Data Processing Addendum (DPA)
Effective Date: 2026-04-21
Version: 1.0
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Theta One AI ("Processor", "we") and the customer identified in the applicable order or account ("Controller", "you") to the extent you submit personal data subject to the General Data Protection Regulation ("GDPR"), UK GDPR, or the Korean Personal Information Protection Act ("PIPA") through the Service.
If you require a counter-signed copy, email privacy@thetaone.co with your legal entity name and signatory details.
1. Definitions
Capitalized terms not defined here have the meanings in the Terms of Service. "Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in Article 4 GDPR. For PIPA, the equivalent terms in Articles 2 and 26 apply.
2. Subject matter and roles
Theta One processes Personal Data on behalf of Customer (as a processor, or under PIPA an entrusted party, 수탁자) solely to provide the Service under the Terms. Customer is the Controller (or, under PIPA, the Personal Information Controller) of all Personal Data submitted to the Service.
3. Scope of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of STT and pronunciation-scoring APIs and Console |
| Duration | The term of the Terms of Service |
| Nature and purpose | Returning STT/pronunciation results in response to Customer API calls; securing and operating the Service |
| Categories of Data Subjects | Customer's end users, in particular the speakers whose voices appear in submitted audio |
| Categories of Personal Data | Audio recordings of voices, text accompanying pronunciation requests, request metadata (timestamp, API key, IP) |
| Special categories | Voice audio can in principle be processed as biometric data; Theta One does not process it for the purpose of uniquely identifying a natural person, and Customer's use of the Service for biometric identification is prohibited (see AUP) |
4. Documented instructions
Theta One processes Personal Data only on Customer's documented instructions, which are (a) the Terms, (b) this DPA, (c) configuration made by Customer via the Console or API, and (d) written instructions Customer may issue via privacy@thetaone.co. We will inform Customer if we consider an instruction to violate applicable data-protection law.
5. Confidentiality
Personnel authorized to process Personal Data are bound by confidentiality obligations (by contract or statute), and access to Personal Data is granted only on a need-to-know basis.
6. Security
Theta One implements appropriate technical and organizational measures in line with Article 32 GDPR and Article 29 PIPA, including:
- TLS 1.2+ encryption in transit and AES-256 encryption at rest for stored personal data;
- Role-based access controls with least privilege; MFA for employee administration consoles;
- Secret scanning and rotation for API keys and service credentials;
- Audit logging of privileged actions;
- Incident response procedures with post-incident review;
- Sub-processor due diligence (see Sub-Processors).
7. Sub-processors
7.1 Customer grants general authorization for Theta One to engage sub-processors listed at Sub-Processors. Theta One will notify Customer of changes at least thirty (30) days before a new sub-processor begins processing Personal Data.
7.2 Theta One imposes on each sub-processor data-protection obligations at least as protective as those in this DPA.
7.3 Customer may object to a new sub-processor within thirty (30) days of notice for reasonable data-protection grounds. If we cannot accommodate the objection, either party may terminate the affected part of the Service for convenience without penalty.
8. International transfers
Where Personal Data is transferred outside the EEA/UK to a country without an adequacy decision, the EU Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 ("SCCs") apply between the parties, using Module Two (controller-to-processor) and, where Theta One transfers Personal Data onward to a sub-processor, Module Three (processor-to-processor). For UK transfers, the UK International Data Transfer Addendum applies. For transfers subject to PIPA, Customer consents to the transfer as described in Section 11.2 of the Privacy Policy.
9. Data-Subject requests
Theta One will, taking into account the nature of the Processing, provide reasonable assistance to Customer in responding to Data-Subject requests under Articles 12–23 GDPR or PIPA Articles 35–37. If Theta One receives a Data-Subject request directly, we will forward it to Customer and will not respond substantively except to confirm receipt and direct the individual to Customer.
10. Data-protection impact assessments
On reasonable request, Theta One will provide information reasonably necessary for Customer to conduct DPIAs (Article 35 GDPR) and prior consultations.
11. Personal-data breach notification
Theta One will notify Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer's Personal Data, with the information required under Article 33(3) GDPR to the extent then available, and will provide updates as the investigation progresses.
12. Audits
Customer may audit Theta One's compliance with this DPA, either by (a) reviewing third-party audit reports (e.g., SOC 2, ISO 27001) we make available, or (b) for material concerns, an on-site audit on reasonable notice, at Customer's expense, during business hours, and subject to confidentiality. Audits occur at most once per 12-month period unless required by a regulator or following a Personal Data Breach.
13. Deletion and return
On termination of the Terms, Theta One will delete or return Personal Data within ninety (90) days at Customer's choice, except where retention is required by law (e.g., Korean tax law).
14. Liability
The liability caps and exclusions in the Terms apply to this DPA.
15. Conflict
If this DPA conflicts with the Terms for matters of data protection, this DPA controls. For other matters, the Terms control.
16. Contact
Processor contact for data-protection matters: privacy@thetaone.co.