Data Processing Addendum (DPA)
Effective date: 2026-05-29 · Last updated: 2026-05-29 · Version 1.0
This Data Processing Addendum (“DPA”) forms part of the agreement between iKingdom LLC d/b/a Acts 2 (the “Processor” or “Acts 2”) and the customer identified in the relevant order form or account (the “Controller” or “Customer”) where Acts 2 processes Personal Data on the Customer's behalf.
This DPA is intended to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR and the UK Data Protection Act 2018, Brazil's Lei Geral de Proteção de Dados (Law 13,709/2018, “LGPD”), India's Digital Personal Data Protection Act, 2023 (“DPDPA”), and to provide a framework consistent with the US Health Insurance Portability and Accountability Act (“HIPAA”) for healthcare customers.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. “Personal Data,” “Data Subject,” “Processing,” “Controller,” “Processor,” and “Personal Data Breach” have the meanings in GDPR Article 4. “Standard Contractual Clauses” or “SCCs” means the European Commission's Decision 2021/914 of 4 June 2021 modules as applicable. “UK IDTA” means the UK International Data Transfer Addendum.
2. Roles and scope
The parties agree that, in respect of Personal Data processed by Acts 2 on the Customer's behalf in connection with the Services:
- The Customer is the Controller (or Processor on behalf of a third-party Controller).
- Acts 2 is the Processor (or Sub-Processor where the Customer acts as a Processor for its end clients).
- This DPA applies only to Processing carried out under the Customer's documented instructions, which include the Terms of Service, this DPA, the Customer's configuration of the Services, and any written instructions sent to contact@acts2.io.
- Acts 2 acts as a separate Controller for billing and accounting data, for security telemetry necessary to protect the Services, and for limited internal analytics that do not single out end-users.
2.1 Processing details (Annex I summary)
- Subject matter: provision of AI translation, transcription, dubbing, and voice-cloning Services to the Customer.
- Duration: the term of the underlying agreement plus a 30-day grace period for returning or deleting Personal Data.
- Nature and purpose: storage, transmission, transcription, translation, voice-embedding generation, voice synthesis, captioning, audit logging.
- Types of Personal Data: account contact data, voice recordings, voiceprints, derived cloned-voice models, transcripts, translations, captions, technical telemetry.
- Special category data (GDPR Art. 9): voice biometric data when used for cloning, plus any sensitive content embedded in audio (which the Customer is responsible for identifying and for establishing a lawful basis to process).
- Categories of Data Subjects: the Customer's employees, members, congregants, students, patients, clients, end users, and any Speakers whose voice the Customer authorises Acts 2 to process.
- Retention: as set out in our Privacy Policy Section 10.
3. Processing on documented instructions
Acts 2 will process Personal Data only on the Customer's documented instructions, including with regard to transfers to third countries, unless required to do otherwise by Union or Member State law to which Acts 2 is subject, in which case Acts 2 will inform the Customer of that legal requirement before Processing, unless that law prohibits such notice on important grounds of public interest (GDPR Art. 28(3)(a)).
Acts 2 will immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or applicable Union or Member State data-protection provisions (GDPR Art. 28(3)).
4. Confidentiality
Acts 2 ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (GDPR Art. 28(3)(b)).
5. Security of Processing (GDPR Art. 32)
Acts 2 implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256);
- Access control — single sign-on, multi-factor authentication, role-based access, quarterly access reviews;
- Network security — segmented environments, web application firewall, DDoS mitigation;
- Logging and monitoring — audit logs retained 12 months hot and up to 7 years cold, tamper-evident;
- Vulnerability management — monthly scans, 30-day critical-patch SLA, annual third-party penetration test;
- Secure development — code review, dependency scanning, secret scanning, separation of duties;
- Personnel — background checks for production access, annual security and privacy training;
- Resilience — documented incident-response plan with annual tabletop exercise, disaster-recovery procedures;
- Certifications — SOC 2 Type II readiness in progress; HIPAA-aligned controls available to Pro-clinical tenants.
Customer acknowledges that the security measures are subject to technical progress and may be updated, provided that any change does not materially reduce the level of protection.
6. Subprocessors
Customer grants Acts 2 a general authorisation (GDPR Art. 28(2)) to engage subprocessors. Acts 2 will:
- Maintain a current list of subprocessors at the URL acts2.io/privacy#subprocessors and mirrored in this DPA;
- Provide at least 30 days' prior notice of any addition or replacement of a subprocessor, by email to the account administrator;
- Permit the Customer to object on reasonable, documented data-protection grounds within that notice period. If a good-faith resolution cannot be reached, the Customer may terminate the affected portion of the Services for the unresolved objection;
- Impose contractual data-protection obligations on each subprocessor that are no less protective than those in this DPA.
6.1 Current subprocessors
The following subprocessors process Personal Data on Acts 2's behalf:
- Supabase, Inc. — database, authentication, file storage (United States).
- ElevenLabs, Inc. — voice cloning and text-to-speech (United States).
- Deepgram, Inc. — real-time speech-to-text transcription (United States).
