Data Processing Addendum

The DPA that automatically applies to your subscription.

This Data Processing Addendum (the “DPA”) forms part of the Citesvue subscription agreement between Customer and Citesvue. It applies whenever Citesvue processes personal data on Customer’s behalf in the course of providing the Service. It is drafted to satisfy Article 28 of the GDPR and the UK GDPR, incorporates the EU Standard Contractual Clauses for international transfers, and is countersigned automatically when Customer accepts the Terms, so no separate signature exchange is required for Team or Business tiers. Enterprise customers may execute a wet-signed version on request.

Last updated · Version 1.0 · public preview
How this works

Acceptance, precedence, and where this DPA fits.

  • Acceptance. By accepting the Terms or executing an Order Form, Customer accepts this DPA.
  • Parties. The “Processor” is Citesvue Inc. (or the contracting Citesvue affiliate named in the Order Form). The “Controller” is the Customer entity that owns the workspace.
  • Precedence. In any conflict between this DPA and the Terms with respect to the processing of personal data, this DPA prevails.
  • Scope. This DPA covers Citesvue’s processing of personal data on Customer’s behalf in connection with the Service. Account registration data and billing data, where Citesvue acts as an independent controller, are governed by the Privacy Policy.
Definitions

The terms we use, the way we use them.

  • “Applicable Data Protection Law” means the EU GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, etc.), and any successor or equivalent law applicable to the processing.
  • “Customer Personal Data” means personal data contained in Customer Content or otherwise processed by Citesvue on Customer’s behalf.
  • “Sub-processor” means any third party engaged by Citesvue to process Customer Personal Data on Customer’s behalf.
  • “SCCs” means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), as supplemented by the UK Addendum where applicable.
  • “Personal Data Breach” has the meaning given in Article 4(12) GDPR.
  • Other capitalised terms have the meanings given in the Terms or in Applicable Data Protection Law.
Roles & scope

Customer is the Controller. Citesvue is the Processor.

For Customer Personal Data, Customer is the Controller (or, where Customer acts as a processor for a third party, the Processor) and Citesvue is the Processor (or sub-processor, respectively). The processing details required by Article 28(3) GDPR are set out below.

Element | Description
Subject matter | Operation of the Citesvue platform: converting recorded sessions into structured, citable evidence.
Duration | For the term of the subscription, plus the post-termination retention window in /privacy.
Nature & purpose | Hosting, ingestion, transcription, visual analysis, artifact extraction, search and retrieval, integration delivery, audit logging.
Categories of data subjects | Customer’s employees, contractors, customers, prospects, and any other individuals whose voice, image, or screen content appears in recordings Customer chooses to upload.
Categories of personal data | Identifiers (name, email, role); audio recordings; video recordings; on-screen text and images; transcripts; comments and annotations; usage telemetry; authentication metadata.
Special category data | Not requested or required by the Service. May appear incidentally in recordings; Customer is responsible for assessing the lawful basis where this occurs.
Frequency of processing | Continuous, for the duration of the subscription.
Customer instructions

We process on documented instructions.

Citesvue will process Customer Personal Data only on the documented instructions of Customer, including with respect to international transfers. Customer’s instructions are: (a) the Terms and this DPA; (b) the configurations Customer makes in the Service (workspace settings, retention policies, integration configurations, region pinning, member roles); and (c) any further written instructions Customer provides.

If Citesvue believes an instruction violates Applicable Data Protection Law, Citesvue will inform Customer in writing without delay (subject to legal restrictions).

Sub-processors

Categories listed here. Named list available in the trust portal.

Customer authorises Citesvue to engage Sub-processors to provide the Service. The categories of Sub-processors and their function are listed below. The named list of Sub-processors (with entity name, country of operation, and function) is published in the customer trust portal — request access via security@citesvue.com.

Category | Function | Region(s)
Cloud infrastructure | Compute, object storage, networking, KMS | US / EU; regional pinning available
Speech-to-text provider | Speaker-aware ASR; zero-retention API mode | US / EU; regional pinning available
Visual analysis & OCR provider | Frame analysis and on-screen text extraction | US / EU
LLM provider(s) | Artifact extraction & Q&A; zero-retention API mode where supported; no training on inputs | US / EU
Email & transactional messaging | Service emails, magic links, security advisories | US / EU
Application observability | Error tracking, performance traces, structured logs (PII-stripped) | US / EU
Customer support tooling | Ticketing and customer correspondence | US / EU
Payments processor | Card processing; PCI DSS Level 1; Citesvue does not store PAN data | US / EU

Notice & objection. Citesvue will give Customer at least 30 days’ notice before engaging a new Sub-processor (via the trust portal and email). During that window, Customer may object on reasonable data-protection grounds; if the parties cannot agree on a remedy, Customer may terminate the affected portion of the Service for convenience and receive a pro-rata refund of pre-paid fees.

Sub-processor obligations. Citesvue will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA. Citesvue remains liable for the acts and omissions of its Sub-processors as if they were its own.

International transfers

SCCs by default. Adequacy where it exists.

Scenario | Mechanism | Parties
Customers in the UK | Customer → Citesvue: controller-to-processor SCCs under the UK GDPR (UK Addendum to the EU SCCs, Module Two). Customer is the data exporter and Citesvue the data importer. | Customer ↔ Citesvue UK Ltd.
Customers in the EU/EEA | Customer → Citesvue: EU SCCs (2021/914), Module Two (controller to processor). Customer is the data exporter and Citesvue the data importer. | Customer ↔ Citesvue EU GmbH.
Sub-processors outside the EU/UK | EU SCCs Module Three (processor to processor), with the Sub-processor as data importer. | Citesvue ↔ Sub-processor.
Adequacy decisions | Where the destination country benefits from an adequacy decision (e.g. UK ↔ EU; the UK Extension to the EU-US Data Privacy Framework), Citesvue relies on that decision. | No SCCs required for that leg.

The SCCs are deemed incorporated into this DPA by reference. The selections required by the SCCs (Module, optional clauses, Annexes) are completed as set out in the Schedule to this DPA. Where Annexes refer to specific information, the contents of this DPA, the Order Form, and the trust portal’s named Sub-processor list constitute that information.

For the EU-US Data Privacy Framework: where a Sub-processor is certified under the DPF and the data category is within the scope of its certification, the transfer may also rely on the DPF. The SCCs remain in place as the primary mechanism, so coverage of the transfer does not depend on the DPF.
Technical & organisational measures (TOMs)

The controls in force, in plain language.

Domain | Measure
Encryption | TLS 1.2+ in transit; AES-256 at rest with envelope encryption; per-tenant data keys; KMS-managed root keys.
Access control | Role-based, least-privilege access; SSO with MFA enforced for all production-facing personnel; just-in-time elevation with peer approval and time-bound expiry; default-deny on customer content.
Network controls | Private VPCs; ingress restricted to documented endpoints; no direct database access from the public internet; audit-logged bastion access; WAF and DDoS protection at the edge.
Tenant isolation | Logical isolation enforced at every layer (data store, search index, queue, cache); cross-tenant access is denied by design at each of those layers.
Vulnerability management | Continuous dependency scanning, container image scanning, SAST in CI; quarterly internal pen-tests; annual third-party pen-tests; coordinated disclosure programme.
Endpoint security | Managed endpoints with full-disk encryption, EDR, automated patching, and risk-based conditional access.
Personnel security | Background checks (where lawful), security training at hire and annually, signed confidentiality and acceptable-use policies.
Backup & recovery | Encrypted backups in the same region as primary data; point-in-time recovery on Team+; documented RTO ≤ 4h / RPO ≤ 1h for primary data services.
Audit logging | Customer-facing audit log of authentication, configuration, sharing, and export events; internal audit log of administrative access to customer content; logs retained per the Privacy Policy.
Secure SDLC | Mandatory peer code review, security review for changes touching auth/crypto, test coverage gates, signed deploys, automated rollback.
Incident response | Documented runbook; 24/7 on-call rotation for SEV-1/2; post-incident review with structured root-cause analysis; customer notification per the breach clause below.

Detailed control mappings to ISO 27001 / SOC 2 (Type II in progress) are available under NDA via the trust portal. See /security for the public summary and /compliance for current and in-progress certifications.
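The Encryption row above names envelope encryption with per-tenant data keys under a KMS-managed root key. The following is an added illustration of that pattern and is not Citesvue’s own code: a simulated root key (in a real deployment the wrap and unwrap calls would go to the cloud KMS API rather than to key bytes held in memory) wraps a fresh AES-256 data key for each tenant, with the tenant ID bound as associated data, so a wrapped key or ciphertext created for one tenant cannot be opened under another tenant’s identity. All type and function names, and the sample payload, are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// rootKMS stands in for a KMS-managed root key: only wrap/unwrap are exposed and
// the root key bytes never leave this type. Assumption for the example only; a
// production service would call the cloud KMS here instead.
type rootKMS struct{ root []byte }

func newRootKMS() (*rootKMS, error) {
	k := make([]byte, 32) // AES-256 root key
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &rootKMS{root: k}, nil
}

// seal encrypts with AES-256-GCM under a fresh random nonce and binds aad to the
// ciphertext; the nonce is prepended to the returned blob.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if the key, nonce, ciphertext or aad differ.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK protects a tenant's data key under the root key. The tenant ID is the
// associated data, so the wrapped key only unwraps in that tenant's context.
func (k *rootKMS) WrapDEK(tenantID string, dek []byte) ([]byte, error) {
	return seal(k.root, dek, []byte("dek:"+tenantID))
}

func (k *rootKMS) UnwrapDEK(tenantID string, wrapped []byte) ([]byte, error) {
	return open(k.root, wrapped, []byte("dek:"+tenantID))
}

// TenantRecord is what the data store persists: ciphertext plus the wrapped
// data key beside it. The plaintext data key is never written to storage.
type TenantRecord struct {
	TenantID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptForTenant generates a fresh data key for this tenant, encrypts the
// payload with it, and keeps only the wrapped form of the key.
func EncryptForTenant(kms *rootKMS, tenantID string, plaintext []byte) (*TenantRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDEK(tenantID, dek)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte("data:"+tenantID))
	if err != nil {
		return nil, err
	}
	return &TenantRecord{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptForTenant unwraps the data key in the requesting tenant's context; a
// record belonging to another tenant fails at the unwrap step, before any
// customer content is touched.
func DecryptForTenant(kms *rootKMS, requestingTenant string, rec *TenantRecord) ([]byte, error) {
	dek, err := kms.UnwrapDEK(requestingTenant, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("tenant %q cannot unwrap data key: %w", requestingTenant, err)
	}
	return open(dek, rec.Ciphertext, []byte("data:"+requestingTenant))
}

func main() {
	kms, _ := newRootKMS()
	// Constructed sample payload standing in for a transcript fragment.
	rec, _ := EncryptForTenant(kms, "tenant-a", []byte("sample transcript line"))
	pt, err := DecryptForTenant(kms, "tenant-a", rec)
	fmt.Printf("tenant-a: %q err=%v\n", pt, err)
	_, err = DecryptForTenant(kms, "tenant-b", rec)
	fmt.Printf("tenant-b: err=%v\n", err)
}
```

Binding the tenant ID as associated data at both layers (key wrap and content) is what makes "per-tenant data keys" a control rather than a naming convention: a bug that hands the wrong record to a tenant's request yields an authentication failure, not plaintext. Rotating the root key then means re-wrapping each stored data key, with no need to re-encrypt content.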

Breach notification

A clear timeline and a single inbox.

  • Notification window. Citesvue will notify the affected Customer’s designated security and privacy contacts without undue delay and in any event within 72 hours after becoming aware of a confirmed Personal Data Breach affecting that Customer’s data.
  • Contents of the notice. To the extent then known, the notice will include (a) the nature and likely consequences of the breach; (b) the categories and approximate volume of personal data and data subjects affected; (c) the measures taken or proposed; and (d) a single point of contact for follow-up. We will update Customer as the investigation progresses.
  • No supervisory-authority notification by Citesvue. Customer remains the controller and is responsible for any required notification to supervisory authorities or data subjects. Citesvue will provide reasonable assistance.
  • Cooperation. Citesvue will document the breach, the measures taken, and any remediation, and will make this documentation available to Customer.
We do not bury breach notification inside marketing communications. Notification is sent to the on-file security contact and the workspace owner directly.
Data subject rights

How we help you respond.

Citesvue will provide Customer with the in-product functionality and reasonable assistance necessary to enable Customer to fulfil its obligations to respond to data-subject requests under Applicable Data Protection Law.

Right | How Citesvue assists
Access | Customer can self-serve via account export; Citesvue assists where the request is routed via Customer.
Rectification | In-product editing for most fields; Citesvue assists for system-managed fields where required.
Erasure | Project-, recording-, or account-level deletion in-product or via API. Citesvue purges across primary stores, derived stores, and indices, and from backups on the next rotation cycle. A signed deletion receipt is provided.
Restriction | On Customer’s written instruction.
Portability | Bulk export (JSON/CSV/DOCX/PDF) in-product; full-workspace export via API.
Objection | On Customer’s written instruction.

If a data subject contacts Citesvue directly with a request relating to Customer Personal Data, Citesvue will (where lawful) refer the data subject to Customer and inform Customer of the request without undue delay.

Audits

Documentation, reports, and on-site at reasonable cadence.

  • Documentation. Customer may request, no more than once per twelve months, the most recent independent audit reports (e.g. SOC 2 Type II once issued), penetration-test summaries, and a completed security questionnaire (CAIQ). These are made available under NDA via the trust portal.
  • On-site / virtual audit. Where Customer reasonably believes documentation is insufficient (e.g. following a confirmed Personal Data Breach affecting Customer), Customer may, at its own expense, conduct or commission an audit of Citesvue’s controls relevant to the processing of Customer Personal Data. The parties will agree the scope, timing, and confidentiality terms in advance, and will conduct the audit during business hours and in a manner that does not interfere with Citesvue’s operations.
  • Independent auditor. Audits performed by a third party require a mutually acceptable auditor under written confidentiality terms.
Return & deletion

What happens to the data when the contract ends.

  • Export window. For 30 days after termination, Customer may export Customer Personal Data via in-product export or the API.
  • Deletion. After the export window (or earlier on Customer’s written instruction), Citesvue will delete Customer Personal Data from primary stores, derived stores, and search indices, and will purge it from backups on the next rotation cycle (≤ 30 days further). A signed deletion receipt is provided on request.
  • Retention exceptions. Citesvue may retain Customer Personal Data only to the extent and for the period required by applicable law (e.g. statutory tax/finance retention for invoices).
Liability under the DPA

One liability cap covers everything.

Each party’s liability under this DPA is subject to the limitation of liability in the Terms. The limit applies in aggregate across all claims under the Terms and the DPA combined. Nothing in this DPA limits a party’s liability where such limitation is not permitted under Applicable Data Protection Law.

Term & termination

The DPA lives as long as the processing.

This DPA is effective from Customer’s acceptance of the Terms (or signature of an Order Form referencing this DPA) and continues for as long as Citesvue processes Customer Personal Data, plus any post-termination period required for return, deletion, and statutory retention.

US state addenda

CCPA/CPRA service-provider terms and equivalents.

  • Service-provider role. For California personal information, Citesvue acts as a “service provider” under the CCPA/CPRA, and as a “processor” under the VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, and similar US state laws. Citesvue does not sell or share personal information, and does not process it for any purpose other than the limited and specified purpose of providing the Service to Customer.
  • No combination. Citesvue will not combine personal information received from one Customer with personal information received from another Customer or any other source, except as expressly permitted by law to detect security incidents or perform another service-provider function on Customer’s behalf.
  • Compliance. Citesvue will provide the same level of privacy protection as required of Customer; will notify Customer if it determines it can no longer meet its obligations; and will allow Customer to take reasonable steps to remediate unauthorised use.
Contacts

The single inbox per topic.