Data Processing Agreement (DPA)
1. Parties and definitions
Controller: the organisation or individual that determines the purposes and means of the processing (you / the Customer).
Processor: Govannon, based in the Netherlands, acting on behalf of the Controller. (Full legal registration details are provided on the signed version.)
Personal Data, Processing, Data Subject, etc. have the meanings given in the GDPR.
The services covered are the hosted Lexicanon platform (the “Services”).
2. Subject matter, nature and purpose of the processing
The Processor processes Personal Data solely to provide the Services: real-time and batch speech-to-text transcription (with speaker diarization), generation of structured meeting analysis (summaries, decisions, action items, and the like), storage and retrieval of the above, and related account, billing and support functions.
Processing is limited to what is necessary for the performance of the Services.
3. Duration
This DPA is effective for the duration of the agreement for the Services. Upon termination the Processor shall, at the Controller’s choice, delete or return all Personal Data (see clause 9) and delete existing copies unless Union or Member State law requires storage.
4. Categories of data subjects and types of Personal Data
- Data subjects: meeting participants (employees, contractors, guests), account administrators and users of the Controller’s workspace.
- Types of Personal Data: voice recordings (audio), derived transcripts, speaker labels/voiceprints (mathematical embeddings), names, email addresses, organisational metadata, and any other information the Controller or participants choose to record or enter (including potentially special categories of data if present in spoken content).
5. Obligations of the Controller
The Controller warrants that it has a lawful basis for the processing and that it has provided appropriate information to Data Subjects. The Controller is responsible for the legality of the recordings (including any consent or notification requirements under national law).
6. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (including via the product UI and API configuration such as retention settings, fallback orders and BYOK keys).
- Ensure that persons authorised to process the Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex B and the Data Flows page).
- Not engage sub-processors without prior specific or general written authorisation (see clause 7 and Annex A).
- Assist the Controller with Data Subject requests and with Data Protection Impact Assessments where required, taking into account the nature of the processing.
- Notify the Controller without undue delay (and in any event within 48 hours of becoming aware) of any Personal Data breach and provide reasonable assistance in investigation and mitigation.
- Make available to the Controller all information necessary to demonstrate compliance and allow for audits (including by the Controller or an independent auditor bound by confidentiality).
- Delete or return all Personal Data at the end of the provision of services (or earlier upon written request), and certify deletion on request.
7. Sub-processors
The Controller hereby grants general authorisation for the engagement of the sub-processors listed in Annex A (as updated from time to time with notice). The Processor shall impose data protection obligations on sub-processors that are no less protective than those in this DPA and shall remain fully liable to the Controller for the performance of the sub-processor’s obligations.
The Processor shall inform the Controller of any intended addition or replacement of sub-processors (via in-product notice, email to the account owner, or update to the public Data Flows page), giving the Controller the opportunity to object.
8. International transfers
Where Personal Data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place, primarily Standard Contractual Clauses (SCCs) approved by the European Commission (or the UK Addendum where applicable) and, where available, participation in the EU-U.S. Data Privacy Framework. Details per sub-processor are maintained in Annex A and the public Data Flows page.
9. Deletion and return
On termination of the Services (or earlier written request) the Processor will delete all Personal Data from its systems within 30 days and will, upon request, provide written confirmation of deletion. Before termination the Controller can export its meetings from the product (currently one meeting at a time; a full workspace export can be requested). Note: automatic time-based retention/expiry is not currently a product feature — data is retained until deleted.
10. Security of processing
The Processor maintains the technical and organisational measures described in Annex B and on the public Data Flows page (container hardening, tenancy isolation, BYOK, encryption of secrets at rest, TLS in transit, audit logging, circuit breakers, least-privilege access, etc.). These measures are regularly reviewed and updated.
11. Assistance and cooperation
The Processor shall provide reasonable assistance to the Controller in fulfilling its obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation) and in responding to Data Subject requests.
12. Liability and indemnification
Liability is governed by the main agreement between the parties (including any liability caps). This DPA does not create additional liability beyond what is set out in the applicable terms.
13. Governing law and disputes
This DPA is governed by the laws of the Netherlands. Any dispute shall be submitted to the competent courts in the Netherlands, without prejudice to the Controller’s right to lodge a complaint with its supervisory authority.
Annex A — List of sub-processors (as of 15 June 2026)
The full current list, with locations, SCC/DPF status and whether the sub-processor can be bypassed via configuration or self-hosting, is published at /data-flows. The list below is a summary of the categories used when the Controller uses hosted Services.
- Infrastructure: Hetzner Cloud (Germany, EEA) — primary hosting and storage.
- DNS: Cloudflare (authoritative DNS only — it does not proxy traffic or see content).
- Transactional email: Resend (EU — Ireland / eu-west-1).
- Speech-to-text: Speechmatics (EU/Ireland), Microsoft Azure Speech (customer-selected EU region), Soniox (EU region available), Deepgram (EU endpoint; we opt out of their model-improvement program on every request), AssemblyAI (EU endpoint; a manual training opt-out is in progress), and optional local in-cluster transcription (no external transfer). The authoritative, current per-provider position — location and whether each can use data for training — is maintained on the Data Flows page.
- LLM / analysis: Anthropic, OpenAI, OpenRouter (US; per their API terms, content sent via the API is not used to train their models; BYOK available). See the Data Flows page for the current position.
Annex B — Technical and organisational measures (summary)
- Multi-tenant isolation enforced at every layer (organisation ID scoping on all queries and storage).
- Bring-Your-Own-Key for all AI providers (keys never visible to other customers; encrypted at rest with AES-256-GCM when the deployment's encryption key is configured).
- Container hardening: non-root execution (uid 1000), seccomp RuntimeDefault, all Linux capabilities dropped, privilege escalation disabled.
- TLS for all external and internal service communication.
- Comprehensive audit logging of access and changes (organisation-scoped).
- Provider circuit breakers, ordered fallbacks, and per-provider budgets to limit blast radius.
- Voiceprints and all derived artefacts scoped to the Controller’s workspace only.
- Per-meeting permanent deletion erases the meeting and everything tied to it — transcript, analysis, audio recordings and related records — in one transaction; whole-workspace erasure is carried out on request. Automatic time-based retention is not yet available.
- Staff access to customer content is strictly limited to explicit support requests or legal compulsion.
This document is provided for transparency and as a template. A signed, countersigned version (with company details, specific plan addenda, and current Annex A) is available upon request for customers on paid plans. For the most up-to-date sub-processor list and technical measures, always refer to the live Data Flows page.