Terms and conditions

Last Updated: August 13, 2025

This Data Processing Agreement (“DPA”) is incorporated into the Steno.ai Terms of Service (the “Agreement”) and applies to the extent Steno.ai processes Personal Data on behalf of the Customer. By executing an Order Form, Statement of Work ("SOW"), or otherwise using the Services, Customer agrees to be bound by this DPA. 

1. Definitions
 Terms defined in Regulation (EU) 2016/679 ("GDPR")—including "Personal Data," "Data Subject," "Processing," "Controller," and "Processor"—have the same meaning when used in this DPA.

 "Applicable Data Protection Laws" means all data-protection and privacy laws that apply to the Processing of Personal Data under the Agreement, including the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act ("CCPA").

 Capitalized terms not defined herein have the meaning set forth in the Agreement. 

2. Processing of Personal Data
2.1. Roles.
For the purposes of Applicable Data Protection Laws, Customer is the Controller and appoints Steno.ai as Processor to process the Personal Data described in Annex I.

2.2. Documented Instructions. Steno.ai shall process Personal Data only on documented instructions from Customer, unless processing is required by Applicable Data Protection Laws; in such case, Steno.ai will inform Customer (unless prohibited by law).

2.3. Compliance Assistance. Taking into account the nature of the Processing, Steno.ai shall provide reasonable assistance (including with data-protection-impact assessments and supervisory-authority consultations) to Customer in complying with its obligations under Applicable Data Protection Laws.

2.4. Purpose Limitation. Steno.ai will process Personal Data solely for the purposes described in Annex I and as necessary to provide the Services.

2.5. Access and Export. During the term, Customer may obtain a copy of Customer Personal Data processed in the Services in a machine-readable, commonly used format. Steno.ai may charge reasonable fees for excessive, repetitive, or manifestly unfounded requests. 

3. Confidentiality
Steno.ai shall ensure that persons authorized to process Personal Data are subject to an appropriate statutory or contractual duty of confidentiality. 

4. Sub-processing
4.1. General Authorization.
Customer provides a general authorization for Steno.ai to engage the sub-processors listed at the URL in Annex III. Steno.ai will provide at least 30 days’ prior notice of any new sub-processor by updating the list. Customer may object on reasonable, documented grounds relating to data protection within that 30-day period; the parties will work in good faith to find a commercially reasonable alternative. If no alternative is available within 30 days, either party may terminate the affected Services without penalty, and Steno.ai will refund any prepaid fees for the terminated portion.

4.2. Sub-processor Agreements. Steno.ai shall enter into a written contract with each sub-processor imposing obligations no less protective than those in this DPA.

4.3. Liability. Where a sub-processor fails to fulfill its data-protection obligations, Steno.ai remains fully liable to Customer for the sub-processor’s performance, subject to the limitations of liability set out in the Agreement. 

5. Data-Subject Rights
Steno.ai will, to the extent legally permitted, promptly notify Customer of any request it receives from a Data Subject and will assist Customer by appropriate technical and organizational measures in fulfilling its obligation to respond.

6. Security & Personal Data Breaches
6.1. Security.
Steno.ai shall maintain the security measures described in Annex II.

6.2. Breach Notification. If Steno.ai becomes aware of a Personal Data Breach, it shall notify Customer without undue delay and in any event within 72 hours of becoming aware of the Personal Data Breach. 

7. Data Deletion or Return
Upon termination of the Agreement, Steno.ai shall, at Customer’s choice, delete or return all Personal Data and delete existing copies within 60 days unless retention is required by law. During the term, upon Customer’s written request, Steno.ai will delete specified Personal Data from active systems within 30 days and from backups in the ordinary course of backup rotation.

