VoiceTablesBeta

Data Processing Addendum

Last updated: March 15, 2026

1. Parties

This Data Processing Addendum ("DPA") is entered into between the customer ("Controller") and inithouse s.r.o., operating VoiceTables ("Processor"), and supplements the Terms of Service.

2. Scope & Purpose

This DPA applies when the Processor processes personal data on behalf of the Controller through the VoiceTables platform. Processing activities include storing workspace content, processing AI requests, managing user accounts, and facilitating real-time collaboration.

3. Types of Data Processed

  • User account information (email, display name)
  • Workspace content (pages, databases, chat messages)
  • Voice input data (processed in real-time, not stored)
  • Usage and access logs

4. Processing Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process the data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage another processor without prior authorization from the Controller
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of the service, at the Controller's choice

5. Security Measures

We implement the following security measures:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security (RLS) for database access control
  • Regular security audits and vulnerability assessments
  • Access controls with role-based permissions
  • Audit logging of data access and modifications
  • Automated backups with point-in-time recovery

6. Sub-processors

We use the following sub-processors to deliver the Service:

  • Supabase (US): Database hosting, authentication, and real-time infrastructure
  • OpenAI (US): AI chat, voice transcription, and text generation (no model training on user data)
  • Cloudflare (US): CDN, DDoS protection, and edge delivery

We will notify the Controller before adding or replacing sub-processors, providing an opportunity to object.

7. Data Subject Rights Assistance

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR (access, rectification, erasure, portability, restriction, and objection). We will promptly notify the Controller of any data subject requests received directly.

8. Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to mitigate the breach.

9. International Data Transfers

Where personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon reasonable notice. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.

11. Data Retention & Deletion

Upon termination of the service agreement, the Processor will delete all personal data within 30 days, unless retention is required by applicable law. The Controller may request data export before termination.

12. Contact

For DPA-related inquiries, please contact us.

inithouse s.r.o.
Czech Republic