Effective Date: April 15, 2026 · Version: 1.0
This Data Processing Agreement ("DPA") supplements and forms part of the SpotWhisper Terms of Service (the "Agreement") between SpotWhisper LLC ("SpotWhisper," "we," "us," "Processor") and the customer identified on an order form or account registration ("Customer," "Controller," "you"). This DPA governs SpotWhisper's Processing of Personal Data on Customer's behalf.
If there is any conflict between this DPA and the Agreement, this DPA governs to the extent of the conflict for matters relating to data protection.
Capitalized terms not defined here have the meaning given in the Agreement or the applicable Data Protection Laws.
2.1 Customer is the Controller. Customer determines the purposes and means of Processing Customer Data and is solely responsible for: (a) the lawfulness of the Processing; (b) obtaining all required consents, including from parties whose voice or conversation is recorded using the Services; (c) the accuracy and legality of Customer Data; (d) ensuring Customer has the right to transmit the Customer Data to SpotWhisper; and (e) responding to Data Subject requests directed at Customer.
2.2 SpotWhisper is the Processor. SpotWhisper Processes Customer Data only on documented instructions from Customer as set out in the Agreement, this DPA, and Customer's use of the Services.
2.3 Recording consent. Customer acknowledges that in certain jurisdictions (including two-party consent U.S. states such as CA, CT, FL, IL, MD, MA, MT, NH, PA, WA, and comparable jurisdictions under the GDPR), the recording of conversations requires consent from all parties. Customer is solely responsible for obtaining such consent before initiating any recording through the Services.
3.1 Subject matter. SpotWhisper Processes Customer Data to provide the Services, including audio ingestion, automated speech-to-text transcription, AI-based extraction of structured CRM fields (contact details, objections, next steps, sentiment), storage, and — where Customer authorizes — synchronization with third-party CRM systems (e.g., HubSpot).
3.2 Duration. Processing continues for the term of the Agreement and the additional retention periods set out in Section 7.
3.3 Nature and purpose. Automated storage, transcription, analysis, and transmission of voice recordings and derived metadata to support Customer's sales and customer-relationship workflows.
3.4 Categories of Data Subjects. (i) Customer's authorized users (employees, contractors); (ii) third parties whose voice, name, contact information, or conversation content is captured in recordings made by Customer's users (e.g., Customer's prospects and clients).
3.5 Categories of Personal Data. Voice recordings, transcripts, contact identifiers (name, phone, email) if mentioned or entered, account credentials, usage metadata, IP addresses, and any other Personal Data Customer chooses to submit.
3.6 Special Category Data. Customer shall not submit special category data (as defined in GDPR Article 9) through the Services unless Customer has obtained the explicit consent of the Data Subject and has notified SpotWhisper in writing.
4.1 SpotWhisper Processes Customer Data only: (a) to provide, maintain, and improve the Services; (b) as documented in the Agreement and this DPA; (c) on written instructions from Customer, including via Customer's use of the Services' features; and (d) as required by applicable law, in which case SpotWhisper will notify Customer in advance unless legally prohibited.
4.2 SpotWhisper will promptly notify Customer if, in its opinion, an instruction from Customer violates Applicable Data Protection Laws.
4.3 SpotWhisper will not "sell" or "share" (as those terms are defined under the CCPA/CPRA) Customer Data, and will not Process Customer Data for any purpose other than the specific business purposes set out in this DPA.
4.4 No combination; deidentification. SpotWhisper will not combine Customer Data with personal information received from or on behalf of any other person, or collected from its own interaction with any individual, except as expressly permitted by the CCPA/CPRA or other Applicable Data Protection Laws. If SpotWhisper deidentifies any Customer Data, SpotWhisper will (a) not attempt to reidentify it, (b) take commercially reasonable measures to maintain it in deidentified form, and (c) contractually obligate any recipient of deidentified data to the same commitments.
4.5 Law enforcement and government requests. If SpotWhisper receives a legally binding request for disclosure of Customer Data from a law enforcement or government authority, SpotWhisper will use commercially reasonable efforts to notify Customer before disclosing the data, unless SpotWhisper is legally prohibited from doing so. SpotWhisper will disclose only the minimum Customer Data required to comply with the request.
4.6 Legally required Processing. If Applicable Data Protection Laws require SpotWhisper to Process Customer Data for a reason other than providing the Services, SpotWhisper will use commercially reasonable efforts to inform Customer in advance of such Processing, unless legally prohibited from doing so.
4.7 CCPA cessation notice. If SpotWhisper determines that it can no longer meet its obligations as a "service provider" or "processor" under the CCPA/CPRA or other Applicable Data Protection Laws, SpotWhisper will notify Customer without undue delay.
4.8 Customer-connected third-party services. Where Customer elects to connect the Services to a third-party system (for example, by authorizing a HubSpot OAuth integration), that third-party system operates under Customer's direct relationship with its provider. Such third-party providers are not Subprocessors of SpotWhisper under this DPA; Customer is responsible for the data protection terms governing its use of those services. SpotWhisper's responsibility is limited to the secure transmission of Customer-authorized data to such third-party systems.
5.1 General authorization. Customer provides general authorization for SpotWhisper to engage Subprocessors. The current list of Subprocessors is set out in Schedule 1 and maintained at spotwhisper.com/legal/subprocessors.
