VOICEPING
Data Processing Agreement (DPA)
GDPR Compliance Documentation
Version 2.1 Effective Date: April 25, 2025 VoicePing Corporation Omodaka Bldg. 4F, 1-9-7 Shibaura, Minato-ku, Tokyo 105-0023, Japan CONFIDENTIALDATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the agreement between VoicePing Corporation (“Processor” or “VoicePing”) and the entity identified as the customer (“Controller” or “Customer”), collectively referred to as the “Parties”. This DPA sets out the terms that apply when Personal Data is processed by VoicePing on behalf of the Customer in the course of providing the VoicePing service pursuant to the General Data Protection Regulation (EU) 2016/679 (“GDPR”).1. DEFINITIONS
“Personal Data” means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR. “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates. “Processing” means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR. “Sub-processor” means any third party appointed by VoicePing to process Personal Data on behalf of the Customer. “Standard Contractual Clauses (SCCs)” means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.2. SCOPE AND ROLES
2.1 The Customer acts as the Data Controller and determines the purposes and means of processing Personal Data. VoicePing acts as the Data Processor and processes Personal Data only on behalf of and in accordance with the documented instructions of the Customer. 2.2 This DPA applies to all Processing of Personal Data by VoicePing in connection with the provision of the VoicePing service, including but not limited to: real-time voice translation, transcription, meeting summarization, virtual office, time tracking, and business intelligence features.3. DETAILS OF DATA PROCESSING
3.1 Subject Matter: The provision of VoicePing’s real-time AI voice translation, transcription, meeting summarization, video translation, virtual office, time tracking, and business intelligence services. 3.2 Duration: Processing shall continue for the duration of the service agreement between the Parties, plus any period required for data deletion as specified in this DPA. 3.3 Nature and Purpose: Collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction of Personal Data as necessary to provide the VoicePing service. 3.4 Types of Personal Data Processed:- User account information (name, email address, company name, position, telephone number)
- Voice data (audio recordings during meetings and translations)
- Voice text data (transcriptions generated from voice data)
- Meeting metadata (date, time, duration, participants)
- AI-generated meeting summaries and minutes
- IP addresses and log data
- Device information (type, OS, browser)
- Usage data (feature usage, login status, active time)
- Time tracking data (project names, working time, task information)
- QR code scan/listener mode session data
- Customer’s employees and authorized users
- Guest participants in meetings and events
- Attendees of seminars and events using VoicePing’s interpretation services
4. OBLIGATIONS OF VOICEPING AS PROCESSOR
4.1 VoicePing shall process Personal Data only on documented instructions from the Customer, unless required to do so by European Union or Member State law to which VoicePing is subject. In such a case, VoicePing shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. VoicePing shall immediately inform the Customer if, in VoicePing’s opinion, an instruction from the Customer infringes the GDPR or other European Union or Member State data protection provisions. 4.2 VoicePing shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 4.3 VoicePing shall take all measures required pursuant to Article 32 of the GDPR (security of processing), including but not limited to:- Encryption of Personal Data in transit using TLS 1.3 (HTTPS and WSS)
- Encryption of Personal Data at rest using AES-256 for databases and file storage
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
- ISO/IEC 27001:2022 / JIS Q 27001:2023 certified information security management (Certificate: IS 820960, issued by BSI; effective 2025-04-25, valid until 2028-04-24)
- Access controls and authentication mechanisms including two-factor authentication via email token
- Event logging for security-related operations
- IP address whitelist filtering (Enterprise plan)
- Continuous unauthorized activity detection via AWS GuardDuty
- Database and server access restricted to specific IP addresses via AWS Security Groups
5. DATA SUBJECT RIGHTS
5.1 VoicePing shall assist the Customer, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights under Chapter III of the GDPR, including:- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure / right to be forgotten (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making and profiling (Article 22)
6. DATA BREACH NOTIFICATION
