime is covered by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
Encryption
- TLS 1.3 for all customer-facing and inter-service traffic.
- AES-256 at rest for stored Customer Content, transcripts, translations, captions, glossaries, and audit logs.
- Customer-Managed Encryption Keys (CMEK) are not currently offered. Enterprise key-management arrangements may be scoped separately on request, subject to technical validation and the Order Form.
Access Control
- Single sign-on with hardware-key second factor for all personnel with production access.
- Role-based access control, least privilege, quarterly access reviews.
- All personnel with production access subject to written confidentiality obligations.
Logging and Monitoring
- Centralised log aggregation, including audit logs of access to Customer Content.
- Security monitoring with alerting on anomalous access patterns.
- Logs retained per the Retention provisions of the Privacy Policy.
Incident Management
- Documented incident response plan, reviewed at least annually.
- Personal data breach notification within seventy-two hours of becoming aware, in accordance with Section 11.
Personnel
- Pre-engagement background checks for personnel with production access, where lawful.
- Annual data protection and security training for all personnel.
Sub-Processors
- Sub-Processors engaged under written agreements imposing data protection obligations no less protective than this DPA.
- Sub-Processor list maintained and published at vakyya.com/legal/sub-processors.
No Training Use
- Customer Personal Data is not used to train, fine-tune, or evaluate any artificial intelligence or machine learning model. This obligation is flowed down to all AI processing Sub-Processors and is not subject to opt-in, opt-out, or service-improvement carve-outs.
Annex 3: International Transfers
In the ordinary course of operation, no Customer Personal Data is transferred outside the United Kingdom or the European Economic Area.
Limited transfers of non-content personal data may occur in narrowly scoped circumstances:
| Transfer | Recipient | Safeguard |
|---|---|---|
| Card payment processing | Stripe Payments Europe Limited (Ireland) and Stripe Inc. (United States), where strictly necessary | UK International Data Transfer Addendum + EU SCCs |
| Cloudflare global threat intelligence (aggregated, non-Customer Content metadata) | Cloudflare Inc. (United States) | UK International Data Transfer Addendum + EU SCCs |
Transfer Risk Assessments are documented for each transfer and are available to the Controller on request under NDA.
Contact
Data Protection Contact
Parakletos AI Limited
First Floor, 85 Great Portland Street
London W1W 7LT
United Kingdom
privacy@vakyya.com
Commercial and Contract
sales@vakyya.com
This reference Data Processing Agreement was last updated on 22 May 2026. This is a first draft and is subject to legal review before use in a commercial engagement. The operative DPA between Parakletos and a Customer is the version executed alongside the Master Services Agreement or Design Partner Agreement.