Data Processing Agreement (DPA)

This English version of the Data Processing Agreement is provided for reading and comprehension purposes only. The legally binding version is the German version, which can be found here: www.chamelaion.com/de/dpa

VERSION: 25.08.2025

(A) CHAMELAION GmbH, with its registered office at Berger Straße 342, D-60385 Frankfurt am Main, Federal Republic of Germany, registered with the Commercial Register of the Local Court of Frankfurt am Main under HRB 136581, VAT Identification Number: DE450519324 and economic identification number DE450519324, represented by its management (hereinafter referred to as the “Processor” within the meaning of data protection law), offers AI-based video translation services via the web platform accessible at https://www.chamelaion.com (“Website”).
(B) In the course of (i) concluding a subscription via the Website (including the applicable General Terms and Conditions and the Processor’s Privacy Policy) or (ii) entering into an Enterprise Order (including the incorporated Special Terms and Conditions for Enterprise Packages of the Processor (“Enterprise Terms”) as well as the subsidiary applicable General Terms and Conditions and the Processor’s Privacy Policy) (the relevant contractual arrangement hereinafter referred to as the “Service Agreement”), the customer (hereinafter referred to as the “Controller” within the meaning of data protection law) has engaged the Processor to provide services in the field of AI-based video translation. Terms specifically defined under the Service Agreement shall have the same meaning in this Data Processing Agreement unless expressly stated otherwise.
(C) In the performance and fulfillment of the services agreed under the Service Agreement, the Processor may obtain access to personal data and will process such data solely on behalf of and in accordance with the instructions of the Controller within the meaning of Article 28 in conjunction with Article 4(8) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
(D) The subject matter of this Data Processing Agreement is the compliance by the Processor with the tasks and requirements set out below regarding the handling of data in connection with the Service Agreement.

In consideration of the foregoing, the parties agree as follows:

Contents
1. Obligations of the Processor
2. Audit and Inspection Rights of the Controller
3. Information and Assistance Obligations of the Processor
4. Authority of the Controller to Issue Instructions
5. Return of Data Carriers and Deletion of Data
6. Term of the Agreement and Termination
7. Liability
8. Governing Law, Place of Performance, Jurisdiction
9. Miscellaneous

