Data Processing Addendum

1. Parties and Scope

This Data Processing Addendum ("DPA") is entered into between the Customer and LERFILM INC d/b/a OHEAR.AI. It governs the processing of Personal Data that we carry out on the Customer's behalf in providing the Service. It applies to the extent that (a) the GDPR, (b) the UK GDPR, or (c) the CCPA / CPRA applies to such processing.

2. Roles

The Customer is the Controller (or Business). OHEAR.AI is the Processor (or Service Provider). Each party complies with its obligations under applicable Data Protection Laws. We process Personal Data only on documented instructions from the Customer, including with regard to international transfers.

3. Categories of Data and Data Subjects

Subjects: Customer's employees, contractors, voice actors, and authorized supervisors.

Categories: identifiers (name, work email, role), professional data (organization, payment routing for actor payouts via Stripe), audio recordings of voice performance, and platform usage telemetry.

Special categories: we do not require, and do not intentionally process, special-category data under GDPR Article 9.

4. Nature, Purpose, and Duration

Nature: hosting, transmission, transcoding, forced alignment, transcription QC, comment storage, and stem assembly for ADR production.

Purpose: to provide the Service to the Customer.

Duration: for the term of the underlying agreement, plus the retention windows in our Privacy Policy.

5. Security Measures

We implement appropriate technical and organizational measures, including TLS 1.2+ in transit, AES-256 at rest, role-based access control, scoped signed URLs for asset access, single-tenant logical separation, audit logging of administrative events, and annual review of access privileges. See the Security overview for additional detail.

6. Sub-processors

The Customer authorizes us to engage the sub-processors listed below. We will give 30 days advance notice of additions or replacements that handle Personal Data. The Customer may object on reasonable data-protection grounds within that window.

• Cloudflare, Inc. — edge hosting, R2 storage, email routing, web analytics. US.
• Supabase, Inc. — managed Postgres and authentication. US (EU available on request).
• Fly.io, Inc. — API and worker compute. US.
• Modal Labs, Inc. — audio processing pipelines. US.
• Stripe, Inc. — payments and Stripe Connect Express payouts. US.

7. International Transfers

For transfers of Personal Data from the EEA, UK, or Switzerland to the US, the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference and form part of this DPA. The UK Addendum to the SCCs applies for UK transfers.

8. Data Subject Rights

We will provide reasonable assistance, taking into account the nature of the processing, to help the Customer respond to requests from data subjects exercising rights under applicable Data Protection Laws. Requests received directly by us are forwarded to the Customer without undue delay.

9. Personal Data Breach Notification

We will notify the Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will describe the nature of the breach, the categories and approximate number of records affected, our containment measures, and a contact for further information.

10. Audit

We will make available information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or a mutually agreed third-party auditor, on reasonable advance notice and subject to confidentiality.

11. Return or Deletion

On termination, we will delete or return Customer Personal Data within 30 days, except where retention is required by law or where the data is no longer attributable to a specific data subject.

12. Contact

Request a counter-signed copy or raise DPA questions at [email protected].