Data Processing Addendum
Last Updated Date: May 1, 2026
This DPA is incorporated into and forms part of the Commercial Terms of Service or other agreement between the parties that governs Customer’s use of the Services (the “Agreement”). In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA will govern with respect to the subject matter hereof. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.
1. Definitions
“Applicable Data Protection Laws” means all applicable data protection and privacy laws, including: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (b) the UK GDPR and Data Protection Act 2018; (c) the Swiss nFADP; and (d) applicable U.S. state privacy laws including the CCPA and similar state statutes, in each case as amended from time to time.
“Customer Personal Data” means any personal data contained within Customer Data that is submitted through the Services by or on behalf of Customer or a Customer Affiliate.
“Customer Affiliate” means an entity that (a) is permitted to use the Services pursuant to the Agreement between Plaud and Customer, and (b) directly or indirectly controls, is controlled by, or is under common control with Customer, where “control” means ownership of more than 50% of the voting interests of the subject entity.
“Data Subject Request” means a request from an individual exercising rights available under Applicable Data Protection Laws with respect to Customer Personal Data (e.g., access, correction, deletion, portability, or restriction).
“SCCs” means the Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.
“Security Incident” means a confirmed breach of Plaud’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data.
“Subprocessor” means any third party engaged by Plaud (or Plaud’s Affiliates) to process Customer Personal Data in connection with providing the Services.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under Section 119A(1) of the Data Protection Act 2018.
The terms “personal data,” “data subject,” “processing,” “controller,” and “processor” have the meanings given to them by Applicable Data Protection Laws, or, in the absence of such definitions, by the GDPR. The terms “controller” and “processor” include “business” and “service provider,” respectively, as required by Applicable Data Protection Laws.
2. Roles and Scope
2.1 Roles. With respect to Customer Personal Data, Customer acts as the controller (or business) and Plaud acts as the processor (or service provider) on Customer’s behalf. Each party will comply with its respective obligations under Applicable Data Protection Laws.
2.2 Purpose and Instructions. Plaud will process Customer Personal Data only: (a) to provide, maintain, and support the Services; (b) to comply with applicable law; (c) to protect the security and integrity of the Services; and (d) in accordance with Customer’s other documented instructions as mutually agreed in writing. The Agreement and this DPA constitute Customer’s documented instructions as of the Effective Date. Plaud will promptly inform Customer if a processing instruction would, in Plaud’s reasonable opinion, violate Applicable Data Protection Laws.
2.3 No Training. Consistent with Section 4.4 of the Agreement, Plaud will not use Customer Personal Data to train or improve Plaud’s general-purpose AI models or those of its Subprocessors, unless Customer separately opts in writing.
3. Plaud Obligations
3.1 Confidentiality of Processing. Plaud will ensure that all personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and are trained on data protection requirements applicable to their role.
3.2 Notification. Plaud will promptly notify Customer if it determines it can no longer comply with its obligations under this DPA, and Customer may take reasonable steps to stop or remediate unauthorized processing.
3.3 Subprocessors. Customer grants Plaud general authorization to engage the Subprocessors listed at https://global.plaud.ai/pages/trust/ (the “Subprocessor List”), as updated in accordance with this Section. Plaud will provide at least thirty (30) days’ prior written notice before engaging a new Subprocessor that will process Customer Personal Data. Customer may object within fifteen (15) days on reasonable data protection grounds. If no commercially feasible alternative is available and the objection is unresolved, Customer may terminate the affected Service for cause and receive a pro-rata refund of prepaid unused fees. Such termination right is Customer’s sole remedy for an objection to a new Subprocessor.
Plaud will impose data protection obligations on each Subprocessor no less protective than those in this DPA and remains liable for each Subprocessor’s compliance to the same extent as if Plaud performed the services directly.
3.4 Data Subject Rights. Plaud will provide reasonable technical and organizational assistance to help Customer respond to Data Subject Requests and, where required by Applicable Data Protection Laws, to conduct data protection impact assessments and related supervisory authority consultations.
3.5 Security. Plaud will implement and maintain the technical and organizational security measures described in Schedule 2, designed to protect Customer Personal Data against unauthorized access, destruction, loss, alteration, or disclosure. Plaud may update these measures provided such updates do not materially reduce the overall level of protection.
