Entry into force: April 28th 2026
1. Purpose
pyannote SAS, (hereinafter the “Company”) has developed a speech recognition software program (hereinafter the “Solution”) allowing speaker diarization (hereinafter the “Services”).
The Solution is accessible via the platform https://pyannote.ai (hereinafter the “Platform”).
The Company licenses the Solution on-premises mode or via API to customers (hereinafter a “Customer”) wishing to use the Solution and the related Services.
Depending on Customer’s requirements, the Company may submit to the Customer one or several quotations (hereinafter referred to as a « Quotation »), specifying the terms and conditions of a user license of the Solution (hereinafter the “License”).
The purpose of these general terms and conditions is to define the terms and conditions allowing the Customer to use the Solution, as well as to define their rights and obligations within this context (hereinafter the “General Terms and Conditions”).
These General Terms and Conditions will prevail over any other general or specific terms and conditions not expressly approved by the Company.
2. Manager of the Solution and Services, contact details
The Solution and the Services are managed by pyannote, a French simplified joint stock company (“Société par Actions Simplifiée”), under number 924837636 with the Registry of Trade and Companies of Toulouse, whose head office is located 2 ALLEE DE L'AUTAN, 31320 AUZEVILLE-TOLOSANE.
pyannote can be contacted, including for any claim, through any of the following channels:
Street Address: 2 ALLEE DE L'AUTAN, 31320 AUZEVILLE-TOLOSANE
Email address: vincent@pyannote.ai
3. Legal capacity
The Solution and the Services can be accessed by:
- Any person having the full legal capacity to be bound by these General Terms and Conditions. Any person who does not have such full legal capacity may only access the Solution and the Services with the agreement of their legal representative.
- Any entity acting through a person having full legal capacity to contract for and on behalf of the entity.
4. Quotation and acceptance of the General Terms and Conditions
The acceptance of these Terms and Conditions occurs upon signing the Quotation and/or signing up directly on the Platform.
If required, a Quotation is drawn up before any Services are provided.
It describes all Services that the Company undertakes to provide to the Customer and the selected plan. Should the Customer request any additional Services, an additional Quotation must be drawn up. Unless otherwise stated, all Quotations issued by the Company are valid for 3 (three) months as of their date of issuance. If the Quotation is not approved by the Customer within this period, the Quotation will be considered null and void. The Customer must sign the Quotation to validate it and send it to the Company through any relevant channels, including by email.
Each express or implied validation of a Quotation, implies full acceptance of these General Terms and Conditions, in the version that was in effect on the date the Quotation was validated. Any qualified acceptance will be considered as null and void. Any Customer who does not accept to be bound by these General Terms and Conditions must not order Services from the Company.
5. Contractual documents
The contractual documents are by decreasing order of priority and to the exclusion of any others:
- The Quotation (if any);
- The Pricing;
- These General Terms and Conditions.
In the event of conflict between different Quotations, the provisions contained in the latest Quotation shall prevail.
6. Absence of right of withdrawal
As the Services are effective immediately, the Customer is expressly informed that the right of withdrawal cannot be exercised in accordance with article L.221-28 of the French Consumer Code.
7. Services
The Customer may use any of the Services as available on the Solution.
The Client may choose one or more options (confidence score, speaker identification, streaming, overlapping speech separation, etc.) as described on the Solution and/or the applicable Quotation.
8. Term
The License and the Services are based on a “pay as you go” model.
The Customer shall pay for usage of the Services, in accordance with the terms of the Appendix 1 “Pricing”.
9. Terms of the Licence
9.1 Terms of use
The Company grants the Customer a personal, limited and non-exclusive License to use the Solution in accordance with the terms of these General Terms and Conditions.
It is the Customer’s responsibility to (a) maintain the confidentiality of passwords and account, (b) appoint the individuals with access to account and (c) to make sure that all activities of the account comply with the dispositions of these General Terms and Conditions.
The Customer therefore shall not, therefore:
- Reproduce, arrange, adapt all or part of the Solution;
- Use the results of the Solution or the Company know-how in order to train a similar or identical software program allowing speaker diarization without the intervention of the Company;
- Use the results of the Solution or the Company know-how to create an unfair competition situation with the Company;
- Proceed with any form of commercial exploitation of its personal account on the Solution with third parties;
- Transfer, provide, lend, rent the Solution, grant sub-licenses or other rights of use, or more generally, communicate to a third party or an affiliate all or part of the Solution;
- Integrate all or part of the Solution into any computer system or any other software solution other than those provided for in these terms.
The rights to use the Solution is granted to the Customer subject to the effective and integral payment of the price provided in article “Financial Conditions”.
The Customer agrees to make reasonable efforts to prevent any unauthorized use of the Services and to put an end to potential abuses. The Customer shall also keep the Company promptly informed should he/she detect any abusive use or any unauthorized access to the Solution.
The Customer agrees not to perform any of the following acts and to make reasonable efforts to ensure that no third party perform them either: (a) sale, resale, leasing, or any equivalent transfer of the Services to a third party, (b) attempting to reverse engineer the Services or any of their elements, (c) attempting to create a substituting or similar service via the use or access to the Services or the Solution, (d) to use the Services for highly hazardous activities, (e) to use the Services to store, transfer or index data whose exportation is subject to the rules regarding the control of exports or (f) to use the Services for contents which are prohibited by French law or by any regulation in force in the country where the Solution is used, or for contents that may lead to the liability of the Company under French law or by any regulation in force in the country where the Solution is used.
