Data Processing Agreement
This Data Processing Agreement ("DPA") is included with every Prodius Professional and Office subscription. It forms an integral part of the subscription agreement between the Controller and the Processor and takes effect upon activation of a qualifying subscription.
No separate signature is required. By subscribing to a qualifying plan, the Controller accepts this DPA. If the Controller requires a bilaterally signed copy naming the Controller entity, the Processor will provide one upon request to privacy@prodius.ai.
1. Parties
Processor (Verwerker):
- Zenocritus B.V.
- Hendrick Goltziusstraat 5, 7425 PJ Deventer, Netherlands
- Chamber of Commerce (KvK): 65524829
- VAT: NL856147370B01
- Contact: privacy@prodius.ai
Controller (Verwerkingsverantwoordelijke):
The legal entity or natural person that has subscribed to a Prodius Professional or Office plan, as identified by the account registration and billing details.
2. Definitions
Terms not defined here have the meaning given in the General Data Protection Regulation (EU) 2016/679 ("GDPR" / "AVG").
- Personal Data (Persoonsgegevens): Any information relating to an identified or identifiable natural person processed through the Service.
- Processing (Verwerking): Any operation performed on Personal Data, including collection, transmission, use, and erasure.
- Data Subject (Betrokkene): The identified or identifiable natural person to whom the Personal Data relates.
- Sub-processor (Sub-verwerker): A third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Service: The Prodius voice transcription and AI text enhancement service as described in the Terms of Service.
- Subscription Agreement: The Prodius Terms of Service and the active Professional or Office subscription together.
- Security Incident (Beveiligingsincident): A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Subject Matter, Duration, and Purpose of Processing
3.1 Subject Matter
The Processor provides the Controller with a cloud-based voice transcription service. Audio spoken by the Controller's users is transmitted through an EU-based gateway to an EU-based AI provider, converted to text, optionally enhanced by an AI language model, and returned to the user's device. The Processor processes Personal Data solely to deliver this service.
3.2 Duration
This DPA is effective for the duration of the Controller's active Professional or Office subscription. It terminates automatically when the subscription ends, subject to the obligations in Section 12 (Return and Deletion of Data).
3.3 Purpose of Processing
The Processor processes Personal Data exclusively for the following purposes:
- Converting speech to text (transcription)
- Enhancing transcription quality through AI language models (punctuation, capitalization, formatting)
- Transforming selected text via AI commands initiated by the user
- Managing user accounts, authentication, and usage quota tracking
4. Types of Personal Data and Categories of Data Subjects
4.1 Types of Personal Data
| Data Type | Description | Retention |
|---|---|---|
| Audio recordings | Voice input captured during dictation sessions | Zero — in-memory only, never written to disk |
| Transcription text | Raw and enhanced text output from speech recognition and AI processing | Zero — returned to device, not stored server-side |
| Application context (text) | Active application name, window title, selected text — used for context-aware transcription accuracy and for grounding AI commands | Zero on Processor infrastructure — processed in real-time, not stored server-side |
| Bound-destination screenshot (sent to AI provider) | Single JPEG of the Controller's explicitly bound destination window, transmitted to the AI sub-processor to ground an AI command response. Only captured when the Controller's user has explicitly bound a destination window for the command turn. | Zero on Processor infrastructure — processed in real-time by the AI sub-processor, not stored server-side |
| Bound-destination screenshot (local cache on Controller's device) | The same JPEG above, additionally cached on the Controller's own device for user-visible provenance (the Controller's user can see which image was sent to the AI). Cache is under the Controller's own operating-system file permissions, not on Processor infrastructure. See Section 5.6.1. | Default 7 days on the Controller's device, configurable; deleted on conversation delete; can be disabled entirely in Settings. No retention on Processor infrastructure. |
| Account data | Email address, name (optional), authentication tokens | Duration of subscription + 30 days |
| Usage metrics | Word counts and action counts for quota management | Duration of subscription + 30 days |
| Billing data | Company name, billing address, VAT number, invoices | 7 years (Dutch tax law, fiscale bewaarplicht) |
Audio content may include special categories of data (bijzondere persoonsgegevens, artikel 9 AVG) or criminal-offence data (strafrechtelijke gegevens, artikel 10 AVG) depending on what the Controller's users dictate. This is particularly relevant for advocatenkantoren and notariskantoren whose work routinely involves such data.