6.1 VoicePing shall notify the Customer without undue delay, and in any event within 48 hours of becoming aware of a Data Breach affecting the Customer’s Personal Data. This accelerated timeline is intended to provide the Customer with sufficient time to meet its own 72-hour notification obligation to the relevant Supervisory Authority under Article 33 of the GDPR. 6.2 Such notification shall include:- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
- The name and contact details of VoicePing’s data protection contact point
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
7. INTERNATIONAL DATA TRANSFERS
7.1 VoicePing processes and stores Customer Personal Data on cloud infrastructure as described in the transfer map below. The infrastructure includes Amazon Web Services (AWS), Google Cloud Platform (GCP), and Cloudflare CDN. 7.2 Transfer Map — Data flows and legal bases:| Data Route | Sub-processor | Processing Location | Legal Basis for Transfer |
|---|---|---|---|
| EEA → Japan (VoicePing entity) | VoicePing Corporation | Tokyo, Japan | EU adequacy decision for Japan (Art. 45 GDPR; adopted Jan 2019, renewed Apr 2023) |
| EEA → Japan (core infrastructure) | AWS, GCP | Tokyo, Japan (AWS ap-northeast-1; GCP asia-northeast1) | EU adequacy decision for Japan (Art. 45 GDPR) |
| EEA → United States (AI processing) | OpenAI | United States | EU-US DPF; SCCs; OpenAI DPA (zero-retention API configuration verified) |
| EEA → United States (notifications) | Slack, Discord | United States | EU-US DPF; respective platform DPAs with SCCs |
| EEA → Japan (notifications) | Chatwork | Japan | EU adequacy decision for Japan (Art. 45) |
| EEA → Global (CDN edge) | Cloudflare | Global edge servers | EU-US DPF; Cloudflare DPA with SCCs |
- Encryption in transit using TLS 1.3 (HTTPS and WSS)
- Encryption at rest using AES-256 for databases, file storage, and backups
- Access restricted to specific IP addresses via AWS Security Groups
- Continuous threat detection via AWS GuardDuty
8. SUB-PROCESSORS
8.1 The Customer provides general authorization for VoicePing to engage the sub-processors listed in Annex B of this DPA. 8.2 VoicePing shall notify the Customer in writing of any intended additions or replacements of sub-processors at least 30 days prior to the engagement, giving the Customer the opportunity to object. 8.3 If the Customer objects to a new sub-processor on reasonable grounds relating to data protection, VoicePing shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is available, either Party may terminate the affected service. 8.4 VoicePing shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract.9. DATA RETENTION AND DELETION
9.1 VoicePing retains Personal Data only for as long as necessary to provide the service and fulfil the purposes described in this DPA. 9.2 Specific retention periods:- Audio files (conversation history): Encrypted at server side (AES-256) and retained for up to 3 months (maximum), depending on the Customer’s plan and settings. Data exceeding the retention period is deleted.
- Transcription and meeting summary data: Retained for the duration of the service agreement. Customers may delete individual transcripts and recordings through the platform at any time.
- User account data (name, email, profile): Retained for the duration of the service agreement. After service termination, deleted when an authorized Customer-side user (e.g., administrator) or the relevant User performs account/data deletion through the platform or submits a deletion request.
- Log data (IP addresses, access logs): Server access logs are stored in AWS S3 for security monitoring, incident investigation, and compliance purposes. VoicePing’s application logs are designed not to output direct personal data (such as names, email addresses, or transcription content). If any identifier that may relate to an individual is present in log records (e.g., IP addresses), such identifiers are deleted or irreversibly anonymized within 30 days after a deletion request or deletion action by an authorized Customer-side user (e.g., administrator) or the relevant User (including actions performed after service termination). Logs are retained only for the minimum operational/security period and are not retained long-term.
- Usage and analytics data: Personally identifiable usage data is deleted within 30 days after a valid deletion request by an authorized Customer-side user (e.g., administrator) or the relevant User (including requests made after service termination). VoicePing may retain truly anonymized and aggregated statistical data (from which no individual can be re-identified, in accordance with Recital 26 of the GDPR) for service improvement purposes; such irreversibly anonymized data is no longer Personal Data and falls outside the scope of this DPA.
