SUMMARY AI
Data Processing Addendum
This Data Processing Addendum (“DPA”) governs SUMMARY AI’s processing of Customer Data you provide to SUMMARY AI through SUMMARY AI services for businesses (“Services”) under the terms of the SUMMARY AI Terms of Service, Privacy Policy, or other agreement between you and SUMMARY AI governing your use of the Services (the “Agreement”) and is hereby incorporated into the Agreement. If and to the extent language in this DPA conflicts with the Agreement, the conflicting terms in this DPA shall control.
SUMMARY AI and Customer each agree to comply with their respective obligations under applicable data privacy and data protection laws (collectively, “Data Protection Laws”) in connection with the Services. Data Protection Laws may include, depending on the circumstances, European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”) under the Data (Use and Access) Act 2025 (“DUAA”), Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the California Consumer Privacy Act) (“CCPA”), Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act) (“CPA”), Connecticut’s Data Privacy Act (“CTDPA”), Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act) (“UCPA”), VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act) (“VCDPA”) (collectively “U.S. Privacy Laws”), and applicable subordinate legislation and regulations implementing those laws.
In connection with the Agreement, Customer is the person that determines the purposes and means for which Customer Data (as defined below) is processed (a “Data Controller”), whereas SUMMARY AI processes Customer Data in accordance with the Data Controller’s instructions and on behalf of the Data Controller (as a “Data Processor”). “Data Controller” and “Data Processor” are intended to include equivalent concepts under other Data Protection Laws. For purposes of the Agreement and this DPA, “Customer Data” means personal data (or equivalent concepts, as defined by Data Protection Laws) that Customer provides to the Services that SUMMARY AI processes on behalf of Customer. SUMMARY AI will process Customer Data as your Data Processor to provide or maintain the Services and for the purposes set forth in this DPA, the Agreement and/or in any other applicable agreements between you and SUMMARY AI. SUMMARY AI acknowledges that you are disclosing personal data for the aforementioned limited and specific purposes.
PROCESSING REQUIREMENTS
As a Data Processor, SUMMARY AI agrees to:
- Process Customer Data (i) for the purpose of providing and supporting SUMMARY AI’s services (including to provide insights, reporting, analytics and platform abuse, trust and safety monitoring); (ii) to improve SUMMARY AI’s services (but only if and to the extent Customer expressly opts-in to improve the services); (iii) in compliance with the instructions received from Customer; and (iv) where the CCPA applies, in a manner that provides no less than the level of privacy protection required by the CCPA.
- Promptly inform you in writing if it cannot comply with the requirements of this DPA.
- Not provide you with remuneration in exchange for Customer Data from you. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by the CCPA) Customer Data to SUMMARY AI.
- Not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) personal data.
- Inform you promptly if, in SUMMARY AI’s opinion, an instruction from you violates applicable Data Protection Laws.
- Take commercially reasonable steps to require (i) persons employed by it and (ii) other persons engaged to perform on SUMMARY AI’s behalf to be subject to a duty of confidentiality with respect to the Personal Data and to comply with the data protection obligations applicable to SUMMARY AI under the Agreement and this DPA.
- Engage the subprocessors available at summaryai.com/subprocessors/ to process Customer Data (each a “Subprocessor,” and the list at the foregoing URL, the “Subprocessor List”) to help SUMMARY AI satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors. Customer hereby consents to the use of such Subprocessors. In the event that SUMMARY AI seeks to use additional Subprocessors and update the Subprocessor List, SUMMARY AI will provide notice of such additional Subprocessors to you (which may be via email, a posting or notification on an online portal for our services or other reasonable means). In the event that you do not wish to consent to the use of such additional Subprocessor, you may notify SUMMARY AI that you do not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by following the instructions set forth in the Subprocessor List or contacting dpo@labhouse.io. In such case, SUMMARY AI shall have the right to cure the objection through one of the following options: (i) SUMMARY AI will cancel its plans to use the Subprocessor with regards to processing Customer Data or will offer an alternative to provide its Services or services without such Subprocessor. (ii) SUMMARY AI will take the corrective steps requested by you in your objection notice and proceed to use the Subprocessor. (iii) SUMMARY AI may cease to provide, or you may agree not to use whether temporarily or permanently, the particular aspect or feature of the SUMMARY AI Services or services that would involve the use of such Subprocessor; or (iv) You may cease providing Customer Data to SUMMARY AI for processing.
If none of the above options are commercially feasible, in SUMMARY AI’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days of SUMMARY AI’s receipt of your objection notice, then either party may terminate any subscriptions, order forms or usage regarding the Services or SUMMARY AI services for cause and in such case, you will be refunded any pre-paid fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Such termination right is your sole and exclusive remedy if you object to any new Subprocessor. SUMMARY AI shall enter into contractual arrangements with each Subprocessor binding them to provide the same level of data protection and information security to that provided for herein.
- Upon request, provide you with SUMMARY AI’s privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws.