9.2 Prohibited behavior
It is strictly prohibited to use the Services and the Solution to the following ends:
- Carrying out activities that are unlawful, fraudulent or infringe on the rights or the security of others,
- Violating public order or any local policy or laws,
- Hacking into the computer system of a third party or any activity aimed to harm, control, interfere or intercept all or part of a third party's computer system, violating its integrity or its security,
- Sending unsolicited emails and / or prospecting or commercial solicitation,
- Using the Solution for the release of information or links to third party websites,
- Assisting or inciting, in any manner or form whatsoever, the carrying out of one or several of the actions or activities described above,
- Monitor and/or spy on activities of third parties;
- Initiate or engage military actions;
- And more generally, any action that uses the Solution or Services for any other purpose than that for which they were designed, understood as civil usage.
The Customer is strictly prohibited from copying and / or using for their own purposes or those of a third party, the concept, technology or any other component of the Solution.
The following is also strictly prohibited: (i) any behavior that would interrupt, suspend, slow down or prevent continuity of the Services, (ii) any hacking or attempts to hack into the Company’s IT systems, (iii) any hijacking of the Solution's system resources, (iv) any acts that would place a disproportionate load on the Solution's infrastructure, (v) any attempts to breach the Solution's security and authentication structures, (vi) any acts that could infringe on the rights and financial, commercial and moral interests of the Company and finally, more generally, (vii) any breach of these General Terms and Conditions.
10. Maintenance and support Services
10.1 Update maintenance
During the term of the License, as defined in article “Term”, the Company shall make the Customer benefit from all improvements of the features of the Solution (hereinafter referred to as the “Updates”).
The nature and the frequency of these Updates shall be left at the Company’s own discretion.
The Customer expressly agrees that the Updates shall be performed automatically and without prior notice.
10.2 Technical support
Unless otherwise stated in the Quotation or by any means, the Company provides a technical support regarding the Solution which consists in assistance.
The support can be provided through emails to the Company’s support service at the address: contact@pyannote.ai.
According to the requirements, the Company shall assess the time needed for answers, as well as their nature, and shall inform the Customer of such assessment.
Level of services
11.1 Availability
The Company shall make its best effort to ensure an optimal availability of its server infrastructure.
Nevertheless, the Customer expressly acknowledges and accepts that the Company reserves the right to interrupt access to the Solution and data momentarily for maintenance purposes.
The Customer is aware of the internet technical hazards and of the interruption or disruption in the use and access to the Services they might cause. Therefore, the Company shall not be liable for any potential unavailability or slowdowns of the Services that may be caused by such technical hazard.
The Customer acknowledges that the Company cannot guarantee the continuity of the Services when remotely performed on the Internet.
The Company shall not be held liable for the potential impact of the aforementioned unavailability of the Solution and Services on the Customer’s activities.
11.2 Security and confidentiality
The Company endeavors to secure the access to the Solution and the use of the Services, taking into account all protocols, in conformity with the relevant trade practices.
Financial Conditions
12.1 Prices
The prices of the License granted to the Customer and for the use of Services are indicated in appendix 1 “Prices” and/or in the applicable issued Quotation(s).
If applicable, the parties may adopt an upfront fee depending on Customer needs.
Unless otherwise stated, they are expressed in Euros and are exclusive of taxes. Each party will be responsible for all related taxes for which it will be accountable.
12.2 Calculation
The Customer understands that monthly invoices shall be issued, based on actual Services consumption and usage in accordance with the Appendix 1 and/or the applicable Quotation(s).
The Customer hereby acknowledges and agrees that the price to be paid shall be calculated using metrics measured by the Company and made available on first demand. Such usage metrics shall govern in case of dispute or claims over user’s Services consumption.
More generally, the Customer expressly acknowledge and accept that:
- Data collected on the Company’s Solution and its computer equipment attest to the reality of the transactions performed in the context of these General terms and Conditions;
- These data are the main means of acceptable proof between the Company and the Customer, in particular for the calculation of amounts due to the Company.
Minimum File Duration Billing
For billing purposes, each audio file is subject to a minimum duration of twenty (20) seconds. Any file with a duration of less than twenty (20) seconds shall be deemed to have a duration of twenty (20) seconds and will be invoiced accordingly.
12.3 Payment methods
Payments for all fees shall be made in accordance with the terms defined in the Appendix 1 and the applicable Quotation(s).
The Client guarantees the Company that it has the necessary authorisations to proceed with the payment of the price.
Where provided under on-premises mode, the Customer shall permit the Company to process two (2) requests allowing to track the usage of the Solution and generate the associated invoices. Thus, the Customer undertakes to provide the Company with all necessary access to its servers as essential condition. The Company may verify the proper application of this provision in accordance with the article 18 “Audit”.
