Data Processing Agreement

GDPR Article 28 compliant agreement governing how SpeakSights processes personal data on behalf of your organization.

Effective Date: February 22, 2026 | Version 1.0

Automatically Accepted at Sign-Up

By creating an organization account on SpeakSights, you (the Data Controller) accept this Data Processing Agreement with SpeakSights AI (the Data Processor). This DPA is incorporated into and forms part of the SaaS Terms of Service.

1. Definitions

Controller: The organization (your company) that determines the purposes and means of processing candidate personal data. When you invite candidates to take assessments on SpeakSights, you are the Controller.
Processor: SpeakSights AI, which processes candidate personal data on behalf of the Controller, strictly per the Controller's documented instructions.
Data Subject: The individual whose personal data is processed — primarily candidates invited to complete voice assessments, and secondarily your organization's team members (org users).
Personal Data: Any information relating to an identified or identifiable natural person, including name, email, voice recordings, transcriptions, and assessment scores.
Processing: Any operation performed on personal data, including collection, storage, AI analysis, transcription, display, and deletion.
Sub-processor: A third-party service provider engaged by SpeakSights to assist in processing personal data (e.g., AssemblyAI, OpenAI, Azure).
GDPR: The EU General Data Protection Regulation (2016/679) and equivalent national implementations.

2. Subject Matter, Duration & Nature of Processing

2.1 Subject Matter

SpeakSights AI provides a cloud-based voice assessment platform that allows organizations to screen candidates by analyzing voice recordings across multiple communication dimensions using artificial intelligence.

2.2 Duration

This DPA remains in effect for the duration of your organization's use of the SpeakSights platform. Upon termination of your account, this DPA governs the deletion of personal data as specified in Section 9.

2.3 Nature & Purpose of Processing

Audio Transcription

Converting candidate voice recordings to text via AssemblyAI

Voice Analysis

AI-powered scoring of clarity, pronunciation, pace, vocabulary, and grammar

Content Evaluation

Assessing relevance and quality of candidate responses via OpenAI GPT-4o

Accent Assessment

Optional accent comprehension testing for international roles

Score Storage

Storing assessment scores and recommendations for recruiter review

Reporting

Presenting structured assessment results in the organization dashboard

3. Categories of Personal Data & Data Subjects

3.1 Candidate Data (Primary)

Identity: Full name, email address, phone number (if provided)
Voice Recordings: Audio files of assessment responses. Deleted after 30 days by default. Each organization may configure 30–365 days via dashboard settings.
Transcriptions: Text transcripts of voice responses. Cleared after 90 days by default. Each organization may configure 30–365 days via dashboard settings.
Assessment Scores: Numeric scores per communication dimension. Kept indefinitely — low privacy sensitivity, no speech content, essential for pipeline analytics. Deleted only on account closure.
Optional Media: Profile photo or video recording if enabled by org. Follows audio retention policy (30-day default, org-configurable up to 365 days).
Consent Record: Timestamp and version of candidate consent given before assessment

⚠️ Special Category Data — Prohibited

Organizations must NOT use SpeakSights to collect or process special categories of personal data (health, genetic, biometric, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation). Voice assessments are designed to evaluate communication skills only. Any such data inadvertently captured in recordings will be processed and deleted under standard retention policy but must not be submitted intentionally.

3.2 Organization User Data (Secondary)

Email addresses, names, and login data for org admins, recruiters, and team members. SpeakSights is the Data Controller for this data (not a processor). Governed by the B2B Privacy Policy.

4. Processor Obligations (GDPR Article 28)

SpeakSights commits to the following obligations as your Data Processor:

Process only on documented instructions

We will only process candidate data to provide the SpeakSights assessment service. We will not use candidate data for any other purpose, including AI model training.

Confidentiality of personnel

All SpeakSights staff with access to personal data are bound by confidentiality agreements and receive regular data protection training.

Technical and organizational security

We implement industry-standard security measures including TLS 1.3 encryption, AES-256 at-rest encryption, role-based access controls, and 24/7 security monitoring. See our Data Protection page for full details.

Sub-processor management

We engage sub-processors only with your general written authorization (this DPA constitutes authorization). We maintain a current list of sub-processors and notify you of changes. Sub-processors are bound by equivalent data protection obligations.

Assistance with data subject rights

We will assist you in responding to data subject requests (access, erasure, rectification, portability) within 48 hours of your request to privacy@speaksights.com.

Security incident notification

We will notify you without undue delay (and within 72 hours) upon becoming aware of a personal data breach affecting your organization's candidate data.

Deletion at end of contract

On termination of your account, all candidate personal data will be securely deleted within 90 days. You may request confirmation of deletion.

Audit rights

You have the right to audit our compliance with this DPA. In practice, we satisfy this obligation through third-party security reports and compliance documentation available upon request.

5. Approved Sub-processors

By accepting this DPA, you authorize SpeakSights to engage the following sub-processors. We will provide 30 days' notice before adding new sub-processors.

