# Data Processing Agreement (DPA) *Version 2026-06-15 · Between the Customer (as Controller) and Govannon, Netherlands (as Processor)* This is our standard GDPR Article 28 Data Processing Agreement. It applies to all hosted processing of personal data (audio recordings of meetings/sessions, transcripts, derived insights, voiceprints, and account data). Self-hosted deployments fall outside this DPA because no data is processed by us. ## 1. Parties and definitions - **Controller**: the organisation or individual that determines the purposes and means of the processing (you / the Customer). - **Processor**: Govannon, based in the Netherlands, acting on behalf of the Controller. - **Personal Data**, **Processing**, **Data Subject**, etc. have the meanings given in the GDPR. The services covered are the hosted Lexicanon platform (the "Services"). ## 2. Subject matter, nature and purpose The Processor processes Personal Data solely to provide the Services: real-time and batch speech-to-text transcription (with speaker diarization), generation of structured meeting analysis (summaries, decisions, action items), storage and retrieval of the above, and related account, billing and support functions. Processing is limited to what is necessary for the performance of the Services. ## 3. Duration This DPA is effective for the duration of the agreement for the Services. Upon termination the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies unless Union or Member State law requires storage. ## 4. Categories of data subjects and Personal Data - **Data subjects**: meeting participants (employees, contractors, guests), account administrators and users of the Controller's workspace. - **Types of Personal Data**: voice recordings (audio), derived transcripts, speaker labels/voiceprints (mathematical embeddings), names, email addresses, organisational metadata, and any other information the Controller or participants choose to record or enter (including potentially special categories of data if present in spoken content). ## 5. Obligations of the Controller The Controller warrants that it has a lawful basis for the processing and that it has provided appropriate information to Data Subjects. The Controller is responsible for the legality of the recordings (including any consent or notification requirements under national law). ## 6. Obligations of the Processor The Processor shall: - Process Personal Data only on documented instructions from the Controller (including via the product UI and API configuration such as retention settings, fallback orders and BYOK keys). - Ensure that persons authorised to process the Personal Data are bound by confidentiality. - Implement appropriate technical and organisational measures (see Annex B and the Data Flows page). - Not engage sub-processors without prior specific or general written authorisation (see clause 7 and Annex A). - Assist the Controller with Data Subject requests and with Data Protection Impact Assessments where required. - Notify the Controller without undue delay (and in any event within 48 hours of becoming aware) of any Personal Data breach and provide reasonable assistance. - Make available all information necessary to demonstrate compliance and allow for audits. - Delete or return all Personal Data at the end of the provision of services (or earlier upon written request), and certify deletion on request. ## 7. Sub-processors The Controller grants general authorisation for the engagement of the sub-processors listed in **Annex A** (as updated from time to time with notice). The Processor shall impose data protection obligations on sub-processors no less protective than those in this DPA and shall remain fully liable to the Controller for the performance of the sub-processor. The Processor shall inform the Controller of any intended addition or replacement of sub-processors (via in-product notice, email to the account owner, or update to the public Data Flows page), giving the opportunity to object. ## 8. International transfers Where Personal Data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place, primarily Standard Contractual Clauses (SCCs) approved by the European Commission (or the UK Addendum where applicable) and, where available, participation in the EU-U.S. Data Privacy Framework. Details per sub-processor are maintained in Annex A and the public Data Flows page. ## 9. Deletion and return On termination of the Services (or earlier written request) the Processor will delete all Personal Data from its systems within 30 days and will, upon request, provide written confirmation of deletion. Automatic time-based retention/expiry is not currently a product feature — data is retained until deleted. ## 10. Security of processing The Processor maintains the technical and organisational measures described in Annex B and on the public Data Flows page (container hardening, tenancy isolation, BYOK, encryption of secrets at rest, TLS in transit, audit logging, circuit breakers, least-privilege access, etc.). ## 11. Assistance and cooperation The Processor shall provide reasonable assistance to the Controller in fulfilling its obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation) and in responding to Data Subject requests. ## 12. Liability and indemnification Liability is governed by the main agreement between the parties (including any liability caps). This DPA does not create additional liability beyond what is set out in the applicable terms. ## 13. Governing law and disputes This DPA is governed by the laws of the Netherlands. Any dispute shall be submitted to the competent courts in the Netherlands, without prejudice to the Controller's right to lodge a complaint with its supervisory authority. ## Annex A — List of sub-processors (as of 15 June 2026) The full current list with locations, SCC/DPF status, and whether the sub-processor can be bypassed via configuration or self-hosting is published at [/data-flows.md](/data-flows.md). Summary of categories used on hosted Services: - **Infrastructure**: Hetzner Cloud (Germany, EEA) — primary hosting and storage. - **DNS**: Cloudflare (authoritative DNS only — it does not proxy traffic or see content). - **Transactional email**: Resend (EU — Ireland / eu-west-1). - **Speech-to-text**: Speechmatics (EU/Ireland), Microsoft Azure Speech (customer-selected EU region), Soniox (EU region available), Deepgram (EU endpoint; we opt out of their model-improvement program on every request), AssemblyAI (EU endpoint; a manual training opt-out is in progress), and optional local in-cluster transcription (no external transfer). - **LLM / analysis**: Anthropic, OpenAI, OpenRouter (US; per their API terms, content sent via the API is not used to train their models; BYOK available). ## Annex B — Technical and organisational measures (summary) - Multi-tenant isolation enforced at every layer (organisation ID scoping on all queries and storage). - Bring-Your-Own-Key for all AI providers (keys never visible to other customers; encrypted at rest with AES-256-GCM when the deployment's encryption key is configured). - Container hardening: non-root execution (uid 1000), seccomp RuntimeDefault, all Linux capabilities dropped, privilege escalation disabled. - TLS for all external and internal service communication. - Comprehensive audit logging of access and changes (organisation-scoped). - Provider circuit breakers, ordered fallbacks, and per-provider budgets to limit blast radius. - Voiceprints and all derived artefacts scoped to the Controller's workspace only. - Per-meeting permanent deletion erases the meeting and everything tied to it in one transaction; whole-workspace erasure is carried out on request. Automatic time-based retention is not yet available. - Staff access to customer content is strictly limited to explicit support requests or legal compulsion. *This document is provided for transparency and as a template. A signed, countersigned version (with company details, specific plan addenda, and current Annex A) is available upon request for customers on paid plans. For the most up-to-date sub-processor list and technical measures, always refer to the live [Data flows](/data-flows.md) page.* --- *Markdown edition for AI assistants — canonical page: [https://lexicanon.com/dpa](https://lexicanon.com/dpa) · Lexicanon.*