Data Processing Agreement

Data processing agreement (verwerkersovereenkomst) pursuant to Article 28 GDPR (AVG) · Version 1.2 · April 24, 2026

This Data Processing Agreement ("DPA") is included with every Prodius Professional and Office subscription. It forms an integral part of the subscription agreement between the Controller and the Processor and takes effect upon activation of a qualifying subscription.

No separate signature is required. By subscribing to a qualifying plan, the Controller accepts this DPA. If the Controller requires a bilaterally signed copy naming the Controller entity, the Processor will provide one upon request to privacy@prodius.ai.

1. Parties

Processor (Verwerker):

Controller (Verwerkingsverantwoordelijke):

The legal entity or natural person that has subscribed to a Prodius Professional or Office plan, as identified by the account registration and billing details.

2. Definitions

Terms not defined here have the meaning given in the General Data Protection Regulation (EU) 2016/679 ("GDPR" / "AVG").

3. Subject Matter, Duration, and Purpose of Processing

3.1 Subject Matter

The Processor provides the Controller with a cloud-based voice transcription service. Audio spoken by the Controller's users is transmitted through an EU-based gateway to an EU-based AI provider, converted to text, optionally enhanced by an AI language model, and returned to the user's device. The Processor processes Personal Data solely to deliver this service.

3.2 Duration

This DPA is effective for the duration of the Controller's active Professional or Office subscription. It terminates automatically when the subscription ends, subject to the obligations in Section 12 (Return and Deletion of Data).

3.3 Purpose of Processing

The Processor processes Personal Data exclusively for the following purposes:

  1. Converting speech to text (transcription)
  2. Enhancing transcription quality through AI language models (punctuation, capitalization, formatting)
  3. Transforming selected text via AI commands initiated by the user
  4. Managing user accounts, authentication, and usage quota tracking

4. Types of Personal Data and Categories of Data Subjects

4.1 Types of Personal Data

| Data Type | Description | Retention |
| --- | --- | --- |
| Audio recordings | Voice input captured during dictation sessions | Zero — in-memory only, never written to disk |
| Transcription text | Raw and enhanced text output from speech recognition and AI processing | Zero — returned to device, not stored server-side |
| Application context (text) | Active application name, window title, selected text — used for context-aware transcription accuracy and for grounding AI commands | Zero on Processor infrastructure — processed in real-time, not stored server-side |
| Bound-destination screenshot (sent to AI provider) | Single JPEG of the Controller's explicitly bound destination window, transmitted to the AI sub-processor to ground an AI command response. Only captured when the Controller's user has explicitly bound a destination window for the command turn. | Zero on Processor infrastructure — processed in real-time by the AI sub-processor, not stored server-side |
| Bound-destination screenshot (local cache on Controller's device) | The same JPEG above, additionally cached on the Controller's own device for user-visible provenance (the Controller's user can see which image was sent to the AI). Cache is under the Controller's own operating-system file permissions, not on Processor infrastructure. See Section 5.6.1. | Default 7 days on the Controller's device, configurable; deleted on conversation delete; can be disabled entirely in Settings. No retention on Processor infrastructure. |
| Account data | Email address, name (optional), authentication tokens | Duration of subscription + 30 days |
| Usage metrics | Word counts and action counts for quota management | Duration of subscription + 30 days |
| Billing data | Company name, billing address, VAT number, invoices | 7 years (Dutch tax law, fiscale bewaarplicht) |

Audio content may include special categories of data (bijzondere persoonsgegevens, artikel 9 AVG) or criminal-offence data (strafrechtelijke gegevens, artikel 10 AVG) depending on what the Controller's users dictate. This is particularly relevant for advocatenkantoren and notariskantoren whose work routinely involves such data.

The Controller is responsible for ensuring a lawful basis for processing such data and for instructing its users accordingly. The Processor's technical and organizational measures — in particular zero server-side retention, EU-only processing, fail-closed architecture, and the prohibition on human review of content (Section 5.3) — are designed to be appropriate for the processing of special-category and criminal-offence data in this context.

4.2 Categories of Data Subjects

5. Obligations of the Processor

5.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller (Article 28(3)(a) GDPR). The Subscription Agreement and this DPA constitute the Controller's documented processing instructions. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes GDPR or other EU/Dutch data protection law.

The Service includes configurable features (e.g., application context capture for transcription accuracy, bound-destination screenshot capture for AI command grounding, and local caching of those screenshots on the Controller's device for provenance). The Controller may enable or disable these features through the application's settings. The Controller is responsible for configuring features in accordance with its own data protection policies. The Processor recommends that Controllers subject to professional secrecy obligations review the context-capture and local-cache settings with their compliance officer and, where appropriate, disable the bound-destination screenshot capture or the local screenshot cache (see Section 5.6.1).

