Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Customer", the "Controller") and Wizideo (the "Processor") governing the Customer's use of the Wizideo services (the "Services"). It reflects the parties' agreement on the processing of personal data in connection with the Services and is intended to comply with Article 28 of Regulation (EU) 2016/679 ("GDPR").
1. Definitions
Terms such as "personal data", "processing", "controller", "processor", "data subject", "sub-processor", "personal data breach" and "supervisory authority" have the meaning given to them in the GDPR. "Applicable Data Protection Law" means the GDPR and any national data protection laws applicable to the processing.
2. Roles of the parties
The Customer is the Controller of the personal data it submits to, or generates through, the Services. Wizideo acts as Processor and processes personal data only on the documented instructions of the Customer, including with regard to transfers, unless required to do so by law (in which case Wizideo will inform the Customer of that legal requirement before processing, unless the law prohibits it).
3. Subject matter, nature, purpose and duration
- Subject matter: processing of personal data necessary to provide the Services (meeting recording, transcription, summarisation, topic detection, action items and related features).
- Nature and purpose: capturing, transcribing, analysing, storing, organising and making available meeting content and derived insights at the Customer's direction.
- Duration: for the term of the agreement, until deletion or return of the data in accordance with Section 10.
4. Categories of data subjects and personal data
- Data subjects: the Customer's users, employees, and participants of meetings processed through the Services.
- Categories of personal data: account and contact details, audio/video recordings, transcripts, meeting metadata, summaries, tasks and action items, usage and technical data. The Customer must not submit special categories of personal data (Article 9 GDPR) unless expressly agreed in writing.
5. Obligations of the Processor
Wizideo shall:
- process personal data only on the Customer's documented instructions;
- ensure that persons authorised to process the data are bound by confidentiality;
- implement appropriate technical and organisational measures under Article 32 GDPR (see Section 6);
- respect the conditions for engaging sub-processors (Section 7);
- assist the Customer, taking into account the nature of the processing, in responding to data subject requests under Articles 12–23 GDPR;
- assist the Customer in ensuring compliance with Articles 32–36 GDPR (security, breach notification, impact assessments);
- at the Customer's choice, delete or return the personal data after the end of the provision of the Services (Section 10);
- make available to the Customer the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (Section 9).
6. Security measures
Wizideo implements appropriate technical and organisational measures to protect personal data, including: encryption of data in transit (HTTPS/TLS); access controls and the principle of least privilege; authentication via OAuth 2.0 with scoped, revocable access; network and infrastructure hardening; logging and monitoring; and regular review of its security practices. Access to Customer data through the Wizideo MCP server is scoped per user and per granted OAuth scope.
7. Sub-processors
The Customer provides general authorisation for Wizideo to engage sub-processors to support the provision of the Services. Wizideo imposes on each sub-processor data protection obligations equivalent to those in this DPA. Categories of sub-processors include cloud infrastructure and hosting providers, database and vector-search providers, and AI/model providers used for transcription, embeddings and summarisation. Wizideo will inform the Customer of intended changes concerning the addition or replacement of sub-processors and give the Customer the opportunity to object on reasonable data protection grounds.
8. International transfers
Where the provision of the Services involves the transfer of personal data to a country outside the European Economic Area, Wizideo ensures an appropriate transfer mechanism is in place, such as the European Commission's Standard Contractual Clauses or an adequacy decision, together with any supplementary measures required by Applicable Data Protection Law.
9. Audits
Wizideo will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice, confidentiality obligations, and not more than once per year unless required by a supervisory authority or following a personal data breach.
10. Deletion and return of data
Upon termination of the Services or upon the Customer's request, Wizideo will, at the Customer's choice, delete or return the personal data processed on the Customer's behalf and delete existing copies, unless retention is required by law. Standard deletion and retention periods are described in the Privacy Policy.
11. Personal data breach
Wizideo will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide the Customer with information reasonably available to assist the Customer in meeting its own breach-notification obligations.
12. Liability and miscellaneous
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the agreement between the parties. In the event of a conflict between this DPA and the agreement on matters of data protection, this DPA prevails. This DPA is governed by the laws applicable to the underlying agreement.
13. Contact
For questions relating to this DPA or to exercise data protection rights, contact support@wizideo.ai.
Note
This document is provided as a standard data processing agreement for the Wizideo Services. For an executed, signed DPA or for enterprise terms, contact support@wizideo.ai.