Confidere

Data Processing Agreement

Confidere's GDPR Article 28 terms for firm and enterprise customers — the document your procurement, security and legal teams need to sign off a deployment.

Last updated: 24 June 2026 · A countersigned copy is available from [email protected]
This page summarises the DPA that forms part of your agreement with Confidere. Where you have a signed master agreement, that document and its annexes control. For a countersigned PDF, contact [email protected] or [email protected].

1. Roles & scope

This DPA applies where Confidere ([Legal entity name]) processes personal data on behalf of the Customer in providing the Service. The Customer is the controller (or processor for its own controllers) and Confidere is the processor. It covers the subject-matter, duration, nature and purpose of processing, the types of personal data and categories of data subjects set out in Annex I.

2. Processing on documented instructions

Confidere processes Customer personal data only on the Customer's documented instructions — including the configuration of the Service and its permission tiers — and as needed to provide the Service, unless required otherwise by EU or member-state law (in which case we'll inform the Customer where permitted). We do not sell personal data and do not use Customer Data to train models. We'll tell the Customer if, in our opinion, an instruction infringes data-protection law.

3. Confidentiality

Personnel authorised to process Customer personal data are bound by confidentiality obligations and access it on a least-privilege, need-to-know basis.

4. Security measures

Confidere implements appropriate technical and organisational measures under Article 32 GDPR, described in Annex II — including encryption in transit and at rest, access controls, logging and monitoring, secure development practices, and resilience measures. We assist the Customer in meeting its own obligations under Articles 32–36 (security, breach, and data-protection impact assessments) taking into account the information available to us.

5. Sub-processors

The Customer authorises Confidere to engage the sub-processors listed in Annex III. We impose data-protection obligations on each sub-processor no less protective than this DPA and remain responsible for their performance. We'll give advance notice of any intended addition or replacement of a sub-processor and allow the Customer a reasonable period to object on legitimate grounds.

6. International transfers

Confidere is EU-hosted and designed to keep Customer personal data resident in the European Union (Google Cloud, europe-west4). Where any transfer outside the EEA occurs, it is subject to an appropriate Article 46 safeguard, such as the European Commission's Standard Contractual Clauses, together with any required supplementary measures.

7. Assisting with data-subject requests

Taking into account the nature of the processing, Confidere provides reasonable assistance — including appropriate technical and organisational measures and self-service controls in the app — to help the Customer respond to requests from data subjects exercising their rights. If a request reaches Confidere directly, we'll redirect it to the Customer rather than respond ourselves (unless legally required).

8. Personal-data breach notification

Confidere notifies the Customer without undue delay after becoming aware of a personal-data breach affecting Customer personal data, with the information reasonably available to support the Customer's own notification obligations, and updates as the investigation progresses.

9. Audits

Confidere makes available the information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits. We may satisfy audit requests through up-to-date documentation and third-party reports where appropriate.

10. Return & deletion

On termination, and at the Customer's choice, Confidere deletes or returns Customer personal data and deletes existing copies, unless EU or member-state law requires storage. Self-service export and deletion are available in the app during the term.

11. Sovereign deployment options

Beyond the EU-hosted default, regulated firms can layer additional controls: customer-held encryption keys kept outside the provider; EU-partner-operated controls for operational sovereignty (e.g. Thales / T-Systems); and a fully air-gapped, on-prem deployment that is physically isolated and cannot be remotely shut down. Our approach is designed to align with and support GDPR, DORA (ICT third-party operational resilience) and the EU AI Act (Art. 50 transparency); specific commitments are confirmed in your Order, framed as alignment and support pending formal assessment. See Sovereignty.

12. Annexes

Annex I — Details of processing

  • Subject-matter & duration: provision of the Confidere service for the term of the agreement.
  • Nature & purpose: transcription of voice notes, structuring into attributed insights, and generation of cited prep briefs.
  • Categories of data subjects: Customer's personnel (users) and the client/meeting contacts they reference.
  • Types of personal data: identification and contact data, professional/role data, and the contents of voice notes, transcripts, insights and briefs. Customers should avoid capturing special-category data unless necessary and lawful.

Annex II — Technical & organisational measures

  • Encryption of data in transit (TLS) and at rest.
  • Role-based access control, least privilege, and authentication controls (incl. SSO on eligible plans).
  • Logging, monitoring and alerting; audit trails for access.
  • Secure software development, change management and vulnerability management.
  • EU data residency; backups and resilience; documented incident response.
  • Personnel confidentiality and security training.

Annex III — Sub-processors

  • Google Cloud — cloud infrastructure and hosting (region europe-west4, EU).
  • EU-based speech & AI processing — transcription and brief generation performed within the EU.
  • [Payment processor] — billing for paid plans.

A current, itemised sub-processor list is available at [email protected].