10. AUDIT RIGHTS
10.1 VoicePing shall make available to the Customer, upon reasonable request and subject to confidentiality obligations, relevant information and documentation to demonstrate compliance with this DPA, including ISO/IEC 27001:2022 certification (IS 820960, valid 2025-04-25 to 2028-04-24) and BSI surveillance audit reports. 10.2 The Customer may conduct an audit or appoint an independent third-party auditor to verify VoicePing’s compliance with this DPA, upon reasonable notice (at least 30 days) and during normal business hours. Such audits shall be limited to once per calendar year, except that additional audits may be conducted in the following circumstances:- A Data Breach has occurred affecting the Customer’s Personal Data;
- A Supervisory Authority requests or mandates an audit;
- There is a substantiated, good-faith concern of material non-compliance with this DPA;
- A material security incident (even if not qualifying as a Data Breach) has been reported by VoicePing.
11. EU REPRESENTATIVE
11.1 In accordance with Article 27 of the GDPR, VoicePing shall designate a representative in the European Union as its point of contact for data protection authorities and Data Subjects. EU Representative: [To be appointed — Name, Address, Contact Details]⚠ COMPLIANCE BLOCKER: This DPA shall not be executed until an EU representative has been appointed and this section has been completed. Under Article 27 GDPR, the designation of an EU representative is mandatory for non-EU controllers/processors offering services to EU Data Subjects. VoicePing is in the process of engaging an EU representative service and will complete this section prior to execution.11.2 Once appointed, the EU representative’s details will be communicated to the Customer, included in VoicePing’s privacy policy, and made publicly available on VoicePing’s website at https://voiceping.net.
12. DATA PROTECTION IMPACT ASSESSMENT
12.1 VoicePing shall provide reasonable assistance to the Customer with any data protection impact assessments (“DPIA”) required under Article 35 of the GDPR, and prior consultations with Supervisory Authorities under Article 36 of the GDPR, in each case solely in relation to the Processing of the Customer’s Personal Data. 12.2 VoicePing shall provide, upon request, information about the Processing activities, technical and organizational measures, and any other information reasonably necessary for the Customer to conduct a DPIA.13. DATA PROTECTION CONTACT
For any questions or concerns regarding this DPA or data protection matters, please contact: VoicePing Corporation Personal Information Protection Manager: Akinori Nakajima (中島明紀) Address: Omodaka Bldg. 4F, 1-9-7 Shibaura, Minato-ku, Tokyo 105-0023, Japan Contact: Via inquiry form at https://manual.voiceping.net/en/support14. LIABILITY
14.1 Subject to Section 14.2 and 14.3, each Party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the main service agreement between the Parties. 14.2 Mandatory GDPR liability (no contractual cap): Notwithstanding any limitation of liability in the main service agreement, nothing in this DPA limits or excludes either Party’s liability to Data Subjects under Article 82 of the GDPR. Each Party’s obligations to compensate Data Subjects for material or non-material damage resulting from an infringement of the GDPR shall apply in full, without reduction by any contractual liability cap. 14.3 Inter-party allocation: Where both VoicePing and the Customer are involved in Processing that caused damage to a Data Subject, each Party shall be held liable for the entire damage in order to ensure effective compensation of the Data Subject, in accordance with Article 82(4) of the GDPR. Where a Party has paid full compensation for the damage suffered, that Party shall be entitled to claim back from the other Party the part of the compensation corresponding to the other Party’s part of responsibility for the damage. VoicePing shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage, in accordance with Article 82(3) of the GDPR. 14.4 Indemnification: Each Party shall indemnify the other Party against all claims, actions, third-party claims, losses, damages, and expenses (including reasonable legal fees) arising from the indemnifying Party’s breach of this DPA or infringement of the GDPR, to the extent attributable to the indemnifying Party’s acts or omissions.15. GOVERNING LAW AND JURISDICTION
15.1 This DPA shall be governed by the laws of the European Union Member State where the Customer is established, to the extent required by the GDPR. For all other matters, this DPA shall be governed by the laws of Japan. 15.2 In the event of conflict between this DPA and the main service agreement, this DPA shall prevail with respect to matters of data protection.16. SIGNATURES
This DPA is effective as of the date last signed below.| DATA CONTROLLER (Customer) | DATA PROCESSOR (VoicePing) |
|---|---|
| Company Name: ___________________ | Company Name: VoicePing Corporation |
