Data Processing Addendum

How Gizmo Labs Inc. (OpenWhispr) processes personal data on behalf of its customers. Customer content is never used to train AI models (Section 3).

Effective July 17, 2026 · Version 1.0

About this Addendum

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the OpenWhispr Terms of Service or, where one exists, the master services or enterprise agreement between the customer that has entered into it (the "Customer", "Controller") and Gizmo Labs Inc. (the "Agreement"). It applies whenever Gizmo Labs Inc., a company incorporated in Delaware, with its registered address at 221 W 9th Street, Wilmington, Delaware 19801 ("OpenWhispr", "Processor"), processes Personal Data on behalf of the Customer in the course of providing the OpenWhispr services (the "Services"). No signature is required for this DPA to take effect; signature blocks are provided for customers whose procurement requires an executed copy. Where this DPA conflicts with the Agreement on data protection matters, this DPA prevails; where this DPA conflicts with the SCCs (or the UK Addendum) in respect of a Restricted Transfer, the SCCs (or the UK Addendum) prevail to the extent of the conflict. Notices under this DPA go to the parties' account contacts and, for OpenWhispr, to support@openwhispr.com.

1. Definitions

Capitalised terms not defined here have the meaning given in Data Protection Law. "Data Protection Law" means all laws applicable to the processing of Personal Data under the Agreement, including the EU GDPR (Regulation (EU) 2016/679), the UK GDPR and Data Protection Act 2018, the Swiss FADP, and applicable US state privacy laws (including the CCPA/CPRA). "SCCs" means the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914. "UK Addendum" means the ICO's International Data Transfer Addendum to the EU SCCs. " Restricted Transfer" means a transfer of Personal Data to a third country lacking an adequacy decision. "Sub-processor" means a third party engaged by OpenWhispr to process Personal Data on the Controller's behalf.

2. Scope and roles

OpenWhispr processes Personal Data only as a processor on behalf of the Customer. The subject-matter, duration, nature and purpose of processing, the types of Personal Data and categories of data subjects are set out in Annex 1. For clarity: where end users run OpenWhispr in local-only mode or with their own model API keys ("bring your own key"), audio and transcription/inference content are sent directly from the user's device to the user's chosen provider or processed on-device; those content flows are directed by the user, and the third-party providers involved act on the user's instructions, not as OpenWhispr Sub-processors. Account data, cloud sync (where enabled), usage and billing data remain processed by OpenWhispr and its Sub-processors under this DPA in all modes. OpenWhispr may also process data that has been aggregated and de-identified so that it is no longer Personal Data (for example, service performance metrics) to operate, secure and improve the Services, and will not attempt to re-identify it.

3. No AI training on Customer Data

OpenWhispr will not use Customer Personal Data — including voice audio, transcriptions, notes, prompts and AI-agent conversations — to train, retrain or improve any artificial intelligence or machine learning model, whether OpenWhispr's own or a third party's, and does not permit its Sub-processors to do so. The model providers listed in Annex 3 process such content solely to provide the Services, with training disabled or opted out for OpenWhispr's accounts. This restriction survives termination of the Agreement.

4. Processor obligations

OpenWhispr will:

  1. process Personal Data only on documented instructions from the Customer (the Agreement, this DPA, and the Customer's configuration of the Services constitute such instructions), including for transfers, unless required by law to which OpenWhispr is subject — in which case OpenWhispr informs the Customer of that legal requirement before processing, unless legally prohibited;
  2. ensure persons authorised to process Personal Data are bound by confidentiality obligations;
  3. implement the technical and organisational security measures set out in Annex 2 and keep them under periodic review;
  4. assist the Customer, taking into account the nature of processing, with data-subject requests, security, breach notification, data protection impact assessments and prior consultation (Sections 6–9);
  5. at the Customer's choice, delete or return all Personal Data at the end of the Services and delete existing copies within 30 days, unless law to which OpenWhispr is subject requires retention;
  6. make available information reasonably necessary to demonstrate compliance and allow and contribute to audits per Section 10; and
  7. immediately inform the Customer if, in OpenWhispr's opinion, an instruction infringes Data Protection Law.

5. Sub-processing

The Customer grants OpenWhispr general written authorisation to engage Sub-processors. The current list is set out in Annex 3 and published on the OpenWhispr trust center at trust.openwhispr.com (Subprocessors section). OpenWhispr imposes data protection obligations on each Sub-processor equivalent to those in this DPA (including transfer obligations) and remains liable for their performance. OpenWhispr gives the Customer at least 30 days' prior written notice of intended additions or replacements (by email to the Customer's account owner, and by updating the published list), during which the Customer may object on reasonable, documented data-protection grounds. If the parties cannot resolve an objection, the Customer may terminate the affected Services and receive a pro-rata refund of any prepaid fees for the terminated Services.

6. Security

OpenWhispr maintains the measures in Annex 2, appropriate to the risk, taking account of the state of the art and the nature of the Personal Data. Voice audio processed through the cloud transcription path is processed in real time and not persisted by OpenWhispr after transcription.

