Data Processing
Agreement

1.1 Parties. This Data Processing Agreement (“DPA”) is entered into between AmpliForge GmbH, Eschborn, Germany (“Processor”) and the Customer who has accepted the AmpliForge Terms of Service (“Controller”).

1.2 Scope. This DPA applies to all personal data that the Processor processes on behalf of the Controller in connection with the AmpliForge content supply chain platform and related services.

1.3 Precedence. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

1.4 Role. The Controller acts as the data controller determining the purposes and means of processing. The Processor acts as the data processor carrying out processing operations on behalf of and under the instructions of the Controller.

3.1 Purpose. The Processor processes personal data solely to provide the Services to the Controller, specifically:

• Transcription of audio and video content assets uploaded by the Controller
• AI-powered extraction of insights, key statements, and frameworks from transcripts
• Generation of distribution-ready marketing content (LinkedIn posts, newsletters, blog posts, threads)
• Application of brand voice profiles to generated content
• Storage and management of content assets, transcripts, and generated outputs

3.2 Categories of Data. The processing may involve names, titles and contact details of speakers; voice recordings and audio data; statements and opinions expressed in recorded content; and business information and professional context.

3.3 Duration. The Processor shall process personal data for the duration of the Services agreement. Upon termination, the Processor shall delete or return personal data as set out in § 11.

4.1 Instructions. The Processor shall process personal data only on documented instructions from the Controller. The Processor shall immediately inform the Controller if an instruction infringes applicable data protection law.

4.2 Confidentiality. The Processor shall ensure that persons authorised to process personal data are committed to confidentiality or subject to a statutory obligation of confidentiality.

4.3 No Unauthorised Use. The Processor shall not process personal data for its own purposes, sell or share personal data with third parties, or use personal data to train AI models without explicit written consent from the Controller.

4.4 AI Transparency. In compliance with EU AI Act Art. 50, all content generated by AI through the Services is flagged as AI-generated. The Controller controls whether disclosure is appended to distributed content.

5.1 The Processor implements and maintains appropriate technical and organisational measures including:

• Encryption in transit: TLS 1.3 for all data transmissions
• Encryption at rest: AES-256 for stored media and data (Hetzner Object Storage)
• Access control: Row-Level Security (RLS) at database level; JWT authentication for all API access
• Workspace isolation: Strict data separation between customer workspaces; no cross-workspace data access
• Signed URLs: All media access restricted to time-limited signed URLs
• Backup and recovery: Daily automated backups with 7-day retention; cross-region disaster recovery
• Minimal retention: Logs maximum 14 days; content assets deleted 90 days after customer deletion

6.1 The Controller hereby provides general authorisation for the Processor to engage the sub-processors listed below.

6.2 Changes. The Processor shall notify the Controller of any intended changes to sub-processors with at least 14 days’ notice. The Controller may object within 14 days on reasonable data protection grounds.

7.1 EU-First Architecture. Transcription, AI processing, and media storage all take place on EU-based infrastructure. Content Assets, transcripts, and generated content are never transferred to non-EU sub-processors.

7.2 Non-EU Transfers. Where personal data is transferred outside the EU/EEA (currently Vercel and Resend, USA), such transfers are governed by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

8.1 The Processor shall assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) under Arts. 15–22 GDPR.

8.2 Direct data subject requests received by the Processor are redirected to the Controller without independent response.

8.3 Workspace Deletion. Deletion of a workspace triggers complete deletion of all associated data within 30 days.

9.1 The Processor shall notify the Controller within 24 hours of becoming aware of a personal data breach. Notification includes nature and scope, likely consequences, and measures taken.

10.1 The Processor shall support audits with at least 30 days’ notice. Third-party certifications (ISO 27001, SOC 2) may satisfy audit obligations for certified areas.

11.1 Upon termination, all personal data is deleted or returned within 30 days. Deletion confirmed in writing on request. JSON data export available at privacy@ampliforge.com.

12.1 Liability under this DPA is subject to the limitations in the AmpliForge Terms of Service. Where both parties are responsible, liability is apportioned per Art. 82 GDPR.

13.1 This DPA enters into force upon account creation and runs for the duration of the Services agreement. Either party may terminate immediately upon material uncured breach. Sections 11, 12, and 14 survive.

14.1 Governing Law. German law applies. Jurisdiction: Frankfurt am Main.

14.2 Language. English version prevails in case of translation.

14.3 Amendments. Material changes notified 30 days in advance by email or in-platform notice.

14.4 Contact.privacy@ampliforge.com

14.5 Supervisory Authority. HBDI — Hessischer Beauftragter für Datenschutz und Informationsfreiheit, Wiesbaden, Germany.