Data Processing Addendum

Last updated: 13 April 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Speax ("Processor") and the customer ("Controller") who accesses the Speax platform. It governs the processing of personal data carried out on behalf of the Controller.

This page provides a summary of Speax's DPA terms. Enterprise customers requiring a countersigned, executed DPA should contact legal@speax.ai.

1. Scope and parties

This DPA applies where Speax processes personal data on behalf of a customer that is a controller within the meaning of GDPR Art. 4(7). It supplements the Terms of Service and takes precedence in the event of conflict regarding data processing.

2. Controller / Processor roles

The customer is the Controller of personal data inputted into the Service. Speax acts as the Processor when processing that data to deliver the Service. Where Speax processes data for its own purposes (e.g., platform security, billing), it acts as a Controller under its Privacy Policy.

3. Details of processing

  • Subject matter: provision of the Speax AI agent platform.
  • Duration: for the term of the customer's subscription, plus the retention period set out in the Privacy Policy.
  • Nature and purpose: processing prompts, session content, and uploaded files to operate the AI agent, execute tasks in sandboxes, and return results to the user.
  • Categories of data subjects: the customer's end users (including the customer if they are an individual user).
  • Categories of personal data: any personal data contained in prompts, files, or instructions submitted to the Service.

4. Processor obligations

Speax shall, as Processor:

  • Process personal data only on the documented instructions of the Controller (i.e., to operate the Service as described).
  • Ensure persons authorized to process data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures per GDPR Art. 32.
  • Not engage sub-processors without prior authorization (see Section 5).
  • Assist the Controller with data subject rights requests to the extent reasonably practicable.
  • Delete or return personal data at the end of the service relationship.
  • Provide all information necessary to demonstrate compliance and allow for audits (Section 10).

5. Subprocessors

The Controller provides general written authorization for the use of subprocessors. Speax maintains a current list of subprocessors at speax.ai/subprocessors.

Speax will provide 30 days' notice of any new subprocessor by updating the subprocessors page. The Controller may object to a new subprocessor on reasonable grounds within 14 days; if Speax cannot accommodate the objection, either party may terminate the relevant services.

6. Standard Contractual Clauses

For transfers of personal data to third countries (including the United States), Speax relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission in June 2021 (Module 2: Controller to Processor). These are incorporated by reference into this DPA and apply to transfers to subprocessors in third countries.

Where the UK GDPR applies, the relevant UK International Data Transfer Addendum (IDTA) or UK SCCs apply.

7. Security measures

Speax implements and maintains the following technical and organizational measures:

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Access controls with principle of least privilege.
  • Regular vulnerability scanning and penetration testing.
  • Audit logging of privileged access.
  • Sandbox isolation: each agent session runs in an isolated Firecracker microVM.
  • Incident response procedures with defined escalation paths.

8. Data subject assistance

Where a data subject exercises rights (access, erasure, portability, etc.) directly against Speax, Speax will promptly notify the relevant Controller. Speax will provide reasonable technical assistance to the Controller in responding to such requests. The Controller remains responsible for responding to data subjects.

9. Breach notification

In the event of a personal data breach involving Controller data, Speax will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include, to the extent available, the information required under GDPR Art. 33(3).

10. Audits

Speax will provide all information necessary to demonstrate compliance with this DPA. The Controller may request an audit no more than once per calendar year, with 30 days' notice, and at the Controller's cost. Alternatively, Speax may provide a summary of a third-party audit (e.g., SOC 2 report) to satisfy audit requirements.

11. Deletion on termination

Upon termination of the service relationship, Speax will delete all Controller personal data within 30 days, except where retention is required by law. Speax will provide written confirmation of deletion upon request.

12. Full DPA execution

Enterprise customers, businesses requiring a countersigned DPA, or customers subject to specific regulatory requirements should contact legal@speax.ai to request a full executed DPA document.
