Last updated: 5/13/2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Caven BV, a company registered in Belgium with registered office at Sint-Annastraat 7, 9420 Erpe-Mere, and VAT number BE1037354721 ("Processor", "we", "us", or "our") and the user or entity ("Controller", "you", or "your") using Caven services.
This DPA reflects the parties' agreement with respect to the processing of Personal Data by us on your behalf in connection with our provision of the Caven service.
By using our services, you acknowledge that you have read and understood this DPA and agree to its terms.
2. Definitions
Terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not defined herein shall have the meanings given to them in the Terms of Service.
- GDPR: The General Data Protection Regulation (EU) 2016/679.
- Personal Data: Any information relating to an identified or identifiable natural person ('Data Subject').
- Processing: Any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- Data Subject: An identified or identifiable natural person to whom the Personal Data relates.
- Supervisory Authority: An independent public authority established by a Member State pursuant to Article 51 of the GDPR.
3. Scope and Purpose
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in the course of providing the Caven services.
The Caven Approach: We provide a desktop-first meeting recording application that captures audio and screen directly from the user's device. We do not use bots to join meetings. Recording happens locally first, after which selected data is securely transmitted to our infrastructure and approved sub-processors for storage, transcription, summarization, and optional integrations.
The purpose of the Processing is to provide the services as described in the Terms of Service, which includes:
- Recording meetings locally via the Caven Desktop App
- Transcribing audio securely via AssemblyAI's EU endpoint
- Storing recordings and generated files in Cloudflare R2 object storage
- Storing application data in PostgreSQL hosted through Supabase
- Generating AI-powered summaries and action items through approved AI APIs with EU-configured routing where enabled
- Providing user authentication, account management, billing, and optional calendar integrations
4. Data Processing
4.1 Categories of Data Subjects
The primary subjects whose data may be processed include:
- Authorized users of the Caven service (account holders)
- Participants in meetings recorded by the user (only when the user explicitly initiates a recording)
- Individuals mentioned in recorded content
4.2 Categories of Processed Data & Opt-In Principle
We operate under a strict principle of data minimization and user-controlled processing. We only process sensitive business or meeting data when explicitly instructed by the user (either manually or via an active workflow).
Business/Meeting Data (User Controlled):
- Voice recordings and their transcriptions (Processed only when a user actively hits 'record' or enables an automatic transcription workflow)
- Meeting content and generated AI summaries
Minimal Operational Data:
- Basic account information (name, email address)
- Authentication tokens and session data
- User preferences, UI settings, and workflow metadata
- Billing and subscription metadata
- Operational telemetry and audit logs limited to what is needed for security, debugging, and service reliability
- Optional calendar connection metadata when a user enables Google or Microsoft calendar integrations
Note: We do not process or store your payment details directly. All payments are handled securely by our external payment provider (Stripe). We only receive billing status confirmations.
4.3 Duration of Processing & Zero Retention
We will process Personal Data for the duration of the agreement between you and us, unless otherwise required by applicable law.
Zero Retention AI Processing: Audio submitted for speech-to-text is sent to AssemblyAI via its EU endpoint with no AI training and no data retention. Where AI summaries or related features are enabled, we use OpenAI enterprise configurations with EU-oriented routing where available, or customer-controlled EU AI endpoints, and we do not permit customer data to be used for model training.
5. Processor Obligations
As the Processor, we shall:
- Process Personal Data only on documented instructions from you, including with regard to transfers to third countries, unless required to do so by EU or Member State law.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  - Encryption of Personal Data
  - Ability to ensure ongoing confidentiality, integrity, availability, and resilience
  - Ability to restore availability and access to Personal Data in a timely manner
  - Regular testing and evaluation of security measures
- Respect the conditions for engaging sub-processors as set forth in Section 6.
- Assist you in ensuring compliance with your obligations under the GDPR, taking into account the nature of processing and the information available to us.
- Assist you in responding to requests from Data Subjects exercising their rights under the GDPR.
- At your choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage of the Personal Data.
