Legal

Data Processing Agreement

We try to keep these short, plain, and free of dark patterns. If anything's unclear, email legal@praatbox.com — a human reads them.

Last updated: April 2026

Roles

You are the data controller. Praatbox B.V. is the data processor. We process personal data on your behalf, under your instructions, for the purposes described in the main service agreement.

Sub-processors

We use a small, vetted list of sub-processors. Changes are announced 30 days in advance and you can object.

  • Google Cloud (EU hosting — Frankfurt)
  • Stripe (billing only)
  • Resend (transactional email)
  • Anthropic, OpenAI (LLM inference, EU-routed where available)

Security measures

Encryption in transit (TLS 1.3) and at rest (AES-256). PII redaction on transcript export. Quarterly access reviews. Annual penetration test by an external firm.

Sub-processor access

No sub-processor has standing access to your conversation data. LLM inference uses zero-retention enterprise contracts.

Incident response

We notify you within 72 hours of any confirmed personal data breach affecting your data, with a written report covering scope, cause, and remediation.