Data Processing Agreement

Last updated: May 26, 2026

Preamble

This Data Processing Agreement ("DPA") governs the processing of personal data carried out by Loonacast on behalf of the Customer in connection with the Loonacast Service. It forms an integral part of the contract between the Customer and Loonacast (the "Main Agreement", in particular our Terms of Service) and is binding upon both parties as soon as the Customer uploads, imports or otherwise transmits personal data of third parties (e.g. voices or images of guests) to the Service.

This DPA implements the requirements of Art. 28 GDPR. In the event of a conflict between this DPA and the Main Agreement with respect to the processing of personal data, this DPA prevails.

1. Parties

Controller ("Customer"): the natural or legal person who has entered into the Main Agreement with Loonacast.

Processor ("Loonacast"):

Sascha Jan Roelofs

Köhlerstraße 26

89264 Weißenhorn, Germany

Email: sascha@loonacast.com

2. Subject Matter and Duration of the Processing

The subject matter of the processing is the provision of the Loonacast Service for the purposes described in clause 3, using the sub-processors listed in Annex 1. The duration of the processing corresponds to the duration of the Main Agreement. Processing ends with the deletion of the Customer's data in accordance with clause 11.

3. Nature and Purpose of the Processing

Loonacast processes personal data on the Customer's behalf for the following purposes:

  • importing podcast episodes from files, RSS feeds or third-party platforms;
  • generating transcripts with word-level timing and speaker labels;
  • identifying interesting moments in the transcript using AI and producing clip metadata, titles, hashtags and B-roll suggestions;
  • rendering short-form video clips, including face tracking, captions, B-roll overlays and logo overlays;
  • storing episodes and clips and making them available for download or in-app playback;
  • publishing clips to third-party social media platforms on the Customer's instruction.

4. Types of Personal Data

  • audio recordings (voice data) and video recordings (image data, including faces);
  • the contents of conversations and any personal information disclosed therein;
  • transcripts and word-level timestamps derived from the audio;
  • metadata of imported episodes (titles, descriptions, publication dates, host/guest names);
  • account data of natural persons connected to the Customer's workspace;
  • handles and profile information of social-media accounts linked for publishing.

5. Categories of Data Subjects

  • the Customer's hosts and co-hosts;
  • guests appearing in uploaded episodes;
  • third parties mentioned or otherwise identifiable in the audio/video material;
  • members of the Customer's organisation who have access to the Loonacast workspace;
  • audiences and users of the third-party platforms to which the Customer publishes content.

6. Obligations of Loonacast as Processor

Loonacast shall:

  • process personal data only on documented instructions from the Customer, including with regard to transfers to third countries, unless required to do so by Union or Member State law;
  • ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • take the technical and organisational measures set out in Annex 2 (Art. 32 GDPR);
  • engage sub-processors only in accordance with clause 7;
  • assist the Customer, by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests for the exercise of data-subject rights;
  • assist the Customer in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR, taking into account the nature of the processing and the information available;
  • notify the Customer without undue delay (and in any case within 72 hours of becoming aware) of any personal-data breach affecting the Customer's data;
  • make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

7. Sub-Processors

The Customer hereby grants Loonacast general written authorisation, within the meaning of Art. 28 (2) GDPR, to engage sub-processors. The sub-processors engaged at the time this DPA is concluded are listed in Annex 1.

Loonacast shall inform the Customer of any intended addition or replacement of sub-processors at least 30 days in advance and shall give the Customer the opportunity to object on reasonable grounds related to data protection. If the Customer objects and the parties cannot reach an agreement, the Customer may terminate the Main Agreement for cause with regard to the affected services.

Loonacast shall impose on each sub-processor the same data-protection obligations as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Loonacast remains fully liable to the Customer for the performance of each sub-processor's obligations.

8. International Data Transfers

Where personal data is transferred to a country outside the EU/EEA that is not covered by an adequacy decision of the European Commission, the transfer is safeguarded by the European Commission's Standard Contractual Clauses (Module 3, processor to processor) pursuant to Art. 46 (2) (c) GDPR or, where applicable, by certification of the recipient under the EU–US Data Privacy Framework. The relevant transfer mechanism for each sub-processor is indicated in Annex 1.

9. Audit Rights

Loonacast shall make available to the Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

Audits shall primarily be performed by reviewing up-to-date attestations, certifications and audit reports of Loonacast or its sub-processors (e.g. ISO 27001, SOC 2). On-site audits may be carried out no more than once per calendar year, on reasonable prior written notice (at least 30 days), during regular business hours, in a manner that does not interfere with Loonacast's operations and at the Customer's expense. The Customer's auditor must not be a competitor of Loonacast and must be subject to written confidentiality obligations.