The Controller is responsible for ensuring a lawful basis for processing such data and for instructing its users accordingly. The Processor's technical and organizational measures — in particular zero server-side retention, EU-only processing, fail-closed architecture, and the prohibition on human review of content (Section 5.3) — are designed to be appropriate for the processing of special-category and criminal-offence data in this context.
4.2 Categories of Data Subjects
- Employees and staff of the Controller who use the Service
- Third parties whose personal data may be contained in dictated content (e.g., clients of the Controller mentioned during dictation)
5. Obligations of the Processor
5.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller (Article 28(3)(a) GDPR). The Subscription Agreement and this DPA constitute the Controller's documented processing instructions. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes GDPR or other EU/Dutch data protection law.
The Service includes configurable features (e.g., application context capture for transcription accuracy, bound-destination screenshot capture for AI command grounding, and local caching of those screenshots on the Controller's device for provenance). The Controller may enable or disable these features through the application's settings. The Controller is responsible for configuring features in accordance with its own data protection policies. The Processor recommends that Controllers subject to professional secrecy obligations review the context-capture and local-cache settings with their compliance officer and, where appropriate, disable the bound-destination screenshot capture or the local screenshot cache (see Section 5.6.1).
5.2 Confidentiality
The Processor ensures that all persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).
5.3 Professional Secrecy (Beroepsgeheim)
The Processor acknowledges that the Controller may be subject to a statutory duty of professional secrecy (beroepsgeheim), including but not limited to:
- The duty of confidentiality for lawyers under the Advocatenwet (article 11a) and the right of non-disclosure (verschoningsrecht)
- The duty of confidentiality for notaries under the Wet op het notarisambt (article 22)
- The duty of confidentiality for accountants under the VGBA (Verordening gedrags- en beroepsregels accountants)
The Processor agrees that all Personal Data processed under this DPA shall be treated with a level of confidentiality consistent with the Controller's professional obligations. In particular:
- No human review: No Prodius personnel or sub-processor personnel shall access, review, or inspect the content of audio recordings, transcription text, or application context processed for the Controller, except where strictly necessary to resolve a technical incident reported by the Controller and only with the Controller's prior written consent
- Need-to-know access: Access to systems that process Controller data is restricted to the minimum number of authorized personnel required for operational purposes
- Sub-processor restrictions: All sub-processors are contractually prohibited from using Controller data for any purpose other than providing the Service, including model training, quality review, or abuse monitoring involving human review of content (see Section 5.4)
5.4 AI Provider Abuse Monitoring
Azure OpenAI (the AI sub-processor for Professional and Office tiers) operates an automated abuse monitoring system. The Processor has confirmed with Microsoft that:
- Automated abuse monitoring does not involve human review of prompts or completions by default
- The Processor will apply for and maintain Microsoft's modified abuse monitoring program where available, which disables storage of prompts and completions for abuse review
- If modified abuse monitoring is not available or is revoked, the Processor will notify the Controller within 14 days and offer the Controller the option to terminate without penalty
5.5 Legal Process and Government Requests
If the Processor receives a subpoena, court order, or government request that relates to Personal Data processed under this DPA, the Processor shall:
- Promptly notify the Controller before disclosing any data, unless prohibited by law
- Challenge requests that the Processor reasonably considers overbroad, disproportionate, or unlawful
- Disclose only the minimum data legally required
- Not voluntarily provide data to any government authority without the Controller's prior consent
Where notification is prohibited by law, the Processor shall use reasonable efforts to challenge the prohibition and shall notify the Controller as soon as legally permitted.
