Data Processing Agreement
This Data Processing Agreement (DPA) governs how Click & Speak Pte. Ltd. processes personal data on behalf of organizations using Gliglish.
Parties and Definitions: This Data Processing Agreement is between Click & Speak Pte. Ltd. (the 'Processor') and your organization (the 'Controller') when you purchase an organizational subscription to Gliglish (such as Gliglish for Education, Gliglish for Business, or any other organizational plan). By purchasing an organizational subscription, your organization automatically enters into this DPA. This DPA governs how we process personal data on behalf of your organization in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the UK GDPR and UK Data Protection Act 2018, and the Family Educational Rights and Privacy Act (FERPA). In this DPA, 'data subject' refers to the individual person whose personal data is being processed — typically the students, employees, or staff members of your organization who use Gliglish.
Personal Data We Process: In providing the Services, we process personal data including, but not limited to: user account information (names, email addresses); voice recordings and transcriptions; interactions with the artificial intelligence; usage data and system metrics; and device information. We process this data solely to provide and improve the Services as authorized by your organization.
Purpose Limitation: We will process personal data primarily for the purpose of providing and improving the Gliglish service, as outlined in this DPA and our Terms of Service. Your organization controls administrative access to user accounts. We may also process personal data of individual users in accordance with our Privacy Policy, including for the purposes of communicating service updates, analyzing usage patterns, and improving our services more broadly. Unless we receive documented instructions from your organization, we will not process organizational administrative data (such as billing information and organization-specific settings) for any purpose unrelated to providing the organizational subscription.
Our Data Processing Commitments: As the Processor, we commit to: (1) Processing personal data to provide the Gliglish service to your organization's users as described in our Terms of Service; (2) Ensuring that persons authorized to process the data have committed to confidentiality; (3) Implementing appropriate technical and organizational security measures; (4) Maintaining transparency about our sub-processors; (5) Assisting your organization in responding to requests from data subjects; (6) Assisting your organization in ensuring compliance with security, breach notification, impact assessment, and consultation obligations; (7) Upon termination of the organizational subscription, removing organizational administrative access to user accounts while allowing individual users to retain control of their own personal data under our standard Terms of Service; (8) Making available to your organization all information necessary to demonstrate compliance with these obligations.
Security Measures: We implement appropriate technical and organizational measures to protect personal data, including: encryption in transit and at rest; secure access controls; regular security assessments; employee training on data protection; and monitoring for unauthorized access attempts. These measures are designed to ensure a level of security appropriate to the risk involved in processing your data. Specific measures include: data pseudonymization where appropriate; HTTPS/SSL for data transmission; strong authentication systems; regular backups; comprehensive logging; and secure system configuration.
Sub-processors: We engage sub-processors to assist in providing the Services. All sub-processors are bound by written agreements that require them to provide appropriate protection for personal data. We maintain a list of current sub-processors below. We will provide updates to this list if significant changes occur.
| Name | Purpose | Location |
|---|---|---|
| Microsoft Corporation | Database storage, web servers, assets storage, backup storage, speech recognition, LLM processing, text-to-speech | United States |
| OpenAI, Inc. | LLM processing, speech-to-text, text-to-speech | United States |
| Amazon Web Services, Inc. | Assets storage, backup storage | United States |
| Heroku, Inc. (A Salesforce company) | Database storage, cloud processing, processing of backup data | United States |
| Groq Cloud | LLM processing, speech-to-text, text-to-speech | United States |
Data Minimization: We collect and process only the personal data necessary to provide the Services. This includes limiting data collection to necessary information and ensuring third-party providers receive only the minimal amount of data necessary to run the service.
Data Breach Notification: In the event of a personal data breach affecting your organization's data, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include: the nature of the breach; categories and approximate number of data subjects affected; likely consequences of the breach; measures taken or proposed to address the breach; and steps to mitigate potential adverse effects.
