DATA PROCESSING AGREEMENT
The Data Processing Agreement, in plain reading.
v1.0 · Effective from publication date
Written so your DPO can approve it in one sitting. Every term, sub-processor, and safeguard documented in full. The signed PDF carries the same content.
PDF available on request — email dpo@sageio.net
SCOPE & ROLES
Who does what, with whose data.
Under this DPA, the Customer is the data controller and Sageio acts as a processor on the Customer's behalf. Sageio processes personal data only to deliver the contracted services — real-time meeting translation, transcription, and summarization — and only under the Customer's documented instructions. This DPA forms part of the Subscription Agreement between Sageio and the Customer; in the event of conflict, the DPA prevails for matters of personal data processing. It applies to all processing activities carried out in connection with the Sageio platform.
DATA PROCESSED
What we process, and why we may.
| Category of data | Purpose of processing | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Meeting audio | Speech-to-text transcription and translation during the meeting. | Art. 6(1)(b) — performance of contract. | Deleted within 24 hours of meeting end. Not used for model training. |
| Meeting transcripts & translations | Storage and retrieval by the Customer's workspace members. | Art. 6(1)(b) — performance of contract. | Configurable by the Customer. Default: 90 days. |
| Summaries & action items | AI-generated meeting outputs derived from the transcript. | Art. 6(1)(b) — performance of contract. | Configurable by the Customer. Default: 90 days, following the transcript. |
| Account identifiers (name, email, role) | Authentication, workspace access, and audit logging. | Art. 6(1)(b) — performance of contract. | Duration of the account plus 30 days after closure. |
| Workspace & usage metadata | Service operation, billing reconciliation, and abuse prevention. | Art. 6(1)(b) and Art. 6(1)(f) — legitimate interest in service integrity. | 12 months from generation. |
| Audit logs | Security monitoring and Customer access review. | Art. 6(1)(f) — legitimate interest in security. | 12 months from generation. |
| Billing identifiers | Subscription management. Payment card data is processed by LemonSqueezy as Merchant of Record and is not stored by Sageio. | Art. 6(1)(b) — performance of contract. | Duration of the account plus 7 years for tax records. |
SUB-PROCESSORS
The full chain of custody.
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Amazon Web Services | Cloud hosting, object storage, encryption key management. | Customer-selected region (default: Asia-Pacific). EU and US on Enterprise plans. |
| Neon | Managed PostgreSQL database for application data. | Region matched to Customer's primary AWS region. |
| Vercel | Hosting for marketing site and customer-facing web application. | Global edge network. Origin: customer-selected region. |
| Clerk | Authentication, single sign-on, and identity management. | United States. |
| Deepgram | Speech-to-text transcription of meeting audio. | United States. |
| Google (Gemini API) | AI-generated meeting summaries and action items. | United States. Data not used to train Google models per enterprise API terms. |
| LemonSqueezy | Payment processing as Merchant of Record. Tax compliance. | United States. |
SECURITY MEASURES
Engineering meets commitment.
Sageio implements technical and organizational measures appropriate to the risk of processing, including encryption in transit (TLS 1.3) and at rest (AES-256-GCM), role-based access control, audit logging, regular penetration testing, and a documented incident response process. Production access requires explicit business justification, is time-bound, and is logged. The complete catalog of measures, including current compliance program status, is published on the Security page and updated as the program evolves.
INTERNATIONAL TRANSFERS
Cross-border data, lawfully moved.
Where personal data is transferred outside the European Economic Area, the United Kingdom, or other jurisdictions with equivalent restrictions, Sageio relies on the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) and, where applicable, the UK International Data Transfer Addendum. For transfers to jurisdictions covered by an adequacy decision, Sageio relies on that decision. Sub-processors are bound to equivalent obligations through contractual flow-down. Transfer impact assessments are conducted for each sub-processor processing personal data outside the data exporter's jurisdiction.
DATA SUBJECT RIGHTS
Your users' rights, our obligations.
- Right of access — confirmation and a copy of personal data processed.
- Right to rectification — correction of inaccurate or incomplete data.
- Right to erasure — deletion within 30 days of a valid request, subject to legal retention requirements.
- Right to restriction — limitation of processing in defined circumstances.
- Right to data portability — export in a structured, machine-readable format.
- Right to object — including to processing based on legitimate interest.
- Right to lodge a complaint with the relevant supervisory authority.
CONTACT
Real people, named inboxes.
- Data protection officer: dpo@sageio.net
- Security: security@sageio.net
Registered in Taiwan. Registered entity: 好客網路股份有限公司 (Unified Business Number: 29041135). Postal address available on request to dpo@sageio.net.
Version history
- v1.0 · Effective from publication · Initial publication.