5.6 Security Measures
The Processor implements the following technical and organizational measures (Article 32 GDPR):
Technical Measures
- Encryption in transit: TLS 1.2 or higher for all data transmission between the user's device, the Prodius Gateway, and AI providers
- Zero server-side retention: The Prodius Gateway processes all audio, transcription text, and AI requests exclusively in memory. Nothing is written to disk on Prodius-controlled production infrastructure. Note: the desktop application may write diagnostic logs to the user's local device when debug mode is explicitly enabled by the user; these logs remain under the Controller's control on the user's device and are not transmitted to the Processor.
- EU-only data processing: All Professional and Office tier data is processed within the European Union (Netherlands and Germany). US-based AI providers are not used. If the EU provider is unavailable, requests fail rather than falling back to non-EU providers (fail-closed architecture).
- Access controls: JWT-based authentication, role-based access controls
- Audit logging: Metadata-only request logs (timestamps, status codes). Content (audio, text) is never logged on Prodius infrastructure.
- No model training: Customer data is never used to train, fine-tune, or improve AI models by any party in the processing chain
Organizational Measures
- Access to production systems restricted to authorized personnel on a need-to-know basis
- Sub-processors vetted for GDPR compliance and bound by Data Processing Agreements per Article 28 GDPR
- Privacy-by-design: the Service is architected to minimize data collection and retention
- Incident response procedures documented and tested
5.6.1 Local Screenshot Cache on the Controller's Device
When the Controller's user issues an AI command with an explicitly bound destination window, the desktop application captures a single screenshot of that window, transmits it to the AI sub-processor for that single request (covered by the existing transmission chain in Section 5.6 and the sub-processor obligations in Section 6), and, by default, stores a local JPEG copy of that image on the Controller's device at:
- macOS: ~/Library/Application Support/Prodius/context_screenshots/
- Windows: %LOCALAPPDATA%\Prodius\context_screenshots\
- Linux: ~/.local/share/prodius/context_screenshots/
Purpose: transparency and provenance. The cached file is rendered as an inline thumbnail in the Prodius conversation view so the Controller's user can verify which screenshot was sent to the AI for each command turn. This supports the Controller's own supervision and review obligations under professional secrecy and Article 5(2) GDPR (accountability).
No new data egress. The local cache introduces no new transmission to the Processor, to sub-processors, or to any third party. The JPEG is written only to the Controller's own device filesystem and read back by the same desktop application when rendering conversation history. The transmission to the AI sub-processor is the same single transmission that would occur without the cache.
Retention on the Controller's device:
- Default lifetime: 7 days after the conversation turn, configurable in application Settings
- Per-conversation cap: 50 MB (oldest files evicted first)
- Global cap: 500 MB
- Cascade delete: deleting a conversation in the Prodius UI deletes that conversation's screenshot directory from disk
- Startup sweep: files older than the configured TTL are deleted when the application starts
Controller opt-out. The Controller may disable the local cache entirely via Settings → Privacy → "Cache context screenshots locally". When disabled, the screenshot is displayed inline only during the live turn and is never written to disk; no file survives closing the Prodius modal.
Scope of storage. Because the local cache resides on the Controller's own device under standard operating-system file permissions, it is under the Controller's direct control and forms part of the Controller's own IT environment rather than Processor-controlled infrastructure. The Processor has no read, write, or remote access to this cache. The Controller is responsible for endpoint security measures (e.g., full-disk encryption, device-level access controls) covering this cache, consistent with the Controller's own Article 32 GDPR obligations for data processed on its own devices.
Recommendation for Controllers subject to beroepsgeheim: include the cache paths above in the firm's device-hygiene and endpoint-security policy alongside browser caches, recently-opened-document lists, and other local AI-assistant histories. Where the firm's risk posture requires it, disable the cache in Settings.
