Data Processing Addendum

This Data Processing Addendum ('DPA') forms part of the agreement between the customer ('Customer', 'you') and Echo Media Systems, a product of One Infinity Labs, Inc. ('Echo', 'we'), governing Echo's processing of personal data contained in Customer Content and related service data on your behalf.

This DPA applies where and to the extent data protection laws — including the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws — apply to personal data that Echo processes for you.

For personal data contained in Customer Content, you are the controller (or a processor acting on behalf of another controller) and Echo is your processor. Echo processes that personal data only on your documented instructions, which consist of the agreement, this DPA, and your use of the service's features.

For account data and billing data — such as your name, email, and subscription details — Echo (and, for billing, Polar as merchant of record) acts as an independent controller, as described in our Privacy Policy.

Subject matter: the audio, video, and text content you upload to Echo, and the transcripts and derivative content generated from it, which may contain personal data such as names, voices, likenesses, and opinions of identifiable people.

Purpose: providing the Echo service — storage, transcription, AI-assisted generation of derivative content, and delivery of outputs to you — and no other purpose. Echo does not use Customer Content to train AI models.

Duration: for the term of your agreement with Echo. Customer Content is retained until you delete the relevant project or your account, and is deleted within 30 days of account deletion.

Categories of data subjects: you, your team members, and any individuals who appear in or are referenced in your Customer Content (for example, podcast guests or meeting participants).

Echo will:

• Process personal data only on your documented instructions, unless required otherwise by law (in which case we will inform you unless legally prohibited).
• Ensure that persons authorized to process the data are bound by confidentiality obligations.
• Implement appropriate technical and organizational security measures, as summarized in our Security Overview, including encryption in transit and at rest, least-privilege access controls, and per-customer data isolation.
• Assist you, taking into account the nature of the processing, with data subject requests and with your obligations regarding security, breach notification, and data protection impact assessments.
• Notify you without undue delay after becoming aware of a personal data breach affecting your personal data, with the information reasonably needed for your own notification obligations.
• Make available information reasonably necessary to demonstrate compliance with this DPA, and allow for audits as required by applicable law, subject to reasonable confidentiality and scheduling conditions.

You authorize Echo to engage the following subprocessors to process personal data for the purposes stated:

• Anthropic: text generation for derivative content.
• Deepgram: speech-to-text transcription of uploaded audio and video.
• Polar: merchant of record — payments, tax, and billing.
• Neon: Postgres database hosting.
• Vercel: application hosting and content delivery (CDN).
• Resend: transactional email delivery.
• Google: optional OAuth sign-in.

Echo imposes data protection obligations on each subprocessor that are materially equivalent to those in this DPA, and remains responsible for their performance.

We will give you advance notice — by email or in-app notice — before adding or replacing a subprocessor that processes personal data on your behalf. If you have a reasonable, data-protection-based objection to a new subprocessor, you may raise it within 14 days of the notice; if we cannot resolve the objection, you may terminate the affected service and receive a pro-rata refund of prepaid fees for the unused period.

Where Echo or its subprocessors transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision, the parties rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (and the UK Addendum or Swiss adaptations where applicable), which are incorporated into this DPA by reference for such transfers. Echo will enter into equivalent transfer terms with its subprocessors where required.

If a data subject contacts Echo directly with a request relating to personal data we process on your behalf, we will, where the data subject can be identified as connected to your account, refer the request to you and not respond substantively except as required by law. The service's project and account deletion features are the primary tools for honoring deletion requests.

On termination or expiry of your agreement, or on deletion of your account, Echo will delete all Customer Content and associated personal data processed on your behalf within 30 days, except where retention is required by applicable law. On written request made before deletion, we will provide a reasonable means to export your Customer Content first.

If there is a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA controls. Questions about this DPA, requests for a countersigned copy, or transfer documentation can be sent to legal@1labs.ai.

This document is a working draft prepared for launch and is pending review by legal counsel.