1 Obligations of the Processor

1.1 The scope, nature, and purpose of the processing of personal data by the Processor on behalf of the Controller are derived directly from the Service Agreement.
1.2 The Processor is prohibited from processing personal data in a manner that deviates from or exceeds the specifications set out in the Service Agreement.
1.3 Subject to the details specified in the Service Agreement, the following categories and types of personal data may be subject to processing by the Processor:
(a) Audio and video data, including image and sound recordings of identifiable individuals;
(b) Personal information contained in the aforementioned media, whether spoken or displayed in written form, such as names, contact details, functional or role designations, content of personal or business communications, and, where applicable, special categories of personal data within the meaning of Article 9 GDPR, provided such data is transmitted by the Controller or its users in the course of using the service;
(c) Metadata relating to the transmitted files (such as timestamps, filenames, or usage information);
(d) Usage, log, and communication data (to the extent necessary for service provision); and
(e) Any other personal data contained in the audiovisual material provided by the Controller.
1.4 The group of data subjects whose personal data may be processed under this Data Processing Agreement includes, depending on the content of the video files transmitted by the Controller to the Processor, in particular natural persons who are visible or audible in such files, such as speakers, participants, interviewees, presenters, customers, employees, or other third parties. It also includes individuals whose personal data is contained or mentioned in the spoken or written content of such files. Furthermore, the group of data subjects extends to employees, customers, business partners, and other communication partners of the Controller as well as users and administrators of the online services used by the Controller. In addition, it may include any other natural persons whose personal data is processed by the Controller in the course of using the service.
1.5 Processing of data shall, as a rule, take place exclusively within the territory of the Federal Republic of Germany, a Member State of the European Union, or another state party to the Agreement on the European Economic Area. Any transfer to a third country requires the prior written consent of the Controller and may only take place if the specific requirements of Articles 44 et seq. GDPR are fulfilled. Section 1.10 remains unaffected.
1.6 The provisions of this Data Processing Agreement apply to all activities related to the Service Agreement in which the Processor, its employees, or any third parties engaged by the Processor come into contact with personal data originating from or collected for the Controller.
1.7 The following technical and organizational measures (TOMs) are agreed:
(a) The Processor shall document the implementation of the TOMs outlined prior to the award of the contract, in particular with regard to the execution of the specific order, before the start of processing and present such documentation to the Controller for review. Upon acceptance by the Controller, the documented measures form part of this Data Processing Agreement. Where an audit by the Controller identifies a need for adjustments to the TOMs, such adjustments shall be implemented by mutual agreement.
(b) The Processor is obliged to comply with applicable data protection laws and to refrain from disclosing or exposing to third parties any information obtained from the Controller. Documents and data must be protected against unauthorized access, taking into account the state of the art.
(c) Persons employed by the Processor in data processing are prohibited from collecting, processing, or using personal data without authorization. The Processor shall require all persons entrusted with the execution of this Data Processing Agreement (hereinafter “Employees”) to sign confidentiality undertakings in written form (Article 28(3) sentence 2(b) GDPR) and shall ensure compliance with these obligations with due care. Proof of such confidentiality undertakings shall be provided to the Controller upon request.
(d) The Processor shall organize its internal operations in such a way as to meet the specific requirements of data protection. It shall take all appropriate TOMs to protect the Controller’s data pursuant to Article 32 GDPR and maintain such measures for the duration of data processing. In particular, the Processor shall take measures to ensure confidentiality, integrity, availability, and resilience of processing systems and services, including but not limited to access controls, access rights and permission concepts, logging and traceability of access, encryption of data during transmission and, where applicable, storage, as well as procedures for the regular review, assessment, and evaluation of the effectiveness of the TOMs. The Processor shall further ensure that its employees are familiar with applicable data protection provisions, are bound by confidentiality, and are regularly trained in handling personal data. Where subprocessors are engaged, the Processor shall ensure through contractual arrangements that they provide a comparable level of protection.
(e) The Processor reserves the right to modify the TOMs, provided that the agreed level of protection is not reduced. The Processor must promptly notify the Controller in writing if it has reason to believe that the measures under Section 1.7(d) are no longer adequate, and shall coordinate with the Controller on further TOMs.
(f) The Controller may request proof of compliance with the agreed TOMs at any time in an appropriate manner.
1.8 The Processor shall assist the Controller, to the extent possible and using appropriate TOMs, in fulfilling its obligations under Articles 12 to 22 GDPR and Articles 32 to 36 GDPR. If a data subject contacts the Processor directly with a request for access, rectification, or erasure of their data, the Processor shall promptly forward the request to the Controller and await its instructions. The Processor shall not engage with the data subject without specific instructions from the Controller.
1.9 In addition to compliance with the provisions of this Data Processing Agreement, the Processor shall assume the following obligations (to the extent legally required):
(a) Maintain a record of all categories of processing activities carried out on behalf of the Controller pursuant to Article 30(2) GDPR, to be made available to the Controller (upon request) and to supervisory authorities (in case of a lawful request);
(b) Assist the Controller in carrying out a data protection impact assessment under Article 35 GDPR and, where applicable, in prior consultation with the supervisory authority under Article 36 GDPR;
(c) Where legally required, appoint in writing a data protection officer who can perform duties in accordance with Articles 38 and 39 GDPR; the Processor shall provide the Controller with the officer’s contact details for direct communication and shall promptly notify the Controller in text form of any successor;
(d) Unless prohibited by judicial or administrative order, promptly inform the Controller if the Processor’s data is endangered by seizure, confiscation, insolvency or composition proceedings, or other events or measures by third parties; in such cases, the Processor shall promptly inform all relevant parties that control over the data rests exclusively with the Controller as the responsible party under GDPR.
1.10 The Processor is generally authorized, in accordance with Article 28(2) sentence 2 GDPR, to engage subprocessors. The Controller acknowledges that the Processor currently cooperates with the following subprocessors:
(a) Google Firebase, a product of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, including affiliates such as Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”);
(b) OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, Company No. 737350 (“OpenAI”);
(c) DeepL SE, Maarweg 165, 50825 Cologne, Federal Republic of Germany (“DeepL”);
(d) Eleven Labs Inc., 169 Madison Ave #2484, New York, NY 10016, United States of America (“ElevenLabs”); and
(e) solely in the “Professional Dubbing Services” modality (see Section 4 of the Enterprise Terms), the disclosed and periodically updated pool of external translation service providers (“Translation Experts”) engaged upon conclusion of an Enterprise Order.

