Data Processing Agreement
Agreement Summary
Data Controller (You)
- Determine processing purposes
- Control data retention periods
- Issue processing instructions
- Responsible for legal compliance
Data Processor (Podbloom)
- Follow your documented instructions
- Implement security measures
- Assist with data subject requests
- Report security incidents
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined by applicable data protection laws.
- Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or destruction.
- Data Subject: The individual to whom personal data relates.
2. Scope and Application
This DPA applies when Podbloom processes personal data on behalf of Customer through:
- Audio transcription and host-read advertisement extraction
- Episode description and show note analysis for sponsor identification
- User analytics and performance tracking
- Content hosting and shareable page generation
- Customer support and platform management
3. Data Controller and Processor Roles
3.1 Customer as Data Controller
Customer determines:
- Purposes and means of processing personal data
- Categories of data subjects and personal data
- Duration of processing and retention periods
- Instructions for data handling and deletion
- Whether to enable audio transcription, description analysis, or both
3.2 Podbloom as Data Processor
Podbloom processes personal data solely:
- According to Customer's documented instructions
- As necessary to provide the contracted services
- In compliance with applicable data protection laws
- With appropriate technical and organizational measures
4. Categories of Data and Data Subjects
| Data Category | Source | Purpose | Retention |
|---|---|---|---|
| Audio Content | Podcast audio files | Transcription and host-read advertisement extraction | Temporary (deleted after processing) + 90 days for transcripts |
| Episode Descriptions | RSS feed episode descriptions and show notes | Text-based advertisement and sponsor extraction | While account active + 1 year |
| Listener Analytics | Shareable page interactions | Performance tracking and engagement metrics | 2 years (aggregated) |
| Content Metadata | RSS feeds, episode data, and user uploads | Content organization and categorization | While account active + 1 year |
| User Account Data | Registration and profile information | Account management and service provision | While account active + 7 years |
4.2 Data Subjects
- Podcast hosts and guests (voice data and mentions in descriptions)
- Podcast listeners (analytics data)
- Customer account users (account data)
- Sponsors and advertisers (mentioned in content and descriptions)
5. Processing Activities
5.1 Audio Content Processing
- Audio Transcription: Convert podcast audio to text using automated transcription services
- Host-Read Ad Extraction: Identify sponsor mentions and advertisements from audio transcripts
- Speaker Identification: Recognize and catalog speaker voices and mentions
5.2 Text Content Processing
- RSS Description Analysis: Extract sponsor information from episode descriptions and show notes
- Text-Based Ad Recognition: Identify promotional content, sponsor mentions, and call-to-action elements
- Content Categorization: Organize and structure extracted advertisement information
5.3 Combined Processing
- Multi-Source Analysis: Combine data from both audio transcripts and episode descriptions for comprehensive advertisement extraction
- Content Enhancement: Cross-reference and validate sponsor information across multiple sources
- Data Deduplication: Remove duplicate sponsor mentions found in both audio and text sources
5.4 Analytics and Reporting
- Performance Tracking: Monitor click rates, engagement, and conversion metrics
- Audience Analytics: Aggregate demographic and behavioral insights
- Reporting: Generate performance reports and data exports
6. Data Security Measures
6.1 Technical Safeguards
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication
- Infrastructure: SOC 2 compliant cloud infrastructure
- Monitoring: 24/7 security monitoring and threat detection
- Data Minimization: Audio files temporarily stored only during transcription processing
6.2 Organizational Measures
- Staff Training: Regular data protection training for all personnel
- Access Policies: Strict need-to-know access principles
- Background Checks: Security screening for personnel with data access
- Incident Response: Documented procedures for security breaches
7. Data Subject Rights
Podbloom will assist Customer in responding to data subject requests:
7.1 Individual Rights Support
- Access: Provide copies of personal data
- Rectification: Correct inaccurate personal data
