Data Processing Agreement

Pamela AI Holding B.V. | Last revised: June 2025

THE UNDERSIGNED:

  1. [Name of Controller], having its registered office at [address], [city], registered with the Dutch Chamber of Commerce under number [KvK-number], duly represented by [name and position], hereinafter referred to as the “Controller”;


and

  2. Pamela AI Holding B.V., having its registered office at Concertgebouwplein 15, 1071 LL in Amsterdam, The Netherlands, duly represented by its managing director, Samuel Ehren, hereinafter referred to as the “Processor”;


Hereinafter collectively referred to as the “Parties” and individually as a “Party”.



WHEREAS:

(a) Processor provides services to the Controller under a Main Agreement, of which this Data Processing Agreement forms a part;
(b) These services involve the processing of personal data;
(c) Processor shall only process such data on behalf of the Controller and not for its own purposes;
(d) The processing falls within the scope of the General Data Protection Regulation (GDPR);
(e) The Parties wish to lay down their arrangements regarding the processing of personal data in this Agreement;
(f) If applicable, this Agreement replaces any previous data processing agreements between the Parties.



Article 1. Definitions

The definitions used in this Agreement shall have the same meaning as set forth in Article 4 of the GDPR.

Article 2. Subject of the Agreement

  1. This Agreement governs the processing of personal data by the Processor on behalf of the Controller in the performance of the Main Agreement.


  2. The following annexes form an integral part of this Agreement:


    • Annex 1: Description of the Processing


    • Annex 2: Security Measures


    • Annex 3: Contact Details


  3. In the event of conflict between this Agreement and the Main Agreement, the provisions of this Agreement shall prevail.


Article 3. Obligations of the Processor

  1. Processor shall only process personal data to the extent that:


    • it is necessary for the performance of the Main Agreement as described in Annex 1; or


    • Controller has provided further written instructions, as set out in Annex 1.


  2. Processor shall comply with all reasonable instructions issued by Controller regarding the processing of personal data. Processor shall inform the Controller immediately if it believes that an instruction infringes applicable data protection law.


  3. Processor may process personal data pursuant to a legal obligation. Where possible, the Processor shall inform the Controller of the legal requirement prior to processing unless prohibited by law. The Processor shall enable the Controller to object where applicable.


  4. Processor guarantees proper, careful, and lawful processing of the personal data in accordance with the GDPR and other applicable laws.


  5. Processor shall ensure its employees are bound by confidentiality obligations.


  6. Processor acknowledges that data processed via Pamela may incidentally contain sensitive personal data. Such processing is passive, without classification or content interpretation.


  7. Processor shall not be liable for the nature or sensitivity of user-provided data, nor for any consequences arising from decisions based on software-generated outputs.


Article 4. Use of Sub-processors

  1. Processor may use sub-processors as specified in Annex 1 without further consent.


  2. Any changes to sub-processors will be notified to the Controller in advance. Controller may object within 14 days. Parties will cooperate in good faith to resolve any objections.


  3. Sub-processors are bound by the same obligations as set forth in this Agreement.


  4. Processor remains fully liable for actions of sub-processors.


  5. All of Pamela's sub-processors hold ISO 27001 and/or SOC 2 certifications. Pamela itself is not yet formally certified but adheres to GDPR and industry best practices.


Article 5. Security

  1. Processor shall implement appropriate technical and organisational measures in accordance with Article 32 GDPR.


  2. While Processor cannot guarantee absolute security, it shall maintain a level of security appropriate to the risk and data sensitivity.


Article 6. Breach Notification

  1. Processor shall notify the Controller of any data breach within 48 hours, including the nature, scope, consequences, affected individuals and data categories, and remedial measures taken.


  2. Processor shall take reasonable steps to contain and prevent future incidents.


Article 7. Rights of Data Subjects

  1. Processor shall assist the Controller in fulfilling its obligations regarding data subject rights (Articles 15–22 GDPR).


  2. If Processor receives a request directly, it shall forward it to the Controller. Processor may inform the data subject of this redirection.


Article 8. Audit

  1. Controller may audit Processor’s compliance with this Agreement once annually, or more frequently in case of substantiated suspicion of misuse.


  2. If an independent audit was recently conducted, a copy of the relevant report may suffice.


  3. Parties will agree in advance on the scope and timing of the audit. Processor shall cooperate fully and provide access to relevant systems and documentation.


  4. Findings will be discussed with Processor and are confidential.


  5. If breaches or non-compliance are found, audit costs shall be borne by Processor. Otherwise, costs shall be borne by the Controller.




Article 9. Liability

  1. Any liability limitations in the Main Agreement also apply to this Agreement.


  2. Processor shall not be liable for damages arising from decisions made based on software-generated outputs (e.g., transcripts, summaries or analysis), nor for the processing of sensitive data unintentionally or intentionally disclosed by users.


Article 10. Duration and Termination

  1. This Agreement enters into force on the date of signing and shall remain in force as long as the Main Agreement is valid.


  2. Termination of the Main Agreement shall automatically terminate this Agreement, unless otherwise agreed.


  3. Obligations which by nature survive termination (e.g., confidentiality, liability, security) shall remain in force.


  4. Upon termination, Processor shall, at Controller's discretion, return or securely delete all personal data and any copies.


Article 11. Miscellaneous

  1. In case of conflict, the terms of this Agreement take precedence over the Main Agreement.


  2. If any provision is declared void, the remainder shall remain in force.


  3. This Agreement is governed by Dutch law. Disputes shall be submitted to the competent court as specified in the Main Agreement.



Annex 1 – Description of the Processing

  • Purpose: transcription, analysis and summarization of meetings via Pamela software


  • Personal data: voice recordings, names, metadata, meeting content


  • Data subjects: users and meeting participants


  • Legal basis: performance of a contract


  • Sub-processors:


    • Deepgram (ISO 27001, SOC 2 Type II)


    • Supabase (SOC 2, HIPAA, ePHI)


    • AWS Europe (GDPR, ISO/IEC 27001, SOC 1, SOC 2, SOC 3, BSI C5)


    • Gemini Flash 2 (GDPR, ISO 27001, ISO 27018, ISO 27701, ISO 42001, SOC 1, SOC 2, SOC 3, MTCS, OSPAR, HITRUST CSF, FINMA, CSA STAR, BSI C5:2020)


  • International transfers: only where covered by adequacy decision or SCCs


  • Retention: we do not store audio on any of our servers or on those of our sub-processors. Audio is streamed directly for transcription.


  • Deletion: automated or upon request via support





Annex 2 – Security Measures

Pamela is not currently ISO/SOC certified but follows GDPR and ISO 27001-aligned best practices, including:

  • End-to-end encryption in transit and at rest


  • Role-based access control and audit logging


  • Hosting backend in EU-based AWS data centers


  • Monitoring, backup, and incident response protocols


A TPM or internal security documentation is available upon request.

Your meetings, fully captured. Zero effort.

AI-powered notes, summaries, and insights - all without bots or invites. Pamela works quietly in the background, so you don’t have to.