12.4 Payment delays and incidents
Any payment delay of all or part of an amount at its due term, shall automatically entail, without prejudice to the provisions set out in article “Sanction for breaches”, and after prior formal notice by registered letter with acknowledgement of receipt, the contents of which have not been respected within a period of 15 (fifteen) days:
- Forfeiture of the term of all amounts payable by the Customer, regardless of the terms of payment that had previously been agreed,
- Immediate suspension of the License until complete payment of all amounts due by the Customer is received,
- Invoicing by the Company of a late payment interest at the rate of 3 (three) times the legal interest rate, calculated on the total of all due amount that were not paid on time, as well as a lump sum of 40 (forty) euros for costs recovery.
The Company and the Customer agree that this rate shall be calculated based on periods of one calendar month and that any month started shall be counted as a whole month.
13. Obligations for Customers
Without prejudice to other obligations provided for in these General Terms and Conditions, the Customer undertakes to respect the following obligations.
13.1
The Customer undertakes to provide the Company with all documents, data and information necessary for the appropriate fulfilment of the Company’s obligations under these General Terms and Conditions.
More generally, the Customer undertakes to actively cooperate with the Company for the proper performance of these General Terms and Conditions and to keep the Company informed with any difficulty in such performance. The Customer undertakes to appoint an employee or a representative as an interlocutor dedicated to the follow-up and operational monitoring of the Services.
13.2
The Customer acknowledges having read and understood the characteristics and constraints of the Solution, having received from the Company all necessary guidance, instructions and details to subscribe with full knowledge, and being fully acquainted with the Solution that it has, prior to these General Terms and Conditions, sufficiently spoken with the Company to ensure that the Solution fulfils its expectations, needs and constraints.
13.3
The Customer is sole responsible for the use of the Solution by its users. The Customer warrants that the users shall not use the Solution for any illicit, non-compliant or unauthorised purposes, including against all laws and regulations in force in the applicable country/territory of use of the Solution. The Customer is therefore solely responsible for setting up procedures aimed at preventing and redressing the commission of such acts.
More generally, the Customer is sole responsible for decisions that may have been made by the users, or any other person belonging to the user’s company, on the basis of their use of the Solution.
To this end, the Customer acknowledges being informed that the Company reserves the right to monitor the access of the Solution by the users and ensure that each account is used only by its sole user.
13.4
The Customer is solely responsible for its relations and the monitoring with its users, clients, and partners, as well as for the respect of its contractual commitments towards third parties. The Customer is solely responsible for monitoring the use of the Solution by the user. The Company should not be responsible for any difficulty that may arise in these contexts.
13.5
The Customer must ensure that the management of users, access privileges and more generally, system settings shall be conducted professionally and that the user shall be a “person skilled in the art”.
14. Customer’s Guarantee
The Customer agrees to defend, indemnify and hold the Company harmless from and against any claims, demands, actions and/or grievances whatsoever, that the Company could incur as a result of a breach by said Customer of any one of its obligations or guarantees under these General Terms and Conditions.
The Customer agrees to compensate the Company for any damage that the latter could be subject to, and to pay any costs, liabilities, charges and / or convictions that the latter could incur, as a result of such a breach.
15. Sanctions for breaches
In the event of breach by either of the Company or the Customer of any of their obligations hereto, these General Terms and Conditions shall be fully terminated 1 (one) month after the party in breach has received notice from the other party by registered letter with acknowledgement of receipt, and this having received no response, stating the latter's intention to apply this clause, this without prejudice to any damages that could be claimed from the party in breach.
16. Liability and guarantee of the Company
Customers acknowledges and agrees that Company shall fulfill its obligations under these General Terms and Conditions with diligence and in compliance with trade practice, specifying that it has an obligation to provide due care, but without any obligation of result.
The Company undertakes to inform the Customer of any difficulty that may occur with regards to the implementation or the use of the Solution.
The Company makes it best effort to set up adequate procedures in order to strengthen the security of the functioning of the Solution and to prevent any failure, intrusion or intrusion attempt by malicious third party.
However, the Company should not be held responsible for any lack of vigilance or security by the Customer or users in the preservation of their credentials.
The Company undertakes to keep strictly confidential all data collected through the Solution, under these General Terms and Conditions, and to take all appropriate measures to ensure their security and confidentiality.
The Customer expressly acknowledges having reviewed said measures and considering they are sufficient to enable the Company to fulfill its above-mentioned obligations of security and confidentiality.
The Company certifies that it holds an insurance policy covering professional civil liability. The Company agrees to maintain this insurance policy in force for as long as any of its obligations under these General Terms and Conditions are applicable.
The Company shall not be held responsible for any damage which is not incurred by a malfunction of the Solution, in particular all difficulties arising from the Customer’s or user’s infrastructure, personnel, materials or software.
The Services are provided by the Company as is and without any guarantee of any kind, whether express or implicit. In particular, the Company does not guarantee to Customer (i) that the Services, which are subject to constant research in order to improve their performance and progress, will be totally free of errors, defects or faults, (ii) that the Services, being standard and in no way proposed solely for the benefit of a given the Customer according to his own personal constraints, will specifically meet his needs and expectations.
In any event and except as otherwise stated in the applicable Quotation, the Company shall not be held liable to the Customer for the payment of damages of any kind, whether they be direct, indirect, incidental, consequential material, commercial, financial or moral, for an amount exceeding the total amount invoiced by the Company in the twelve (12) months prior to the time the alleged damages occurred.