- Erasure: Delete personal data when required
- Portability: Export data in machine-readable format
- Objection: Stop processing for specific purposes
7.2 Response Timeframe
- Acknowledge requests within 48 hours
- Provide assistance within 10 business days
- Implement corrections within 5 business days
8. Subprocessors
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Cloud Platform | Data storage and processing infrastructure | Global (with data residency controls) | Standard Contractual Clauses, SOC 2 Type II |
| OpenAI/Similar AI Providers | Content analysis and advertisement extraction from text and transcripts | United States | Data Processing Addendum, Encryption |
| Transcription Services (AssemblyAI/Similar) | Audio-to-text conversion for host-read advertisement extraction | United States | Data Processing Agreement, SOC 2 Compliance |
| Stripe | Payment processing and subscription management | Global | PCI DSS Compliance, Privacy Shield successor |
8.2 Subprocessor Management
- All subprocessors must meet equivalent data protection standards
- Customer will be notified of subprocessor changes with 30 days' notice
- Customer may object to new subprocessors within the notice period
9. Data Transfers
9.1 International Transfers
Data may be transferred outside the Customer's jurisdiction with appropriate safeguards:
- Adequacy Decisions: To countries with adequate data protection
- Standard Contractual Clauses: EU-approved contract terms
- Certification Programs: Privacy Shield successors or equivalent frameworks
9.2 Transfer Safeguards
- Encryption during all transfers
- Access logging and monitoring
- Regular compliance audits
10. Data Retention and Deletion
10.1 Retention Periods
- Active Customer Data: Retained while subscription is active
- Audio Files: Temporarily stored during transcription processing, then securely deleted within 24 hours
- Transcripts: Retained for 90 days after processing completion
- Episode Descriptions: Retained while account is active plus 1 year
- Terminated Accounts: All data deleted within 90 days of termination
- Legal Compliance: Extended retention only as required by law
- Backup Data: Securely deleted from backups within 6 months
10.2 Deletion Procedures
- Secure deletion using industry-standard methods
- Verification of complete data removal
- Certificate of destruction available upon request
11. Audits and Compliance
11.1 Audit Rights
Customer may:
- Request compliance documentation
- Conduct on-site audits with reasonable notice
- Engage third-party auditors (at Customer's expense)
- Review security certifications and assessments
11.2 Compliance Reporting
Podbloom provides:
- Annual compliance reports
- Security certification updates
- Incident notifications within 24 hours
- Regular vulnerability assessments
12. Data Breach Notification
12.1 Incident Response
Upon discovering a personal data breach, Podbloom will:
- Immediate Assessment: Evaluate scope and impact within 4 hours
- Customer Notification: Notify Customer within 24 hours
- Documentation: Provide detailed incident report
- Remediation: Implement corrective measures immediately
12.2 Notification Details
Breach notifications will include:
- Nature and scope of the breach
- Categories and number of affected data subjects
- Likely consequences and potential impact
- Measures taken to address the breach
- Recommendations for Customer actions
13. Liability and Indemnification
13.1 Processor Liability
Podbloom is liable for damages only when:
- Acting outside or contrary to Customer instructions
- Failing to comply with data protection obligations
- Acting beyond the scope of this DPA
13.2 Mutual Indemnification
Each party indemnifies the other for:
- Violations of data protection laws within their control
- Unauthorized disclosure of personal data
- Failure to implement required security measures
14. Term and Termination
14.1 Term
This DPA remains in effect while Podbloom processes personal data on Customer's behalf.
14.2 Termination Effects
Upon termination:
- All personal data will be deleted or returned as instructed
- Subprocessor agreements will be terminated
- Confidentiality obligations survive termination
15. Contact Information
- Email: support@podbloom.co
16. Governing Law
This DPA is governed by the same law as the main Terms and Conditions, with data protection laws taking precedence for data processing matters.
This Data Processing Agreement ensures comprehensive protection for personal data processed through the Podbloom platform while enabling the innovative features that make your podcast sponsorships more effective through both audio and text-based content analysis.