
Data Processing Agreement

Last updated: March 10, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Mufal, Inc. (“Processor”) and the customer (“Controller”) and governs the processing of personal data under applicable data protection law, including the EU General Data Protection Regulation (“GDPR”).

1. Definitions

Controller: the customer who determines the purposes and means of processing personal data through the Service.

Processor: Mufal, Inc., which processes personal data on behalf of the Controller.

Personal Data: any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.

Sub-processor: any third party engaged by Mufal to process Personal Data on behalf of the Controller.

2. Scope & Nature of Processing

Mufal processes Personal Data on behalf of the Controller solely to provide the Service as described in the Terms of Service. The categories of Personal Data processed include:
  • Account identifiers (email address, user ID)
  • Meeting audio (streamed in real time; not stored unless session is saved)
  • Transcription and notes content created during sessions
  • Device and usage metadata
Data subjects include the Controller and any natural persons whose voice or data appears in recorded sessions.

3. Processor Obligations

Mufal shall:
  • Process Personal Data only on documented instruction from the Controller
  • Ensure that persons authorized to process the data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (Article 32 GDPR)
  • Not engage additional Sub-processors without prior written consent, except as listed in Section 5
  • Assist the Controller in fulfilling data subject rights requests
  • Delete or return all Personal Data upon termination of the Agreement
  • Make available all information necessary to demonstrate compliance with this DPA

4. Controller Obligations

The Controller warrants that it has a lawful basis for processing the Personal Data it submits to the Service, and that it has obtained all necessary consents, including the consent of meeting participants where required by applicable law.

5. Sub-processors

The Controller grants Mufal general authorization to engage the following Sub-processors:

Sub-processor          Purpose                         Location
AssemblyAI             Speech-to-text transcription    United States
OpenRouter / OpenAI    AI response generation          United States
Neon                   Cloud database (PostgreSQL)     United States
Stripe                 Payment processing              United States
Vercel                 API hosting                     United States / EU

Mufal will notify the Controller of any intended additions or replacements to this list with at least 10 days' advance notice to allow the Controller to object.

6. International Transfers

Where Personal Data is transferred outside the European Economic Area, Mufal relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or equivalent safeguards, to ensure an adequate level of protection.

7. Security Measures

Mufal implements the following technical and organizational measures:
  • TLS 1.2+ encryption for all data in transit
  • Encryption at rest for stored session data
  • Access controls with principle of least privilege
  • SOC 2 Type 1 and Type 2 certification
  • Regular penetration testing and vulnerability assessments
  • Incident response procedures with 72-hour breach notification

8. Data Subject Rights

Mufal will provide commercially reasonable assistance to help the Controller respond to data subject requests. Where a data subject contacts Mufal directly, Mufal will promptly forward the request to the Controller.

9. Breach Notification

Mufal will notify the Controller without undue delay, and no later than 72 hours after becoming aware of a Personal Data breach, providing sufficient information to allow the Controller to meet its own notification obligations.

10. Audit Rights

Upon reasonable written request and no more than once per year, Mufal will provide the Controller with documentation to demonstrate compliance with this DPA. The Controller may conduct an audit through an independent third-party auditor bound by confidentiality obligations.

11. Term & Termination

This DPA remains in effect for the duration of the Agreement between the parties. Upon termination, Mufal will delete all Personal Data processed under this DPA within 30 days, unless retention is required by applicable law.

12. Contact

For DPA-related inquiries or to execute a signed copy of this agreement, contact our Data Protection Officer at:

[email protected]
Mufal, Inc.