Data Processing Agreement
Our standard DPA for organisations that need a formal data processing agreement.
1. Scope
This Data Processing Agreement ("DPA") supplements the Terms of Service between Loopion Ltd ("Processor") and the customer ("Controller") and governs the processing of personal data by Loopion on behalf of the customer.
2. Definitions
- "Personal Data" has the meaning given in GDPR Article 4(1)
- "Processing" has the meaning given in GDPR Article 4(2)
- "Data Subject" means the identified or identifiable natural person to whom personal data relates
- "Sub-processor" means any third party engaged by Loopion to process personal data
3. Processing Details
| Subject matter | Meeting recording, transcription, action extraction, and accountability tracking |
| Duration | For the term of the service agreement |
| Nature & purpose | AI-based processing of meeting audio to extract and track action items |
| Types of data | Names, email addresses, voice recordings, meeting transcripts, action items |
| Categories of data subjects | Meeting participants, team members, workspace users |
4. Processor Obligations
Loopion shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without prior written authorisation (general or specific)
- Assist the Controller in responding to data subject requests
- Assist the Controller in ensuring compliance with GDPR Articles 32–36
- Delete or return all personal data upon termination of the service
- Make available information necessary to demonstrate compliance and allow audits
5. Security Measures
Loopion implements the following technical and organisational measures:
- AES-256-GCM encryption for sensitive data at rest
- TLS 1.3 encryption for data in transit
- HMAC-SHA-256 request authentication with replay protection
- Role-based access control
- Automated threat detection and circuit-breaker lockdown
- Regular security testing including attack simulations
- Incident response procedures with 72-hour breach notification
- Self-healing recovery systems for service continuity
6. Sub-processors
Current sub-processors are listed on our Subprocessors page. The Controller will be notified of any changes at least 30 days in advance.
7. International Transfers
Where personal data is transferred to sub-processors outside the EU/EEA, Loopion ensures appropriate safeguards are in place, including the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
8. Data Breach Notification
In the event of a personal data breach, Loopion will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, providing:
- The nature of the breach including categories and approximate number of data subjects affected
- Contact details for further information
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. Audit Rights
The Controller may audit Loopion's compliance with this DPA once per year, with 30 days' written notice. Loopion will cooperate and provide access to relevant documentation and personnel.
10. Get Our DPA
Need a signed DPA?
Enterprise customers can request a countersigned DPA for their records.