International Data Transfers: We store primary data on servers located in the United Kingdom and Ireland. However, providing the Service necessarily involves processing by sub-processors located in other countries, including the United States, as detailed in the 'Sub-processors' section below. For transfers of personal data from the EEA to third countries that do not ensure an adequate level of data protection according to the European Commission, we rely on the Standard Contractual Clauses (SCCs) as our transfer mechanism as detailed in the 'EU Standard Contractual Clauses' section below. For transfers of personal data from the UK to third countries that do not have UK adequacy regulations, we rely on the UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU SCCs, as detailed in the 'UK Data Transfers' section below.
Sensitive Data: If the transfer involves sensitive personal data (revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning a person's sex life or sexual orientation, or data relating to criminal convictions), we apply specific restrictions and additional safeguards as required by applicable law.
Educational Institution Specific Terms: When providing services to educational institutions worldwide, we implement the following protections: (1) For US institutions, we act as a 'school official' with legitimate educational interests as defined under FERPA; for institutions outside the US, we assume equivalent responsibilities under applicable educational privacy laws; (2) We process student personal data only for legitimate educational purposes, to provide and improve the Services, and to fulfill our obligations under this DPA; (3) We implement industry-standard safeguards specifically designed for educational environments; (4) We promptly comply with reasonable requests from educational institutions for access to or deletion of student data; (5) We limit the disclosure of student data to third parties to what is necessary for providing the Services. For educational institutions in the United States, these commitments are designed to satisfy our compliance obligations under FERPA. For educational institutions in other jurisdictions, these protections are designed to comply with local educational data protection requirements.
Data Subject Rights: We will promptly notify your organization of any requests received directly from data subjects regarding their personal data when such requests relate to their use of the service through your organizational subscription. In most cases, users can directly access, modify, and delete their own data through the user interface. For requests requiring organizational approval (such as requests affecting educational records covered by FERPA), we will not implement such requests unless authorized by your organization. Individual users retain their personal data rights as described in our Privacy Policy, including when they transition between individual and organizational subscriptions.
Data Retention and Deletion: When a user is covered by an organizational subscription, we process their data according to this DPA. If a user had an individual account before joining your organizational subscription (primarily users with free accounts), or continues using the Services after your organizational subscription ends, their data will be governed by our standard Terms of Service and Privacy Policy. Upon termination of your organizational subscription, we will: (1) Remove your organization's administrative access and control over user accounts; (2) Delete your organization's administrative data (billing information, admin accounts, settings, etc.) unless retention is required by law; and (3) Upon request, provide bulk deletion of student accounts associated with your organization. This bulk deletion is optional — by default, individual user accounts will automatically downgrade to free accounts, allowing students to continue using the service as free individual users if they choose to do so. In cases where your organization requests deletion of user accounts, we will notify the affected users and provide them with the option to convert their account to a free individual account instead of being deleted. While accounts are under an active organizational subscription, account deletion requests must go through your organization's administrators. After the subscription ends and accounts downgrade to free individual accounts, users can then independently delete their own account and personal data at any time through our interface or by contacting us.
Audit Rights: Upon reasonable notice and no more than once per year, your organization may review our compliance with this DPA. Such audits will be conducted at your expense, during normal business hours and in a manner that does not unreasonably interfere with our operations. Alternatively, we may provide certifications, audit reports, or other documentation to demonstrate compliance.
Non-compliance and Termination: If we are unable to comply with this DPA for any reason, we will promptly inform your organization. In the event of a breach of this DPA, your organization may suspend the transfer of personal data until compliance is restored or terminate the agreement. Personal data transferred prior to termination will be returned or deleted at your organization's choice, unless prohibited by applicable law.
Relationship with Privacy Policy: This DPA works alongside our Privacy Policy. The Privacy Policy continues to apply to all users, including those covered by organizational subscriptions. While this DPA places certain restrictions on how we process data on behalf of your organization, we may still process user data in accordance with our Privacy Policy for purposes such as improving the Services, communicating product updates, and using cookies or similar technologies for essential functionality and diagnostics. For clarity, we may continue to review conversations and voice recordings to improve our service for all users, including those under organizational subscriptions.
