Data Processing Agreement (DPA)
Last updated: 26 February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Internal Cast LLC ("Processor") and the customer agreeing to these terms ("Controller"), collectively referred to as the "Parties."
This DPA reflects the Parties' agreement on the processing of Personal Data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.
Prevailing Clause. In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection obligations.
1. Subject Matter and Duration
This DPA governs Processor's processing of Personal Data on behalf of Controller in connection with Controller's use of the Internal Cast platform, mobile applications, and related services ("Services").
Processing shall continue for the term of the Agreement and shall end upon termination or deletion of Controller's account, except as otherwise required by law.
2. Nature and Purpose of Processing
Processor will process Personal Data solely for:
- Providing the Services (e.g., hosting, streaming, and delivering private podcast episodes)
- Authentication and user management
- Customer support
- Security, monitoring, and fraud prevention
- AI-based text summarization, script generation, and voice synthesis (via authorized sub-processors)
- Analytics and performance optimization (in aggregated or anonymized form)
Processor will not process Personal Data for its own purposes or for any third-party purposes without Controller's written consent. Processor shall process Personal Data only on documented instructions from Controller, including with respect to international transfers.
3. Categories of Data Subjects
- Controller's authorized users (admins, contributors)
- Controller's end users (listeners, employees, contractors)
- Any other individuals whose data Controller uploads to the Services
4. Categories of Personal Data
Personal Data may include, as determined by Controller:
- Identifiers: name, email, organization ID, user IDs
- Usage data: playback events, progress, timestamps
- Device and technical data: browser, OS, app version, IP address
- Content metadata: episode titles, descriptions, uploaded media
- Audio and Voice Data: voice samples provided by users for cloning or broadcast purposes
Special categories of data. The Processor does not require or intend to process any special categories of personal data (GDPR Art. 9) or personal data relating to criminal convictions and offences (GDPR Art. 10). The Processor processes voice data solely for the purpose of digital synthesis and conversion into audio. Such processing is not intended for biometric identification unless specifically instructed and configured by the Controller. The Controller is responsible for ensuring the legal basis for processing such data.
5. Roles of the Parties
- Controller determines the purposes and means of processing Personal Data.
- Processor acts solely on behalf of Controller and in accordance with Controller's documented instructions.
If Processor cannot comply with an instruction, it will notify Controller without undue delay.
AI Processing Instructions. The Controller acknowledges that by using the automated features of the Services (e.g., text-to-speech, AI summarization), the Controller is instructing the Processor to transfer data to AI sub-processors. The Processor's responsibility is limited to ensuring secure transmission and ensuring that sub-processors do not use Controller Data for model training.
6. Confidentiality
Processor ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations.
7. Security Measures
Processor implements appropriate technical and organizational measures to protect Personal Data, including:
- Hosting on secure, SOC 2-compliant cloud infrastructure
- Encryption in transit (HTTPS/TLS) and at rest where applicable
- Role-based access control and audit logging
- Regular vulnerability assessments and security monitoring
Processor shall regularly review and update these measures to ensure an appropriate level of security relative to the risk.
A detailed description of security practices is available upon request.
8. Sub-Processors
Controller provides general authorization for the engagement of Sub-Processors. Processor engages the following categories of Sub-Processors:
- Hosting & Infrastructure Providers — for secure hosting, storage, deployment, and content delivery
- AI Service Providers (Text generation & Voice synthesis) — for automated content processing via API, under agreements that prohibit use of Controller Data for model training
- CDN & Performance Monitoring — for content delivery optimization and anonymous, aggregated analytics
- Payment Processing: Stripe (acts as an independent data controller under its own privacy policy)
Sub-Processors are selected based on their compliance with GDPR requirements and the availability of Standard Contractual Clauses (SCCs) or equivalent data protection mechanisms.
The specific names of current Sub-Processors are maintained in a separate "Sub-Processor List," which is available to the Controller upon written request to team@internalcast.com or via the secure dashboard.
Sub-Processor Obligations. Processor shall ensure that all approved Sub-Processors are bound by written agreements imposing the same data protection, confidentiality, and security obligations as those set out in this DPA. In particular, each Sub-Processor shall (a) implement appropriate technical and organizational measures consistent with Article 32 GDPR; (b) promptly notify the Processor of any personal data breach; and (c) provide the Processor with reasonable assistance in responding to requests from data subjects or supervisory authorities. The Processor remains fully liable to the Controller for the performance of its Sub-Processors and their compliance with these obligations.