4. Customer Obligations
4.1 Lawful Basis and Consents. Customer represents and warrants that it has all necessary rights, consents, notices, and authorizations required under Applicable Data Protection Laws to submit Customer Personal Data to the Services and to authorize Plaud to process it as described in this DPA. Without limiting the foregoing, Customer is solely responsible for obtaining all required recording consents and providing required notices to individuals whose voice or personal data is captured via the Services or Plaud devices.
4.2 Configuration. Customer is responsible for configuring the Services in a manner consistent with its legal obligations. Customer will not submit Customer Personal Data through unsecured channels or in technical support tickets.
4.3 Cooperation. Customer will reasonably cooperate with Plaud to assist Plaud in performing its obligations under Applicable Data Protection Laws in relation to Customer Personal Data.
5. Security Incidents
5.1 Notice. Plaud will notify Customer in writing without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident. Notification does not constitute an acknowledgment of fault or liability.
5.2 Content. To the extent information is available, notice will include: (a) the nature of the Security Incident and, where possible, the categories and approximate number of data subjects and records affected; (b) the likely consequences; and (c) measures taken or proposed to address the incident. Plaud will provide additional details as they become available.
5.3 Cooperation. Plaud will cooperate with Customer’s investigation and take reasonable steps directed by Customer to mitigate the Security Incident and support Customer’s compliance with Applicable Data Protection Laws.
6. Audits and Compliance
6.1 Certifications. Plaud is audited at least annually against recognized security standards (e.g., SOC 2 Type II) by independent third-party auditors. Upon Customer’s written request (no more than once per 12-month period, unless required by Applicable Data Protection Laws or in response to a Security Incident), Plaud will provide its most recent applicable audit report or certification. Current certifications are available at https://global.plaud.ai/pages/trust/.
6.2 Customer Audits. Customer may, upon written request and reasonable advance notice (not less than thirty (30) days), conduct or commission an audit of Plaud’s compliance with this DPA, subject to: (a) mutual agreement on scope, timing, and applicable confidentiality controls; (b) the audit being conducted during business hours with minimal operational disruption; and (c) Customer bearing all associated costs. Audit findings are the Confidential Information of both parties and may only be used to confirm compliance with this DPA.
7. Data Return and Deletion
7.1 Return and Deletion. Following termination or expiration of the Agreement, Plaud will, at Customer’s instruction, return or delete all Customer Personal Data, including all existing copies thereof.
7.2 Exceptions. Plaud may retain Customer Personal Data beyond the period in Section 7.1 only to the extent required by Applicable Data Protection Laws or other legal obligations, to resolve a dispute between the parties, or to prevent harmful or fraudulent use of the Services. Retained data remains subject to this DPA.
8. International Data Transfers
8.1 General. Customer acknowledges that Plaud and its Subprocessors may process Customer Personal Data in the United States and other countries where Plaud or its Subprocessors operate. Plaud will ensure all such transfers comply with Applicable Data Protection Laws, including by implementing appropriate transfer mechanisms.
8.2 EU/EEA Transfers. To the extent transfers of Customer Personal Data from the EEA to Plaud require a transfer mechanism under the GDPR, Module Two (Controller to Processor) of the SCCs is incorporated by reference into this DPA and deemed executed by the parties, with Customer as data exporter and Plaud as data importer. The SCCs are completed as specified in Schedule 3(A).
8.3 UK Transfers. To the extent transfers are subject to UK data protection law, the UK Addendum set out in Schedule 3(B) is incorporated by reference and deemed executed by the parties.
8.4 Swiss Transfers. To the extent transfers are subject to Swiss data protection law (nFADP), the Swiss Addendum set out in Schedule 3(C) is incorporated by reference and deemed executed by the parties.
8.5 Precedence. In the event of conflict between applicable transfer mechanisms (SCCs, UK Addendum, or Swiss Addendum), this DPA, and the Agreement, the applicable transfer mechanism prevails, followed by this DPA.
9. U.S. State Privacy Laws
To the extent U.S. state privacy laws (including the CCPA) apply, Plaud acts as a “service provider” or “processor” and certifies that it will:
- process Customer Personal Data only for the business purposes described in this DPA and the Agreement;
- not “sell” or “share” (as defined by the CCPA) Customer Personal Data;
- not retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties, except as required by law;
- not combine Customer Personal Data with personal data from other sources except as permitted by applicable law or as directed by Customer;
- provide Customer the right to take reasonable steps to ensure Plaud’s processing is consistent with Customer’s obligations under applicable law; and
- notify Customer promptly if Plaud determines it can no longer comply with this Section 9.
