FeaturesHow it WorksPricing
Legal Document

Data Processing Agreement

Last updated: March 30, 2026

1. Parties & Definitions

Data Controller

The customer ("you", "Controller") who uses ReMinutes to process meeting data. The Controller determines the purposes and means of processing personal data.

Data Processor

AIx Technologies ("we", "us", "Processor"), operating as ReMinutes, processes personal data on behalf of the Controller in accordance with the Controller's instructions and the terms of this Agreement.

Applicability

This Data Processing Agreement (DPA) supplements the ReMinutes Terms of Service and Privacy Policy. It applies whenever we process personal data on your behalf as part of providing the ReMinutes service.

2. Scope of Processing

We process personal data solely to provide the ReMinutes meeting transcription and analysis service. Processing activities include: recording meetings via bot integration, transcribing audio to text, generating AI-powered analysis (summaries, action items, decisions, questions), storing meeting data in your account, and generating search embeddings for your meeting library.

3. Categories of Data Processed

The following categories of personal data may be processed as part of the service:

  • Audio Recordings: Meeting audio captured via file upload or live meeting bot.
  • Transcripts: Text transcriptions generated from audio recordings.
  • Participant Names: Names of meeting participants as identified in transcripts and calendar events.
  • Email Addresses: Participant email addresses from calendar integrations and meeting metadata.
  • Meeting Metadata: Meeting titles, dates, times, durations, conferencing links, and organizer information.
  • AI-Generated Content: Summaries, action items, decisions, and other analysis output derived from meeting content.

4. Sub-Processors

We engage the following sub-processors to deliver the service. Each sub-processor processes data only as necessary for its specific function:

  • AssemblyAI (US): Audio transcription. Audio is processed per-request and not retained after transcription is complete.
  • Google Gemini (US): AI analysis of transcripts for summaries, action items, and insights. Transcript text is processed per-request and not used for model training.
  • Attendee.dev (US): Meeting bot service. Receives meeting link, time, and title to schedule recording bots. Does not retain meeting data after processing.
  • Supabase (US/EU): Database and file storage infrastructure. Data stored in SOC 2 compliant data centers with row-level security isolation.
  • Paddle (UK): Merchant of Record for billing and payment processing. Handles invoices, subscriptions, and refunds. Does not access meeting content.
  • Vercel (US): Application hosting infrastructure. SOC 2 compliant. Processes requests in transit only; does not store meeting content.

5. Security Measures

We implement the following technical and organizational measures to protect personal data:

  • Encryption at Rest: All stored data is encrypted using AES-256 encryption, including audio files, transcripts, and database records.
  • Encryption in Transit: All data transfers use TLS 1.3 encryption, including API communications with sub-processors.
  • Database Isolation: Row-Level Security (RLS) policies ensure users can only access their own data. No cross-tenant data access is possible.
  • Webhook Verification: All incoming webhooks are verified using HMAC signature verification to prevent unauthorized data injection.
  • Access Controls: Administrative access is restricted to authorized personnel only. API keys and secrets are managed via environment variables and never stored in code.
  • Regular Audits: Security practices are reviewed regularly. Infrastructure providers (Supabase, Vercel) maintain SOC 2 compliance.

6. Data Subject Rights

We support your obligations to respond to data subject requests under applicable data protection laws:

  • Right to Access: Data subjects can request a copy of their personal data. Controllers can export all meeting data via Settings > Data & Privacy > Export Data.
  • Right to Deletion: Data subjects can request deletion of their personal data. Controllers can delete individual meetings or their entire account via Settings > Data & Privacy.
  • Right to Rectification: Personal information can be updated via Profile settings. Meeting content can be edited or re-processed.
  • Right to Portability: All data can be exported in machine-readable JSON format via the dashboard export function.

7. Data Retention

Retention Periods

Data retention follows the terms set out in our Privacy Policy. Meeting recordings and transcripts are retained for the duration of the Controller's subscription or until deleted by the Controller. Free tier data is retained for 7 days. Usage logs are retained for 12 months for billing and audit purposes.

Deletion on Termination

Upon termination of the service agreement, all personal data processed on behalf of the Controller will be deleted within 30 days, unless retention is required by law.

See our Privacy Policy for full retention details.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. International Transfers

Personal data may be transferred to and processed in the United States and the United Kingdom, where our sub-processors operate. We ensure that appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) where required by applicable law.

10. Controller Obligations

The Controller is responsible for: ensuring a lawful basis for processing personal data (including obtaining consent from meeting participants where required), providing notice to data subjects about the processing, ensuring that any instructions given to the Processor comply with applicable data protection laws, and responding to data subject requests.

11. Governing Law

This Data Processing Agreement is governed by the laws of the Sultanate of Oman, consistent with the governing law of the ReMinutes Terms of Service. Any disputes arising from this Agreement shall be resolved in the courts of Oman.

12. Contact

For questions about this Data Processing Agreement or to request a signed copy, please contact us at: hello@reminutes.com

Data Processing Agreement (DPA) | ReMinutes