| Authorized Signatory: ___________________ | Authorized Signatory: ___________________ |
| Title: ___________________ | Title: ___________________ |
| Date: ___________________ | Date: ___________________ |
| Signature: ___________________ | Signature: ___________________ |
ANNEX A: DESCRIPTION OF PROCESSING
| Item | Description |
|---|---|
| Data Exporter (Controller) | The Customer entity identified in the service agreement |
| Data Importer (Processor) | VoicePing Corporation, Tokyo, Japan. Processing infrastructure for AWS/GCP is located in Tokyo, Japan (AWS ap-northeast-1 and GCP asia-northeast1), with other sub-processors as detailed in Annex B and the transfer map in Section 7.2. |
| Subject Matter | Provision of real-time AI voice translation, transcription, meeting summarization, virtual office, time tracking, and business intelligence services |
| Duration | For the term of the service agreement, and after termination until deletion is requested by an authorized Customer-side user (e.g., administrator) or the relevant User; once requested, deletion/anonymization processing is completed within up to 30 days (unless legal retention obligations apply). |
| Nature of Processing | Collection, storage, transcription, translation, summarization, analysis, and deletion of voice and user data |
| Purpose | To enable multilingual communication, meeting documentation, productivity tracking, and business intelligence as part of the VoicePing service |
| Categories of Data Subjects | Customer employees, authorized users, guest meeting participants, seminar/event attendees |
| Types of Personal Data | Names, email addresses, voice recordings, transcriptions, meeting summaries, IP addresses, device info, usage logs, time tracking data |
| Sensitive Data (Art. 9) | VoicePing does not intentionally process special categories of Personal Data. However, voice recordings and transcriptions may incidentally capture sensitive information (e.g., health status, political opinions, religious beliefs) depending on meeting content spoken by Data Subjects. The Customer is responsible for instructing its users accordingly. Where the Customer determines that Art. 9 data may be processed, the Customer shall ensure a lawful basis (e.g., explicit consent under Art. 9(2)(a)) and shall notify VoicePing so that additional safeguards can be agreed upon. VoicePing applies the same encryption, access control, and retention measures to any incidentally captured sensitive data. |
| Frequency of Transfer | Continuous during service usage |
| Retention Period | Audio data: retained up to 3 months (maximum). Transcription/summary data: duration of service, and after termination until deletion request by an authorized Customer-side user (e.g., administrator) or the relevant User. Account data: duration of service, and after termination until deletion request by an authorized Customer-side user (e.g., administrator) or the relevant User. Following a valid deletion request, Personal Data is deleted within 30 days. Application logs are designed not to contain direct personal data; if identifiers that may relate to an individual are present (e.g., IP addresses), they are deleted or irreversibly anonymized within 30 days after deletion request. |
ANNEX B: LIST OF SUB-PROCESSORS
The following sub-processors are authorized to process Personal Data on behalf of VoicePing in connection with the provision of the VoicePing service:| Sub-processor | Purpose | Location | Data Types | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: load balancer, compute, S3 storage, CloudWatch monitoring, GuardDuty security, ElastiCache | Tokyo, Japan (ap-northeast-1) | All data types listed in Annex A | EU Adequacy Decision (Japan); AWS DPA |
| Google Cloud Platform (GCP) | Cloud infrastructure: Cloud SQL database, Cloud Storage (static hosting) | Tokyo, Japan (asia-northeast1) | All data types listed in Annex A | EU Adequacy Decision (Japan); Google Cloud DPA |
| Cloudflare | Content Delivery Network (CDN), DDoS protection | Global (edge servers) | IP addresses, request metadata, cached content | EU-US Data Privacy Framework; Cloudflare DPA with SCCs |
| OpenAI (ChatGPT API) | AI processing for meeting summaries and text analysis. Zero data retention policy: API inputs/outputs are not stored or used for model training. | United States | Voice text data, meeting transcriptions (no audio data) | EU-US Data Privacy Framework; SCCs; OpenAI DPA |
| Slack | Notification delivery (meeting data summaries) | United States | Meeting summaries, notification content | EU-US Data Privacy Framework; Slack DPA with SCCs |
| Chatwork | Notification delivery (meeting data summaries) | Japan | Meeting summaries, notification content | EU Adequacy Decision (Japan) |
| Discord | Notification delivery (meeting data summaries) | United States | Meeting summaries, notification content | EU-US Data Privacy Framework; SCCs |
- This list is current as of the effective date of this DPA. VoicePing will notify the Customer of any changes to this list in accordance with Section 8 of this DPA.