AssemblyAI

Location: United States
Purpose: Speech-to-text transcription of candidate audio
Data shared: Audio files (deleted immediately after transcription)
Compliance: SOC 2 Type II
Transfer basis: SCCs

OpenAI (GPT-4o)

Location: United States
Purpose: AI analysis of transcripts for communication dimension scoring
Data shared: Text transcripts only (no audio)
Compliance: Enterprise API — zero data retention, no model training on customer data
Transfer basis: SCCs

Microsoft Azure

Location: US & EU
Purpose: Cloud infrastructure, blob storage for audio files, Azure Speech Services for pronunciation scoring
Data shared: Audio files in org-isolated containers
Compliance: ISO 27001, SOC 1/2/3, FedRAMP, GDPR
Transfer basis: SCCs / EU data center option

Neon (PostgreSQL)

Location: United States
Purpose: Database hosting for assessment scores and candidate records
Data shared: Assessment scores, candidate names/emails
Compliance: SOC 2
Transfer basis: SCCs

ZeptoMail (Zoho)

Location: United States / India
Purpose: Transactional email delivery (candidate invites, assessment notifications)
Data shared: Candidate email, name, assessment invite link
Compliance: GDPR compliant
Transfer basis: SCCs (Standard Contractual Clauses)

Vercel

Location: United States (Edge globally)
Purpose: Application hosting and serverless functions
Data shared: Application request data (no persistent personal data storage)
Compliance: ISO 27001, SOC 2
Transfer basis: SCCs

6. Security Measures (GDPR Article 32)

Encryption in Transit

TLS 1.3 for all web traffic. HTTPS-only. Strong cipher suites.

Encryption at Rest

AES-256 for database records. Azure Blob Storage encryption for audio files.

Per-Org Data Isolation

All audio blobs prefixed with org-{orgId}/. Database rows scoped by organizationId. No cross-org data access possible.

Access Controls

Role-based access (admin/recruiter/viewer). JWT authentication. Principle of least privilege.

SAS Token Security

Audio files accessed via time-limited SAS tokens (2-hour expiry) for AI processing. No permanent public URLs.

Security Monitoring

24/7 infrastructure monitoring. Anomaly detection. Rate limiting on all API endpoints.

Data Retention Enforcement

Automated cleanup: audio blobs deleted per org policy (30-day default); transcripts cleared per org policy (90-day default). Scores kept indefinitely. All orgs can configure retention 30–365 days. Audit logs for all deletions.

Staff Training

All personnel with data access receive GDPR and security awareness training.

7. Data Subject Rights Assistance

As the Data Controller, your organization is responsible for handling data subject rights requests from candidates. SpeakSights will assist you in fulfilling these obligations.

How it works:

1. Candidate submits a data subject request (access, erasure, portability) to your organization.
2. Your admin emails privacy@speaksights.com with the candidate's email address and the specific right being exercised.
3. SpeakSights processes the request within 48 hours and provides you with the data export or deletion confirmation.
4. Your organization fulfills the response to the data subject.

48-hour response: for DSR assistance
Data portability: JSON or CSV export
Right to erasure: permanent deletion

8. International Data Transfers

Some sub-processors are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for all international transfers:

Standard Contractual Clauses (SCCs)

All transfers to US-based sub-processors (AssemblyAI, OpenAI, Neon, Vercel) are covered by the European Commission's Standard Contractual Clauses (2021/914). These provide equivalent protection to GDPR for EU data subjects.

Azure EU Data Center Option

For organizations requiring EU data residency, we can configure Azure Blob Storage to use EU data centers (West Europe / North Europe) for audio file storage upon enterprise plan request.

9. Data Retention & Deletion on Termination

9.1 Retention During Active Use

Candidate audio files: 30 days (default), org-configurable 30–365 days. Automatically deleted from Azure storage.
Transcriptions & analysis data: 90 days (default), org-configurable 30–365 days. Cleared from database records.
Assessment scores & recommendations: Indefinitely (never auto-deleted). Deleted only on account closure.
Candidate PII (name, email, phone): Retained while org account is active. Deleted on account closure.
Org user accounts: Retained while account is active. Deleted 90 days after account closure.

9.2 Deletion on Contract Termination

Upon account closure or termination of this agreement:

  • All candidate personal data will be permanently deleted within 90 days
  • You may request a data export before deletion by emailing privacy@speaksights.com
  • We will provide written confirmation of deletion within 30 days of completion
  • Anonymized aggregate statistics (no personal data) may be retained for service improvement

10. Controller Obligations

As the Data Controller, your organization is responsible for:

1. Obtaining a lawful basis for processing candidate data before using SpeakSights (typically: candidate consent, or legitimate interest for employment screening)
2. Providing candidates with a privacy notice before they take the assessment (SpeakSights provides a built-in consent step; your org is responsible for any additional notices)
3. Ensuring candidate assessments are conducted in a non-discriminatory manner consistent with applicable employment law
4. Not submitting special category personal data (health conditions, disabilities, religion, ethnicity, etc.) through the platform
5. Notifying SpeakSights of any data subject requests within 5 business days so we can assist in fulfilling them
6. Maintaining appropriate internal records of your data processing activities (GDPR Article 30)

11. Liability & Indemnification

Each party shall be liable for any GDPR violations it causes through its own actions or omissions. Liability under this DPA is subject to the limitations set out in the SaaS Terms of Service.

SpeakSights' liability under this DPA is limited to violations directly caused by our failure to comply with our processor obligations as set out in GDPR Article 28 and this agreement. We are not liable for processing instructions provided by you as Controller that violate applicable data protection law.

12. Governing Law & Jurisdiction

This DPA is governed by the laws of India. Disputes shall be resolved in the courts of Hyderabad, Telangana, India.

GDPR Applicability: Where you process personal data of EU/EEA residents, the GDPR applies to that processing regardless of governing law. In such cases, GDPR obligations take precedence over conflicting provisions of this DPA. SpeakSights maintains EU Standard Contractual Clauses for all EU data subject processing.

Questions About This DPA?

Data Protection Officer: privacy@speaksights.com (DSR requests, DPA inquiries)
Security Team: security@speaksights.com (incident reports, audit requests)
Response Time: 48 hours for DPA inquiries
DSR Assistance: 48 hours processing time