Data Processing Agreement (DPA)

Last updated: 14 October 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Internal Cast LLC ("Processor") and the customer agreeing to these terms ("Controller"), collectively referred to as the "Parties."

This DPA reflects the Parties' agreement on the processing of Personal Data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

Prevailing Clause. In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection obligations.


1. Subject Matter and Duration

This DPA governs Processor's processing of Personal Data on behalf of Controller in connection with Controller's use of the Internal Cast platform, mobile applications, and related services ("Services").

Processing shall continue for the term of the Agreement and shall end upon termination or deletion of Controller's account, except as otherwise required by law.


2. Nature and Purpose of Processing

Processor will process Personal Data solely for:

  • Providing the Services (e.g., hosting, streaming, and delivering private podcast episodes)
  • Authentication and user management
  • Customer support
  • Security, monitoring, and fraud prevention
  • Analytics and performance optimization (in aggregated or anonymized form)

Processor will not process Personal Data for its own purposes or for any third-party purposes without Controller's written consent. Processor shall process Personal Data only on documented instructions from Controller, including with respect to international transfers.


3. Categories of Data Subjects

  • Controller's authorized users (admins, contributors)
  • Controller's end users (listeners, employees, contractors)
  • Any other individuals whose data Controller uploads to the Services

4. Categories of Personal Data

The Personal Data processed may include, as determined by Controller:

  • Identifiers: name, email, organization ID, user IDs
  • Usage data: playback events, progress, timestamps
  • Device and technical data: browser, OS, app version, IP address
  • Content metadata: episode titles, descriptions, uploaded media

Special categories of personal data (as defined in GDPR Art. 9) are not intended to be processed by the Services. Controller is solely responsible for ensuring that no such data is uploaded. The Processor does not require or intend to process any special categories of personal data (GDPR Art. 9) or personal data relating to criminal convictions and offences (GDPR Art. 10).


5. Roles of the Parties

  • Controller determines the purposes and means of processing Personal Data.
  • Processor acts solely on behalf of Controller and in accordance with Controller's documented instructions.

If Processor cannot comply with an instruction, it will notify Controller without undue delay.


6. Confidentiality

Processor ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations.


7. Security Measures

Processor implements appropriate technical and organizational measures to protect Personal Data, including:

  • Hosting on secure infrastructure (DigitalOcean)
  • Encryption in transit (HTTPS/TLS) and at rest where applicable
  • Role-based access control and audit logging
  • Regular vulnerability assessments and security monitoring

Processor shall regularly review and update these measures to ensure an appropriate level of security relative to the risk.

A detailed description of security practices is available upon request.


8. Sub-Processors

Controller provides general authorization for the engagement of Sub‑Processors. Controller authorizes Processor to use the following Sub‑Processors:

  • Hosting & Infrastructure: DigitalOcean, Vercel
  • Payment Processing: Stripe (independent controller)
  • AI Services: OpenAI (text-to-speech / transcription)
  • Analytics: Vercel Analytics (anonymous, aggregated)

Sub-Processor Obligations. Processor shall ensure that all approved Sub-Processors are bound by written agreements imposing the same data protection, confidentiality, and security obligations as those set out in this DPA. In particular, each Sub-Processor shall (a) implement appropriate technical and organizational measures consistent with Article 32 GDPR; (b) promptly notify the Processor of any personal data breach; and (c) provide the Processor with reasonable assistance in responding to requests from data subjects or supervisory authorities. The Processor remains fully liable to the Controller for the performance of its Sub-Processors and their compliance with these obligations.

Sub-Processor Listings and Notice. The current list of Sub‑Processors and their locations shall be available upon request or published at internalcast.com/subprocessors (if applicable). Processor shall notify Controller in writing of any intended addition or replacement of Sub‑Processors at least 30 days in advance, allowing Controller to object on reasonable grounds.


9. International Data Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, Processor will ensure such transfers are made pursuant to:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission, or
  • UK International Data Transfer Addendum, or
  • Other appropriate safeguards under GDPR Art. 46.

