Data Processing Agreement

This Data Processing Agreement (“DPA”) describes how [Legal Entity Name] (“CapCue”) processes personal data and supplements our Terms of Service. It is intended for business and organizational customers, and for users in the EEA, UK, and Switzerland.

For most individual users, CapCue is the “controller” of the limited personal data described in our Privacy Policy. Where you use CapCue to process personal data on behalf of your organization or other individuals (for example, transcribing meetings for your company), you are the “controller” and CapCue acts as your “processor” for that data. This DPA governs that processor relationship.

Subject matter: provision of real-time captioning and related AI features. Duration: for the term of your use of the Service. Nature and purpose: capturing system audio you choose to transcribe, generating captions, and (where you invoke them) interview answers and summaries.

Types of data: audio you choose to capture during a session, the resulting transcript text, and any résumé/job-description text you provide. Note that transcripts and recordings are stored on your device, not on CapCue’s servers. Categories of data subjects: you and any individuals whose voices are present in the audio you capture.

We will: process personal data only on your documented instructions (including those given by using the Service) and as required by law; ensure persons authorized to process the data are bound by confidentiality; implement appropriate technical and organizational security measures; assist you, taking into account the nature of processing, with data-subject requests and with your security, breach-notification, and impact-assessment obligations; and notify you without undue delay after becoming aware of a personal-data breach affecting your data.

You authorize CapCue to engage the following sub-processors to deliver the Service:

AssemblyAI — real-time speech-to-text. OpenAI — interview answers and session summaries. Supabase — authentication, database, and backend functions. Google — calendar access (only if you connect it). Plus our website hosting, DNS/CDN, and transactional email providers.

We impose data-protection obligations on each sub-processor consistent with this DPA and remain responsible for their performance. We will give you a means to learn of changes to this list and an opportunity to object to a new sub-processor on reasonable data-protection grounds.

Some sub-processors process data in the United States and other countries. Where personal data is transferred out of the EEA, UK, or Switzerland, the transfer is made under an appropriate safeguard, such as the European Commission’s Standard Contractual Clauses (and the UK Addendum / Swiss amendments where applicable).

Because transcripts and recordings are stored on your device, you retain direct control over that content and can delete or export it yourself. For data we hold on your behalf, we will, on your instruction and on termination, delete or return it, except where retention is required by law.

On reasonable request, we will make available information necessary to demonstrate compliance with this DPA and contribute to audits, subject to reasonable confidentiality and frequency limits.

This page describes our standard processing terms. If your organization requires a countersigned DPA (for example, to meet GDPR Article 28 procurement requirements), contact support@capcue.ai and we will provide one for execution.