5.2 New Subprocessors. SpotWhisper maintains the current list of Subprocessors at spotwhisper.com/legal/subprocessors, and Customer agrees that this publicly-maintained list is the primary mechanism for notification of Subprocessor changes. SpotWhisper will use commercially reasonable efforts to update the list before engaging a new Subprocessor. Customer is responsible for periodically reviewing the list for material changes. If Customer has a reasonable objection to a new Subprocessor on data protection grounds, Customer may notify SpotWhisper within 30 days of the list update; if the objection cannot be resolved, Customer may terminate the affected portion of the Services with a pro-rata refund of prepaid fees.
5.3 Subprocessor obligations. SpotWhisper will impose data protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains liable to Customer for each Subprocessor's performance of those obligations.
6.1 Technical and organizational measures. SpotWhisper maintains the technical and organizational security measures set out in Schedule 2, designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
6.2 Access controls. Access to Customer Data is restricted to personnel with a legitimate need-to-know, subject to confidentiality obligations and role-based access controls.
6.3 Encryption. Customer Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent) using the facilities of SpotWhisper's infrastructure Subprocessors.
6.4 Personnel. SpotWhisper will ensure that all personnel authorized to Process Customer Data: (a) are subject to written obligations of confidentiality or are under an appropriate statutory obligation of confidentiality; (b) receive training on data protection obligations appropriate to their role; and (c) access Customer Data only on a need-to-know basis.
7.1 Retention periods.
7.2 Customer-directed deletion. Users may request earlier deletion of any of their personal information by emailing support@spotwhisper.com. SpotWhisper will honor validated deletion requests within 30 days.
7.3 Termination. On expiration or termination of the Agreement, SpotWhisper will, at Customer's option, delete or return all Customer Data within 30 days, except to the extent SpotWhisper is required by applicable law to retain it.
8.1 SpotWhisper will, taking into account the nature of the Processing, provide reasonable assistance to Customer (through appropriate technical and organizational measures, insofar as possible) to enable Customer to respond to Data Subject requests to exercise rights of access, rectification, erasure, restriction, portability, and objection under Applicable Data Protection Laws.
8.2 If SpotWhisper receives a Data Subject request directly, SpotWhisper will (unless legally prohibited) promptly forward it to Customer and will not respond except on Customer's instruction or as required by law.
8.3 Data Protection Impact Assessments. SpotWhisper will provide reasonable assistance to Customer, at Customer's expense, with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Applicable Data Protection Laws (including GDPR Articles 35 and 36).
9.1 SpotWhisper will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a Personal Data Breach affecting Customer Data.
9.2 The notification will, to the extent known, include: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects and records affected; (c) the likely consequences; (d) measures taken or proposed to address the breach and mitigate its effects; and (e) contact details for further information.
9.3 SpotWhisper will reasonably cooperate with Customer's investigation and response.
10.1 SpotWhisper primarily Processes Customer Data on infrastructure located in the United States. Customer acknowledges and consents to this processing location.
10.2 EU/UK/Swiss transfers. Where Customer transfers Personal Data of EU, UK, or Swiss Data Subjects to SpotWhisper, the parties agree that:
10.3 SpotWhisper will implement supplementary measures where required by applicable law or guidance from supervisory authorities.
11.1 SpotWhisper will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including through its security documentation, responses to security questionnaires, and, where available, third-party audit reports.
11.2 Customer may, no more than once per 12-month period (and at Customer's expense), request an audit on 30 days' prior written notice, conducted during business hours and subject to confidentiality obligations. Audits may be conducted through a mutually-agreed independent third-party auditor.
12.1 Each party's liability under this DPA is subject to the liability limitations in the Agreement, except where mandatory Applicable Data Protection Laws provide otherwise.
13.1 Governing law. This DPA is governed by the governing law of the Agreement, except where Applicable Data Protection Laws require otherwise.
13.2 Severability. If any provision is held unenforceable, the remaining provisions remain in full force and effect.
13.3 Updates. SpotWhisper may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or the Services. The current version will always be available at spotwhisper.com/legal/dpa. Material changes will be notified via email or in-product notice at least 15 days before they take effect.
Questions about this DPA may be directed to:
SpotWhisper LLC
The following Subprocessors are authorized as of the effective date of this DPA:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States |
| Deepgram | Automated speech-to-text transcription | United States |
| Anthropic | AI-based extraction of structured data from transcripts | United States |
| Stripe | Payment processing and subscription billing | United States |
| Resend | Transactional email delivery | United States |
| HubSpot | CRM synchronization (only where Customer connects their HubSpot account) | United States |
| Vercel | Application hosting and content delivery | United States |
| GlitchTip | Error monitoring and diagnostics | United States |
| Termly | Legal policy management and consent banner | United States |
| Google Analytics (GA4) | Website analytics and usage metrics | United States |
| Vercel Analytics | Performance monitoring and web analytics | United States |
The current, authoritative list is maintained at spotwhisper.com/legal/subprocessors.
SpotWhisper implements the following technical and organizational measures to protect Customer Data:
SpotWhisper reviews and updates these measures periodically to maintain a level of security appropriate to the risks of the Processing.