17. Intellectual Property
The systems, software, “neurons” network, structures, infrastructures, databases and content (text, images, graphics, music, logos, trademarks, databases, etc.) used by the Company on the Solution and the Services are protected by all intellectual property rights, or rights for the creators of databases, in force.
Unless otherwise stated in the Quotation, the License does not grant the Customer any intellectual property rights in the Solution, other than those granted in these General Terms and Conditions, which remains the exclusive property of the Company.
The intellectual property rights pertaining to the results carried out by the Solution (text file including speech segments), shall be transferred to the Customer in full and entirety, as and when they are delivered by the Solution, subject to the payment of the corresponding Services under the conditions defined in the article "Financial Conditions".
This assignment is granted, on an exclusive basis, for the entire legal duration of the copyright, for the entire world and for the purposes of exploitation of the results by reproduction and public representation on all media and/or networks and by all means, existing or future, foreseeable or unforeseeable, without restriction or reservation, by the Customer or any person of its choice.
It also includes the right to translate, arrange, modify, transform, adapt and/or correct said results, alone or with the collaboration of a third party, to reuse them in whole or in part, to incorporate them in or merge them with any other software or intellectual work, as well as to transfer to third parties the use or ownership of all or part of the rights hereby assigned.
18. Audit
Throughout the term hereof, the Company shall have the possibility to request an audit no more than once a year in the Customer’s premises or in any other place in which it will be enabled to check the conditions of use of the Solution, including that such use is in compliance with the purpose hereof, at its own expense and provided that it has given formal notice to the Customer by registered letter with acknowledgement of receipt at least 15 (fifteen) days beforehand.
It is expressly agreed between the Company and the Customer that this audit may be carried out by the Company’s internal auditors or by any external auditor of its choice, without the Customer being entitled to oppose. The Customer shall however have the possibility to make all reservations with the choice of the auditor. The Company shall solely decide whether or not to maintain the auditor it has selected.
The Customer shall allow this auditor access to its premises, as well as to any relevant document for purposes of the audit, during regular business hours. The Company undertakes to respect and to ensure that its auditor respect all the Customer’s requirements with regards to access to its premises and confidentiality.
The Company shall provide to the Customer a copy of the conclusions of its audit, by any written means. The Customer may submit to the Company any comments within thirty (30) calendar days from the receipt of this report.
In case an audit report states that an improper use of the Solution is made by the Customer, the latter undertakes to remedy, at its own expenses and in a timely manner, as well as to promptly indemnify the Company with all fees, charges and expenses incurred by the Company in connection with this audit, upon presentation of the corresponding invoice, without prejudice of any damages or additional price that could be claimed by the Company.
19. Confidentiality
Each party undertakes to keep strictly confidential the documents, elements, data and information of the other party which it may receive which are expressly identified by the other party as confidential. As far as the Company is concerned, the parties expressly agree that this obligation of confidentiality shall cover the personal data that it will be required to process for the Customer within the framework of the Services.
All of this information is hereinafter referred to as "Confidential Information".
The party receiving Confidential Information undertakes not to disclose it without the prior consent of the other party for a period of 10 (ten) years from the end of the performance of the Services concerned. It may only transmit them to employees, collaborators, trainees or consultants if they are bound by the same obligation of confidentiality as provided for herein. This obligation does not extend to documents, elements, data and information:
(i) of which the receiving party was already aware;
(ii) which were already public at the time of their communication or which would become public without breach of these terms;
(i) which would have been lawfully received from a third party;
(i) the disclosure of which is required by judicial authorities, pursuant to laws and regulations or in order to establish a party's rights under these terms.
20. Personal Data
The parties undertake, each insofar as it is concerned, to comply with all legal and regulatory obligations incumbent on them in terms of personal data protection, in particular Law 78-17 of January 6, 1978 in its latest amended version known as the Loi Informatique et Libertés and Regulation EU 2016/679 of the European Parliament and of the Council of April 27, 2016 (together the "Applicable Regulations").
To find out more about the processing carried out by the Company as data controller, the Customer is invited to consult the Company's privacy policy, which is available on the Platform.
To find out more about the processing carried out by the Company as data processor, the Customer is invited to consult the data protection agreement (the "DPA") in Appendix 1.
21. Effect of termination
Upon termination of these General Terms and Conditions for any reason whatsoever, the Customer shall promptly cease to use the Solution and the Services.
Each Party undertakes not to do any action, after termination of the General Terms and Conditions that could damage the reputation of the other Party or the Solution.
21. Effect of termination
Upon termination of these General Terms and Conditions for any reason whatsoever, the Customer shall promptly cease to use the Solution and the Services.
Each Party undertakes not to do any action, after termination of the General Terms and Conditions that could damage the reputation of the other Party or the Solution.
22. References
The Customer hereby authorize the Company to cite and use as appropriate a reproduction of its trademark or logo as a customer reference, especially at events, in its business documents and on its internet site, in any form whatsoever.
On the other hand, the Customer shall request the Company’s prior approval for any reproduction of its trademark or logo as a customer reference, especially at events, in its business documents and on its internet site, in any form whatsoever.
