Data Processing Agreement (DPA)
This English version of the Data Processing Agreement is provided for reading and comprehension purposes only. The legally binding version is the German version, which can be found here: www.chamelaion.com/de/dpa
VERSION: 03.03.2026
(A) CHAMELAION GmbH, with registered office at Berger Straße 342, D-60385 Frankfurt am Main, Federal Republic of Germany, registered in the commercial register of the Local Court (Amtsgericht) Frankfurt am Main under HRB 136581, VAT ID: DE450519324, business identification number: DE450519324, represented by its management (hereinafter the “Processor” within the meaning of data protection law), offers AI-assisted services in the field of video translation and synchronisation (including lip synchronization/LipSync) via the web platform accessible at https://www.chamelaion.com (the “Website”). Where agreed, access may also be provided via an API.
(B) In the context of
(i) the conclusion of a subscription via the Website (including the applicable General Terms and Conditions and the Processor’s privacy policy) or
(ii) an Enterprise Order (including the incorporated Special Terms and Conditions for Enterprise Packages of the Processor (the “Enterprise Terms”) as well as the supplementary General Terms and Conditions and the Processor’s privacy policy) (the respectively applicable contractual variant hereinafter collectively the “Service Agreement”), the customer (hereinafter the “Controller” within the meaning of data protection law) has engaged the Processor to provide services in the field of AI-based video translation and synchronisation (including lip synchronization/LipSync). Terms that are specifically defined terms under the Service Agreement shall have the same meaning in this Data Processing Agreement unless expressly stated otherwise herein. (C) In the course of performing and fulfilling the services agreed under the Service Agreement, the Processor obtains partial access to personal data and processes such personal data exclusively on behalf of and in accordance with the instructions of the Controller within the meaning of Article 28 in conjunction with Article 4(8) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). (D) The subject matter of this Data Processing Agreement is the Processor’s compliance with the tasks and requirements set out below regarding data handling in connection with the Service Agreement.
Having said the foregoing, the parties agree as follows:
CONTENT
1. Services of the Processor
2. Audit and control rights ofthe Controller
3. Information and assistanceobligations of the Processor
4. Controller’s right to issueinstructions
5. Return of data carriers anddeletion of data
6. Duration of the processing,termination
7. Liability
8. Governing law, place ofperformance, jurisdiction
9. Miscellaneous.
Services of the Processor
1.1 The scope, nature and purpose of the processing of personal data by the Processor for the Controller arise directly from the Service Agreement. For the avoidance of doubt: The services provided under the Service Agreement include, in particular, the processing of audio and video content for video translationand - where used/activated by the Controller - for synchronisation including lip synchronization (“LipSync”).
1.2 The Processor is prohibited from processing personal data in any manner that deviates from, or goes beyond, the provisions set out in the Service Agreement.
1.3 Taking into account the details set out in the Service Agreement, the following data types and data categories may be subject to processing of personal data by the Processor:
(a) audioand video data, including image and sound recordings of identifiable persons;
(b) technical analysis and timing information derived from the a forementioned audio and videodata (e.g., frame/sequence information as well as information for synchronising image and sound, including, where applicable, mouth-/lip-related image excerpts, insofar as required for LipSync);(c) personal information spoken or shown in writing within the aforementioned media, such asnames, contact data, function or role designations, content of personal or business communications, as well as, where applicable, special categories of personal data pursuant to Article 9 GDPR, insofar as transmitted by the Controller or its users in the course of using the service;
(d) metadata relating to the transmitted files (such as timestamps, file names or usage information);
(e) usage, log and communication data (insofar as required for service provision), including - where used - API-related access data such as timestamps of API requests, technical request metadata and authentication/key identifiers inhashed or pseudonymised form, insofar as required for service provision andsecurity; and
(f) any other personal data contained in the audiovisual material provided by the Controller.
1.4 The group of data subjects affected by the handling of personal data under this Data Processing Agreement includes - depending on the content of the video files transmitted by the Controller to the Processor - in particular natural persons who are visible or audible in the video files transmitted by the Controller, such as speakers, participants, interviewees, hosts, customers, employees or other third parties. This also includes persons whose personal data are contained in or mentioned within the spoken or written content of such files. In addition, the group of data subjects includes the Controller’s employees, customers, business partners and other communication partners as well as users and administrators of the online services used by the Controller. The group of data subjects may further include any other natural persons whose personal data are processed by the Controller in the course of using the service.
1.5 As a rule, the processing of data takes place exclusively within the territory of the Federal Republic of Germany, in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the Controller’s prior written consent and may only occur if the special requirements of Articles 44 et seq. GDPR are met. Clause 1.10 remains unaffected.
1.6 The provisions of this Data Processing Agreement apply to all activities related to the Service Agreement in which the Processor and its employees or any persons engaged by the Processor come into contact with personal data originating from the Controller or collected for the Controller.