5.2 Confidentiality

The Processor ensures that all persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).

5.3 Professional Secrecy (Beroepsgeheim)

The Processor acknowledges that the Controller may be subject to a statutory duty of professional secrecy (beroepsgeheim), including but not limited to:

The Processor agrees that all Personal Data processed under this DPA shall be treated with a level of confidentiality consistent with the Controller's professional obligations. In particular:

5.4 AI Provider Abuse Monitoring

Azure OpenAI (the AI sub-processor for Professional and Office tiers) operates an automated abuse monitoring system. The Processor has confirmed with Microsoft that:

5.5 Legal Process and Government Requests

If the Processor receives a subpoena, court order, or government request that relates to Personal Data processed under this DPA, the Processor shall:

  1. Promptly notify the Controller before disclosing any data, unless prohibited by law
  2. Challenge requests that the Processor reasonably considers overbroad, disproportionate, or unlawful
  3. Disclose only the minimum data legally required
  4. Not voluntarily provide data to any government authority without the Controller's prior consent

Where notification is prohibited by law, the Processor shall use reasonable efforts to challenge the prohibition and shall notify the Controller as soon as legally permitted.

5.6 Security Measures

The Processor implements the following technical and organizational measures (Article 32 GDPR):

Technical Measures

Organizational Measures

5.6.1 Local Screenshot Cache on the Controller's Device

When the Controller's user issues an AI command with an explicitly bound destination window, the desktop application captures a single screenshot of that window, transmits it to the AI sub-processor for that single request (covered by the existing transmission chain in Section 5.6 and the sub-processor obligations in Section 6), and, by default, stores a local JPEG copy of that image on the Controller's device at:

Purpose: transparency and provenance. The cached file is rendered as an inline thumbnail in the Prodius conversation view so the Controller's user can verify which screenshot was sent to the AI for each command turn. This supports the Controller's own supervision and review obligations under professional secrecy and Article 5(2) GDPR (accountability).

No new data egress. The local cache introduces no new transmission to the Processor, to sub-processors, or to any third party. The JPEG is written only to the Controller's own device filesystem and read back by the same desktop application when rendering conversation history. The transmission to the AI sub-processor is the same single transmission that would occur without the cache.

Retention on the Controller's device:

Controller opt-out. The Controller may disable the local cache entirely via Settings → Privacy → "Cache context screenshots locally". When disabled, the screenshot is displayed inline only during the live turn and is never written to disk; no file survives closing the Prodius modal.

Scope of storage. Because the local cache resides on the Controller's own device under standard operating-system file permissions, it is under the Controller's direct control and forms part of the Controller's own IT environment rather than Processor-controlled infrastructure. The Processor has no read, write, or remote access to this cache. The Controller is responsible for endpoint security measures (e.g., full-disk encryption, device-level access controls) covering this cache, consistent with the Controller's own Article 32 GDPR obligations for data processed on its own devices.

Recommendation for Controllers subject to beroepsgeheim: include the cache paths above in the firm's device-hygiene and endpoint-security policy alongside browser caches, recently-opened-document lists, and other local AI-assistant histories. Where the firm's risk posture requires it, disable the cache in Settings.

5.7 Assistance to the Controller

The Processor shall assist the Controller, taking into account the nature of processing and data available to the Processor, in:

6. Sub-processors

6.1 Authorized Sub-processors

The Controller grants the Processor general written authorization to engage sub-processors, subject to the conditions in this section. The following sub-processors are authorized at the time of this DPA:

| Sub-processor | Parent Entity | Purpose | Data Location | Transfer Mechanism |
| --- | --- | --- | --- | --- |
| Azure OpenAI | Microsoft Corporation (US) | Speech-to-text transcription and AI text enhancement | West Europe (Netherlands) | EU Data Boundary; DPA with Microsoft |
| Fly.io | Fly.io, Inc. (US) | Gateway hosting (API routing, zero data storage) | Amsterdam, Netherlands | SCCs (2021); data processed exclusively in EU region; no US admin access to customer data |
| Supabase | Supabase, Inc. (US) | User authentication and usage quota tracking | Frankfurt, Germany | SCCs (2021); EU-hosted project; no US admin access to customer data |
| TransIP | TransIP B.V. (NL) | Transactional email delivery | Amsterdam, Netherlands | N/A (EU entity, EU processing) |
| Sentry | Functional Software, Inc. (US) | Error monitoring and performance tracing | Frankfurt, Germany | SCCs (2021); EU-hosted project; content scrubbed at code level (no audio or transcription text transmitted) |

The current sub-processor list is always available at prodius.ai/subprocessors.

