Data Processing Agreement

Effective Date: February 5, 2026
Version: 1.0
Last Updated: February 17, 2026

This Data Processing Agreement (“DPA”) supplements the Terms of Service (“Agreement”) between you (“Controller”, “you”, “your”) and Codaran Ltd (“Processor”, “Codaran”, “we”, “us”, “our”) when you instruct Codaran to process personal data on your behalf through the VoxDev platform (“the Service”).

Company: Codaran Ltd (Company Number: 17014338)
Registered Office: 128, City Road, London, EC1V 2NX, United Kingdom

This DPA is entered into by and between the Controller and the Processor, each a “Party” and together the “Parties”. This DPA applies to the extent that the Processor processes personal data on behalf of the Controller in the course of providing the Service. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

1. Definitions

In this DPA, the following terms shall have the meanings set out below:

  • “Applicable Data Protection Law” means all applicable laws and regulations relating to the processing of personal data, including (but not limited to) the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA/CPRA), each as amended from time to time.
  • “Controller” means the entity that determines the purposes and means of the processing of personal data — i.e., you, the customer.
  • “Data Subject” means an identified or identifiable natural person whose personal data is processed under this DPA.
  • “EEA” means the European Economic Area.
  • “Personal Data” means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in the course of providing the Service.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • “Processing” (and “process”, “processed”) means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • “Processor” means Codaran Ltd, which processes Personal Data on behalf of the Controller.
  • “Sub-Processor” means any third party engaged by Codaran to process Personal Data on behalf of the Controller.
  • “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries, as adopted by the European Commission.
  • “UK IDTA” means the UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as issued by the UK Information Commissioner.

Terms not defined in this DPA shall have the meanings given to them in the Agreement, or, if not defined there, the meanings given under Applicable Data Protection Law.

2. Scope and Details of Processing

2.1. Subject Matter

The processing of Personal Data by the Processor is carried out for the purpose of providing the Service as described in the Agreement. The Service is an AI-powered software development assistant that provides meeting transcription, AI-powered analysis, requirement extraction, code analysis, and AI-assisted software development.

2.2. Duration

The Processor shall process Personal Data for the duration of the Agreement, unless otherwise agreed in writing. Upon termination, the provisions of Section 12 shall apply.

2.3. Nature and Purpose of Processing

The Processor processes Personal Data for the following purposes:

  1. Processing meeting audio for real-time transcription and speaker identification;
  2. Analysing meeting conversations using third-party AI models to extract software requirements, specifications, and documentation;
  3. Enabling AI agent access to codebases (when configured by the Controller) for analysis and modification;
  4. Generating AI-powered assessments, including clarifying questions, completeness evaluations, and priority estimates;
  5. Transmitting data to third-party AI model providers for processing as necessary to provide the Service;
  6. Account management, authentication, and billing.

2.4. Types of Personal Data

The categories of Personal Data processed include:

  • Names and contact information (email addresses, professional roles);
  • Voice data and voice characteristics (mathematical representations used for speaker identification);
  • Opinions, statements, and professional discussions expressed in meetings;
  • Codebase contents (which may incidentally contain personal data such as names, email addresses, or comments);
  • IP addresses and usage metadata;
  • Account and authentication information;
  • Payment-related information (processed by third-party payment providers).

2.5. Categories of Data Subjects

The Data Subjects whose Personal Data may be processed include:

  • The Controller's employees, contractors, and authorised users of the Service;
  • Meeting participants (including clients, partners, and any other individuals who participate in meetings recorded through the Service);
  • Individuals whose personal data may incidentally appear in codebases connected to the Service.

3. Controller Obligations

The Controller warrants and undertakes that:

  1. It has a lawful basis for the processing of Personal Data and shall ensure compliance with Applicable Data Protection Law at all times;
  2. It has provided all necessary notices to, and obtained all necessary consents or authorisations from, Data Subjects for the processing described in this DPA, including (without limitation) consent from all meeting participants for recording, transcription, AI analysis, and transmission to third-party AI providers;
  3. Its instructions to the Processor shall comply with Applicable Data Protection Law. The Controller acknowledges that the Service involves transmission of data to third-party AI providers and that by using the Service, the Controller instructs the Processor to carry out such transmission;
  4. It shall promptly inform the Processor if it becomes aware of any circumstances that may affect the Processor's ability to comply with this DPA;
  5. It is solely responsible for the accuracy, quality, and legality of the Personal Data provided to the Processor and the means by which it acquired such Personal Data.

