We’d love to hear more about your specific needs.
Last Updated June 5, 2026 (prior version here)
This Data Processing Addendum (“DPA”) is incorporated by reference into the Terms of Use available at https://verbit.ai/terms-and-conditions/ or other services agreement (in either case, the “Agreement”) entered by and between Customer and Verbit, Inc. or its Affiliate (“Supplier,” and together with Customer, the “Parties”) for use of the Services, and reflects the Parties’ agreement for Supplier’s Processing of Personal Data pursuant to the Agreement and solely on behalf of the Customer. “Customer” refer to the Verbit customer that is party to the Agreement that incorporates this DPA. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail solely with respect to the Processing of Personal Data.
1(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. An “Authorized Affiliate” is any Affiliate explicitly permitted to use the Services pursuant to the Agreement but that has not signed its own agreement with Supplier.
1(b) “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended (including by the CPRA), and its implementing regulations.
1(c) The terms “Controller,” “Processor,” “Processing,” and “Supervisory Authority” shall have the same meaning as in the GDPR and shall also refer to the equivalent concepts of “Business,” “Service Provider,” and related terms under the CCPA and other applicable Data Protection Laws.
1(d) “Data Protection Laws” means all applicable privacy and data protection laws, including the GDPR, the UK GDPR, the FADP, the CCPA, and other applicable U.S. state privacy laws, in each case as in effect at the time of Processing.
1(e) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
1(f) “FADP” means the Swiss Federal Act on Data Protection, as revised on 25 September 2020.
1(g) “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
1(h) “Personal Data” means any information that identifies, relates to, or could reasonably be linked to an identified or identifiable natural person (and includes “Personal Information” as defined under the CCPA and materially similar terms under other Data Protection Laws), to the extent such information is processed by Supplier on behalf of Customer under this DPA and the Agreement.
1(i) “Services” has the same meaning as in the Agreement.
1(j) “Security Documentation” means the security documentation applicable to the Services, as updated from time to time and accessible via https://verbit.ai/trust/, or as otherwise made reasonably available by Supplier.
1(k) “Sensitive Data” means Personal Data protected under special legislation, including “special categories of data” under GDPR Article 9, and other materially similar categories under applicable Data Protection Laws, including (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric, or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; and/or (e) account passwords in unhashed form.
1(l) “Standard Contractual Clauses” means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1(m) “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Supplier.
1(n) “UK GDPR” means the GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018, as amended, together with the Data Protection Act 2018.
2(a) Roles of the Parties. Customer is the Controller (or Processor acting on behalf of a Controller, as applicable) and Supplier is the Processor (or Sub-processor, as applicable) regarding the Processing of Personal Data on behalf of Customer.
2(b) Customer’s Obligations. Customer shall comply with Data Protection Laws in its use of the Services and its instructions to the Processor. Customer shall establish all required legal bases to collect, Process, and transfer Personal Data to Processor and to authorize Processor’s Processing activities on Customer’s behalf.
2(c) Processor’s Processing of Personal Data. When Processing on Customer’s behalf, Processor shall Process Personal Data for the following purposes: (i) performing the Services in accordance with the Agreement and this DPA; (ii) complying with Customer’s reasonable documented instructions consistent with the Agreement; (iii) optimizing speech recognition accuracy, vocabulary, and configuration for Customer’s specific needs (“Service Optimization”), as an integral part of the Services; (iv) processing de-identified data derived from Customer content for general-purpose automatic speech recognition training (“General ASR Training”), subject to the requirements and restrictions in Section 2(g); (v) processing Customer data as input at inference time through AI-based analysis features (“AI Analysis Features”) without incorporating such data into any model’s training data or weights; and (vi) Processing as required under applicable law or by order of a competent authority, provided that Processor shall inform Customer of the legal requirement before Processing unless prohibited by law.
Processor shall inform Customer without undue delay if an instruction for Processing infringes applicable Data Protection Laws. If Processor cannot comply with an instruction, Processor shall inform Customer, may temporarily cease Processing the affected Personal Data, and if the Parties do not resolve the issue within a reasonable period, Customer may as its sole remedy terminate the Agreement with respect to the affected Processing, subject to payment of amounts owed through the date of termination.