Freemium and Organizational Transitions: Users may transition between individual accounts and organizational subscriptions. This commonly occurs in two scenarios: (1) When users with free individual accounts join an organizational subscription, and (2) When organizational users downgrade to free individual accounts after an organizational subscription ends. When a user with an existing individual account is added to your organizational subscription, their previous data continues to be processed according to our Privacy Policy, and your organization gains administrative control over the user's account for the duration of the subscription. When your organizational subscription ends, unless bulk deletion is requested, individual users will automatically downgrade to free accounts where they maintain control of their own data under our standard Terms of Service and Privacy Policy. Both your organization and individual users have control over this process — your organization can request bulk deletion, while individual users retain the option to convert their account to a free individual account. This balanced approach ensures users maintain ultimate control over their personal data while respecting your organization's administrative requirements.
EU Standard Contractual Clauses: The following applies to transfers of personal data from the European Economic Area (EEA) to countries outside the EEA. This DPA incorporates by reference the Standard Contractual Clauses (SCCs) adopted by the European Commission's Implementing Decision (EU) 2021/914, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN. Specifically, Module Two (Controller to Processor) of these SCCs applies to our processing relationship when transferring EEA data. The parties agree that: (a) Click & Speak Pte. Ltd. acts as the 'data importer'; (b) your organization acts as the 'data exporter'; (c) the applicable law for Clause 17 shall be the law of Ireland, governing only these SCCs and not the broader agreement. For purposes of the SCCs and their required annexes: (1) The information required for Annex I.A (List of Parties) is set forth in the 'Parties and Definitions' section of this DPA; (2) The information required for Annex I.B (Description of Transfer) is set forth in the 'Personal Data We Process' section of this DPA; (3) The information required for Annex I.C (Competent Supervisory Authority) is the Irish Data Protection Commission, which shall be the competent supervisory authority in accordance with Clause 13, applicable solely for EEA data transfers; (4) The information required for Annex II (Technical and Organisational Measures) is set forth in the 'Security Measures' section of this DPA; and (5) The information required for Annex III (List of Sub-processors) is set forth in the 'Sub-processors' section of this DPA. By agreeing to this DPA, your organization is deemed to have signed the SCCs. Click & Speak Pte. Ltd. is deemed to have signed and accepted the SCCs in its capacity as the data importer by making the Services available to your organization.
UK Data Transfers: For transfers of personal data from the UK to countries outside the UK that have not received adequacy regulations from the UK government, we rely on one of the following transfer mechanisms approved by the UK Information Commissioner's Office (ICO): (1) The International Data Transfer Agreement (IDTA); or (2) The International Data Transfer Addendum to the EU SCCs ('UK Addendum'). Where we rely on the UK Addendum, it supplements the EU SCCs referenced in the 'EU Standard Contractual Clauses' section. For UK data transfers: (a) Click & Speak Pte. Ltd. acts as the 'importer'; (b) your organization acts as the 'exporter'; (c) the governing law is the law of England and Wales; and (d) the competent supervisory authority is the UK Information Commissioner's Office. The information about parties, data processed, security measures, and sub-processors contained elsewhere in this DPA applies equally to UK data transfers. The UK transfer mechanism applies in addition to, and does not replace, the EU SCCs for UK data transfers.
Contact: If you have any questions or concerns about this Data Processing Agreement, please contact us via:
Email: [email protected]
Address: Click & Speak Pte. Ltd., 100 Tras Street, #16-01 100 AM, Singapore 079027.
Registration number (UEN): 201735018E
This Data Processing Agreement forms part of our Terms of Service and may be updated from time to time. Continued use of our services after such updates constitutes acceptance of the revised agreement.