Data Processing Agreement
Last updated: 2026-06-01
In plain English: If you use Protokol in a context where GDPR applies (e.g. you are an EU/UK-regulated financial adviser), you need a Data Processing Agreement in place before we can process personal data on your behalf. This is that agreement. Print it, sign it, and give it to your compliance officer. Version: 2026-06-01.
This Data Processing Agreement (“DPA”) is entered into between the customer identified in the Protokol account (“Controller”) and Y. VERTA HOLDINGS LTD (company no. 516052958), trading as Protokol (“Processor”), and forms part of the Protokol Terms of Service.
§1. Definitions
- “GDPR” means the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679).
- “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, and “Supervisory Authority” have the meanings given in Article 4 of the GDPR.
- “Sub-processor” means any third-party processor engaged by the Processor to carry out Processing activities on behalf of the Controller.
- “Services” means the AI meeting-intelligence platform provided by the Processor under the Terms of Service.
§2. Subject matter and duration of processing
The Processor processes Personal Data solely to deliver the Services: joining, recording, transcribing, and analysing meetings; extracting compliance answers; drafting recap emails; and filing outputs to connected third-party services (Google Drive, CRM webhooks) as instructed by the Controller. Processing continues for the duration of the Controller’s active subscription and for up to 90 days thereafter, unless the Controller requests earlier deletion.
§3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (including those set out in this DPA and the Terms of Service), unless required to do so by law.
- Ensure that persons authorised to process Personal Data are subject to a binding duty of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR (see Annex III).
- Assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR, taking into account the nature of the Processing.
- Assist the Controller in ensuring compliance with Articles 32–36 of the GDPR, taking into account the nature of the Processing and the information available.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless storage is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or its auditor, on reasonable prior written notice (no less than 30 days).
- Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach affecting data processed under this DPA.
§4. Sub-processors
The Controller grants the Processor general authorisation under Article 28(2) of the GDPR to engage the sub-processors listed below. The Processor shall inform the Controller of any intended addition or replacement of a sub-processor by email to the registered account address at least 30 days before the change takes effect, giving the Controller the opportunity to object. The Processor shall impose data-protection obligations on each sub-processor equivalent to those in this DPA.
| Sub-processor | Purpose | Region |
|---|---|---|
| Google | Calendar & Drive integration; Gemini AI transcription/analysis | EU / US |
| Microsoft | Outlook calendar & Teams integration | EU / US |
| Supabase | Database, auth & file storage | EU (eu-central-1) |
| Brevo | Transactional email (recaps) | EU |
| Paddle | Payments (merchant of record) | EU / US |
| Hetzner | Meeting-bot server hosting | EU (Germany) |
| Vercel | Dashboard hosting & CDN | Global edge |
§5. International transfers
Where Personal Data is transferred outside the UK or EEA, the Processor shall ensure that appropriate safeguards are in place, including (as applicable) UK-approved Standard Contractual Clauses (“SCCs”) or the UK International Data Transfer Addendum to the EU SCCs (“UK Addendum”). The primary database and file storage are located in the EU (eu-central-1). Where a sub-processor processes data outside the EEA, the Processor shall obtain SCCs or equivalent safeguards and make them available to the Controller on request.
§6. Liability and indemnification
Each party’s liability under this DPA shall be subject to the limitations and exclusions set out in the Terms of Service. In the event of a claim by a Data Subject, the parties shall cooperate in good faith to allocate responsibility. To the extent permitted by applicable law, the Processor’s aggregate liability for breaches of this DPA shall not exceed the fees paid by the Controller in the 12 months preceding the event giving rise to the claim.
§7. Governing law
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales, except where another Supervisory Authority has mandatory jurisdiction. Nothing in this clause affects a Data Subject’s right to seek redress before a Supervisory Authority or court in their country of residence.
Annex I: Parties
Controller: The individual or organisation identified in the Protokol account. Contact: as provided during sign-up.
Processor: Y. VERTA HOLDINGS LTD (company no. 516052958), trading as Protokol. Contact: support@getprotokol.app.
Annex II: Description of Processing
- Categories of Data Subjects: financial advisers and other professionals (account holders); their clients; and other meeting participants whose voice or information appears in processed meetings.
- Categories of Personal Data: audio recordings; meeting transcripts; speaker labels; calendar event metadata (title, time, attendees, meeting link); compliance and intake questionnaire answers; account and profile data (name, email).
- Special categories (if any): none intentionally collected; the Controller is responsible for ensuring that no special category data is introduced into meetings processed by the Service unless a separate written agreement is in place.
- Purpose of Processing: AI-powered meeting intelligence — transcription, summarisation, compliance-answer extraction, follow-up drafting, and filing.
- Duration: Subscription term plus 90 days post-termination, unless the Controller requests earlier deletion or applicable law requires longer retention.
Annex III: Technical and Organisational Measures
- Encryption in transit: All data is transmitted over TLS 1.2+. API endpoints enforce HTTPS; plain-HTTP requests are redirected.
- Encryption at rest: Data at rest is encrypted using AES-256 via Supabase (backed by AWS in eu-central-1).
- Data residency: Primary database and file storage located in EU (eu-central-1, Frankfurt).
- Access controls: Row-Level Security (RLS) enforced at the database layer ensures each tenant can access only their own data. Service-role keys are never exposed to the browser.
- Audit logging: An append-only audit trail records key data-access and processing events. Audit records cannot be modified or deleted by application code.
- Personnel: Access to production data is limited to authorised personnel on a need-to-know basis. All personnel with access are subject to a duty of confidentiality.
- Incident response: The Processor maintains an incident-response procedure and will notify the Controller of a Personal Data breach within 72 hours of becoming aware, in accordance with Article 33 of the GDPR.
- Vulnerability management: Dependencies are regularly reviewed for known vulnerabilities. Security patches are applied on a risk-prioritised basis.
Questions about this DPA? Email support@getprotokol.app.
© 2026 Protokol. All rights reserved.