Data Processing Agreement

Last Updated: 25 November 2025

This DPA forms part of the Agreement between SessionCommander ("Processor") and the customer ("Controller") regarding the processing of personal data under UK GDPR.

1. Roles of the Parties

  • The Customer is the Data Controller.
  • SessionCommander is the Data Processor.
  • Guests and studio users may act as additional data subjects.

2. Scope of Processing

We process personal data to:

  • provide the Platform and its features
  • store, transmit, and manage audio files, comments, metadata, and related project content
  • authenticate users and secure accounts
  • send notifications
  • maintain logs
  • ensure service integrity and security
  • provide support and technical assistance

Processing is limited to what is necessary to fulfil these purposes.

3. Categories of Data

  • Contact details (name, email)
  • Login data, activity logs, IP addresses
  • Audio review comments and approvals
  • Guest invitation data
  • Uploaded audio files and attachments (may contain identifiable voices)
  • Studio and project metadata
  • Support ticket information

Special category data is not intentionally collected, unless uploaded by the Controller.

4. Duration

Processing continues for the duration of the subscription and data retention periods agreed in the Privacy Policy or contract.

5. Processor Obligations

We shall:

  • process data only on documented instructions;
  • maintain confidentiality;
  • implement appropriate technical and organisational security measures;
  • assist in addressing data subject requests;
  • notify the Controller of personal data breaches without undue delay;
  • provide information necessary for audits (not more than once per year unless required by law);
  • delete or return personal data at the end of the contract, unless legally required to retain it.

6. Controller Obligations

The Controller shall:

  • ensure a lawful basis for data processing;
  • ensure data uploaded is accurate and not excessive;
  • manage its own users, roles, and permissions;
  • maintain responsibility for Content uploaded to the Platform;
  • comply with laws relating to audio recordings and third-party data.

7. Sub-Processors

We use sub-processors to deliver essential services such as:

  • hosting
  • email delivery
  • data storage
  • analytics
  • backup services
  • payment processing

A current list can be provided upon request.

We will notify the Controller of changes and allow objections.

8. International Transfers

Where data is transferred outside the UK, appropriate safeguards (e.g., SCCs, adequacy decisions) will be applied.

9. Security

We implement multi-layered security including:

  • password hashing
  • encrypted transmission (TLS)
  • access logs
  • audit logs
  • role-based access
  • secure infrastructure
  • optional 2FA
  • network segmentation (where applicable)

10. Data Breach Notification

We will notify the Controller without undue delay after becoming aware of a personal data breach and will provide information as it becomes available.

11. Deletion or Return of Data

At contract termination:

  • Content and personal data will be deleted within agreed timeframes
  • Backups will be overwritten automatically during their standard retention cycle
  • Data may be exported upon request before deletion

12. Liability and Indemnity

Liability is governed by the main Agreement or Terms of Service.

Nothing in this DPA limits rights under UK GDPR.

13. Governing Law

This DPA is governed by the laws of England and Wales.