2(d) Details of the Processing. The subject-matter of Processing is the performance of the Services. The duration, nature, purpose, types of Personal Data, and categories of Data Subjects are further specified in Schedule 1 to this DPA.
2(e) Sensitive Data. The Parties acknowledge that audio and video content processed through the Services may incidentally contain Sensitive Data (such as health information, biometric voice data, or data revealing racial or ethnic origin). Customer is responsible for determining whether appropriate legal bases and safeguards are in place for such data. If Customer requires dedicated Sensitive Data handling procedures beyond those provided as part of the standard Services, Customer must obtain Processor’s prior written consent and enter into any additional agreements required by Processor.
2(f) CCPA. Processor shall not sell or share (as defined in the CCPA) Personal Information processed on Customer’s behalf. Processor shall not retain, use, or disclose Personal Information for any purpose other than performing the Services and as permitted under the Agreement, this DPA, and applicable law. Processor shall not combine Personal Information received from Customer with Personal Information received from or on behalf of any other person, or collected from Processor’s own interactions with individuals, except as expressly permitted under Section 2(g) with respect to de-identified data used for General ASR Training. Processor shall notify Customer if it determines that it can no longer meet its obligations under the CCPA. Processor shall, at Customer’s request, permit Customer to take reasonable and appropriate steps to help ensure that Processor uses Personal Information in a manner consistent with Customer’s obligations under the CCPA, and to stop and remediate any unauthorized use of Personal Information.
2(g) AI Processing Restrictions.
General ASR Training. Prior to using data for General ASR Training, Processor shall: (A) segment audio into short clips, each typically only a few seconds in duration, containing isolated speech fragments insufficient to identify a speaker or convey substantive content; and (B) disassociate segments from Customer’s account such that they are not attributable to Customer, any individual speaker, or any specific session or recording. Processor shall not attempt to re-identify de-identified training data. Customer may opt out of General ASR Training by written notice to Processor. Opt-out applies prospectively only and does not require Processor to retrain existing models. Opt-out does not apply to Service Optimization or AI Analysis Features.
No Generative AI Training. Processor shall not use Personal Data, whether identifiable or de-identified, to train, fine-tune, or incorporate into the weights of any generative AI model or large language model whose output is exposed to any third party, other than for the purpose of providing the Services to Customer. Where Processor engages third-party AI model providers in connection with AI Analysis Features, such providers shall be listed as Sub-processors and shall be contractually prohibited from using Customer data for model training.
AI Analysis Features. AI Analysis Features process Customer data (which may include confidential and privileged content) as input to AI models at inference time only, without incorporating such data into any model’s training data.
Legal Materials. Personal Data associated with deposition transcription, Legal Visor, or other Services provided directly to law firm Customers (“Legal Materials”) shall not be used for General ASR Training unless an authorized representative of Customer provides written opt-in. Customer is solely responsible for determining whether use of AI Analysis Features on Legal Materials is consistent with Customer’s privilege, confidentiality, and professional conduct obligations.
AI-Specific Safeguards. Processor shall maintain reasonable technical and organizational measures to: (A) prevent re-identification of de-identified training data; (B) restrict access to identifiable data to authorized personnel and approved Sub-processors; (C) ensure data processed through AI Analysis Features is encrypted in transit and not retained by third-party providers beyond the minimum period required by such providers’ applicable data processing terms; and (D) ensure automated processing does not produce legal effects concerning, or significantly affect, Data Subjects without appropriate safeguards under applicable Data Protection Laws.
2(h) Education Records. Where Customer submits education records (as defined under FERPA, 20 U.S.C. § 1232g) to the Services, Processor shall process such records consistent with the requirements applicable to a “school official” with a “legitimate educational interest” as those terms are used in 34 CFR § 99.31(a)(1). Processor shall not use or disclose identifiable education records for any purpose other than providing the Services as permitted under the Agreement and this DPA. Where required by applicable state student privacy laws, the Parties shall enter into supplemental agreements to address such requirements.
Processor shall, to the extent legally permitted, notify Customer if Processor receives a request from a Data Subject to exercise rights under applicable Data Protection Laws (“Data Subject Request”). Processor shall assist Customer, through appropriate technical and organizational measures, in fulfilling Customer’s obligation to respond to Data Subject Requests. Processor may refer Data Subjects to Customer, as appropriate.
