DPA Overview

Role designation between Controller and Processor is determined per engagement based on the nature of the data processing activities and contractual requirements.

Processor engagements: YPAI processes personal data on behalf of the client organization according to documented instructions. The client remains the Controller.

Independent Controller engagements: In certain arrangements, YPAI may act as an Independent Controller for specific processing activities. This is documented in the engagement agreement.

Role definitions and responsibilities are specified in the DPA and reviewed during scoping. Specific obligations are defined contractually.

Speech data collection workflows involve processing of audio recordings and associated metadata. Data categories processed include:

• Voice recordings (audio files)
• Transcripts and annotations
• Speaker metadata (anonymized identifiers, demographic categories as defined per project)
• Consent records and provenance documentation
• Technical metadata (sample rate, format, duration)

Purpose limitation: Data is processed for the purposes of collection, validation, quality assurance, and delivery as defined in the engagement agreement.

Specific data categories and processing purposes are documented in the DPA Annex and defined during scoping.

All data collection occurs within our controlled platform. This enables verifiable consent and traceable provenance for each recording.

Consent: Consent is obtained from contributors before recording begins. Consent records are maintained and can be produced for internal review.

Provenance: Each recording is associated with provenance metadata including contributor identifier, timestamp, and consent reference.

Audit trail: Full audit documentation is available for legal and compliance review. Provenance is verifiable for long-term production use.

Audit trail requirements and access procedures are defined contractually. Specific documentation is provided upon request during scoping.

Sub-processors engaged in data processing activities are disclosed as part of the DPA terms.

• Sub-processor list or categories provided during scoping
• Sub-processor governance procedures defined in DPA
• Update notification and approval mechanisms agreed contractually

Sub-processors are disclosed contractually and updated as required per the agreed notification procedure.

Retention periods and deletion procedures are defined contractually during scoping.

• Retention windows vary by engagement and are specified in the DPA
• Deletion procedures aligned with GDPR requirements
• Ability to support enterprise retention policies as defined per project

Post-engagement: Data handling after engagement completion is documented in the DPA, including return or deletion options.

Specific retention periods and deletion timelines are provided for internal review during scoping.

Internal controls and security measures are implemented to protect data during collection, processing, and delivery.

Access control: Access to data is limited to authorized personnel. Access control policies are documented and available for review.

Audit readiness: Full audit documentation is available for legal and compliance review. We can provide documentation of security practices upon request.

Specific security documentation and audit artifacts are provided during scoping upon request.