- Where required by law and upon reasonable notice and appropriate confidentiality agreements, cooperate with assessments, audits, or other steps performed by or on behalf of Customer that are necessary to confirm that SUMMARY AI is processing Personal Data in a manner consistent with this DPA. Where permitted by law, SUMMARY AI may instead make available to Customer a summary of the results of a third-party audit or certification reports relevant to SUMMARY AI’s compliance with this DPA.
- To the extent that SUMMARY AI received deidentified data derived from personal data subject to U.S. Privacy Laws from Customer, SUMMARY AI shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) publicly commit to maintain and use such deidentified data in a deidentified form and to not attempt to re-identify the deidentified data, except that the recipient may attempt to re-identify the data solely for the purpose of determining whether its deidentification processes are compliant with U.S. Privacy Laws; and (iii) before sharing deidentified data with any other party, including Subprocessors, contractually obligate any such recipients to comply with the requirements of this provision.
- Where the personal data is subject to the CCPA, not (i) retain, use, disclose, or otherwise process personal data except as necessary for the business purposes specified in the Agreement or this Addendum; (ii) retain, use, disclose, or otherwise process personal data in any manner outside of the direct business relationship between SUMMARY AI and Customer; or (iii) combine any personal data with personal data that SUMMARY AI receives from or on behalf of any other third party or collects from SUMMARY AI’s own interactions with individuals, provided that SUMMARY AI may so combine personal data for a purpose permitted under the CCPA if directed to do so by Customer or as otherwise permitted by the CCPA.
- Where required by law, grant the Data Controller the rights to (i) take reasonable and appropriate steps to ensure that SUMMARY AI uses Customer Data in a manner consistent with Data Protection Laws and (ii) stop and remediate unauthorized use of Customer Data.
NOTICE TO CUSTOMER
SUMMARY AI will inform you if SUMMARY AI becomes aware of:
- Any legally binding request for disclosure of Customer Data by a law enforcement authority, unless SUMMARY AI is otherwise forbidden by law to inform you, for example to preserve the confidentiality of an investigation by law enforcement authorities.
- Any notice, inquiry or investigation by an independent public authority established by a member state pursuant to Article 51 of the GDPR (a “Supervisory Authority”) with respect to Customer Data.
- Any complaint or request (in particular, requests for access to, rectification or blocking of Customer Data) received directly from your data subjects. SUMMARY AI will not respond to any such request without your prior written authorization.
ASSISTANCE TO CUSTOMER
SUMMARY AI will provide reasonable assistance to Customer regarding:
- Any requests from your data subjects in respect of access to or the rectification, erasure, restriction, portability, objection, blocking or deletion of Customer Data that SUMMARY AI processes for you. In the event that a data subject sends such a request directly to SUMMARY AI, SUMMARY AI will promptly send such request to you.
- The investigation of any breach of SUMMARY AI’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data processed by SUMMARY AI for you (a “Personal Data Breach”).
- Where appropriate, the preparation of data protection impact assessments with respect to the processing of Customer Data by SUMMARY AI and, where necessary, carrying out consultations with any supervisory authority with jurisdiction over such processing.
REQUIRED PROCESSING
- If SUMMARY AI is required by Data Protection Laws to process any Customer Data for a reason other than in connection with the Agreement, SUMMARY AI will inform you of this requirement in advance of any processing, unless SUMMARY AI is legally prohibited from informing you of such processing.
SECURITY
SUMMARY AI will:
- Maintain reasonable and appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data and to protect the rights of the subjects of that Customer Data.
- Take appropriate steps to confirm that SUMMARY AI personnel are protecting the security, privacy and confidentiality of Customer Data consistent with the requirements of this DPA.
- Notify you of any Personal Data Breach by SUMMARY AI, its Subprocessors, or any other third parties acting on SUMMARY AI’s behalf without undue delay after SUMMARY AI becomes aware of such Personal Data Breach.
OBLIGATIONS OF CUSTOMER
- Customer represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Customer Data to SUMMARY AI and to authorize SUMMARY AI to use, disclose, retain and otherwise process that Customer Data as contemplated by this DPA, the Agreement and/or other processing instructions provided to SUMMARY AI.
- Customer shall comply with all applicable Data Protection Laws.
- Customer shall reasonably cooperate with SUMMARY AI to assist SUMMARY AI in performing any of its obligations with regard to any requests from Customer’s data subjects, including, without limitation, by maintaining a record of which “completion ID” or similar numbers are related to which data subjects in order to facilitate individual rights requests.
- Customer acknowledges and agrees that it, rather than SUMMARY AI, is responsible for certain configurations and design decisions for the services and that Customer, and not SUMMARY AI, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Laws. Without limitation to the foregoing, Customer represents, warrants and covenants that it shall only transfer Customer Data to SUMMARY AI using secure, reasonable and appropriate mechanisms.
- Customer shall not provide Customer Data to SUMMARY AI except through agreed mechanisms. For example, Customer shall not include Customer Data other than technical contact information in technical support tickets, or transmit user Customer Data to SUMMARY AI by email.