23. Force majeure
Neither party may be held liable for a failure to perform its contractual obligations if this failure is due to an event beyond the parties' control and constitutes force majeure, as defined in Article 1218 of the French Civil Code.
By force majeure, the parties agree in particular to understand the occurrence of an event with the characteristics of unpredictability and irresistibility usually recognized by French law and courts, as well as strikes, terrorist activities, riots, insurrections, wars, government actions, epidemics, natural disasters or default attributable to a third party telecommunications provider.
The prevented party shall inform the other party as soon as possible, indicating the nature of the case of force majeure. The parties shall come together to determine together the most appropriate means to alleviate, if possible, the consequences of the event(s) constituting force majeure.
If the case of force majeure lasts for more than 3 (three) months, each party may terminate these terms, ipso jure, without legal formality, without notice and without the right to compensation of any kind whatsoever, by sending a registered letter with acknowledgement of receipt with immediate effect.
If, as a result of a case of force majeure, the affected party is prevented from fulfilling only part of its contractual obligations, it shall remain liable for the fulfilment of the obligations not affected by the case of force majeure as well as its payment obligations.
As soon as the case of force majeure ceases, the prevented party must immediately inform the other party and resume performance of the affected obligations within a reasonable period of time.
24. Independent Parties
It is expressly agreed that neither the Company nor the Customer can invoke these General Terms and Conditions to claim to be an agent, an officer or an employee of the other, nor make any commitment in the name and on behalf of the other toward third parties, except where provided for in these General Terms and Conditions.
No legal structure of any kind is formed between the Company and the Customer hereunder. The Company and the Customer retain its autonomy, its responsibilities and its own clients.
25. Amendments
The Company reserves the right to amend these General Terms and Conditions at any time by providing the Customer with a 1 (one) months’ notice.
Customer shall be informed of these amendments through any pertinent channel.
Customer who continues to use the Solution after the entry into force of the amended General Terms and Conditions shall be deemed to have accepted these amendments.
26. Residence and notice
For the performance of these General Terms and Conditions, the Company and the Customer shall elect domicile at its address, as it appears on the Quotation. The Company and the Customer shall inform the other of any change of address by registered letter with acknowledgement of receipt. Otherwise, any letter sent to the address indicated at the top of this document will be considered as having been validly received.
It is specified that unless otherwise stated herein:
- notifications giving notice and formal notices must be sent by registered letter with acknowledgement of receipt or any other form of mail delivered against signature, postage paid, to the address elected as stated above,
- the time limits and effects provided for herein shall start upon the date of first submission of such notification or formal notice.
27. Electronic signature
It is agreed between the parties that these terms may be signed by any electronic means, the parties recognizing the reliability of the process, thus giving it the same legal value as a handwritten signature within the meaning of the law.
28. Law and Jurisdiction
These General Terms and Conditions of Use are governed by French law.
In the event of dispute concerning the validity, interpretation and / or application of these General Terms and Conditions, the Company and the Customer agree that the courts of Toulouse shall be the only competent jurisdiction capable of judging the dispute, save conflicting mandatory rules of practice.
Appendix 1: Data Processing Agreement (or "DPA")
Table of Contents
PART I – DESCRIPTION OF THE PROCESSING OPERATIONS SUBJECT TO SUBCONTRACTING
Summary of the main purposes of processing carried out on behalf of the Data Controller
Detailed description of the Processing and Instructions of the Data Controller
PART II – PRINCIPLES AND OBLIGATIONS
PART I – DESCRIPTION OF THE PROCESSING OPERATIONS SUBJECT TO SUBCONTRACTING
1. Summary of the main purposes of processing carried out on behalf of the Data Controller
The Data Controller entrusts the Processor, in accordance with the detailed instructions in paragraph 2.2 below, with the following selected Processing Purposes:
• provision of the services performed by pyannote in accordance with the general terms and conditions
2. Detailed description of the Processing and Instructions of the Data Controller
A detailed description of the Processing and the Data Controller's Instructions is provided in Appendix A to this DPA.
PART II – PRINCIPLES AND OBLIGATIONS
The Services entrusted to the Processor under the General Terms and Conditions involve the processing of Personal Data by the Processor on behalf of and for the account of the Data Controller. The purpose of this DPA is to define the respective rights and obligations of the Parties concerning the Processing of Personal Data carried out in the context of the provision of the Services and, more specifically, to clarify the Data Controller's Instructions in this regard.
It is hereby agreed that when the Parties decide to carry out Personal Data Processing on their own behalf, they shall act respectively as Data Controllers and undertake to comply with the obligations incumbent upon them as such under the Applicable Legislation on Personal Data Protection.
In the event of any discrepancy between this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of any conflict between the terms of this DPA and the provisions of the Standard Contractual Clauses (as defined below), the Contractual Clauses shall prevail.
All terms beginning with a capital letter in this DPA shall have the following meanings:
Supervisory Authority: means any independent local authority responsible for monitoring the application of Applicable Legislation on the Protection of Personal Data, in order to protect the fundamental rights and freedoms of data subjects with regard to the processing of their personal data.
Special Categories of Personal Data: means the categories of Personal Data referred to in Article 9 of the GDPR and, more specifically, any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, and Personal Data concerning the health or concerning the sex life or sexual orientation of a data subject.