7. Personal data breach

OpenWhispr notifies the Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data breach affecting the Customer's Personal Data, providing the information the Customer reasonably needs to meet its own notification obligations, and cooperates on remediation.

8. Data-subject requests

Taking into account the nature of the processing, OpenWhispr assists the Customer by appropriate technical and organisational measures in responding to requests to exercise data-subject rights (access, rectification, erasure, restriction, portability, objection). End users can self-serve export and deletion in-product; requests received directly by OpenWhispr that identify the Customer's organisation are forwarded to the Customer without undue delay.

9. DPIAs and prior consultation

OpenWhispr provides reasonable assistance with data protection impact assessments and prior consultation with supervisory authorities, to the extent the required information is available to OpenWhispr.

10. Audit

OpenWhispr makes available on request its current compliance documentation (SOC 2 Type 2: audit complete and observation period passed, with the final report available under NDA once issued; GDPR and HIPAA attestations issued via its compliance platform, 2026; ISO 27001-aligned information security programme) via its trust center, subject to confidentiality. Where Data Protection Law grants the Customer a mandatory audit right that cannot be satisfied by such reports, OpenWhispr allows an audit by the Customer or an independent auditor not more than once in any 12-month period, and additionally following a confirmed Personal Data breach affecting the Customer's Personal Data, in each case on at least 30 days' notice, subject to confidentiality and OpenWhispr's security policies. The Customer bears its own costs of any such audit. For Restricted Transfers, this Section applies without prejudice to the audit rights in the SCCs.

11. Customer obligations and warranties

The Customer warrants that its instructions and its provision of Personal Data to OpenWhispr comply with Data Protection Law, including having a lawful basis, providing required notices to data subjects, and — where end users may dictate or process special categories of personal data (for example health information) — ensuring an appropriate legal basis and any required agreements are in place (see Section 14 for HIPAA).

12. International transfers

This Section governs transfers of Personal Data originating from the EEA, the UK or Switzerland to a country outside those areas, including any Restricted Transfer. OpenWhispr and its Sub-processors process Personal Data primarily in the United States (per-Sub-processor locations: Annex 3). The parties rely on the first applicable mechanism below for each transfer:

  1. Adequacy. Where the destination benefits from an adequacy decision, the transfer proceeds on that basis.
  2. Standard Contractual Clauses. For any Restricted Transfer from the EEA, the parties enter into the SCCs, Module Two (Controller → Processor)with the Customer as data exporter and OpenWhispr as data importer, which are incorporated into this DPA by reference and completed as follows: Clause 7 (docking) not included; Clause 9 Option 2 (general authorisation, 30 days' notice); Clause 11 optional redress body not included; Clause 13 / Annex I.C competent supervisory authority: the Irish Data Protection Commission; Clause 17 governing law: the law of Ireland; Clause 18 forum: the courts of Ireland; Annexes 1–3 of this DPA populate SCC Annexes I–III. Onward transfers to Sub-processors are governed by Clauses 8.8 and 9(b) of the Module Two SCCs (same-obligations flow-down).
  3. UK and Swiss transfers. For UK Personal Data the parties enter into the UK Addendum to the EU SCCs, completed using the details in the Annexes; for Swiss Personal Data the SCCs apply as modified by the FADP.

Should OpenWhispr self-certify under the EU–US Data Privacy Framework in the future, transfers may additionally rely on that certification.

Where a transfer impact assessment identifies that supplementary measures are required, the parties implement them, and OpenWhispr supports the Customer's assessment. OpenWhispr agrees to the obligations in the SCCs, including notifying the Customer of any inability to comply.

13. Government access requests

If OpenWhispr receives a legally binding request from a public authority for the Customer's Personal Data, it will, to the extent legally permitted: notify the Customer promptly; review the legality of the request and challenge it where there are reasonable grounds; and disclose only the minimum amount of data legally required. OpenWhispr keeps records of such requests for the Customer's review.

14. HIPAA

This DPA is not a Business Associate Agreement. Where the Customer is a Covered Entity or Business Associate under HIPAA, end users must not process protected health information through the cloud Services unless a separate Business Associate Agreement is in place between the parties — OpenWhispr offers a BAA on request via support@openwhispr.com. Where executed, that BAA governs PHI in place of this DPA to the extent of any conflict.

15. US state privacy laws

To the extent the CCPA/CPRA or another US state privacy law applies, OpenWhispr acts as a "service provider"/"processor": it does not sell or share Personal Data, does not retain, use or disclose it other than to provide the Services or as permitted by law, and certifies that it understands and will comply with these restrictions.

16. Liability and term

Liability for data protection matters is as set out in the Agreement, subject to any caps therein. This DPA continues for as long as OpenWhispr processes Personal Data for the Customer.

Signatures (optional — for customers requiring an executed copy)

Name & roleSignatureDate
For the Customer (Controller)______________________________________________
For Gizmo Labs Inc. (Processor)Gabriel Stein, CEO___________________________

Annex 1 — Details of processing

A. Parties (SCC Annex I.A). Data exporter: the Customer (controller) — name, address and contact person as set out in the Agreement or Order Form. Data importer: Gizmo Labs Inc. (processor), 221 W 9th Street, Wilmington, Delaware 19801, USA, contact: support@openwhispr.com; activities: provision of the Services described below.