8. Verification
Once per calendar year, upon at least 30 days’ written notice, Steno.ai will make available information reasonably necessary to demonstrate compliance with this DPA, which may include summaries of security policies, third-party audit reports or certifications (for example SOC 2 Type II or ISO 27001), and executive summaries of recent penetration-test results. Any on-site inspection is not permitted except (a) where required by Applicable Data Protection Laws for regulated customers, or (b) following a material Personal Data Breach impacting Customer, and in each case only by mutual written agreement as to scope, timing, and confidentiality. All audit costs, including Steno.ai’s internal costs, are borne by Customer. Information disclosed under this Section is Steno.ai Confidential Information.

9. International Transfers
9.1. Transfer Mechanisms.
For transfers of Personal Data from the European Economic Area, the UK, or Switzerland, the parties agree to be bound by the Standard Contractual Clauses (Controller-to-Processor, Module Two) issued under Commission Implementing Decision (EU) 2021/914 (the "SCCs"), which are incorporated herein by reference. For transfers from the UK, the SCCs are deemed amended by the UK International Data Transfer Addendum. For transfers from Switzerland, the SCCs shall be interpreted to comply with the Swiss FADP.

9.2. Governing Law & Forum. For the purposes of the SCCs, Clause 17 (Governing law) shall be the law of Ireland and Clause 18 (Choice of forum) shall be the courts of Ireland.

10. Use Restrictions; No Sale or Sharing
Steno.ai acts as a “Service Provider” or “Processor” under Applicable Data Protection Laws. Steno.ai will not sell or share Customer Personal Data, will not use Customer Personal Data for targeted or cross-context behavioral advertising, and will not use Customer Personal Data other than to provide the Services, to maintain and secure the Services, or as otherwise documented by Customer’s instructions. This commitment applies globally and is not limited to any single jurisdiction.

11. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

12. Conflict
If there is a conflict between this DPA and the Agreement, this DPA controls with respect to data-processing matters. If there is a conflict between this DPA and the SCCs, the SCCs prevail.

13. Term & Termination
This DPA remains in force for as long as Steno.ai processes Personal Data on behalf of Customer. Sections 3, 6, 8, 10, 11, 12, and Annex II survive termination. 

Annex I – Description of Processing
A. Parties: The Data Exporter is the Customer. The Data Importer is Steno.ai Inc.
B. Data Subjects: End-users of the Customer who interact with the AI agent.
C. Categories of Personal Data: "Customer Content" (text, audio, video) and "Chat Logs."
D. Sensitive Data: None intentionally processed.
E. Frequency & Nature: Continuous, real-time processing to provide conversational AI services.
F. Purpose: To configure, host, and operate the AI agent per the Agreement. Steno.ai will not use Customer Personal Data to train, retrain, or improve any generalized or foundation models without Customer’s documented opt-in. Steno.ai may use de-identified telemetry and aggregated statistics to maintain and secure the Services.
G. Retention: For the subscription term, then deleted within 60 days of termination.
H. Competent Supervisory Authority: The Irish Data Protection Commission.

Annex II – Technical and Organizational Measures
Steno.ai implements measures including:
• Access Control: Role-based access control with MFA. Administrative access is logged and reviewed.
• Encryption: Encryption at rest (AES-256) and in transit (TLS 1.2+). Encryption keys are access-controlled and rotated per policy.
• System and Data Segregation: Logical data segregation.
• Logging and Monitoring: Centralized logging and monitoring for security events.
• Vulnerability Management: Regular vulnerability scans and annual penetration tests.
• Incident Response: A documented incident response plan.
• Personnel Security: Confidentiality agreements and annual security training.
• Business Continuity & Backup: Daily encrypted backups, redundant storage, and quarterly restore testing. Backups are encrypted and subject to defined retention.
• Transfer Safeguards: A Transfer Impact Assessment (TIA) with supplementary safeguards for international transfers. 

Annex III – Authorized Sub-Processors
The Customer authorizes Steno.ai to use the sub-processors listed at the following designated URL: [https://steno.ai/sub-processors] (or a successor URL). Steno.ai will provide notice of any changes to this list in accordance with Section 4.1 of this DPA. The sub-processors used will depend on the data residency option selected by the Customer in the applicable SOW. 

Data Processing Agreement (v 1.1)