Standard Contractual Clauses (or "SCCs"): refer to any contractual clause approved by a competent legislative or regulatory authority (including the authorities of European Union Member States or European Union institutions such as Supervisory Authorities or the European Commission) in order to regulate the Transfer of Personal Data to a Third Country. These may include, in particular, the Standard Contractual Clauses adopted by the European Commission.
Agreement: refers to the General Terms and Conditions of pyannote.
Personal Data or "Data(s)": any information relating to an identified or identifiable natural person (e.g. an identifier such as a name, an identification number, location data, an online identifier, or any information concerning one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
Sensitive Data: includes a) Special Categories of Personal Data, b) Personal Data relating to criminal convictions or offences, c) national identification numbers (e.g. social security numbers), or d) Personal Data that is sensitive insofar as i) it relates to domestic and private activities (e.g. electronic communications whose confidentiality must be protected), and/or ii) it has an impact on the exercise of a fundamental right (e.g., location data whose collection impinges on freedom of movement) and/or iii) its breach would clearly have serious implications for the daily life of the data subject (e.g., financial data that could be used for fraudulent payments).
Applicable Law: means any law or other type of regulation or obligation applicable to the Data Controller or Processor in connection with the performance of the Services provided under the Agreement.
Approved Location: refers to countries belonging to the European Economic Area (EEA) and Adequate Countries.
Instructions: refers to the instructions provided by the Data Controller to the Processor concerning the Processing of Personal Data, including the purpose and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of data subjects, as well as the obligations and rights of the Data Controller. These Instructions are described in this DPA and its Appendices.
Applicable Legislation on Personal Data Protection: refers to any regulations applicable to the Processing of Personal Data carried out in the context of the provision of the Services, including (but not limited to) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"), any local legislation of a Member State of the European Union implemented in application of the GDPR that may be applicable to the processing, including any subsequent regulations amending, supplementing or updating these regulations, as well as any recommendations, opinions, decisions or codes of conduct published by a Supervisory Authority, where applicable.
Adequate Countries: refers to a third country or international organisation for which the European Commission has determined, by means of a decision, that the third country or international organisation in question ensures an adequate level of protection, in accordance with Article 46 of the GDPR.
Third Country: refers to any country outside an Approved Location.
Client: refers to the natural or legal person who has accepted the General Terms and Conditions and who, in that capacity, acts as Data Controller for the purposes of this DPA.
Data Subject(s): refers to the natural person whose Personal Data is subject to processing in the context of the provision of Services on behalf of the Data Controller (e.g., customers and/or prospects of the Data Controller, and/or employees of the Data Controller and/or the Processor, where applicable).
Data Controller (or "DC"): refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Services: refers to the Services provided by the Processor to the Data Controller under the Agreement.
Processor: refers to the natural or legal person, public authority, service or other body that performs Personal Data processing on behalf of the Data Controller.
Sub-Processor (or "SP"): means another processor, acting on behalf of the main Processor in the context of the processing and subject to obligations at least equal to those provided for in the agreement.
Processing of Personal Data: refers to any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Transfer: means either transferring Personal Data to a Third Country or providing access to Personal Data to a third party (including a Processor) located in a Third Country.
Transfer outside an Approved Location: means a Transfer of Personal Data outside an Adequate Country or the EEA.
Instructions from the Data Controller
3.1 Processing Instructions: The Processor and any person acting under its authority and processing Personal Data in connection with the performance of the Services undertakes:
• To process Personal Data solely on behalf of the Data Controller.
• For the sole Processing Purposes listed in Part II of this DPA; and,
• In accordance with the written and documented Instructions of the Data Controller described in this DPA (including its Appendices).
Any new Instruction or modification of an Instruction shall be notified in writing to the Processor at the address indicated in Part I. Any additional Instructions shall be the subject of an amendment to this DPA.
3.2 Mandatory processing (legal obligation of the Processor): The Processor shall only process Personal Data on the instructions of the Data Controller, unless it is required to do so under the Applicable Law to which it is subject. In this case, the Processor shall inform the Client (in writing, at the address indicated for this purpose in Part I) of this legal obligation prior to processing, unless the Applicable Law concerned prohibits such information on important grounds of public interest.
3.3 Instruction contrary to Applicable Law: The Processor shall immediately inform the Client in writing if, in its opinion, an Instruction constitutes a violation of Applicable Legislation on the Protection of Personal Data.
3.4 Compliance with Applicable Personal Data Protection Legislation: Applicable Personal Data Protection Legislation defines a set of principles and obligations that must be observed when processing Personal Data. Each Party undertakes to comply with these principles, whether acting as Data Controller or Processor.
In this regard, the Data Controller is expressly informed that the Services involve the processing of biometric data. The Data Controller is solely responsible for selecting the appropriate legal basis for processing such Personal Data and for implementing all necessary measures to that end.
4.1 Authorisation to use a Processor: This DPA constitutes a general written authorisation from the Data Controller concerning the use by the Processor of a Sub-processor to carry out all or part of the processing activities on behalf of the Data Controller, as described in the applicable Processing Sheets set out in Appendix A to this DPA. The Processor shall inform the Client of any planned changes concerning the addition or replacement of a Sub-Processor by sending written notification to the Client in order to give the Client the opportunity to object to such changes. In the absence of objections within a period of 15 days, the Client shall be deemed to have accepted the proposed Sub-Processor.