- Customer shall not take any action that would (i) render the provision of Customer Data to SUMMARY AI a “sale” under U.S. Privacy Laws or a “share” under the CCPA; or (ii) render SUMMARY AI not a “service provider” under the CCPA.
STANDARD CONTRACTUAL CLAUSES
SUMMARY AI will process Customer Data that originates in the European Economic Area in accordance with the standard contractual clauses adopted by the EU Commission on June 4, 2021 (“EU SCCs”) which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and SUMMARY AI is processing Customer Data as a processor.
- Module Three (Processor to Sub-Processor) of the EU SCCs apply when Customer is a processor and SUMMARY AI is processing Customer Data as a sub-processor.
For each module of the EU SCCs, where applicable, the following applies:
- The optional docking clause in Clause 7 does not apply.
- In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 1(g) of this DPA.
- In Clause 11, the optional language does not apply.
- All square brackets in Clause 13 are hereby removed.
- In Clause 17 (Option 1), the EU SCCs will be governed by the EU member state where the data exporter is located.
- In Clause 18(b), disputes will be resolved before the courts of the EU member state where the data exporter is located.
- Exhibit A to this DPA contains the information required in Annex I and Annex III of the EU SCCs.
- Exhibit B to this DPA contains the information required in Annex II of the EU SCCs.
- With respect to Customer Data originating from the United Kingdom, the parties will comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (the “UK Addendum”). The parties also agree (i) that the information included in Part 1 of the UK Addendum is as set out in Annex I of Appendix A to this DPA and (ii) that either party may end the UK Addendum as set out in Section 19 of the UK Addendum.
TERM. DATA RETURN AND DELETION
- This DPA shall remain in effect as long as SUMMARY AI carries out Customer Data processing operations on your behalf or until the termination of the Agreement (and all Customer Data has been returned or deleted in accordance with this DPA). On the termination of the data processing services, upon your reasonable request, and in any case at least once every thirty (30) days, SUMMARY AI shall, and shall direct each Subprocessor to, return to you or delete the Customer Data, unless Data Protection Laws prevent SUMMARY AI from returning or destroying all or part of the Customer Data. For clarity, SUMMARY AI may continue to process information derived from Customer Data that has been aggregated or stored in a manner that does not identify individuals or customers to improve SUMMARY AI’s systems and services.
A. LIST OF PARTIES
- Data exporter(s): the Customer identified on the applicable Services registration documents
- Data importer(s):
Name: LABHOUSE MOBILE, SL.
Address: Plaça Pau Vila, 1, Ciutat Vella, 08003 Barcelona, Spain
Contact person’s name, position and contact details:
- Data Protection Officer
Activities relevant to the data transferred under these Clauses: The performance of the services described in the agreement to which this is attached.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Data subjects whose characteristics are present in content uploaded by the Customer.
Categories of personal data transferred
Customer information relating to video meetings, audio content, note takers and related information or other content uploaded by the Customer.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is intended to be transferred unless the user includes it unexpectedly in unstructured data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
On a continuous basis.
Nature of the processing
The performance of the services described in the services agreement to which this DPA is attached.
Purpose(s) of the data transfer and further processing
The performance of the services described in the services agreement to which this DPA is attached.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the term of the agreement, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Laws.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The performance of the services described in the services agreement to which this DPA is attached.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies.
The data protection authority of the EU Member State in which the exporter is established.
The data protection authority of the UK is the UK Information Commissioner.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Information Security Program (ISP)
SUMMARY AI will maintain an ISP designed to (a) help the Customer secure Personal Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the SUMMARY AI Network (defined below), and (c) minimize security risks, including through risk assessment and regular testing. SUMMARY AI will appoint an employee to be accountable for the ISP.
The ISP will include the following measures:
Network Security
The SUMMARY AI Network will be accessible to employees, contractors and any other person as required to provide the data processing services. SUMMARY AI will maintain access controls and policies to manage access to the SUMMARY AI Network from each network connection and user, including the use of authentication controls, firewalls or Intrusion Detection systems. SUMMARY AI will maintain security incident response plans to handle potential security incidents.
Physical Security
Physical components of the SUMMARY AI Network are housed in facilities (“Facilities”) which meet or exceed all of the following physical security requirements:
- Physical Access Controls. Physical barrier controls are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
- Limited Employee and Contractor Access. SUMMARY AI provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of SUMMARY AI or its affiliates.
- Physical Security Protections. All access points (except for main entry doors) are maintained in a locked state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. SUMMARY AI also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
Personal Data Security. Controls for the Protection of Personal Data.
SUMMARY AI will maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data appropriate to the risk, including inter alia as appropriate: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. SUMMARY AI regularly monitors compliance with these measures. SUMMARY AI will not materially decrease the overall security of the data processing services during a subscription term.
Business Continuity and Disaster Recovery
SUMMARY AI will maintain a Business Continuity and Disaster Recovery plan based on risk.
Employee security
SUMMARY AI will have signed confidentiality agreements with the employees and contractors.