Data Processing Agreement
Last updated: March 25, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and RECRAM INC ("RecRam", "Processor", "we", "us") for the use of RecRam's services, as described in our Terms and Conditions of Service. This DPA governs the processing of personal data by RecRam on your behalf in accordance with the GDPR and applicable data protection laws. For details on how RecRam collects and uses data as a data controller, please refer to our Privacy Policy.
1. Definitions
- "Controller" means the natural or legal person (Customer) who determines the purposes and means of the processing of personal data.
- "Processor" means RecRam, which processes personal data on behalf of the Controller.
- "Sub-processor" means any third party engaged by RecRam to process personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "GDPR" means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; the UK General Data Protection Regulation as incorporated into UK law by the European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018; and any future amendments or supplements thereto.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
- "Services" means the RecRam platform and all features offered through www.recram.com, including video forms, AI analysis, Room, Magnet, transcription, and related tools, as further described in the Terms and Conditions of Service.
2. Scope and Purpose of Processing
RecRam acts as a data processor when processing personal data contained in form responses, video recordings, and other content submitted by data subjects through the Customer's use of the Services. The Customer remains the data controller and determines the purposes and means of processing.
The purpose of processing includes:
- Collecting, storing, and organizing form response data on behalf of the Customer
- Processing video and audio recordings for transcription and AI-powered analysis
- Generating AI analysis results (transcripts, sentiment scores, keyword extraction, summaries)
- Hosting and making response data available to the Customer through the platform
- Sending notifications to the Customer about new submissions
- Deleting personal data upon the Customer's instruction or account termination
3. Types of Personal Data Processed
The following categories of personal data may be processed under this DPA:
- Video and audio recordings: Responses submitted through video forms, including facial imagery and voice data
- Text responses: Written answers, comments, and messages submitted through forms
- Contact information: Name, email address, phone number, and other identifying information collected through forms (as configured by the Customer)
- AI analysis results: Transcriptions, sentiment analysis scores, keyword extractions, summaries, and other insights generated by AI processing of response data
- Device and browser metadata: IP address, browser type, operating system, device identifiers, and geolocation data of respondents
- Communication data: Messages exchanged within Room sessions
4. Categories of Data Subjects
The personal data processed under this DPA relates to the following categories of data subjects:
- Form respondents: Individuals who submit responses to video forms, surveys, and questionnaires created by the Customer
- Room participants: Individuals who join live Room sessions hosted by the Customer
- Magnet visitors: Website visitors who interact with Magnet widgets embedded on the Customer's website
5. Processing Instructions
RecRam will process personal data only in accordance with the Customer's documented instructions, unless required to do so by applicable law. If a Union or Member State law requires RecRam to process personal data beyond the Customer's instructions, RecRam will inform the Customer of that legal requirement before processing, unless that law prohibits such notification on important public interest grounds.
If RecRam reasonably believes that a Customer instruction infringes the GDPR or other applicable data protection law, RecRam will promptly notify the Customer and may suspend execution of that instruction until the Customer confirms or modifies it in writing.
Documented instructions include:
- Instructions transmitted via email or other durable medium
- Instructions given through the use of the platform interface and its features
- The terms of this DPA and the Terms and Conditions of Service
The Customer warrants that it has fulfilled its obligations under applicable privacy laws, including informing data subjects and obtaining their consent where required, and that there is a lawful basis for all processing instructed under this DPA.
6. Confidentiality
RecRam ensures that all personnel authorized to process personal data under this DPA are bound by appropriate confidentiality obligations, whether contractual or statutory. This obligation survives the termination of this DPA and the employment or engagement of such personnel.
RecRam restricts access to personal data to those employees, contractors, and agents who need access to perform the Services, and only to the extent necessary for that purpose.