Transfer safeguards: Some sub-processors are incorporated in the United States but process data exclusively in EU data centres. Where a sub-processor's parent entity is established outside the EEA, the Processor ensures that (a) Personal Data is processed exclusively in EEA-located infrastructure, (b) EU Commission-approved Standard Contractual Clauses (SCCs, 2021 version) or an equivalent transfer mechanism is in place, and (c) the sub-processor is contractually prohibited from transferring Personal Data outside the EEA. US-based AI providers (Groq, OpenAI direct) are never used for Professional or Office tier data processing.

6.2 Obligations Regarding Sub-processors

The Processor shall:

  1. Impose data protection obligations on each sub-processor by contract that are no less protective than this DPA (Article 28(4) GDPR)
  2. Remain fully liable to the Controller for the performance of each sub-processor's obligations

6.3 Changes to Sub-processors

The Processor shall notify the Controller at least 30 days in advance before adding or replacing a sub-processor that processes Personal Data. Notification will be sent via email to the account email address.

If the Controller objects to a new sub-processor on reasonable data protection grounds, the Controller shall notify the Processor within 14 days of receiving the notification. The parties shall negotiate in good faith to resolve the objection. If no resolution is reached within 30 days, the Controller may terminate the Subscription Agreement without penalty.

7. International Data Transfers

7.1 EU-Only Processing

For Professional and Office tier subscribers, all Personal Data processing occurs exclusively within the European Economic Area:

No Personal Data is transferred to, or accessible from, countries outside the EEA. While some sub-processors have US-incorporated parent entities, all data processing occurs on EU-based infrastructure and no non-EEA personnel have access to customer data. EU Commission-approved Standard Contractual Clauses (SCCs) are in place as an additional safeguard (see Section 6.1).

7.2 Fail-Closed Architecture

If the EU-based AI provider (Azure OpenAI West Europe) is unavailable, Professional and Office tier requests return an error to the user. They are never routed to US-based providers as a fallback. This fail-closed design guarantees that the EU-only processing commitment cannot be breached by infrastructure failures.

8. Security Incidents (Data Breach Notification)

8.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Security Incident affecting Personal Data processed under this DPA (Article 33(2) GDPR).

8.2 Content of Notification

The notification shall include, to the extent known:

  1. A description of the nature of the Security Incident, including categories and approximate number of Data Subjects and records affected
  2. The name and contact details of the Processor's contact point for further information
  3. A description of the likely consequences of the Security Incident
  4. A description of the measures taken or proposed to address the Security Incident, including measures to mitigate adverse effects

8.3 Assistance

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident. The Processor shall assist the Controller in meeting its obligations under Articles 33 and 34 GDPR (notification to the Autoriteit Persoonsgegevens and communication to Data Subjects).

8.4 Risk Context

Due to the zero server-side retention architecture, the scope of a potential Security Incident is inherently limited: audio recordings and transcription text are never stored on Prodius-controlled production servers. Account data (email, usage metrics) stored in Supabase Frankfurt represents the primary data at risk in the event of a breach.

9. Audit Rights

9.1 Right to Audit

The Controller has the right to verify the Processor's compliance with this DPA (Article 28(3)(h) GDPR). The Processor shall make available to the Controller all information necessary to demonstrate compliance and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

9.2 Audit Procedure

9.3 Third-Party Certifications

Where available, the Processor may satisfy audit requests by providing relevant third-party certifications, audit reports, or compliance documentation from its sub-processors (e.g., Microsoft Azure SOC 2 reports, ISO 27001 certifications).

10. Data Subject Rights

10.1 Assistance

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to Data Subject requests under GDPR Chapter III.

10.2 Forwarding Requests

If the Processor receives a request from a Data Subject directly, the Processor shall promptly forward the request to the Controller and shall not respond to the Data Subject without the Controller's instruction, unless legally obligated to do so.

10.3 Practical Implications

Due to zero data retention for audio and transcription content:

11. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (Article 35 GDPR) and prior consultations with the Autoriteit Persoonsgegevens (Article 36 GDPR), where such assessments or consultations relate to the processing activities under this DPA.

12. Return and Deletion of Data

12.1 Upon Termination

Upon termination of the Subscription Agreement, the following applies:

Data never retained on Processor infrastructure (no action required)

Audio recordings, transcription text, application context (text), and bound-destination screenshots are processed exclusively in memory on Processor and sub-processor infrastructure and are never stored server-side. No return or deletion action is required by the Processor for these data types.

