Skip to main content

Data Processing Agreement (DPA)

Last updated: April 2026 · Version 1.0

1. Parties and scope

This Data Processing Agreement (“DPA”) governs the processing of personal data that the customer enters into Cliptic when acting as controller in relation to third parties (for example, study participants). It supplements the Terms of Use and the Privacy Policy.

Controller (“Controller”): the legal entity or professional using Cliptic who determines the purposes and means of processing personal data of data subjects included in their projects.

Processor (“Processor”): the operator of the Cliptic service, which processes those data only on documented instructions from the Controller and as set out in this DPA, unless required otherwise by law.

Cliptic may also act as controller for certain account and service data (for example, login credentials). This DPA applies to processing on behalf of the Controller for data subjects whose data the Controller uploads or generates on the platform in the professional context described in the Terms.

2. Subject matter and duration

The Processor will process personal data solely to provide the subscribed features: technical hosting, project processing, annotation and transcription (including transmission to AI providers when the Controller enables those features), export, read-only links, operational security, and support.

The duration of processing on behalf of the Controller matches the Controller’s account lifetime plus any additional period needed to delete or anonymise data under the Privacy Policy (for example, up to about 30 days and residual backup copies as described there).

3. Nature of processing and purpose

Operations include, as applicable:

  • Storage, backup, and technical recovery
  • Indexing and processing needed to display waveforms, tiers, transcripts, and metadata in the interface
  • Running AI features (for example, Whisper, diarisation) when the Controller requests them, with the minimum data required
  • Technical and security-oriented audit logs
  • Deletion or anonymisation at the end of processing

The purpose is to enable the Controller to use Cliptic for linguistic annotation and transcription work, without the Processor using those data for unrelated commercial purposes.

4. Types of data and data subjects

Typical categories include audio files, transcripts, linguistic annotations, project metadata, technical identifiers linked to content, and any further categories the Controller introduces.

Data subjects are natural persons covered by the projects (for example, interview participants, the Controller’s clients or staff), depending on what the Controller uploads. The Controller warrants that it has lawful bases and, where required, transparency towards data subjects.

5. Processor obligations (Cliptic)

The Processor will:

  • Process data only on documented instructions from the Controller (including settings made in the app) and promptly inform the Controller if an instruction appears unlawful
  • Ensure confidentiality of persons authorised to process the data
  • Implement appropriate technical and organisational measures (for example, access controls, encryption where the infrastructure supports it, password hashing, logical separation) as further described in the Privacy Policy
  • Assist the Controller, as reasonably possible, with obligations towards data subjects’ requests where the Controller cannot fulfil them directly from the account
  • Notify the Controller of a personal data breach without undue delay under applicable law, with information then available
  • Not appoint subprocessors other than those described in the Privacy Policy without giving the Controller an opportunity to object where the law requires; subprocessors remain bound by equivalent data protection obligations
  • Delete or return data at the end of processing as described in the Privacy Policy and service configuration, unless legally required to retain data

6. Controller obligations

The Controller will:

  • Ensure that instructed processing is lawful and that it has lawful bases and, where required, transparency towards data subjects
  • Not instruct unlawful processing or processing contrary to the Privacy Policy or Terms
  • Keep credentials secure and notify relevant incidents it becomes aware of
  • Cooperate with the Processor on breaches or authority requests when needed

7. Deletion, return, and export

When processing ends (for example, account or project deletion), the Processor will erase or anonymise data under the Privacy Policy. The Controller may export projects in the formats available in the app before closure.

8. Governing law, contact, and legal review

For matters governed by this DPA, the same governing law and jurisdiction rules as in the Terms of Use apply to the relationship with the Processor, without prejudice to mandatory rules.

Questions about this DPA: soporte@cliptic.app. This text is an indicative template and should be reviewed by qualified legal counsel for your jurisdictions.