B. Description of processing (SCC Annex I.B).

FieldDetail
Subject-matterProvision of the OpenWhispr voice-dictation and AI note-taking services (desktop applications and API)
DurationTerm of the Agreement, plus the post-termination deletion/return period under Section 4(e)
Nature & purposeReal-time speech-to-text transcription; AI-assisted text generation, formatting and reasoning; note storage, search and sharing; account management; billing; transactional email
Categories of Personal DataAccount and identity data (name, email, authentication identifiers); voice audio (processed in real time in the cloud path, not persisted by OpenWhispr); transcribed text and notes (may contain any personal data the end user dictates); conversation history with AI features; usage and device metadata; billing data (handled by the payment Sub-processor)
Special category dataPossible incidentally: dictated content is user-directed free text and may contain health or other special-category data. Safeguards: encryption in transit and at rest, no audio persistence, local-only and BYOK modes, BAA required for PHI (Section 14)
Categories of data subjectsThe Customer's end users (employees, contractors); persons mentioned in dictated content or notes
FrequencyContinuous, for the duration of the Services

Annex 2 — Technical and organisational measures

Summary of OpenWhispr's security programme (current detail: OpenWhispr trust center — trust.openwhispr.com, Security Controls section):

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest.
  • Cloud voice audio processed in real time and not persisted by OpenWhispr after transcription (transcription/inference Sub-processors handle audio transiently under their agreements); local-only and bring-your-own-key modes route content around OpenWhispr's cloud entirely.
  • Access control on least-privilege with MFA and logging/monitoring across production systems; session and login monitoring with monthly review.
  • Vulnerability and patch management; secure development practices.
  • Resilience and backup with documented recovery objectives (RTO ≤ 4h / RPO ≤ 1h for the primary datastore) and contingency-plan testing on an annual cadence.
  • Personnel confidentiality obligations and security training.
  • Sub-processor governance: contractual flow-down (Section 5), public listing, and BAAs executed with the primary content-storing Sub-processors (database; cloud transcription/LLM), with coverage of the remaining HIPAA-path Sub-processors in progress.
  • Independently examined: SOC 2 Type 2 audit complete with the observation period passed; final report available under NDA once issued. Compliance attestations: GDPR and HIPAA (2026, via OpenWhispr's compliance platform). Information security programme aligned to ISO 27001:2022, all 93 Annex A controls implemented (certification audit not yet undertaken).

Annex 3 — Sub-processors

Authorised Sub-processors as of 2026-07-17 (live list: OpenWhispr trust center, trust.openwhispr.com, Subprocessors section). Legal entity names and processing locations verified 2026-07-17 against each vendor's terms/DPA. "US (primary)" means the vendor's terms name the United States as the primary processing location while permitting processing in other countries by their own sub-processors. "Clause 9(b) flow-down" means the same-obligations Sub-processor contract under Clauses 8.8 and 9(b) of the Module Two SCCs, where a Restricted Transfer applies.

Sub-processorServiceData categoriesCountryOnward-transfer safeguard
Neon, LLC (an affiliate of Databricks, Inc.)Primary database and authentication storeAccount data, notes, transcribed text, conversation historyUS (AWS US region, fixed at project creation)Clause 9(b) flow-down
Vercel Inc.Application hosting and deliveryAll data in transit through the ServicesUS (primary)Clause 9(b) flow-down
OpenAI OpCo, LLCCloud speech-to-text, language models, embeddings (training opted out)Voice audio (transient), prompts, textUS (primary)Clause 9(b) flow-down
Parasail, Inc.Cloud AI inference (default reasoning; zero-data-retention inference)Prompts, text (in transit)US (primary)Clause 9(b) flow-down
Groq, Inc.Cloud AI inference and transcription failoverVoice audio (transient), prompts, text (in transit)US (primary)Clause 9(b) flow-down
Embedchain, Inc. d/b/a Mem0AI memory for agent featuresConversation content keyed to user IDUSClause 9(b) flow-down
Exa Labs, Inc.Web search for agent featuresSearch query textUS (AWS)Clause 9(b) flow-down
Stripe, LLCPayment processingBilling and payment dataUS (primary)Clause 9(b) flow-down
Plus Five Five, Inc. (d/b/a Resend)Transactional emailEmail address, message content (incl. shared-note titles)US (AWS us-east-1)Clause 9(b) flow-down
Slack Technologies, LLC (Salesforce)Internal operations and support communicationsSupport-related data (policy: no PHI)US (default residency)Clause 9(b) flow-down

This annex lists the Sub-processors that process Customer Personal Data within the product Services. Google (OAuth sign-in and the optional Calendar integration) is not a Sub-processor: sign-in is provided by Google as an independent controller, and calendar data is cached only on the user's device. OpenWhispr's broader vendor transparency list (including marketing-site and operational vendors such as RB2B, lemlist and GitHub, for which Gizmo Labs acts as controller or which do not receive Customer Personal Data) is published on the OpenWhispr trust center.