4.2 Refusal by the Data Controller of the Sub-Processor proposed by the Processor: The Data Controller may object to any change/new Sub-Processor on reasonable grounds relating to the existence of objective risks of non-compliance with the Applicable Legislation on Personal Data Protection or with this DPA. In this case, the Parties shall meet in good faith and use their best efforts to discuss a resolution. The Processor may choose to (i) not hire the Sub-Processor or (ii) take the corrective action requested by the Client in connection with the objections before hiring the Sub-Processor. If neither option is reasonably possible, and if the Processor cannot for legitimate reasons hire another Sub-Processor for the intended processing, either Party may terminate this Agreement upon a thirty (30) days' notice.
4.3 Agreement with the Processor: In any event, if a Processor is used to carry out the Processing of Personal Data in connection with the performance of the Agreement, The Processor undertakes to enter into an agreement or other legal agreement with any duly authorised Processor imposing obligations similar to those set out in this DPA and offering a level of protection at least equivalent to that required by the Applicable Legislation on Personal Data Protection and by this DPA. The Parties hereby agree that the Processor is authorised to use the Processors identified in Appendix A to this DPA or, where applicable, in the applicable agreement.
4.4 Guarantees of the Sub-Processor: Processors must provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures to ensure that the processing complies with the requirements of the Applicable Legislation on Personal Data Protection and this DPA.
4.5 Audit of the Processor: In addition, the Client may request the Processor, under the conditions set out in Article 11 of this DPA, i) to carry out audits to assess the compliance of a Processor with the requirements and obligations imposed on it under the Applicable Legislation on Personal Data Protection or this DPA, and ii) to provide it with a copy of the processing agreement concluded with the Processor.
4.6 Responsibility of the Sub-Processor: Notwithstanding the foregoing, if a Sub-Processor fails to fulfil its obligations regarding the protection of Personal Data under the relevant agreement on processing, the Processor shall remain fully liable to the Data Controller for the Sub-Processor's failure to fulfil its obligations.
Transfer of Personal Data
The Processor is authorised to transfer personal data processed as part of the DPA to countries located outside the European Union, if appropriate safeguards have been implemented as defined in Chapter V of GDPR (Adequacy Decision, European Commission Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), Standard Contractual Clauses of a Supervisory Authority of an EU Member State, Approved Code of Conduct or GDPR Certification).
Fate of Personal Data
Unless Applicable Legislation on Personal Data Protection requires the retention of Personal Data and subject to a written request from the Client addressed to the contact mentioned in Part I, The Personal Data retained by the Processor shall, at the Client's discretion, be deleted or returned by the Processor within fifteen (15) working days following the termination of the Agreement. The Client acknowledges that these operations shall be strictly limited to the Personal Data retained by the Processor at the time of the request and provided by the Client. Notwithstanding the foregoing, the Processor may retain, beyond termination of the Agreement, the categories of Personal Data identified as “Retained indefinitely” in Appendix A (in particular job input data, job metadata, and data relating to the General Terms and Conditions agreed by the Client) to the extent strictly necessary for the Processor’s own legal, accounting, tax, billing reconciliation, audit-trail and fraud-prevention obligations, as permitted by Article 28(3)(g) of the GDPR. Such retained data shall remain subject to the security and confidentiality obligations set out in this DPA for the duration of retention and shall not be processed for any other purpose.
Security of Processing
7.1 Employees of the Processor: The Processor undertakes to ensure that any employee or agent involved in the implementation of Personal Data Processing and acting under its orders is subject to a confidentiality obligation (legal or contractual).
7.2 Technical and organisational measures: The Processor shall take all necessary measures to ensure the security of Personal Data and shall follow the Instructions provided by the Data Controller. When processing Personal Data, the Processor shall implement, in accordance with the Data Controller's Instructions, appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, among other things, as necessary:
• Pseudonymisation and encryption of Personal Data.
• Means to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services.
• Means to restore the availability of and access to Personal Data within appropriate timeframes in the event of a physical or technical incident.
• A procedure for regularly testing, analysing and evaluating the effectiveness of technical and organisational measures to ensure the security of Processing.
Where applicable, any specific technical and organisational measures required by the Data Controller shall be described in Appendix. Any modification to these measures constitutes a modification to the Instructions, which must be duly documented in accordance with Article 2 of this DPA.
Information and Rights of Data Subjects
8.1 Information for Data Subjects: The Data Controller is solely responsible for providing data subjects with accurate information regarding the processing of their personal data in accordance with the Applicable Legislation on Personal Data Protection. In the event that the Data Controller delegates to the Processor the responsibility for communicating this information to data subjects, it undertakes to provide the Processor with a model information notice in accordance with the aforementioned Applicable Legislation, as well as detailed instructions on how to communicate said information. This model information notice shall be appended to the Agreement or, at the very least, communicated to the Processor before the start of the Personal Data Processing operations.