The Processor has concluded a Data Processing Agreement (DPA) with Google, OpenAI, DeepL, and ElevenLabs. These DPAs are linked on the Processor’s website at www.chamelaion.com/privacy-policy and were reviewed and acknowledged by the Controller prior to the conclusion of the Service Agreement. The Controller acknowledges that, at present, only Google participates actively in the EU–US Data Privacy Framework (DPF – https://www.dataprivacyframework.gov). The Controller further acknowledges that under the DPAs, data may be processed in the United States of America, but that each subprocessor has contractually committed to compliance with European data protection standards and to enabling the Processor to monitor such compliance. Both the Controller and the Processor share the view that the DPAs concluded by the Processor currently satisfy the requirements of Articles 44 et seq. GDPR (EU Standard Contractual Clauses).
The Processor has also concluded with each Translation Expert a framework agreement (requiring strict confidentiality and adherence to data protection standards) and an incorporated data processing agreement pursuant to Article 28 GDPR (“DPA-TE”), under which the Translation Experts act as subprocessors of the Processor. For clarification: data is only shared with Translation Experts if the Controller has explicitly booked the “Professional Dubbing Service” (see Section 4 of the Enterprise Terms). If this service is not booked, no data is exchanged with Translation Experts. Each enterprise customer will, when concluding an Enterprise Order that includes “Professional Dubbing Services,” be separately informed of the applicable data protection provisions. Against this background, the Controller hereby provides its consent within the meaning of Section 1.5.
The Processor shall inform the Controller of any changes to the DPAs or, where relevant, to the DPA-TE, and shall link the current versions of such DPAs on its website at www.chamelaion.com/privacy-policy.
In addition, the Processor shall keep a local copy of the DPAs and the DPA-TE available and provide them to the Controller without undue delay upon request. The Processor shall inform the Controller in advance of the engagement of new or the replacement of existing subprocessors and shall grant the Controller a reasonable period to review and object.

2 Audit and Inspection Rights of the Controller

2.1 The Controller has the right to regularly verify compliance with the provisions of this Data Processing Agreement, in particular the implementation and adherence to the technical and organizational measures pursuant to Section 1.7(d). For this purpose, the Controller may, for example, request information from the Processor, obtain existing expert opinions, certifications, or internal audit reports, or inspect the Processor’s technical and organizational measures during normal business hours, either personally or through a qualified third party, provided such third party is not in a competitive relationship with the Processor.
2.2 The Controller shall conduct audits only to the extent necessary and with due regard for the Processor’s business operations. The parties shall agree in advance on the timing and nature of any audit.
2.3 The Controller shall document the audit results and provide them to the Processor. If the audit reveals issues that require changes to the prescribed procedures to prevent future deficiencies, the Controller shall promptly notify the Processor of the necessary procedural changes. Upon the Controller’s oral or written request, the Processor shall provide within a reasonable period all information and evidence necessary to conduct an audit pursuant to Section 2.1. In addition, the Processor undertakes, upon request of the Controller, to provide a comprehensive and up-to-date data protection and security concept for the data processing activities, including details of authorized personnel.

5 Return of Data Carriers and Deletion of Data

5.1 The parties agree that, upon completion of the contractual work or earlier upon request by the Controller, and at the latest upon termination of the Service Agreement, the Processor shall either hand over to the Controller or, subject to the Controller’s prior written consent, securely delete all documents, processing and usage results, and data sets obtained in connection with this Data Processing Agreement, unless otherwise stipulated herein. The same applies to test and discard material and temporary files. A deletion protocol shall be provided to the Controller upon request.
5.2 The Processor shall confirm the deletion to the Controller in writing. The Controller shall have the right to verify the complete and contractually compliant return or deletion of the data at the Processor, in an appropriate manner; Section 2.2 shall apply accordingly.
5.3 The Processor is obliged to retain documentation that serves to demonstrate proper and compliant data processing in accordance with applicable retention periods, even beyond the end of the contract. Such documentation shall be made available to the Controller upon request. The Processor may, for its own discharge, hand over such documentation to the Controller already at the end of the contract.
5.4 The Processor is obliged to maintain the confidentiality of any data it became aware of in connection with the Service Agreement even beyond the end of the Service Agreement.
5.5 Furthermore, the Processor shall ensure that personal data is regularly reviewed for necessity of retention and that data no longer required is deleted in accordance with GDPR requirements.