Processor shall ensure that its personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality.
5(a) Customer hereby grants Supplier a general authorization to engage Sub-processors to Process Personal Data on behalf of Customer. Sub-processors shall be bound by written agreements imposing data protection obligations substantially similar to those under this DPA. Supplier shall remain liable to Customer for the performance of its Sub-processors’ obligations subject to the Agreement’s limitations of liability.
5(b) Customer may subscribe to notifications of new Sub-processors by emailing privacy@verbit.ai. Supplier will make its then-current list of Sub-processors available to Customer upon request. Supplier shall provide notification of any new Sub-processor before authorizing it to Process Personal Data. Customer may object to a new Sub-processor on reasonable grounds by written notice to privacy@verbit.ai within 5 business days of Supplier’s notification. The Parties shall make good-faith efforts to resolve any objection. If no resolution is reached, Supplier will make commercially reasonable efforts to provide the Services without using the objected-to Sub-processor.
6(a) Controls for the Protection of Personal Data. Processor shall maintain industry-standard technical and organizational measures for protection of Personal Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage, as further described in the Security Documentation. Upon Customer’s reasonable request and at Customer’s cost, Processor will assist Customer in ensuring compliance with Articles 32 to 36 of the GDPR to the extent such information is available to Processor.
6(b) Audits and Inspections. Upon 14 days’ prior written notice and no more than once every 12 months, subject to confidentiality undertakings, Processor shall make available to Customer (or Customer’s independent third-party auditor that is not a competitor of Processor) information necessary to demonstrate compliance with this DPA. Customer may conduct audits and inspections, provided that: (i) audit results shall be used solely to assess DPA compliance and shall not be disclosed to third parties without Processor’s prior written approval; (ii) Customer shall return all Processor documentation upon request; and (iii) Customer shall minimize disruption to Processor’s business during any audit. These audit rights apply only to the extent the Agreement does not otherwise provide Customer with audit rights meeting the requirements of applicable Data Protection Laws.
Processor shall maintain security incident management policies and shall notify Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed on Customer’s behalf (a “Data Incident”). Processor shall take reasonable steps to remediate the cause of a Data Incident to the extent within Processor’s reasonable control. Processor shall provide Customer with sufficient information about the Data Incident to enable Customer to meet any applicable notification obligations under Data Protection Laws. These obligations do not apply to incidents caused by Customer or its authorized users. Customer shall not make any public disclosure or regulatory notification that identifies Processor by name in connection with a Data Incident, other than with Processor’s prior written approval or to the extent required by applicable law.
Within 30 days following termination of the Agreement, Processor shall, at Customer’s choice (indicated through the Services or in written notice), delete or return all Personal Data it Processes on behalf of Customer, and delete existing copies unless required to retain them by applicable law. Processor may retain one copy of Personal Data solely for evidence purposes and for the establishment, exercise, or defense of legal claims.
9(a) Adequate Jurisdictions. Personal Data may be transferred from the EEA, the UK, and Switzerland to countries subject to applicable adequacy decisions without further safeguard.
9(b) Other Transfers. If Processing includes a transfer from the EEA, the UK, or Switzerland to a country not subject to an adequacy decision, and no alternative recognized transfer mechanism applies, then: (i) Part 1 of Schedule 2 (EEA Transfers) shall apply to EEA transfers; (ii) Part 2 of Schedule 2 (UK Transfers) shall apply to UK transfers; (iii) Part 3 of Schedule 2 (Swiss Transfers) shall apply to Swiss transfers; and (iv) Part 4 of Schedule 2 (Additional Safeguards) shall apply to all such transfers.
10(a) Contractual Relationship. By executing this DPA, Customer enters into the DPA on behalf of itself and its Authorized Affiliates. Each Authorized Affiliate is bound by Customer’s obligations under this DPA to the extent Processor Processes Personal Data on such Affiliate’s behalf. Any violation by an Authorized Affiliate shall be deemed a violation by Customer.
10(b) Communication. Customer shall coordinate all communication with Processor under this DPA on behalf of its Authorized Affiliates.