8.2 Rights of Data Subjects: The Processor undertakes to assist the Data Controller in managing any request from a data subject to exercise their rights. To this end, the Parties agree on the following procedures for managing requests to exercise rights:
• The Processor shall refrain from responding directly to any request from a data subject to exercise their rights;
• When the Processor receives a request from a data subject wishing to exercise their rights, it shall inform the Client as soon as possible and within a maximum of 48 working hours of receiving the request. The Processor shall inform the Client of the request in writing to the contacts identified by the Client in Part I.
• The Processor undertakes to communicate all the information at its disposal to assist the Data Controller in managing a request to exercise rights.
Assistance to the Data Controller for the Processing of Personal Data
9.1 Personal Data Breach: The Processor shall notify the Client, at the address indicated in Part I, of any Personal Data Breach within a maximum of 48 hours after becoming aware of it, so that the Data Controller is able to notify the competent Supervisory Authority of the Breach. The notification sent by the Processor to the Client shall contain, where available, the following information:
• The nature and scope of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects affected by the Breach and the categories and approximate number of Personal Data concerned.
• The name and contact details of the Local Privacy Leader. A description of the likely consequences of the Personal Data Breach.
• A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate any negative consequences.
If it is not possible to provide all this information at the same time, it may be provided by the Processor in stages, without undue delay.
The Data Controller shall notify the data subject of the Personal Data Breach if it is likely to result in a high risk to the rights and freedoms of natural persons. In such circumstances, the Processor undertakes to assist the Data Controller and, in particular, i) to provide any additional information that may be necessary, and/or, ii) where applicable, to assist the Data Controller in communicating the Breach. The Data Controller shall bear the sole cost of notifying the data subjects of the Breach.
9.2 Assistance with impact assessments relating to the protection of Personal Data and prior consultations: Taking into account the nature of the Processing and the information available, the Processor shall assist the Data Controller when the latter considers that an impact assessment relating to data protection is necessary in view of the nature, scope, context and purposes of the processing. To this end, the Processor shall provide all information necessary to carry out such impact assessments concerning the processing operations implemented in the context of the provision of the Services.
10.1 Principle: Where the Processor fails to comply with the Applicable Legislation on the protection of Personal Data, this DPA or any Instruction from the Data Controller, the Processor agrees to take the necessary measures to remedy such non-compliance.
The Processor's total liability for all damages suffered as a result of a breach of its obligations under this DPA and the Applicable Legislation on Personal Data Protection shall not exceed the total amount excluding tax of the sums paid or payable by the Client under the relevant Agreement during the twelve (12) months preceding the event giving rise to the claim. In any event, the Processor's overall liability shall not exceed the overall liability limit provided for in the Agreement, where applicable.
10.2 Restrictions: For the avoidance of doubt, the Processor's liability shall be excluded if the alleged breach and the resulting damage(s) arise from (1) the Processor's compliance with the Data Controller's instructions, which are incomplete, insufficiently detailed or contrary to Applicable Law or Applicable Legislation on Personal Data Protection (2) a security breach or any failure related to the Data Controller's IT infrastructure or information systems (3) a breach by the Data Controller of its obligations under the Applicable Legislation on Personal Data Protection or this DPA .
11.1 Information, documentation and audits: The Processor shall provide the Client with all information necessary to demonstrate that it complies with the Applicable Legislation on Personal Data Protection and with this Appendix. The Processor also undertakes to allow and contribute to the performance of audits (remote or on-site) by the Client or any other external auditor it has appointed, provided that the purpose of the audit is solely to ensure that the Processor complies with its obligations under the Agreement or the Applicable Legislation on Personal Data Protection. Any auditor (internal or external) acting on behalf of the Client shall be subject to a confidentiality obligation.
All audits must be notified in writing to the Processor at least 15 working days prior to the start of the audit, except in the case of a spontaneous audit by a local authority that has not been previously notified to the Client or the Processor. Furthermore, the Parties agree that audits (i) may only take place during normal working hours (i.e. between 8 a.m. and 6 p.m.), (ii) shall not significantly disrupt the Processor's business, and (iii) shall be limited to one audit per year, per entity (i.e., per Processor and Sub-Processor) responsible for the processing of Personal Data under the Agreement. Finally, each Party shall bear the audit costs it has incurred during the preparation and performance of the audit operations. The Processor undertakes to bear all costs related to the implementation of remedial action required following a breach of its obligations under this DPA and identified in the audit report.
11.2 Communication of Audit Results: The Parties acknowledge that the competent Supervisory Authorities, as well as the Client if directly impacted by the audit, may request communication of the audit results; they therefore agree to allow access to such results upon request.
11.3 Supervisory Authorities and Government Requests
The Processor shall cooperate with the competent Supervisory Authorities in conducting audits. Unless prohibited by Applicable Law, a court order or any other requisition or request that is required to be complied with by law, The Processor shall promptly inform the Client of any request for access to, seizure or copying of Personal Data and/or Instructions or of this DPA (including its appendices), the Agreement or any other documentation and request, within the limits set out above.
The Processor undertakes to keep a record of Personal Data Processing carried out on behalf of the Data Controller. Where the GDPR applies, this processing must contain at least all the information required under Article 30 of the GDPR. The Processor shall give the Client access to this record upon request.
It is agreed between the Parties that the Agreement may be signed by any electronic means, the Parties recognising the reliability of the process, thus giving it the same legal value as a handwritten signature within the meaning of the law.