- Make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
6. Authorized Sub-processors
To provide the Caven service, we engage specific third-party service providers ("sub-processors"). We adhere to a strict policy of transparency, data minimization, and, wherever possible, EU-first infrastructure. All sub-processors are bound by strict data processing agreements that prohibit the use of your data for their own purposes, including AI model training.
| Sub-processor | Purpose / Role | Data Categories Processed | Location |
|---|---|---|---|
| Supabase | Managed PostgreSQL database and authentication infrastructure | Account data, authentication data, preferences, metadata, billing state, workflow data | EU |
| Cloudflare R2 | Object storage for recordings and generated files | Encrypted audio files, transcripts, summaries, exported files, related objects | EU endpoint configured |
| AssemblyAI | Speech-to-text transcription | Audio data submitted for transcription only | EU endpoint |
| OpenAI | Optional summarization and AI text generation features | Transcript text and user prompts required to generate summaries or related outputs | EU-configured routing or customer-controlled EU endpoint where enabled |
| Stripe | Payment processing | Billing details, payment status (We do not store credit card info) | Global / EU |
| Google and Microsoft | Optional calendar integrations enabled by the user | Calendar metadata, OAuth tokens, event details required for the connected integration | Global |
AssemblyAI is configured through its EU endpoint for speech-to-text processing, with no AI training and no data retention for submitted audio.
OpenAI is only used for optional summarization features and is configured for EU-oriented processing where enabled, or routed through a customer-controlled EU endpoint.
Sub-processors do not receive Google or Microsoft calendar metadata unless strictly required for functionality explicitly enabled by the user.
Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Note: Because we do not use meeting bots, we do not rely on third-party bot infrastructure providers, significantly reducing third-party data exposure compared to standard meeting recorders.
7. Professional Secrecy and Security
Caven is specifically designed with professionals in regulated industries (such as lawyers, healthcare providers, and financial advisors) in mind. We understand the critical nature of professional secrecy (beroepsgeheim) and legal privilege.
- No Bots: Your meetings remain strictly between invited human participants. No virtual bots join the call to snoop or record.
- Encryption: Data is encrypted both in transit (TLS 1.3) and at rest (AES-256).
- Private Processing Controls: We configure providers and endpoints to minimize retention and prevent customer data from being used for AI model training.
8. International Data Transfers
We aim to keep personal data processing within the EEA wherever feasible, including by using AssemblyAI's EU endpoint, EU-hosted database infrastructure, EU object storage endpoints, and EU AI processing endpoints where configured. If a feature or sub-processor requires processing outside the EEA, we will do so only where a valid GDPR transfer mechanism applies:
- The European Commission has decided that the third country ensures an adequate level of protection.
- Appropriate safeguards are in place, such as binding corporate rules, standard contractual clauses, or approved codes of conduct.
- You have explicitly consented to the transfer after being informed of the risks.
- The transfer is necessary for the performance of a contract between you and us.
- The transfer is necessary for important reasons of public interest.
9. Data Subject Rights
We shall assist you in fulfilling your obligation to respond to requests from Data Subjects exercising their rights under the GDPR, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to automated decision-making
We provide a dedicated interface for users to exercise their right to deletion, accessible through the account settings in the Caven application.
10. Data Breach Notification
In the event of a Personal Data breach, we shall notify you without undue delay after becoming aware of the breach. The notification will:
- Describe the nature of the breach
- Provide the name and contact details of our data protection officer or other contact point
- Describe the likely consequences of the breach
- Describe the measures taken or proposed to address the breach
We shall document any Personal Data breaches, including the facts, effects, and remedial action taken.
11. Audit Rights
We shall make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
Any audit shall be subject to the following conditions:
- You shall provide reasonable advance notice of at least 30 days.
- Audits shall be conducted during normal business hours.
- Audits shall not unreasonably interfere with our normal business operations.
- All information obtained during an audit shall be treated as confidential.
12. Termination
Upon termination of the services, we shall, at your choice, delete or return all Personal Data to you, and delete existing copies unless EU or Member State law requires storage of the Personal Data.
13. Liability
Each party shall be liable for damages caused by its own breach of this DPA or the GDPR. If one party is held liable for a violation of this DPA or the GDPR by the other party, the latter shall, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses, or loss incurred.
14. Governing Law
This DPA shall be governed by the laws of Belgium, without regard to its conflict of laws principles. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Belgium.
15. Contact Information
If you have any questions about this Data Processing Agreement, please contact us:
Company: Caven BV
Registered Office: Sint-Annastraat 7, 9420 Erpe-Mere, Belgium
VAT Number: BE1037354721
Email: info@caven.io
Website: www.caven.io