Data Processing Agreement (DPA)

under Art. 28 GDPR — for use of the Babelfish Speech-to-Text API

Effective date: April 27, 2026 · Version: 1.0
This agreement becomes effective automatically upon first use of the Babelfish API. A separate signature is not required, but a paper version can be requested via email: dpa@kreislauftechnik.de.

1. Parties

Data Processor:
Kreislauftechnik GmbH i.G.
Weidenhäuserstr. 60
35037 Marburg
Germany

represented by:
Patrick Falk (Managing Director)

Email: dpa@kreislauftechnik.de

Controller:
You as a customer / user of the Babelfish API.

Responsibility for personal data contained in audio files you upload lies with you as the controller (Art. 4 No. 7 GDPR).

By using the API you agree to this DPA.

2. Subject and duration of processing

Subject: Automated transcription of audio files into text using self-hosted speech-to-text models (Babelfish service).

Type of processing: Reception, temporary storage, automated processing (transcription), return of transcription results.

Duration: For each individual audio file only for the duration of processing. Audio data is irreversibly deleted immediately after successful transcription (typically within minutes after upload).

3. Type of personal data

The following data categories may be contained in audio files and are therefore processed:

  • Voice recordings of natural persons who are identifiable or can be rendered identifiable
  • Content of spoken statements (may contain any personal data — depending on audio content)
  • Timestamps of audio recordings (if contained in metadata)

Responsibility for the legality of the content to be transcribed (in particular consents from recorded persons) lies with the controller.

4. Categories of data subjects

All persons whose voice or statements are contained in audio files uploaded by the controller. Typically: interview partners, clients, patients, employees, meeting participants, speakers in podcasts or lectures.

5. Obligations of the data processor

5.1 Place of processing

Processing takes place exclusively on servers within Germany (Hetzner Online GmbH, locations Falkenstein/Vogtland and Nuremberg). No transfer to third countries occurs.

5.2 Technical and organizational measures (TOM)

The data processor implements the following measures pursuant to Art. 32 GDPR:

  • Transport encryption: TLS 1.2+ with Forward Secrecy for all API requests.
  • Authentication: Cryptographically secure API key generation. Per-customer individual keys, hashed in storage.
  • Access control: Servers only accessible via multi-factor authentication through Tailscale mesh. No public SSH ports.
  • Data minimization: Audio files processed exclusively in memory / temporarily and irreversibly deleted after transcription.
  • Tenant separation: Multi-tenant architecture. Data of different controllers logically separated.
  • Logging: Access logs (IP, timestamp, file size — no audio content). Logs deleted after 30 days.
  • Availability: Configuration backups (no audio data). Quarterly restore tests.
  • Updates: Security updates applied promptly.

5.3 Confidentiality

All persons processing data on behalf of the data processor are bound to confidentiality (Art. 28 para. 3 lit. b GDPR).

5.4 Sub-processors

The following sub-processors are involved:

Provider | Location | Purpose
Hetzner Online GmbH | Gunzenhausen, DE | Server hosting (Falkenstein/Nuremberg)
Stripe Payments Europe Ltd. | Dublin, IE | Payment processing (separate DPA with Stripe)

Any extension of this list will be communicated by email at least 30 days in advance to the address registered with your account. You have the right to object to such extensions in writing.

5.5 Assistance with data subject rights

The data processor supports the controller in responding to data subject requests pursuant to Art. 15-22 GDPR. Since audio data is deleted immediately after processing, access and erasure requests are typically moot. Upon request, the data processor provides confirmation of deletion.

5.6 Notification of data breaches

The data processor will notify the controller without undue delay (within 24 hours of becoming aware) of any personal data breach pursuant to Art. 33 GDPR.

6. Obligations of the controller

  • Ensuring the legality of data submitted for processing
  • Obtaining required consents from persons recorded
  • Secure storage of API keys
  • Notifying the data processor if keys are lost or compromised

7. End of contract and data return / deletion

Since audio data is deleted immediately after processing, no audio data remains with the data processor at the end of the contract.

Account deletion: account metadata (email, usage statistics) is deleted within 14 days unless statutory retention requirements apply (e.g., German commercial law §§ 257 HGB, 147 AO).

8. Audits

The controller has the right to verify compliance with this contract by the data processor. Audits must be arranged with appropriate notice (at least 14 days) and during normal business hours. Upon request, the data processor provides suitable evidence (e.g., internal security audit logs).

9. Liability

Liability rules pursuant to Art. 82 GDPR apply. Any contractual liability beyond this is regulated in the Terms of Service.

10. Final provisions

If individual provisions of this DPA are invalid, the validity of the remaining provisions remains unaffected. The statutory provision applies in place of the invalid one.

German law applies. Place of jurisdiction is Marburg, Germany, to the extent legally permissible.

Contact for data protection inquiries:
Kreislauftechnik GmbH i.G.
Data Protection
Weidenhäuserstr. 60, 35037 Marburg, Germany
Email: datenschutz@kreislauftechnik.de


Babelfish · operated by Kreislauftechnik GmbH i.G. · Marburg, Germany