5.7 Assistance to the Controller
The Processor shall assist the Controller, taking into account the nature of processing and data available to the Processor, in:
- Responding to Data Subject requests to exercise their rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection)
- Fulfilling obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation with the Autoriteit Persoonsgegevens)
6. Sub-processors
6.1 Authorized Sub-processors
The Controller grants the Processor general written authorization to engage sub-processors, subject to the conditions in this section. The following sub-processors are authorized at the time of this DPA:
| Sub-processor | Parent Entity | Purpose | Data Location | Transfer Mechanism |
|---|---|---|---|---|
| Azure OpenAI | Microsoft Corporation (US) | Speech-to-text transcription and AI text enhancement | West Europe (Netherlands) | EU Data Boundary; DPA with Microsoft |
| Fly.io | Fly.io, Inc. (US) | Gateway hosting (API routing, zero data storage) | Amsterdam, Netherlands | SCCs (2021); data processed exclusively in EU region; no US admin access to customer data |
| Supabase | Supabase, Inc. (US) | User authentication and usage quota tracking | Frankfurt, Germany | SCCs (2021); EU-hosted project; no US admin access to customer data |
| TransIP | TransIP B.V. (NL) | Transactional email delivery | Amsterdam, Netherlands | N/A (EU entity, EU processing) |
| Sentry | Functional Software, Inc. (US) | Error monitoring and performance tracing | Frankfurt, Germany | SCCs (2021); EU-hosted project; content scrubbed at code level (no audio or transcription text transmitted) |
The current sub-processor list is always available at prodius.ai/subprocessors.
Transfer safeguards: Some sub-processors are incorporated in the United States but process data exclusively in EU data centres. Where a sub-processor's parent entity is established outside the EEA, the Processor ensures that (a) Personal Data is processed exclusively in EEA-located infrastructure, (b) EU Commission-approved Standard Contractual Clauses (SCCs, 2021 version) or an equivalent transfer mechanism is in place, and (c) the sub-processor is contractually prohibited from transferring Personal Data outside the EEA. US-based AI providers (Groq, OpenAI direct) are never used for Professional or Office tier data processing.
6.2 Obligations Regarding Sub-processors
The Processor shall:
- Impose data protection obligations on each sub-processor by contract that are no less protective than this DPA (Article 28(4) GDPR)
- Remain fully liable to the Controller for the performance of each sub-processor's obligations
6.3 Changes to Sub-processors
The Processor shall notify the Controller at least 30 days in advance before adding or replacing a sub-processor that processes Personal Data. Notification will be sent via email to the account email address.
If the Controller objects to a new sub-processor on reasonable data protection grounds, the Controller shall notify the Processor within 14 days of receiving the notification. The parties shall negotiate in good faith to resolve the objection. If no resolution is reached within 30 days, the Controller may terminate the Subscription Agreement without penalty.
7. International Data Transfers
7.1 EU-Only Processing
For Professional and Office tier subscribers, all Personal Data processing occurs exclusively within the European Economic Area:
- Gateway: Fly.io Amsterdam (Netherlands)
- AI processing: Azure OpenAI West Europe (Netherlands)
- Authentication and usage tracking: Supabase Frankfurt (Germany)
- Email delivery: TransIP Amsterdam (Netherlands)
No Personal Data is transferred to, or accessible from, countries outside the EEA. While some sub-processors have US-incorporated parent entities, all data processing occurs on EU-based infrastructure and no non-EEA personnel have access to customer data. EU Commission-approved Standard Contractual Clauses (SCCs) are in place as an additional safeguard (see Section 6.1).
7.2 Fail-Closed Architecture
If the EU-based AI provider (Azure OpenAI West Europe) is unavailable, Professional and Office tier requests return an error to the user. They are never routed to US-based providers as a fallback. This fail-closed design guarantees that the EU-only processing commitment cannot be breached by infrastructure failures.
8. Security Incidents (Data Breach Notification)
8.1 Notification to Controller
The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Security Incident affecting Personal Data processed under this DPA (Article 33(2) GDPR).
8.2 Content of Notification
The notification shall include, to the extent known:
- A description of the nature of the Security Incident, including categories and approximate number of Data Subjects and records affected
- The name and contact details of the Processor's contact point for further information
- A description of the likely consequences of the Security Incident
- A description of the measures taken or proposed to address the Security Incident, including measures to mitigate adverse effects
8.3 Assistance
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident. The Processor shall assist the Controller in meeting its obligations under Articles 33 and 34 GDPR (notification to the Autoriteit Persoonsgegevens and communication to Data Subjects).