7. Security Measures
RecRam implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including:
Encryption
- In transit: All data transmitted between clients and RecRam servers is encrypted using TLS 1.3
- At rest: All stored data, including video recordings and AI analysis results, is encrypted using AES-256 encryption
Access Controls
- Role-based access controls with the principle of least privilege
- Multi-factor authentication for internal systems
- Regular access reviews and revocation of unnecessary privileges
Infrastructure Security
- Hosting on Google Cloud Platform with SOC 2 and ISO 27001 certified infrastructure
- DDoS protection and web application firewall through Cloudflare
- Network segmentation and firewall rules restricting access to production systems
- Automated vulnerability scanning and patching
Operational Security
- Regular security audits and penetration testing
- Incident response procedures and escalation protocols
- Employee security awareness training
- Logging and monitoring of access to personal data
8. Sub-processors
The Customer provides general authorization for RecRam to engage sub-processors for the provision of the Services. RecRam maintains the following list of sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Google Cloud Platform (Vertex AI / Gemini) | United States | Cloud hosting, compute, storage, and AI processing for transcription, sentiment analysis, and video analysis |
| OpenAI | United States | AI language processing for text analysis, summarization, and natural language understanding |
| Anthropic (Claude) | United States | AI language processing for advanced text analysis, content classification, and intelligent summarization |
| Cloudflare | United States | Content delivery network (CDN), edge computing (Workers), DDoS protection, and web application firewall |
| Paddle | United Kingdom | Payment processing, subscription billing, invoicing, and tax compliance (Merchant of Record) |
| MongoDB Atlas | United States | Primary database hosting and storage of application data |
| Redis Cloud | United States | In-memory caching and session management |
| Google Workspace | United States | Internal communication, email, and collaboration tools |
RecRam will notify the Customer of any intended changes to the list of sub-processors by updating this page and, where practicable, by email notification at least 15 calendar days before the new sub-processor begins processing personal data. The Customer may object to the appointment of a new sub-processor within 15 calendar days of notification, provided the objection is based on reasonable grounds relating to data protection. If the Customer objects and RecRam cannot reasonably accommodate the objection, either party may terminate the agreement with respect to the affected Services.
RecRam enters into written agreements with all sub-processors that impose data protection obligations no less protective than those set out in this DPA. RecRam remains fully liable for the acts and omissions of its sub-processors.
9. Data Subject Rights Assistance
RecRam will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from data subjects to exercise their rights under the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Notification obligation regarding rectification or erasure or restriction of processing (Article 19)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making and profiling (Article 22)
If RecRam receives a request directly from a data subject, RecRam will promptly forward the request to the Customer without undue delay and will not respond to the data subject directly unless instructed by the Customer or required by law.
For details on how data subjects can exercise their rights, please refer to our Privacy Policy.
10. Data Breach Notification
In the event of a Data Breach affecting personal data processed under this DPA, RecRam will:
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33(2) of the GDPR
- Provide the Customer with sufficient information to enable the Customer to fulfill its obligations to notify the competent supervisory authority and affected data subjects under Articles 33 and 34 of the GDPR, including:
  - The nature of the breach, including the categories and approximate number of data subjects and records affected
  - The name and contact details of the data protection officer or other point of contact
  - The likely consequences of the breach
  - The measures taken or proposed to address the breach and mitigate its effects
- Cooperate with the Customer in investigating, mitigating, and remediating the breach
- Document the breach and all related facts, effects, and remedial actions taken, in accordance with Article 33(5) of the GDPR
11. Data Deletion on Termination
Upon termination or expiration of the Customer's account or this DPA, RecRam will, at the Customer's election:
- Delete all personal data processed on behalf of the Customer within 30 days of termination, including all copies, backups, and AI analysis results; or
- Return all personal data to the Customer in a commonly used, machine-readable format upon request made before the 30-day deletion period
RecRam may retain personal data to the extent required by applicable law, provided that RecRam ensures the confidentiality of such data and processes it only for the purpose required by law.
Deletion of the Customer's account through the platform will be treated as an instruction to delete all associated personal data under this section. For details on data retention and deletion, please refer to our Privacy Policy.
12. International Data Transfers
RecRam may transfer personal data outside the European Economic Area ("EEA") or the United Kingdom in connection with the provision of the Services. Where such transfers occur, RecRam ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs): RecRam relies on the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by Commission Implementing Decision (EU) 2021/914 as the primary mechanism for transfers from the EEA to third countries not covered by an adequacy decision
- UK International Data Transfer Agreement / Addendum: For transfers from the United Kingdom, RecRam relies on the UK IDTA or the UK Addendum to the EU SCCs, as applicable
- Adequacy decisions: Where the European Commission or UK Government has issued an adequacy decision for the recipient country (including the EU-U.S. Data Privacy Framework), transfers may rely on that decision
- Supplementary measures: RecRam implements supplementary technical measures (encryption, pseudonymization) and organizational measures to ensure that transferred data is protected to a standard essentially equivalent to that guaranteed within the EEA, in line with the CJEU Schrems II decision
Data Exporter: RECRAM YAZILIM A.S., Muallimköy Mh, Bilisim Vadisi, Deniz Cd. No:143/8-1, 41400 Gebze/Kocaeli, Turkey.