1.7 The following technical and organizational measures are agreed:
(a) The Processor shall document the implementation of the technical and organizational measures presented prior to award of the contract before processing begins, in particular with regard to the specific execution of the order, and shall submit them to the Controller for review. If accepted by the Controller, the documented measures shall form the basis of this Data Processing Agreement. If an audit by the Controller identifies a need for adjustment regarding technical and/or organizational measures, such need shall be implemented by mutual agreement.
(b) The Processor is obliged to comply with the statutory data protection provisions and not to pass on information obtained from the Controller’s sphere to third parties or expose it to access by third parties. Documents and data shall besecured against access by unauthorized persons, taking into account the stateof the art.
(c) Persons employed by the Processor in data processing are prohibited from collecting, processing or using personal data without authorization. The Processor shall obligate all persons entrusted by it with the processing and performance of this Data Processing Agreement (hereinafter “Employees”) in writing to confidentiality (confidentiality obligation, Article 28 (3) sentence 2 lit. (b) GDPR) and shall ensure compliance with due care. Upon request, the Processor shall provide appropriate evidence of Employees’ confidentiality obligations to the Controller.
(d) The Processor shall structure its internal organization so that it meets the particular requirements of data protection. It shall take all appropriate technical and organizational measures for adequate protection of the Controller’s data pursuant to Article 32 GDPR and shall maintain them for the duration of data processing. In particular, the Processor shall take measures to ensure the confidentiality, integrity, availability and resilience of systems and services related to processing. This includes, among other things, access controls to prevent unauthorized entry to data processing systems, access and authorization concepts to restrict data access to authorized persons, measures for logging and traceability of access, encryption of data during transmission and, where appropriate, during storage, as well as procedures for the regular review, assessment and evaluation of the effectiveness of technical and organizational measures. The Processor also ensures that its Employees are familiar with applicable data protection provisions, have been bound by confidentiality, and receive regular training inthe handling of personal data. Where subcontractors are used, the Processor shall ensure by contractual arrangements that such subcontractors also maintain a level of protection comparable to the requirements of this agreement.
(e) The Processor reserves the right to change the implemented technical and organizational measures, provided it ensures that the contractually agreed level of protection is not undercut. The Processor shall promptly inform the Controller in writing if it has reason to believe that the measures pursuant to Clause 1.7(d) are no longer sufficient, and shall coordinate with the Controller regarding further technical and organizational measures.(f) Upon request, compliance with the agreed technical and organizational measures shall be evidenced to the Controller in an appropriate manner.
1.8 The Processor shall, where possible, support the Controller by means of suitable technical and organizational measures in fulfilling the Controller’s obligations under Articles 12 to 22 GDPR and Articles 32 to 36 GDPR. If a data subject contacts the Processor directly for information, rectification or deletion regarding their data, the Processor shall forward such request to the Controller without undue delay and await the Controller’s instructions. Without a specific individual instruction from the Controller, the Processor shall not contact the data subject.
1.9 In addition to complying with the provisions of this Data Processing Agreement, the Processor assumes the following obligations (in each case insofar as legally required):
(a) maintaining a record of all categories of processing activities carried out on behalf of the Controller pursuant to Article 30(2) GDPR, whereby the record shall be made available both to the Controller (upon request) and to data protection authorities (in the event of a lawful request); (b) supporting the Controller in the preparation of a data protection impact assessment pursuant to Article 35 GDPR and any prior consultation of the supervisory authority pursuant to Article 36 GDPR;
(c) where required by law, appointing a data protection officer in writing who can perform their duties pursuant to Articles 38 and 39 GDPR; the Processor shall provide the Controller with the contact details for the purpose of direct contact and shall notify the Controller in text form without undue delay of any change of the operational data protection officer or data protection contact person, including the successor’s details; (d) unless prohibited by a court or administrative order, promptly informing the Controller if the Controller’s data are endangered at the Processor due to seizure or attachment, insolvency or composition proceedings, or other events or measures by third parties; in this context, the Processor shall promptly inform all competent bodies that decision-making authority over the data lies exclusively with the Controller as the controller within the meaning of theGDPR.