11(a) Data Protection Impact Assessment. Upon Customer’s reasonable request and at Customer’s cost, Processor shall provide reasonable cooperation and assistance for data protection impact assessments and prior consultations with Supervisory Authorities related to Customer’s use of the Services, to the extent required under applicable Data Protection Laws.
11(b) Limitation of Liability. Each Party’s aggregate liability under this DPA shall be subject to the limitations of liability set forth in the Agreement.
11(c) Modifications. Either Party may, by 45 days’ prior written notice, request modifications to this DPA required by changes in Data Protection Laws. The Parties shall negotiate in good faith to implement such modifications. If the Parties cannot reach agreement within 30 days, either Party may terminate the Agreement to the extent it relates to the affected Services.
Nature and Purpose of Processing. As described in Section 2(c) of this DPA.
Duration of Processing. Processor will Process Personal Data for the duration of the Agreement.
Type of Personal Data. Customer may submit the following categories of Personal Data to the Services: audio and video recordings containing voice data; transcript and caption text; speaker names and identifying information present in recordings; and other Personal Data contained in Customer’s files as determined by Customer.
Categories of Data Subjects:
1. The Standard Contractual Clauses are incorporated by reference and apply to EEA transfers.
2. Module Two (Controller to Processor) applies where Customer is the controller and Supplier is the processor. Module Three (Processor to Processor) applies where Customer is a processor and Supplier is a sub-processor.
3. Clause 7 (Docking Clause) shall not apply.
4. Option 2 (General Written Authorization) in Clause 9 applies. The notification method and time period for Sub-processor changes are as set forth in Section 5(b) of this DPA.
5. In Clause 11, the optional language will not apply.
6. In Clause 17, Option 1 applies; the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
7. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland.
8. Annex I shall be completed as follows: Data Exporter is Customer (controller under Module Two; processor under Module Three). Data Importer is Supplier (processor under Module Two; sub-processor under Module Three). Contact details are as set forth in the Agreement. The categories of data subjects, categories of personal data, nature and purpose of processing, and retention period are as described in Schedule 1 of this DPA. Sensitive Data may be incidentally present in audio and video content as set forth in Section 2(e). Transfers occur on a continuous basis for the duration of the Agreement. For Sub-processor transfers, details are as set forth in Supplier’s Sub-processor list made available under Section 5(b) of this DPA.
9. The competent supervisory authority under Clause 13 is the supervisory authority of the Republic of Ireland.
10. The Security Documentation serves as Annex II.
11. To the extent there is any conflict between the Standard Contractual Clauses and this DPA or the Agreement, the Standard Contractual Clauses prevail.
The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under S119A(1) of the Data Protection Act 2018 (the “UK Addendum”), is incorporated by reference and applies to UK transfers. The UK Addendum Tables shall be completed as follows:
The UK Addendum overrides the Standard Contractual Clauses except that the Standard Contractual Clauses govern where they provide greater rights to Data Subjects. This Part 2 shall be governed by the laws of England and Wales, and disputes shall be resolved by the courts of England and Wales. The UK Data Protection Laws will prevail over this Part 2 in case of any conflict.
UK amendments to the Standard Contractual Clauses. Unless the Parties agree in writing to alternative amendments that meet the requirements of UK Data Protection Laws, the following prescribed amendments apply for UK Transfers:
ICO revision mechanism. From time to time, the ICO may issue a revised UK Addendum that makes reasonable and proportionate changes (including correcting errors) and/or reflects changes to UK Data Protection Laws. The revised UK Addendum will specify the start date from which it is effective and whether the Parties need to review this Part 2 (including the Appendix Information). This Part 2 is automatically amended as set out in the revised UK Addendum from that start date. If, as a direct result of the revised UK Addendum, either Party will have a substantial, disproportionate, and demonstrable increase in its direct costs of performing its obligations under this Part 2 and/or its risk under this Part 2 (after first taking reasonable steps to reduce such costs or risks), then that Party may end this Part 2 at the end of a reasonable notice period by providing written notice for that period to the other Party before the start date of the revised UK Addendum.
The Standard Contractual Clauses as set forth in Part 1 of this Schedule 2 apply to Swiss transfers, with the following adjustments:
For EEA, UK, and Swiss transfers, the Parties agree to the following supplemental safeguards: