This Data Processing Addendum ("DPA") applies when an organization ("Customer") licenses AsideMe from Beat Dump Inc. ("Processor", "we", "us") and that license involves processing of personal data on the Customer's behalf. It supplements the Terms of Service and forms part of the binding agreement between Customer and Processor.
Need a signed copy? Email compliance@asideme.app with your organization name and use case. We'll send a counter-signed PDF within 5 business days. We can also accept your standard DPA if it covers the same ground.
1. Definitions
- Personal Data, Controller, Processor, Sub-processor, Processing, Data Subject — as defined in the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended ("CCPA"), or equivalent law applicable in Customer's jurisdiction.
- Customer Personal Data — personal data that Processor processes on behalf of Customer under the agreement.
- Authorized Sub-processor — any third party listed at /landing/subprocessors.html.
2. Roles
For Customer Personal Data, Customer is the Controller and AsideMe is the Processor. Each Party will comply with the obligations applicable to it under Applicable Data Protection Law.
3. Subject matter, duration, nature, and purpose
- Subject matter: the provision of the AsideMe service (live transcription, retrieval-augmented question answering, study-material generation, account management, billing).
- Duration: for the term of the agreement plus any retention period required by law or agreed in writing.
- Nature: automated processing including transmission, storage, retrieval, organization, and use of Customer Personal Data to provide the service.
- Purpose: to enable Customer's end users to capture lectures, ask questions, and generate study materials.
- Categories of data subjects: Customer's end users (students, employees, members) who hold AsideMe accounts under Customer's license.
- Categories of personal data: email address, account metadata, transcripts of audio chosen by the user to capture, questions asked, answers generated, uploaded materials, billing metadata.
- Special category data: not intentionally processed. Customer agrees not to upload special-category personal data or to use AsideMe to process such data without prior written agreement.
4. Processor obligations
Processor will:
- Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do so by applicable law. If required by law, Processor will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Ensure that persons authorized to process Customer Personal Data are under an obligation of confidentiality.
- Implement appropriate technical and organizational measures (see §7).
- Engage Sub-processors only as described in §6 below.
- Assist Customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by Applicable Data Protection Law, including providing API endpoints at POST /api/account/export and POST /api/account/delete.
- Assist Customer in ensuring compliance with security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations under Articles 32–36 GDPR.
- At Customer's choice, delete or return all Customer Personal Data within 90 days of termination of the agreement.
- Make available to Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as described in §9.
5. Customer obligations
Customer will:
- Have a valid lawful basis (Article 6 GDPR or equivalent) for the processing it instructs Processor to carry out.
- Comply with its own obligations as Controller, including providing notice to Data Subjects and obtaining any necessary consents (including consent to be recorded — see Terms §5).
- Not upload data subject to laws or regulations beyond GDPR/CCPA/UK GDPR (e.g., HIPAA, FERPA, COPPA) unless Processor has agreed in writing to support that regime.
6. Sub-processors
Customer authorizes Processor to engage the Authorized Sub-processors listed at /landing/subprocessors.html. Processor will:
- Impose contractual obligations on each Sub-processor that are equivalent in all material respects to the ones in this DPA.
- Remain liable for the acts and omissions of its Sub-processors as if they were its own.
- Notify Customer at least 30 days before adding a new Sub-processor that will process Customer Personal Data (via update to the sub-processors page and email to the contact on the DPA).
- Allow Customer to object to a new Sub-processor in writing within 30 days of notification. If the parties cannot agree on a resolution, Customer may terminate the affected portion of the service for cause.
7. Security
Processor maintains a security program appropriate to the risk, including:
- Encryption — TLS 1.2+ for data in transit; AES-256 encryption at rest at the database-volume layer.
- Access control — role-based access; cookies signed with server-side HMAC; session-version revocation on demand.
- Authentication — passwordless magic-link via verified email; per-user rate limiting; admin-only privilege gates.
- Audit logging — append-only log of sensitive actions (email verification, sign-out, account deletion) with IP and user-agent.
- Multi-tenancy isolation — every session and resource is scoped by user_id and verified at the route layer.
- Input handling — path-traversal prevention on uploads, SSRF protection (DNS-resolved IP-range allowlist) on outbound fetches, CSP with framing disabled.
- Logging hygiene — PII (emails, queries, tokens) is redacted from server logs at the logger layer.
- Vulnerability management — dependencies audited via npm audit; security patches applied within 7 days of disclosure for high/critical severity.
- Backups — daily encrypted snapshots retained 30 days.
- Personnel — confidentiality obligations on all individuals with access to Customer Personal Data.
A copy of the current technical-and-organizational-measures detail can be requested from compliance@asideme.app.
8. Breach notification
Processor will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include, to the extent known: nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, measures taken or proposed to address it, and contact for further information.
9. Audit
Processor will respond to written reasonable inquiries from Customer regarding compliance with this DPA. No more than once per year, and subject to reasonable confidentiality obligations and prior written notice of at least 30 days, Customer (or its designated qualified auditor) may conduct an audit. Audits may not unreasonably interfere with Processor's business operations and Customer bears the audit cost unless the audit reveals material non-compliance.
10. International transfers
To the extent Customer Personal Data is transferred outside the EEA, the United Kingdom, or Switzerland to a country not deemed to provide adequate protection, the parties will rely on the Standard Contractual Clauses (Module 2 or Module 3 as appropriate) adopted by the European Commission (Decision 2021/914), the UK International Data Transfer Addendum, and the Swiss FDPIC adaptation, as applicable. The SCCs are incorporated into this DPA by reference.
11. Liability
Each party's liability arising under this DPA is subject to the limitations and exclusions set forth in the main agreement.
12. Conflict
In the event of any conflict between this DPA and the main agreement, this DPA prevails as to the subject matter of Data Protection Law.
13. Term
This DPA is effective on the start date of the main agreement and continues for as long as Processor processes Customer Personal Data.
14. Governing law
This DPA is governed by the laws of the State of Tennessee, USA, except where Applicable Data Protection Law mandates otherwise.
15. Contact
For DPA execution or compliance questions: compliance@asideme.app.
Disclaimer: This document is provided as a starting point and is the standard form AsideMe will sign without modification for most B2B customers. It does not substitute for legal advice; consult your own counsel before signing.