- Transfer mechanisms listed above are based on VoicePing’s current contractual agreements with each sub-processor and their published data processing terms. VoicePing maintains documented evidence of each sub-processor’s DPA, SCC incorporation, and DPF certification status. Copies are available to the Customer upon written request.
- The OpenAI zero-retention policy applies to VoicePing’s specific API configuration (API platform, not consumer products). VoicePing has verified that its OpenAI API account is configured for zero data retention and that inputs/outputs are not used for model training, in accordance with OpenAI’s Enterprise Privacy terms.
- Where a sub-processor’s DPF certification is invalidated or revoked, VoicePing shall ensure that SCCs or an alternative valid transfer mechanism under Chapter V of the GDPR remains in place, and shall notify the Customer within 14 days of becoming aware of such change.
ANNEX C: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
VoicePing implements the following technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR:Encryption
- All communications encrypted in transit using HTTPS and WSS secured with TLS 1.3
- Databases and file storage encrypted at rest using AES-256 server-side encryption
- Audio files encrypted at server side with AES-256
- HTTPS communication enforced via AWS Elastic Load Balancer (ELB)
Access Control
- Authentication required for all workspace access
- Two-factor authentication via email token supported
- Role-based access: Administrators control member access, floor permissions, and feature availability
- Session token management with real-time revocation capability
- IP address whitelist filtering available (Enterprise plan)
- SSO integration supported (Microsoft Entra ID, HENNGE One)
- Database and server access restricted to specific IP addresses via AWS Security Groups
- One account per user with physical deletion capability upon departure
Infrastructure Security
- Hosted on AWS (ELB, S3, CloudFront, CloudWatch, GuardDuty, Security Groups) and Google Cloud (Cloud SQL, Cloud Storage)
- ISO/IEC 27001:2022 / JIS Q 27001:2023 certified (Certificate: IS 820960, issued by BSI — British Standards Institution; initial registration: 2025-04-25, valid until: 2028-04-24)
- Scope: “The development and operation of business communication tools and associated AI” (Statement of Applicability Ver.3, issued 2025-03-18)
- Regular BSI surveillance audits (next scheduled: April 2026)
- OWASP security risk mitigation implemented across all application layers (11 vulnerability categories addressed — see security checklist)
- Continuous unauthorized activity detection via AWS GuardDuty
- 99.9% SLA commitment (actual track record: 99.99%+)
Monitoring and Logging
- Event logs track security-related operations (member additions/removals, authority grants, password settings, transcription/recording toggles)
- Comprehensive log data collection (IP, browser, access times, pages accessed)
- All server processes and system states visualized via AWS CloudWatch or proprietary alert system
- Administrative controls for monitoring user activity and status
- Alert notifications for any system downtime
Data Minimization and Retention
- Audio conversation history retained up to 3 months (maximum), then deleted
- Data collected limited to what is necessary for service provision
- User data is not used for AI model training (confirmed for both VoicePing and OpenAI API)
- Account deletion functionality available to users and administrators
- Logical data separation between customer organizations via database
Web Application Security
- SQL injection prevention: ORM-based database operations with placeholder-only SQL assembly
- OS command injection prevention: No shell execution; verified-safe libraries only
- XSS prevention: Frontend library escaping, HttpOnly cookies, charset specification
- CSRF prevention: POST method access control, Referer verification, email notifications for critical operations
- Session management: Unpredictable random session IDs, Secure cookie attributes, TLS-only
- Clickjacking prevention: X-Frame-Options headers, keyboard confirmation for destructive operations
- Buffer overflow prevention: Node.js runtime (no direct memory access), automated vulnerability scanning via GitHub
Organizational Measures
- Designated Personal Information Protection Manager (Akinori Nakajima, Representative Director)
- Confidentiality obligations for all personnel with access to Personal Data
- Contractual obligations imposed on all sub-processors
- ISO/IEC 27001:2022 information security management system with regular BSI surveillance audits (certificate valid through 2028-04-24)
- Enterprise customers: NDA and GDPR SCC agreements available separately
END OF DATA PROCESSING AGREEMENT