Data Processing Addendum
Last Updated: May 26, 2026
This Data Processing Agreement (“DPA“) is entered into by and between Jumpstart Ventures FZE, operating as VoiceDash (“Processor“), and the legal entity accessing or using the VoiceDash platform (“Controller” or “Customer“).
This DPA is legally binding and is incorporated by reference into the VoiceDash Terms of Service, Master Services Agreement, or any specific commercial agreement governing the Customer’s use of VoiceDash’s real-time voice-to-text dictation and transcription platform (the “Agreement“). By subscribing to, deploying, or utilizing the Services, Customer agrees to be bound by the terms and conditions of this DPA.
This DPA governs the Processing of Personal Data in connection with the services provided under the Agreement, ensuring compliance with Article 28 of the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (revFADP).
1. Definitions
- “Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR“) and the Swiss Federal Act on Data Protection (“revFADP“), as may be amended, superseded, or replaced.
- “Personal Data” means any information relating to an identified or identifiable natural person processed by VoiceDash on behalf of the Customer in the performance of the Services.
- “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, transcription, transmission, or deletion.
- “Sub-processor” means any third-party data processor engaged by VoiceDash to assist in the performance of the Services, which involves access to or processing of Customer Personal Data.
2. Scope and Details of Processing
The details of the Processing operations carried out by the Processor under this DPA (including categories of data subjects and types of personal data) are specified in Schedule 1 below.
3. Obligations of the Processor
The Processor covenants and agrees to handle all Personal Data in accordance with the following requirements:
Data Deletion or Return: Upon termination of the Services or at the choice of the Controller, Processor shall securely delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires retention of the Personal Data.
Instructions: Processor shall process Personal Data solely on behalf of, and in accordance with, the documented instructions of the Controller, including with respect to international data transfers, unless required to do so by applicable EU, Member State, or Swiss law. The Agreement and the Customer’s configuration of the platform constitute the Controller’s complete instructions.
Confidentiality: Processor ensures that all personnel authorized to process Personal Data have committed themselves to strict confidentiality or are under an appropriate statutory obligation of secrecy.
Security Measures: Processor shall implement appropriate technical and organizational measures (TOMs) as required under GDPR Article 32 and Swiss revFADP to ensure a level of security appropriate to the risks. These measures are designed to protect data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Assistance: Processor shall assist the Controller, taking into account the nature of the processing and the information available, in fulfilling the Controller’s obligations to respond to data subjects exercising their rights under Applicable Data Protection Law (GDPR Articles 15–22). Processor shall also assist in ensuring compliance with security obligations, data breach notifications, and data protection impact assessments (DPIAs).
Audit Rights: Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, upon reasonable prior notice and no more than once per calendar year.
4. Data Breach Notification
In the event of a confirmed personal data breach affecting Customer Personal Data on systems managed or controlled by VoiceDash, the Processor shall notify the Controller without undue delay, and in any case no later than 72 hours after becoming aware of the breach. The notification will contain descriptions of the breach nature, likely consequences, and mitigation steps taken or proposed.
5. Sub-processors
- Authorization: Controller grants a general written authorization to Processor to engage Sub-processors to perform parts of the Services. A complete list of current Sub-processors utilized by VoiceDash is set forth in Schedule 2.
- Subcontractor Standards: Processor shall impose data protection obligations upon any Sub-processor it engages that are no less restrictive than those imposed on the Processor under this DPA. Processor remains fully liable to the Controller for the performance of the Sub-processor’s obligations.
- Notification of Changes: Processor shall provide the Controller with notification of any intended changes concerning the addition or replacement of Sub-processors by updating Schedule 2 on this web page or via direct notification. The Controller may object to such changes on reasonable grounds within 14 days of publication. If the parties cannot resolve the objection, either party may terminate the affected Services.
6. International Data Transfers
To the extent that the performance of the Services involves a transfer of Personal Data outside the European Economic Area (EEA) or Switzerland to a country not recognized as providing an adequate level of protection, the Parties agree to rely on valid legal transfer mechanisms. Specifically, the standard contractual clauses (“SCCs“) approved by the European Commission (and adapted for Swiss revFADP compliance) are deemed incorporated into this online framework, supplemented by a Transfer Impact Assessment (TIA) where applicable, or relying on certified compliance under the EU-U.S. Data Privacy Framework.
SCHEDULE 1: DETAILS OF PROCESSING
Retention Period: Account data and metadata are retained for the duration of the subscription. For transcription data, VoiceDash employs transient processing via authorized API configurations; audio inputs and textual outputs are deleted or retained strictly based on user-driven account configurations and third-party data privacy parameters.
Data Exporter (Controller): The Customer using VoiceDash services.
Data Importer (Processor): Jumpstart Ventures FZE (VoiceDash), located at A5 Building, Dtec, Dubai Silicon Oasis, Dubai, UAE.
Categories of Data Subjects: Customer’s employees, contractors, clients, suppliers, or end-users whose voices or personal details may be included in dictations.
Types of Personal Data: Audio recordings, voice data, text transcripts, custom dictionary terms, email addresses, names, and account metadata.
Nature and Purpose of Processing: Provision of real-time voice-to-text dictation, natural language processing, automated formatting, punctuation cleanup, and custom template/snippet insertion as requested by the user.
SCHEDULE 2: APPROVED SUB-PROCESSORS
The Controller approves the use of the following Sub-processors for the delivery of VoiceDash Services:
| Sub-Processor | Purpose | Location / Processing Region |
| OpenAI Inc. | Natural Language Processing / Transcription Engine | USA |
| Groq, Inc. | High-speed Inference Architecture & Fast Transcription | USA |
| Cloudflare, Inc. | Cloud Infrastructure, WAF & Security Performance | USA |
| Hetzner Online GmbH. | Core Server Cloud Infrastructure | Germany / EU |
| Functional Software, Inc. (Sentry) | Application Performance & Error Management | USA |
| Metabase, Inc. | Internal Site and Product Analytics Platform | USA |
| Peaberry Software, Inc. (CustomerIO) | Transactional Emails & Product Lifecycle Updates | USA |
| RevenueCat Inc. | App Store Subscription & Receipt Validation | USA |
| Apple Inc. | Mobile App Deployment & Payment Infrastructure | USA |
| Stripe, Inc. | Web Core Payment Gateways & Billing Engine | USA |
Note on AI Processing Infrastructure (OpenAI and Groq): VoiceDash interfaces exclusively with verified developer and enterprise API pipelines. Data passed through these channels is processed transiently, structurally excluded from AI model training loops, and subject to contractually secure infrastructure timelines.
SCHEDULE 3: TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
Processor maintains technical and organizational measures designed to protect the confidentiality, integrity, and availability of Personal Data, including:
- Data Encryption: All Personal Data is encrypted in transit using industry-standard Transport Layer Security (TLS 1.3) and encrypted at rest using Advanced Encryption Standard (AES-256).
- Access Control: Strict logical access control limits access to production infrastructure to authorized personnel only, enforced via Multi-Factor Authentication (MFA) and the principle of least privilege.
- Transient Audio Processing: Voice dictation audio streams are processed in real-time. Audio files are passed to infrastructure through secure endpoints and are not stored permanently on storage drives following successful text output delivery.
- Vendor Management: Annual reviews of third-party certifications and data security architectures are maintained across all platform sub-processors.