8.4 Risk Context
Due to the zero server-side retention architecture, the scope of a potential Security Incident is inherently limited: audio recordings and transcription text are never stored on Prodius-controlled production servers. Account data (email, usage metrics) stored in Supabase Frankfurt represents the primary data at risk in the event of a breach.
9. Audit Rights
9.1 Right to Audit
The Controller has the right to verify the Processor's compliance with this DPA (Article 28(3)(h) GDPR). The Processor shall make available to the Controller all information necessary to demonstrate compliance and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
9.2 Audit Procedure
- The Controller shall provide at least 30 days' written notice before an audit
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by the Processor
- The Controller may conduct a maximum of one audit per calendar year, unless a Security Incident or regulatory investigation necessitates an additional audit
- The Controller (or its auditor) shall treat all information obtained during the audit as confidential
9.3 Third-Party Certifications
Where available, the Processor may satisfy audit requests by providing relevant third-party certifications, audit reports, or compliance documentation from its sub-processors (e.g., Microsoft Azure SOC 2 reports, ISO 27001 certifications).
10. Data Subject Rights
10.1 Assistance
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to Data Subject requests under GDPR Chapter III.
10.2 Forwarding Requests
If the Processor receives a request from a Data Subject directly, the Processor shall promptly forward the request to the Controller and shall not respond to the Data Subject without the Controller's instruction, unless legally obligated to do so.
10.3 Practical Implications
Due to zero data retention for audio and transcription content:
- Right of access (Article 15): No audio or transcription data can be provided, as none is retained. Account data and usage metrics can be exported.
- Right to erasure (Article 17): Audio and transcription data requires no erasure action (never stored). Account data is deleted within 30 days of request.
- Right to portability (Article 20): Account data and usage metrics can be exported in machine-readable format (JSON).
11. Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (Article 35 GDPR) and prior consultations with the Autoriteit Persoonsgegevens (Article 36 GDPR), where such assessments or consultations relate to the processing activities under this DPA.
12. Return and Deletion of Data
12.1 Upon Termination
Upon termination of the Subscription Agreement, the following applies:
Data never retained on Processor infrastructure (no action required)
Audio recordings, transcription text, application context (text), and bound-destination screenshots are processed exclusively in memory on Processor and sub-processor infrastructure and are never stored server-side. No return or deletion action is required by the Processor for these data types.
Local screenshot cache on the Controller's device
The optional local screenshot cache described in Section 5.6.1 resides on the Controller's own device and is under the Controller's direct control. On termination of the Subscription Agreement:
- The Controller may uninstall the Prodius desktop application, which leaves the cache directory in place on the device for the Controller to inspect, archive, or delete according to the Controller's own retention policy;
- The Controller may delete the cache directory directly (paths listed in Section 5.6.1);
- The Controller may disable the cache in application Settings prior to termination, which prevents new files from being written and allows the configured TTL sweep (default 7 days) to remove the remaining files automatically on application start.
Because the Processor has no access to the Controller's device, the Processor cannot remotely delete this cache. This is consistent with the cache being a Controller-device artifact rather than Processor-held data.
Exportable data (Controller's choice)
For account data and usage metrics, the Controller may choose to:
- Export data in a commonly used, machine-readable format (JSON) before the end of the subscription; or
- Request deletion of all account data and usage metrics
The Controller shall communicate its choice within 30 days of termination. If no instruction is received, the Processor shall delete all exportable data.
Legally retained data
Billing data (company name, billing address, VAT number, invoices) is retained for 7 years per Dutch tax law (fiscale bewaarplicht) and deleted thereafter. This retention obligation applies regardless of the Controller's instructions.
12.2 Deletion Timeline
- Audio, transcription, application context, and bound-destination screenshots on Processor infrastructure: No action required (never stored server-side)
- Local screenshot cache on the Controller's device: Under the Controller's control; defaults to a 7-day TTL sweep by the application; the Controller may delete the cache directories directly or disable the cache in Settings (see Section 5.6.1)
- Account data and usage metrics: Deleted within 30 days of termination
- Billing data: Retained for 7 years per Dutch tax law (fiscale bewaarplicht), then deleted
12.3 Confirmation
The Processor shall provide written confirmation of deletion upon request.