Local screenshot cache on the Controller's device

The optional local screenshot cache described in Section 5.6.1 resides on the Controller's own device and is under the Controller's direct control. On termination of the Subscription Agreement:

  1. The Controller may uninstall the Prodius desktop application, which leaves the cache directory in place on the device for the Controller to inspect, archive, or delete according to the Controller's own retention policy;
  2. The Controller may delete the cache directory directly (paths listed in Section 5.6.1);
  3. The Controller may disable the cache in application Settings prior to termination, which prevents new files from being written and allows the configured TTL sweep (default 7 days) to remove the remaining files automatically on application start.

Because the Processor has no access to the Controller's device, the Processor cannot remotely delete this cache. This is consistent with the cache being a Controller-device artifact rather than Processor-held data.

Exportable data (Controller's choice)

For account data and usage metrics, the Controller may choose to:

  1. Export data in a commonly used, machine-readable format (JSON) before the end of the subscription; or
  2. Request deletion of all account data and usage metrics

The Controller shall communicate its choice within 30 days of termination. If no instruction is received, the Processor shall delete all exportable data.

Legally retained data

Billing data (company name, billing address, VAT number, invoices) is retained for 7 years per Dutch tax law (fiscale bewaarplicht) and deleted thereafter. This retention obligation applies regardless of the Controller's instructions.

12.2 Deletion Timeline

12.3 Confirmation

The Processor shall provide written confirmation of deletion upon request.

13. Liability

13.1 General Limitation

Except as set out in Section 13.2, the liability of each party under this DPA is subject to the limitations and exclusions set out in the Subscription Agreement (Terms of Service).

13.2 DPA-Specific Liability

Notwithstanding the general limitation above, the Processor's aggregate liability for damages arising from a breach of this DPA — including breaches of confidentiality (Section 5.2–5.3), unauthorized processing, failure to comply with the Controller's lawful instructions, or failure to meet the breach notification obligations (Section 8) — shall be limited to the greater of:

13.3 Unlimited Liability

Neither party limits its liability for:

14. Term and Termination

15. Governing Law and Disputes

This DPA is governed by the laws of the Netherlands. Any dispute arising from or in connection with this DPA shall be submitted to the competent court in the Netherlands.

This DPA does not affect the rights of Data Subjects under GDPR, including the right to lodge complaints with the Autoriteit Persoonsgegevens.

16. Amendments

The Processor may update this DPA to reflect changes in law, regulatory guidance, or processing activities. Material changes will be notified to the Controller at least 30 days in advance via email. The Controller's continued use of the Service after the effective date of the amended DPA constitutes acceptance. If the Controller objects to a material change, the Controller may terminate the Subscription Agreement without penalty before the change takes effect.

17. Relationship to Other Agreements

In the event of a conflict between this DPA and the Subscription Agreement regarding the processing of Personal Data, this DPA shall prevail.

Quick Reference

| Topic | Guarantee |
| --- | --- |
| Processor | Zenocritus B.V. (KvK 65524829) |
| Data processing location | EU only (Netherlands, Germany) |
| Audio retention | Zero — in-memory only, never stored server-side |
| Transcription retention | Zero — not stored server-side |
| Context screenshot (server-side) | Zero — processed in-memory by the AI sub-processor, not stored on Processor infrastructure |
| Context screenshot (Controller's device) | Optional local cache, default 7 days, configurable; cache can be disabled in Settings; no Processor access — see §5.6.1 |
| Human review of content | Never — unless Controller consents for incident resolution |
| Model training | Never — no party in the chain trains on customer data |
| US data transfers | None — EU-only processing, fail-closed architecture, SCCs in place |
| Professional secrecy | Recognized — Advocatenwet, Wna, VGBA obligations acknowledged |
| Breach notification | Within 24 hours |
| DPA liability cap | €25,000 or 2× annual fees (whichever is greater) |
| Sub-processor changes | 30 days advance notice, right to object |
| Audit rights | Once per year, 30 days notice |
| Data deletion on termination | Within 30 days (billing data: 7 years per tax law) |
| Governing law | Netherlands |
| Sub-processors | prodius.ai/subprocessors |

Version 1.2 · April 24, 2026 · Questions: privacy@prodius.ai

Changes in v1.2: Clarified the distinction between Processor-held data (zero retention) and the optional local screenshot cache on the Controller's device introduced with the bound-destination AI command feature. Added Section 5.6.1 (Local Screenshot Cache on the Controller's Device) and associated rows to Sections 4.1, 12.1, 12.2, and the Quick Reference table. No new sub-processors, no new data egress.