Data Importer: The Customer, as identified when creating an account with RecRam.
13. Audit Rights
RecRam will make available to the Customer all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
RecRam may satisfy its audit obligations by:
- Providing copies of relevant third-party audit reports, certifications, or attestations (such as SOC 2 Type II or ISO 27001)
- Responding to written audit questionnaires submitted by the Customer
- Allowing on-site audits with reasonable advance notice (at least 30 days), during business hours, and subject to reasonable confidentiality obligations
The Customer shall bear the costs of any audit it initiates, unless the audit reveals a material breach of this DPA by RecRam.
14. Data Protection Impact Assessment Assistance
RecRam will assist the Customer, taking into account the nature of processing and the information available to RecRam, in ensuring compliance with the Customer's obligations under Articles 35 and 36 of the GDPR regarding data protection impact assessments and prior consultation with supervisory authorities, where required.
15. AI Data Processing Addendum
RecRam uses artificial intelligence services to provide certain features of the platform. This addendum governs the processing of personal data by AI systems.
AI Processing Services
RecRam uses a combination of industry-leading AI providers to process Customer data, including Google Vertex AI (Gemini), OpenAI, and Anthropic (Claude). RecRam reserves the right to change, add, or replace AI providers in accordance with the sub-processor notification process described in Section 8. These providers are used for the following purposes:
- Video and audio transcription: Converting spoken content in video and audio recordings to text
- Sentiment analysis: Analyzing the emotional tone and sentiment expressed in responses
- Visual analysis: Analyzing video content for facial expressions, on-screen text (OCR), objects, and visual anomalies
- Keyword and topic extraction: Identifying key themes, topics, and keywords from responses
- Response summarization: Generating concise summaries of lengthy responses
- Custom analysis: Evaluating responses against user-defined rules and criteria configured through AI Config
Data Handling by AI Systems
- Customer data is sent to AI providers solely for the purpose of performing the analysis requested by the Customer through the platform
- No AI provider uses Customer data to train, improve, or develop their AI models. RecRam uses enterprise-grade API agreements with all AI providers that explicitly prohibit the use of customer data for model training:
  - Google Vertex AI (Gemini): Governed by Google Cloud's Data Processing and Security Terms, which prohibit the use of customer data for model training
  - OpenAI: Governed by OpenAI's Enterprise API Data Processing Agreement, which excludes API data from model training by default
  - Anthropic (Claude): Governed by Anthropic's Enterprise API Terms, which prohibit the use of customer inputs and outputs for model training
- AI processing results (transcripts, sentiment scores, summaries, keywords) are stored alongside the original response data in RecRam's database and are subject to the same security, retention, and deletion policies as all other personal data under this DPA and the Privacy Policy
- Data sent to AI providers for processing is encrypted in transit (TLS 1.3) and is not persistently stored by the provider beyond the time necessary to complete the processing request
- RecRam maintains Data Processing Agreements with each AI provider to ensure GDPR compliance and data protection
Customer Controls
Customers have the following controls over AI processing of their data:
- Enable or disable AI analysis: AI analysis features can be enabled or disabled at the form level. When AI analysis is disabled, no response data is sent to AI processing services
- Delete AI analysis results: Customers may request deletion of AI analysis results independently of the underlying response data at any time through the platform or by contacting gdpr@recram.com
16. Duration and Termination
This DPA takes effect when the Customer begins using the Services and remains in effect for as long as RecRam processes personal data on behalf of the Customer. The DPA automatically terminates when RecRam ceases all processing of personal data on behalf of the Customer, subject to the data deletion obligations in Section 11.
The obligations in this DPA that by their nature should survive termination (including confidentiality, data deletion, and audit rights) will survive the termination of this DPA.
17. Contact
For questions about this Data Processing Agreement or to exercise any rights under this DPA, please contact:
Data Protection Officer
Email: gdpr@recram.com
RECRAM INC
112 Capitol Trail Suite A1127
Newark, Delaware 19711 (US)
RECRAM YAZILIM A.S.
Muallimköy Mh, Bilisim Vadisi, Deniz Cd. No:143/8-1
41400 Gebze/Kocaeli, Turkey