13. Liability
13.1 General Limitation
Except as set out in Section 13.2, the liability of each party under this DPA is subject to the limitations and exclusions set out in the Subscription Agreement (Terms of Service).
13.2 DPA-Specific Liability
Notwithstanding the general limitation above, the Processor's aggregate liability for damages arising from a breach of this DPA — including breaches of confidentiality (Section 5.2–5.3), unauthorized processing, failure to comply with the Controller's lawful instructions, or failure to meet the breach notification obligations (Section 8) — shall be limited to the greater of:
- (a) the total fees paid by the Controller under the Subscription Agreement in the 12 months preceding the event giving rise to the claim, multiplied by a factor of two (2×); or
- (b) €25,000 (twenty-five thousand euros)
13.3 Unlimited Liability
Neither party limits its liability for:
- Wilful misconduct (opzet) or gross negligence (grove nalatigheid)
- Either party's liability to Data Subjects under Article 82 GDPR
- Liability that cannot be excluded under applicable Dutch law
14. Term and Termination
- This DPA takes effect upon activation of a Professional or Office subscription and remains in force for the duration of the Subscription Agreement
- Obligations regarding confidentiality, data deletion, and cooperation with audits survive termination
- The Controller may terminate this DPA and the Subscription Agreement without penalty if the Processor materially breaches this DPA and fails to remedy the breach within 30 days of written notice
15. Governing Law and Disputes
This DPA is governed by the laws of the Netherlands. Any dispute arising from or in connection with this DPA shall be submitted to the competent court in the Netherlands.
This DPA does not affect the rights of Data Subjects under GDPR, including the right to lodge complaints with the Autoriteit Persoonsgegevens.
16. Amendments
The Processor may update this DPA to reflect changes in law, regulatory guidance, or processing activities. Material changes will be notified to the Controller at least 30 days in advance via email. The Controller's continued use of the Service after the effective date of the amended DPA constitutes acceptance. If the Controller objects to a material change, the Controller may terminate the Subscription Agreement without penalty before the change takes effect.
17. Relationship to Other Agreements
In the event of a conflict between this DPA and the Subscription Agreement regarding the processing of Personal Data, this DPA shall prevail.
Quick Reference
| Topic | Guarantee |
|---|---|
| Processor | Zenocritus B.V. (KvK 65524829) |
| Data processing location | EU only (Netherlands, Germany) |
| Audio retention | Zero — in-memory only, never stored server-side |
| Transcription retention | Zero — not stored server-side |
| Context screenshot (server-side) | Zero — processed in-memory by the AI sub-processor, not stored on Processor infrastructure |
| Context screenshot (Controller's device) | Optional local cache, default 7 days, configurable; cache can be disabled in Settings; no Processor access — see §5.6.1 |
| Human review of content | Never — unless Controller consents for incident resolution |
| Model training | Never — no party in the chain trains on customer data |
| US data transfers | None — EU-only processing, fail-closed architecture, SCCs in place |
| Professional secrecy | Recognized — Advocatenwet, Wna, VGBA obligations acknowledged |
| Breach notification | Within 24 hours |
| DPA liability cap | €25,000 or 2× annual fees (whichever is greater) |
| Sub-processor changes | 30 days advance notice, right to object |
| Audit rights | Once per year, 30 days notice |
| Data deletion on termination | Within 30 days (billing data: 7 years per tax law) |
| Governing law | Netherlands |
| Sub-processors | prodius.ai/subprocessors |
Version 1.2 · April 24, 2026 · Questions: privacy@prodius.ai
Changes in v1.2: Clarified the distinction between Processor-held data (zero retention) and the optional local screenshot cache on the Controller's device introduced with the bound-destination AI command feature. Added Section 5.6.1 (Local Screenshot Cache on the Controller's Device) and associated rows to Sections 4.1, 12.1, 12.2, and the Quick Reference table. No new sub-processors, no new data egress.