1.10 The Processor is generally permitted, in accordance with Article 28(2) sentence 2 GDPR, to engage sub-processors or subcontractors. The Controller is aware that the Processor currently works with the following sub-processors:
(a) Google Firebase, a product of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA94043, USA, website: https://www.google.com, including its affiliated companies such as Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”);
(b) OpenAI Ireland Ltd, a company registered in the Republic of Ireland with registered office at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, company number 737350, website: https://www.openai.com (“OpenAI”);
(c) DeepL SE, Maarweg 165, 50825 Cologne, Federal Republic of Germany, website: https://www.deepl.com(“DeepL”);
(d) ElevenLabs Inc., 169 Madison Ave #2484, New York, NY 10016, United States of America, website: https://elevenlabs.io (“ElevenLabs”); and (e) exclusively in the “Professional Dubbing Services” modality (cf. Clause 4 of the Enterprise Terms), the pool of external translation service providers disclosed in the course of placing an Enterprise Order and updated from time to time (“Translation Experts”). The Processor has entered into a data processing agreement (so-called Data Processing Addendum, each a “DPA”) with each of Google, OpenAI, DeepL and ElevenLabs. These DPAs are linked on the Controller’s website at https://www.chamelaion.com/privacy-policy and were reviewed and acknowledged by the Controller in the version applicable prior to conclusion of the Service Agreement. The Controller is aware that, of the aforementioned entities, currently only Google is an active participant in the EU-US Data Privacy Framework (DPF - https://www.dataprivacyframework.gov). Inparticular, the Controller is aware that, pursuant to the DPAs, data processing may take place in the United States of America; however, the respective sub-processors are obligated under their respective DPAs to comply with European data protection standards vis-à-vis the Processor and to enable corresponding oversight by the Processor. Both the Controller and the Processor share the legal view that all DPAs concluded by the Processor currently meet the requirements of Articles 44 et seq. GDPR (EU Standard Contractual Clauses). TheProcessor has also concluded with each Translation Expert a master agreement (obligating Translation Experts to strict confidentiality and compliance with data protection standards) as well as an incorporated data processing agreement pursuant to Article 28 GDPR (“AVV-TE”), under which Translation Experts act as processors for the Processor. For clarification: data are forwarded to Translation Experts in any event only if the Controller has explicitly commissioned the “Professional Dubbing Services” service (cf. Clause 4 of the Enterprise Terms). If this service has not been commissioned, there is no data exchange with Translation Experts. Each enterprise customer concluding an Enterprise Order that includes “Professional Dubbing Services” is separately instructed as part of the commissioning about the applicable data protection rules. Against this background, the Controller hereby gives its consent also within the meaning of Clause 1.5. The Processor shall inform the Controller about changes to the DPAs and (insofar as relevant for the Controller) the AVV-TE, and shall link the current versions of the DPAs on its website at https://www.chamelaion.com/privacy-policy for review; it shall also keep a local copy of the DPAs and the AVV-TE, which can be sent to the Controller promptly upon request. The Processor shall inform the Controller in good time before adding further sub-processors or replacing existing sub-processors and shall grant the Controller an appropriate period for review and objection.
2 Audit and control rights of the Controller
2.1 The Controller has the right to regularly satisfy itself of compliance with the provisions of this Data Processing Agreement, in particular the implementation and compliance with the technical and organizational measures pursuant to Clause 1.7(d). For this purpose, the Controller may, for example, obtain information from the Processor, request existing expert reports, certifications or internal audits, or review the Processor’s technical and organizational measures during normal business hours in person and/or through a knowledgeable third party, provided that such third party is not in acompetitive relationship with the Processor.
2.2 The Controller shall conduct controls only to the extent required and shall take appropriate account of the Processor’s operational processes. The parties shall coordinate in good time regarding the date and type of review.
2.3 The Controller shall document the results of the control and communicate them to the Processor. The Controller shall inform the Processor without undue delay of any necessary procedural changes if the control identifies circumstances whose future avoidance requires changes to the ordered process.
2.4 Upon oral or written request, the Processor shall provide the Controller within a reasonable period with all information and evidence required to conduct a control pursuant to Clause 2.1. In addition, the Processor undertakes to provide the Controller, upon request, with a comprehensive and up-to-date data protection and security concept for processing on behalf, aswell as information regarding persons authorized to access the data.
3 Information and assistance obligations of the Processor
3.1 In the event of disruptions, suspicion of data protection violations or breaches of the Processor’s contractual obligations, suspicion of security-relevant incidents, or other irregularities in the processing of thepersonal data made available by the Processor, persons acting for it in performance of the contract, or third parties, the Processor shall inform the Controller without undue delay, but no later than within sixty (60) hours, in written or electronic form. The same applies to audits of the Processor by the data protection supervisory authority. The notifications shall contain at least the information specified in Article 33(3) GDPR.
3.2 The Processor is obliged, in the case of Clause 3.1, to support the Controller within reasonable limits in fulfilling its clarification, remediation and information measures. The Processor shall take the necessary measures without undue delay, in particular to secure the data and to mitigate possible adverse consequences for data subjects, shall inform the Controller thereof, and shall request further instructions.
4 Controller’s right to issue instructions
4.1 The Processor processes the data only within the scope of the Service Agreement and exclusively on behalf of and in accordance with the instructions of the Controller within the meaning of Article 28 GDPR (processing on behalf within the meaning of data protection law).