10. Term and Amendment
10.1 Term. This DPA remains in effect for the duration of the Agreement and survives termination until Plaud completes its deletion obligations under Section 7.
10.2 Amendment. Plaud may amend this DPA on reasonable prior written notice where required by changes in Applicable Data Protection Laws or binding regulatory guidance. Substantive amendments that materially reduce Customer’s rights may be disputed within fifteen (15) days of notice; if unresolved within thirty (30) days, either party may terminate the Agreement on thirty (30) days’ written notice.
Schedule 1 Details of Processing
A. Parties
Data Exporter: Customer and/or Customer Affiliates. Contact details as specified in the Order Form.
Data Importer: Plaud, Inc., 8 The Green, Ste A, Dover, Delaware 19901. Data protection contact: privacy@plaud.ai.
B. Description of Processing
Categories of Data Subjects. (a) Authorized Users; (b) third-party individuals whose personal data is captured in audio recordings or other Customer Data submitted to the Services (e.g., meeting participants, clients, colleagues).
Categories of Personal Data. Determined by Customer; may include:
- Contact data (names, email addresses)
- Audio recordings and voice data captured via Plaud devices (e.g., NotePin, Note) or uploaded by Customer
- Derived data: AI-generated transcriptions, meeting summaries, and action items
- Meeting metadata (date, duration, participants)
- Device and account usage data
- Any other personal data contained in Customer Data submitted to the Services
Special Categories. Audio recordings and transcriptions may incidentally contain special category data (e.g., health information or political opinions). Customer is solely responsible for ensuring a lawful basis for processing such data.
Duration. Continuous processing for the duration of the Agreement, as determined by Customer’s configuration and use of the Services.
Nature and Purpose. Providing AI-driven transcription, summarization, and related Services. Processing activities include collection, storage, transcription, summarization, and deletion of Customer Personal Data as necessary to deliver the Services.
C. Competent Supervisory Authority
Where the data exporter is established in an EU Member State: the supervisory authority of that Member State. Where the data exporter is not established in the EU but falls within the territorial scope of the GDPR: the Irish Data Protection Commission.
Schedule 2 Technical and Organizational Security Measures
Plaud maintains a written information security program designed to protect Customer Personal Data against unauthorized access, destruction, loss, alteration, or disclosure. Plaud may update these measures provided such updates do not materially reduce overall protection. Current certifications and additional information are available at https://global.plaud.ai/pages/trust/.
Schedule 3 International Data Transfer Mechanisms
A. EU Standard Contractual Clauses (Module Two: Controller to Processor)
The EU SCCs are incorporated by reference and deemed executed by the parties, with the following elections:
• Clause 7 (Docking Clause): Does not apply.
• Clause 9 (Subprocessors): Option 2 (General Written Authorization); notice period as per Section 3.3.
• Clause 11 (Redress): Optional independent redress wording does not apply.
• Clause 17 (Governing Law): Option 1 (law of the Republic of Ireland).
• Clause 18 (Forum): Courts of the Republic of Ireland.
• Annex I.A (Parties): Schedule 1, Section A.
• Annex I.B (Description of Transfer): Schedule 1, Section B.
• Annex I.C (Supervisory Authority): Schedule 1, Section C.
• Annex II (TOMs): Schedule 2.
• Annex III (Subprocessors): https://global.plaud.ai/pages/trust/.
B. UK Addendum
The UK Addendum (version B.1.0) is incorporated by reference and deemed executed by the parties. The selected SCCs are those in Schedule 3(A). For Table 4, Plaud (as data importer) may end the UK Addendum when the Approved EU SCCs change.
C. Swiss Addendum
For transfers subject exclusively to Swiss data protection law (nFADP), the SCCs in Schedule 3(A) are amended as follows: references to the GDPR and EU/EEA are replaced with references to Swiss data protection law and Switzerland; the competent supervisory authority is the FDPIC; governing law is Swiss law; and disputes are resolved by Swiss courts. Where transfers are subject to both Swiss law and the GDPR, both sets of rules apply.
Schedule 4 Authorized Subprocessors
Plaud’s current list of authorized Subprocessors (including name, country, and processing purpose) is maintained at https://global.plaud.ai/pages/trust/.