- Mux, Inc. — recorded video and audio hosting and delivery (United States).
- LiveKit, Inc. — real-time audio routing (United States).
- Anthropic, PBC — translation via Claude (United States).
- OpenAI, L.L.C. — optional transcription via Whisper (United States).
- Stripe, Inc. — payments (United States, PCI DSS).
- Vercel, Inc. — hosting, edge compute, speed insights (United States).
- Resend, Inc. — transactional email delivery (United States).
7. Assistance with Data Subject rights
Acts 2 will, taking into account the nature of Processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests for exercising Data Subject rights under GDPR Articles 15-22, equivalent LGPD Article 18 rights, and DPDPA section 12 rights (GDPR Art. 28(3)(e)).
Customer can manage most Data Subject requests via the Acts 2 dashboard (export, deletion, voice-clone revocation). For requests that cannot be self-served, the Customer should contact contact@acts2.io, and Acts 2 will respond within 14 days.
8. Data Protection Impact Assessments and consultation
Acts 2 will provide the Customer with the information reasonably required to support its Data Protection Impact Assessments under GDPR Art. 35 and consultations with supervisory authorities under GDPR Art. 36, including model cards, security descriptions, and details on watermarking and provenance signals (GDPR Art. 28(3)(f)).
9. Personal Data Breach notification
Acts 2 will notify the Customer of any Personal Data Breach affecting the Customer's data without undue delay and in any event within 72 hours of becoming aware (GDPR Art. 33(2)). The notification will include, to the extent then known, the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach and mitigate its possible adverse effects.
Acts 2's notification is not an acknowledgement of fault or liability.
10. Audit rights
Customer may, no more than once per twelve-month period (and, in addition, after any confirmed Personal Data Breach), exercise audit rights as follows:
- Acts 2 will make available to the Customer its current SOC 2 Type II report (once obtained), penetration test summary, and any relevant certifications, under NDA;
- Customer may submit a written audit questionnaire (e.g., CAIQ-Lite) and Acts 2 will respond within 30 days;
- For Enterprise-tier customers with a signed order form, on-site or remote audits may be arranged on at least 30 days' notice, at the Customer's expense, subject to commercially reasonable confidentiality and security restrictions, during normal business hours, and not exceeding two business days in duration;
- If audit findings reveal a material breach of this DPA, Acts 2 will bear the reasonable cost of remediation and of a follow-up audit.
These rights satisfy GDPR Art. 28(3)(h).
11. International transfers
Where the Customer's use of the Services causes Personal Data to be transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties will rely on the 2021 EU Standard Contractual Clauses (Module 2: Controller to Processor, or Module 3: Processor to Sub-Processor, as applicable), incorporated by reference into this DPA and supplemented by the UK IDTA where required, and by the Swiss FDPIC guidance for Switzerland.
Acts 2 will, on request, provide a Transfer Impact Assessment (TIA) consistent with the EDPB's Recommendations 01/2020 and provide supplementary measures as appropriate (encryption-in-transit and at-rest, contractual challenges to disproportionate government access requests, transparency reports). For US-government access requests (FISA 702, EO 12333, CLOUD Act), Acts 2 will, to the extent legally permissible, notify the Customer and challenge overly broad requests.
EU/UK customers may request execution of a separately signed DPA + SCCs by emailing contact@acts2.io.
12. HIPAA framing (US healthcare customers)
Customers that are HIPAA Covered Entities or Business Associates and intend to process Protected Health Information (PHI) through the Services must execute our separate Business Associate Agreement (BAA) prior to such Processing. The BAA includes, at minimum:
- Voice and voiceprints treated as PHI when associated with patient identifiers;
- No use of PHI for model training without separate written authorization;
- Subcontractor BAA flow-down to ASR, TTS, LLM, hosting, and telephony subprocessors;
- Breach notification within 60 days (HIPAA) and within 30 days where contractually required;
- PHI deletion within 30 days of termination with cryptographic attestation;
- US-only data residency for clinical tenants.
13. Return or deletion of Personal Data
Upon the Customer's choice, at the end of the provision of the Services Acts 2 will delete or return all Personal Data to the Customer, and delete existing copies unless Union or Member State law requires storage of Personal Data (GDPR Art. 28(3)(g)). Default timeline: 30 days from termination, with cryptographic attestation on request.
14. Liability and order of precedence
Each party's liability arising under this DPA is subject to the limitation-of-liability provisions of the main agreement (see Terms of Service Section 14). In the event of conflict, the order of precedence is: (1) Standard Contractual Clauses where applicable; (2) this DPA; (3) the Terms of Service.
15. Changes to this DPA
Acts 2 may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or our processing operations. Material changes will be communicated to active customers at least 30 days before they take effect.
16. Contact
For DPA execution, SCC signature, subprocessor objections, or audit requests:
Acts 2 / iKingdom LLC — Delaware, United States
Email: contact@acts2.io (Subject: DPA)
Questions about this document?
Email us at contact@acts2.io. For data-subject requests (GDPR, CCPA, LGPD, DPDPA) please put “Data Request” in the subject line and include the email address associated with your account.