4.2 All instructions issued shall be documented by both the Controller and the Processor (at least in text form). Persons authorized to issue instructions for the Controller are those stored as such in the Controller’s account at the time the instruction is issued (as a rule, in the case of natural persons, the account holder itself, and in the case of legal entities or partnerships, their corporate body or statutory representative). Persons authorized to receive instructions on behalf of the Processor are all persons who, according to the Processor’s current excerpt from the commercial register, are managing directors or holders of commercial power of attorney (Prokuristen) of the Processor, as well as any other persons named as authorized recipients and/or representatives in the Processor’s legal notice (imprint) at https://www.chamelaion.com/imprint.
4.3 The Processor is obliged to inform the Controller without undue delay if it is of the opinion that an instruction of the Controller violates data protection provisions. The Processor is entitled to suspend implementation of the relevant instruction until it has been confirmed or amended by the responsible person at the Controller.
5 Returnof data carriers and deletion of data
5.1 The parties agree that, after completion of the contractual work or earlier upon request by the Controller, but no later than upon termination of the Service Agreement, the Processor shall hand over to the Controller, or (after prior written consent) destroy in a data-protection-compliant manner, all documents that have come into its possession, created processing and usage results, and data stocks that are connected with the Data Processing Agreement, unless otherwise stipulated in this Data Processing Agreement. The same applies to test and reject material and temporary files. The deletion log shall be provided to the Controller upon request.
5.2 The Processor shall confirm deletion to the Controller in writing. The Controller has the right to verify the complete and contract-compliant return and/or deletion of data at the Processor in an appropriate manner; Clause 2.2 applies accordingly.
5.3 The Processor is obliged to retain documentation serving as evidence of processing on behalf and in proper order beyond the end of the contract in accordance with the respective retention periods. The Processor shall hand over such documentation upon request of the Controller. The Processor may, for its own discharge, hand such documentation over to the Controller already upon termination of the contract.
5.4 The Processor is obliged, even beyond the end of the Service Agreement, to treat confidentially the data that became known to it in connection with the Service Agreement.
5.5 In addition, the Processor shall ensure that personal data are regularly reviewed for the necessity of their continued storage and that data no longer required are deleted in accordance with the requirements of the GDPR.
6 Duration of the processing, termination
6.1 The duration of this Data Processing Agreement corresponds to the duration of the Service Agreement, unless otherwise provided by the special provisions of this Data Processing Agreement. In case of doubt, termination of the Service Agreement shall also constitute termination of this Data Processing Agreement, and termination of this Data Processing Agreement shall constitute termination of the Service Agreement.
6.2 The right of either party to terminate this Data Processing Agreement without notice for good cause remains unaffected.
6.3 The obligations to return or delete the data as well as obligations of confidentiality and proof shall remain in effect after termination for the period necessary under applicable law, but at least for three (3) months.
7 Liability
7.1 The parties’ liability is governed by Article 82 GDPR. This does not affect the Processor’s liability towards the Controller for breach of obligations under this Data Processing Agreement or the Service Agreement.
7.2 The parties shall indemnify each other from liability if one party proves that it is not in any way responsible for the circumstance by which damage occurred to a data subject. The same applies accordingly in the event that an administrative fine is imposed on one party, whereby indemnification shall be provided to the extent that the other party bears a share of responsibility for the breach sanctioned by the fine.
8 Governing law, place of performance, jurisdiction
8.1 German law shall apply to this Data Processing Agreement.
8.2 The place of performance is the Processor’s registered office in Frankfurt am Main, Federal Republic of Germany.
8.3 Exclusive jurisdiction for disputes arising from this Data Processing Agreement is Frankfurt am Main, Federal Republic of Germany, unless mandatory statutory provisions provide otherwise.
9 Miscellaneous
9.1 The parties agree that the Processor’s defense of retention under section 273 of the German Civil Code (BGB) with respect to the data to be processed and the associated data carriers is excluded.
9.2 Amendments, supplements and addenda to this Data Processing Agreement shall be valid only if agreed between the parties in writing. This also applies to any amendment of this contractual provision.
9.3 If any provision of this Data Processing Agreement is or becomes invalid, this shall not affect the validity of this Data Processing Agreement in all other respects. The invalid provision shall be deemed replaced by a valid provision that comes closest to the economic purpose of the invalid provision. The same applies in the event of a contractual gap.
9.4 For the legal effects between the parties, only the German-language contract text of this Data Processing Agreement is authoritative. Any automatically or manually generated translations into other languages serve informational purposes only and have neither direct nor indirect effect between the parties (mere convenience translations). For interpretation within the meaning of sections 133 and 157 BGB, only the German-language contract text shall be used.
© 2025 CHAMELAION GmbH
.avif)