10. Data Subject Rights

Where a data subject contacts the Processor directly to exercise their rights under applicable data protection laws, the Processor shall immediately forward the request to the Controller and shall not respond except as instructed by the Controller.

Processor shall provide reasonable assistance, taking into account the nature of processing and available technical measures.

Processor will assist Controller in fulfilling data subject requests under GDPR/UK GDPR, including:

  • Access, rectification, erasure
  • Restriction of processing
  • Data portability
  • Objection to processing

Processor shall provide reasonable assistance to the Controller within 10 business days of receiving the Controller’s written instructions. If the Processor cannot comply within this timeframe, it shall notify the Controller and provide the reasons for delay.


11. Data Breach Notification

In the event of a personal data breach or any security incident that may affect Customer Data, Processor shall notify Controller without undue delay and, in any event, within 72 hours after becoming aware of the breach.

Processor shall maintain a breach response plan and log all incidents, regardless of severity.

Such notice shall include:

  • The nature and scope of the breach;
  • The categories and approximate number of data subjects and data records affected;
  • Likely consequences of the breach;
  • Measures taken or proposed to address and mitigate the breach.

Processor shall cooperate fully with Controller and provide any additional information reasonably requested to comply with applicable data protection laws, including Controller’s obligations to notify authorities and affected individuals.


12. Data Return and Deletion Procedures

Upon termination or expiration of the Agreement, or upon the Controller’s written request, the Processor shall, at the Controller’s choice: (1) return all personal data in a structured, commonly used, and machine‑readable format (e.g., CSV, JSON, or encrypted archive); or (2) delete all personal data from its systems and confirm deletion in writing.

Backup copies containing Customer Data shall be retained in encrypted archives for no longer than 90 days after termination, after which they will be permanently deleted or irreversibly anonymized. During this retention period, such backups will remain isolated from active systems and subject to the same technical and organizational security measures as active data.

The Processor shall document all deletions and, upon request, provide a written certificate confirming the completion of data erasure.


13. Audit and Inspection Rights

The Controller or its appointed independent auditor may audit the Processor’s compliance with this DPA once per calendar year, or more frequently if required by law or following a verified data breach.

Audits shall be conducted (a) upon reasonable written notice (minimum 15 business days); (b) during normal business hours; and (c) in a manner that does not disrupt Processor’s operations. The Processor may require the Controller and its auditors to sign a confidentiality agreement before granting access. The Processor may, at its discretion, satisfy audit obligations by providing independent third‑party audit reports (e.g., SOC 2 Type II, ISO/IEC 27001) or other equivalent certifications demonstrating compliance. The Controller shall bear all costs of any on‑site inspection unless a material breach of this DPA is discovered.


14. Liability and Limitations

Each party shall be liable for damages caused by its own breach of this DPA or applicable data protection laws. The Processor’s total aggregate liability arising out of or in connection with this DPA shall not exceed the limits set forth in the main Service Agreement or Terms of Service, except where such limitation is prohibited by law (for example, in cases of willful misconduct or gross negligence). Nothing in this DPA shall limit the Controller’s right to seek compensation from the Processor under Article 82 of the GDPR, where applicable. Nothing in this DPA shall limit or exclude either Party’s liability where prohibited by applicable law.


15. Miscellaneous

In case of conflict between this DPA and the Agreement, the DPA prevails with respect to data protection obligations.

This DPA is governed by the same law and jurisdiction as the Agreement unless otherwise required by applicable data protection laws.

Where required by applicable data protection law, this DPA shall be governed by the laws of the EU Member State where the Controller is established.

Documentation and Recordkeeping. Processor shall maintain records of all categories of processing activities carried out on behalf of Controller, in accordance with Article 30(2) GDPR. Such records shall be made available to Controller or competent supervisory authorities upon request.


For questions about this DPA or to request a signed copy, contact:
Email: team@internalcast.com
Address: Internal Cast LLC, Wyoming, USA