10. Data-Subject Requests

If a data subject submits a request relating to personal data processed under this DPA directly to Loonacast, Loonacast shall forward the request to the Customer without undue delay and shall not respond to it itself, unless legally required. Loonacast supports the Customer in handling such requests through self-service functions in the Service (in particular for access, rectification and deletion).

11. Return and Deletion of Personal Data

On termination of the Main Agreement, Loonacast shall, at the Customer's choice, delete or return all personal data processed on the Customer's behalf and delete existing copies, unless Union or Member State law requires continued storage. Deletion shall be carried out within 30 days after the end of the Main Agreement. Loonacast shall confirm deletion in writing or text form on request.

12. Liability

Liability between the parties is governed by the Main Agreement. The statutory liability regime towards data subjects and supervisory authorities under Art. 82 GDPR remains unaffected.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of the Federal Republic of Germany. Exclusive place of jurisdiction is the registered seat of Loonacast, where the Customer is a merchant, a legal person under public law or a special fund under public law.

14. Severability

Should individual provisions of this DPA be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. The parties shall replace the invalid provision with a valid provision that comes closest to its economic purpose.

Annex 1 – List of Sub-Processors

The following sub-processors are engaged in the provision of the Service. The Customer hereby approves their use. Loonacast will notify the Customer of any changes in accordance with clause 7.

Each entry lists the sub-processor, its function, the location of processing and the transfer safeguard relied on.

Hetzner Online GmbH
  Function: Application hosting, database hosting and object storage for episodes and clips
  Location: Germany (EU)
  Transfer safeguard: No third-country transfer

Clerk, Inc.
  Function: Authentication, session management and account verification emails
  Location: USA
  Transfer safeguard: EU–US DPF + SCCs (Art. 46 (2) (c) GDPR)

AssemblyAI, Inc.
  Function: Transcription of uploaded audio
  Location: USA
  Transfer safeguard: SCCs (Art. 46 (2) (c) GDPR)

OpenAI Ireland Ltd.
  Function: LLM-based clip extraction, captions, hashtags, B-roll keywords
  Location: Ireland (EU) with US sub-processing
  Transfer safeguard: SCCs (Art. 46 (2) (c) GDPR)

Anthropic PBC
  Function: LLM-based clip extraction, captions, hashtags, B-roll keywords
  Location: USA
  Transfer safeguard: SCCs (Art. 46 (2) (c) GDPR)

Pexels GmbH
  Function: Search and delivery of stock B-roll footage
  Location: Germany (EU)
  Transfer safeguard: No third-country transfer

ARBICHAT, S.L. ("Zernio")
  Function: Storage of OAuth tokens and distribution of rendered clips to social-media platforms (YouTube, Instagram, TikTok, LinkedIn, X, Facebook)
  Location: Spain (EU)
  Transfer safeguard: No third-country transfer for the publishing step; the destination platforms act as independent controllers

Resend, Inc.
  Function: Sending of transactional emails
  Location: USA
  Transfer safeguard: EU–US DPF + SCCs (Art. 46 (2) (c) GDPR)

Armitage Labs OÜ (Creem / creem.io)
  Function: Subscription billing and payment processing
  Location: Estonia (EU)
  Transfer safeguard: No third-country transfer

Umami (self-hosted)
  Function: Marketing-site analytics
  Location: EU
  Transfer safeguard: No third-country transfer

Annex 2 – Technical and Organisational Measures (Art. 32 GDPR)

Confidentiality

  • Encryption of data in transit via TLS 1.2+ (HTTPS, secure WebSockets) for all client connections and connections between services.
  • Encryption at rest in Hetzner Object Storage and in the application database.
  • Encryption at rest of OAuth tokens held by the publishing sub-processor.
  • Role-based access control; access to production systems is limited to a defined group of authorised persons and protected by multi-factor authentication.
  • Strict separation between development, staging and production environments.

Integrity

  • Input validation of all client-supplied data; media uploads are accepted only through signed, time-limited upload URLs.
  • Logging of administrative actions and security-relevant events.
  • Hardened build pipeline with dependency vulnerability scanning.

Availability and Resilience

  • Regular automated backups of the application database with retention of multiple restore points.
  • Monitoring of system health and uptime; automatic alerts on incidents.
  • Redundant networking and storage at infrastructure level (Hetzner data centres).

Procedures for Regular Testing and Evaluation

  • Periodic review of access rights and revocation upon role change.
  • Periodic review of sub-processors' data-protection documentation and certifications.
  • Incident-response process with documented post-mortems.

Data Minimisation and Storage Limitation

  • Only the data necessary to deliver the contractually agreed functionality is processed.
  • Episodes and clips are deleted on user request and automatically after account deletion within the periods stated in the Privacy Policy.
  • AI sub-processors are configured to disable use of customer content for model training and, where supported, to apply zero-data-retention settings.