Sub-Processor Notice. Processor shall notify Controller in writing of any intended addition or replacement of Sub-Processors at least 30 days in advance, allowing Controller to object on reasonable grounds.
9. International Data Transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, Processor will ensure such transfers are made pursuant to:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, or
- UK International Data Transfer Addendum, or
- Other appropriate safeguards under GDPR Art. 46.
10. Data Subject Rights
Where a data subject contacts the Processor directly to exercise their rights under applicable data protection laws, the Processor shall immediately forward the request to the Controller and shall not respond except as instructed by the Controller.
Processor shall provide reasonable assistance, taking into account the nature of processing and available technical measures.
Processor will assist Controller in fulfilling data subject requests under GDPR/UK GDPR, including:
- Access, rectification, erasure
- Restriction of processing
- Data portability
- Objection to processing
Processor shall provide reasonable assistance to the Controller within a reasonable timeframe, not to exceed 15 calendar days, of receiving the Controller’s written instructions. If the Processor cannot comply within this timeframe, it shall notify the Controller and provide the reasons for delay.
11. Data Breach Notification
In the event of a personal data breach or any security incident that may affect Customer Data, Processor shall notify Controller without undue delay and, in any event, within 72 hours after becoming aware of the breach.
Processor shall maintain a breach response plan and log all incidents, regardless of severity.
Such notice shall include:
- The nature and scope of the breach;
- The categories and approximate number of data subjects and data records affected;
- Likely consequences of the breach;
- Measures taken or proposed to address and mitigate the breach.
Processor shall cooperate fully with Controller and provide any additional information reasonably requested to comply with applicable data protection laws, including Controller’s obligations to notify authorities and affected individuals.
12. Data Return and Deletion Procedures
Upon termination or expiration of the Agreement, or upon the Controller’s written request, the Processor shall, at the Controller’s choice: (1) return all personal data in a structured, commonly used, and machine‑readable format (e.g., CSV, JSON, or encrypted archive); or (2) delete all personal data from active systems within 30 days and confirm deletion in writing.
Backup copies containing Customer Data shall be retained in encrypted archives for no longer than 90 days after termination, after which they will be permanently deleted or irreversibly anonymized. During this retention period, such backups will remain isolated from active systems and subject to the same technical and organizational security measures as active data.
The Processor shall document all deletions and, upon request, provide a written certificate confirming the completion of data erasure.
13. Audit and Inspection Rights
The Controller or its appointed independent auditor may audit the Processor’s compliance with this DPA once per calendar year, or more frequently if required by law or following a verified data breach.
Audits shall be conducted (a) upon reasonable written notice (minimum 15 business days); (b) during normal business hours; and (c) in a manner that does not disrupt Processor’s operations. The Processor may require the Controller and its auditors to sign a confidentiality agreement before granting access. The Processor may, at its discretion, satisfy audit obligations by providing independent third‑party audit reports (e.g., SOC 2 Type II, ISO/IEC 27001) or other equivalent certifications demonstrating compliance. The Controller shall bear all costs of any on‑site inspection unless a material breach of this DPA is discovered.
14. Liability and Limitations
Each party shall be liable for damages caused by its own breach of this DPA or applicable data protection laws. The Processor’s total aggregate liability arising out of or in connection with this DPA shall not exceed the limits set forth in the main Service Agreement or Terms of Service, except where such limitation is prohibited by law (for example, in cases of willful misconduct or gross negligence). Nothing in this DPA shall limit the Controller’s right to seek compensation from the Processor under Article 82 of the GDPR, where applicable. Nothing in this DPA shall limit or exclude either Party’s liability where prohibited by applicable law.
15. Miscellaneous
In case of conflict between this DPA and the Agreement, the DPA prevails with respect to data protection obligations.
This DPA is governed by the same law and jurisdiction as the Agreement unless otherwise required by applicable data protection laws.
Where required by applicable data protection law, this DPA shall be governed by the laws of the EU Member State where the Controller is established.
Documentation and Recordkeeping. Processor shall maintain records of all categories of processing activities carried out on behalf of Controller, in accordance with Article 30(2) GDPR. Such records shall be made available to Controller or competent supervisory authorities upon request.
For questions about this DPA or to request a signed copy, contact:
Email: team@internalcast.com
Address: Internal Cast LLC, Wyoming, USA