4. Processor Obligations

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller (including the instructions set out in this DPA and the Agreement), unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law from doing so);
  2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. Implement and maintain appropriate technical and organisational security measures as described in Section 5;
  4. Respect the conditions set out in Section 6 for engaging Sub-Processors;
  5. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to Data Subject rights requests;
  6. Assist the Controller in ensuring compliance with the obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to the Processor;
  7. At the Controller's choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless applicable law requires retention, as described in Section 12;
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as described in Section 11;
  9. Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law;
  10. Not process Personal Data for any purpose other than providing the Service as described in the Agreement. Without limiting the foregoing, the Processor shall not: (i) sell Personal Data; (ii) retain, use, or disclose Personal Data for commercial purposes other than providing the Service; or (iii) use Personal Data to train AI models, except where the Controller has provided separate, explicit consent for such use.

5. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:

  1. Encryption: Encryption of Personal Data at rest (using industry-standard encryption algorithms) and in transit (using TLS 1.2 or higher);
  2. Access controls: Role-based access controls with the principle of least privilege, ensuring that only authorised personnel have access to Personal Data;
  3. Monitoring and testing: Regular security assessments, vulnerability scanning, and penetration testing of systems that process Personal Data;
  4. Incident response: Documented incident response procedures, including procedures for the detection, investigation, containment, and remediation of Personal Data Breaches;
  5. Personnel security: Security awareness training for all personnel who have access to Personal Data, including training on data protection obligations and incident reporting;
  6. Infrastructure security: Physical security of data centre infrastructure is maintained by our cloud infrastructure providers, who hold industry-standard security certifications;
  7. Data minimisation: Processing only the Personal Data necessary to provide the Service. Meeting audio is processed in real-time for transcription and is not stored after transcription is complete. Codebase contents are held only in processing context during active sessions and are not permanently stored;
  8. Backup and recovery: Regular automated backups of systems that store Personal Data, with tested recovery procedures;
  9. Logging: Audit logging of access to systems that process Personal Data, with logs retained for a reasonable period to support security investigation and compliance.

The Processor shall regularly review and, where necessary, update these security measures to ensure continued appropriateness, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

6. Sub-Processors

6.1. General Authorisation

The Controller hereby grants the Processor general written authorisation to engage Sub-Processors for the processing of Personal Data, subject to the conditions set out in this Section 6. The current list of Sub-Processors is available at our Sub-Processor List.

6.2. Notification of Changes

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors, providing the Controller with the opportunity to object to such changes. The Processor shall provide at least 30 days' advance notice before engaging a new Sub-Processor or replacing an existing one. Notice shall be provided via email to the address associated with the Controller's account, or through the Service interface.

6.3. Right to Object

If the Controller objects to a new or replacement Sub-Processor on reasonable data protection grounds, the Processor shall use reasonable efforts to make available to the Controller a change in the Service or recommend a commercially reasonable alternative. If the Processor cannot accommodate the Controller's objection, the Controller may terminate the Agreement by providing written notice to the Processor, and the Processor shall refund any prepaid fees for the period following the effective date of termination.

6.4. Sub-Processor Obligations

The Processor shall:

  1. Enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA;
  2. Remain fully liable to the Controller for the performance of each Sub-Processor's obligations;
  3. Conduct appropriate due diligence on each Sub-Processor's ability to meet its data protection obligations.

6.5. AI Provider Sub-Processors

The Controller acknowledges that the Service relies on third-party AI model providers as Sub-Processors for core functionality (meeting transcription, AI analysis, code analysis, and AI agent operations). The specific AI providers used may change over time as described in Section 6.2. The Processor maintains contractual agreements with AI providers that restrict them from training on Controller data, but cannot independently audit or guarantee provider compliance. The current AI providers are listed in the Sub-Processor List.

7. International Data Transfers

Codaran Ltd is based in the United Kingdom. Personal Data may be transferred to and processed in countries outside the Controller's country of residence, including the United States and countries where our Sub-Processors operate.

7.1. Transfer Mechanisms

The Processor shall ensure that any transfer of Personal Data outside the UK or EEA is subject to appropriate safeguards in accordance with Applicable Data Protection Law, including:

  1. For transfers from the UK: UK International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU SCCs, as issued by the UK Information Commissioner;
  2. For transfers from the EEA: EU Standard Contractual Clauses (SCCs) as adopted by the European Commission;
  3. Adequacy decisions: Where the European Commission or UK Secretary of State has determined that a third country provides an adequate level of data protection;
  4. Supplementary measures: Where required following a Transfer Impact Assessment, the Processor shall implement supplementary technical measures (such as encryption in transit and at rest) and organisational measures as recommended by the EDPB or ICO.

7.2. Transfer Impact Assessments

Where required by Applicable Data Protection Law, the Processor shall conduct Transfer Impact Assessments to evaluate the level of data protection in the recipient country and determine whether supplementary measures are necessary. The Processor shall make the results of such assessments available to the Controller upon request.

8. Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Law, including:

  • Right of access;
  • Right to rectification;
  • Right to erasure (“right to be forgotten”);
  • Right to restriction of processing;
  • Right to data portability;
  • Right to object to processing;
  • Rights related to automated decision-making and profiling.

If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request directly unless instructed to do so by the Controller or required to do so by applicable law.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification shall include, to the extent available:

  1. A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
  2. The name and contact details of the Processor's data protection contact point;
  3. A description of the likely consequences of the Personal Data Breach;
  4. A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

Where it is not possible to provide the information at the same time, the Processor shall provide the information in phases without undue further delay. The Processor shall cooperate with the Controller and take reasonable steps to assist the Controller in investigating, mitigating, and remediating the Personal Data Breach.

10. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments (“DPIAs”) and prior consultations with supervisory authorities, where required by Applicable Data Protection Law, taking into account the nature of the processing and the information available to the Processor.

The Controller acknowledges that certain features of the Service (including meeting recording, voice processing for speaker identification, multi-agent AI processing, and codebase access) may require the Controller to conduct a DPIA prior to commencing processing. The Controller is solely responsible for determining whether a DPIA is required and for conducting it.

11. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following conditions:

  1. The Controller shall provide at least 30 days' advance written notice of any audit, unless a shorter notice period is required by a supervisory authority;
  2. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations;
  3. The Controller (or its auditor) shall comply with reasonable confidentiality and security requirements, including non-disclosure agreements;
  4. Any third-party auditor must not be a competitor of the Processor;
  5. Audits shall be limited to once per calendar year, unless there are reasonable grounds to believe a Personal Data Breach has occurred or the Controller is required to conduct an additional audit by a supervisory authority;
  6. The Controller shall bear the costs of any audit, except where the audit reveals material non-compliance by the Processor with this DPA, in which case the Processor shall bear reasonable costs.

Where the Processor holds current third-party certifications or audit reports (such as SOC 2 or ISO 27001), the Processor may provide these to the Controller in lieu of a physical audit, provided the Controller finds them reasonably sufficient to verify compliance.

12. Term and Termination

12.1. Term

This DPA shall come into effect on the date the Controller first accepts the Agreement and shall remain in force for as long as the Processor processes Personal Data on behalf of the Controller.

12.2. Effect of Termination

Upon termination of the Agreement, the Processor shall, at the Controller's written election:

  1. Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (where the Service provides data export features); or
  2. Delete all Personal Data and existing copies, unless applicable law requires retention of some or all of the Personal Data.

If the Controller does not make an election within 30 days of termination, the Processor shall delete the Personal Data. The Processor shall certify the deletion of Personal Data upon the Controller's written request.

12.3. Retention After Termination

The Processor may retain Personal Data after termination only to the extent required by applicable law (such as tax records and financial reporting obligations). Any retained Personal Data shall continue to be protected in accordance with this DPA. The Processor shall document and communicate to the Controller any such retention requirements.

13. Liability

Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except that nothing in the Agreement or this DPA shall limit either Party's liability:

  • For breaches of Applicable Data Protection Law to the extent such liability cannot be limited by contract;
  • For regulatory fines or penalties imposed by supervisory authorities;
  • For death or personal injury caused by negligence;
  • For fraud or fraudulent misrepresentation.

Where both Parties are involved in the same processing activity and are responsible for any damage caused by that processing, each Party shall be liable for the entire damage in order to ensure effective compensation of the Data Subject, in accordance with Article 82 of the UK GDPR / EU GDPR. Where a Party has paid full compensation for the damage suffered, that Party shall be entitled to claim back from the other Party the part of the compensation corresponding to the other Party's share of responsibility.

14. General Provisions

14.1. Governing Law. This DPA shall be governed by the same law that governs the Agreement, as set out in the Agreement's Dispute Resolution and Governing Law section.

14.2. Conflict. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

14.3. Amendments. This DPA may only be amended in writing signed by both Parties, except that the Processor may update the security measures described in Section 5 from time to time, provided such updates do not materially reduce the level of protection afforded to Personal Data.

14.4. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

14.5. Entire DPA. This DPA, together with the Agreement, represents the complete agreement between the Parties regarding the processing of Personal Data in connection with the Service.

14.6. Enterprise Customers. Enterprise customers may negotiate custom DPA terms. Please contact legal@voxdev.tech for bespoke arrangements.

15. Contact Information

For any questions regarding this DPA or to exercise your rights under this DPA, please contact us:

UK Supervisory Authority: Information Commissioner's Office (ICO) — ico.org.uk