Data Processing Addendum
Effective May 17, 2026
This Data Processing Addendum (“DPA”) supplements the Terms of Service between CrazySound (the processor) and the business customer identified in the order or account billing record (“Customer,” the controller) when the Customer's use of the Service involves the processing of Personal Data subject to the EU General Data Protection Regulation (GDPR), UK GDPR, Swiss Federal Act on Data Protection (FADP), Brazilian LGPD, or similar laws.
If your organization requires a signed copy of this DPA on paper, email legal@crazysound.ai with your company name, billing address, and a contact for execution.
1. Definitions
Capitalized terms have the meanings given in the GDPR. “Customer Personal Data” means Personal Data contained in Customer Content (as defined in the Terms) that the Customer submits to the Service.
2. Roles and scope
With respect to Customer Personal Data, the Customer is the Controller and CrazySound is the Processor. CrazySound processes Customer Personal Data only on documented instructions from the Customer, which instructions are the Terms of Service and this DPA, unless required by EU/UK/Swiss law (in which case CrazySound will notify the Customer before processing unless the law prohibits notice).
3. Subject matter, duration, nature, purpose
- Subject matter: Processing of Customer Personal Data to provide the CrazySound audio generation Service.
- Duration: For the term of the Customer's account, plus the retention periods described in our Privacy Policy.
- Nature and purpose: Storage, hosting, transmission to AI subprocessors for generation, and delivery of Outputs back to the Customer.
- Categories of Data Subjects: The Customer's end users, employees, and any individuals named or referenced in Customer Content.
- Categories of Personal Data: As determined by the Customer. Typically business names, contact details, prompt text, generated scripts, and metadata. The Customer should not submit Special Categories of Personal Data unless strictly necessary.
4. Confidentiality
CrazySound ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory).
5. Security
CrazySound implements and maintains appropriate technical and organizational measures to protect Customer Personal Data, as described on our Security page. These measures are reviewed periodically and updated to address new threats.
6. Subprocessors
The Customer grants CrazySound a general authorization to engage subprocessors. CrazySound's current production subprocessors are listed in our Privacy Policy, Section 5. CrazySound will:
- Enter into a written agreement with each subprocessor imposing data-protection obligations no less protective than those in this DPA.
- Remain liable for the acts and omissions of subprocessors.
- Notify the Customer at least 30 days in advance of adding or replacing a subprocessor (subscribe to subprocessor-updates@crazysound.ai to receive notices). The Customer may object on reasonable grounds within 14 days; if the objection cannot be resolved, the Customer may terminate the affected Service at the next renewal without penalty. Past payments are non-refundable consistent with Section 3.1 of the Terms of Service.
7. Assistance with Data Subject requests
Considering the nature of the processing, CrazySound will assist the Customer through appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligations to respond to requests from Data Subjects exercising their rights under the GDPR. Standard requests (access, deletion, portability) can be handled by the Customer directly through the account dashboard. For non-standard requests, contact privacy@crazysound.ai.
8. Personal Data breach
CrazySound will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
9. Data Protection Impact Assessments
CrazySound will provide reasonable assistance to the Customer with any required Data Protection Impact Assessments and consultations with supervisory authorities, taking into account the nature of the processing and the information available to CrazySound.
10. Return and deletion
Upon termination of the Customer's account, CrazySound will delete or return Customer Personal Data within the timeframes described in our Privacy Policy, Section 7, unless retention is required by applicable law (in which case the data will be isolated and protected from further processing).
11. Audits
CrazySound will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer may, no more than once per year and on reasonable advance notice, conduct an audit limited to information relevant to the Customer's use of the Service. To minimize disruption, audits will first rely on CrazySound's most recent third-party attestations (e.g., SOC 2, ISO 27001) and security documentation; an on-site audit will only proceed if those materials are insufficient. The Customer bears the cost of any audit; CrazySound bears the cost of remediating any material non-compliance identified.
12. International transfers
Where the processing of Customer Personal Data involves transfers from the EEA, UK, or Switzerland to a country not deemed adequate by the European Commission, the parties incorporate the EU Standard Contractual Clauses adopted in Commission Implementing Decision (EU) 2021/914 (the “SCCs”) by reference. The relevant modules and selections are:
- Module Two (Controller to Processor) where the Customer is the Controller.
- Module Three (Processor to Processor) where the Customer is itself a Processor for an upstream Controller.
- Clause 7 (docking clause) is included.
- Clause 9: Option 2 (general written authorization), notice period 30 days as in Section 6.
- Clause 11: independent dispute resolution body, option (a) is not selected.
- Clause 17: Governing law is the law of Ireland.
- Clause 18: Forum is the courts of Ireland.
- Annex I.A (List of Parties): the parties to this DPA.
- Annex I.B (Description of Transfer): as in Section 3 above.
- Annex II (Technical and Organizational Measures): as described on the Security page.
- Annex III (Subprocessors): as in our Privacy Policy Section 5.
For UK transfers the parties incorporate the UK International Data Transfer Addendum to the SCCs, version B1.0. For Swiss transfers the SCCs are deemed amended in accordance with FDPIC guidance.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service, except that nothing in the Terms or this DPA limits either party's liability to a Data Subject under applicable data-protection law.
14. Conflict
In case of conflict between the Terms of Service and this DPA, this DPA prevails to the extent of the conflict on data-protection matters. Where the SCCs are incorporated by reference, the SCCs prevail over conflicting provisions of this DPA.
15. Term
This DPA enters into effect on the date the Customer first becomes a paid customer of CrazySound and remains in effect until the termination of the Customer's account, plus any survival period required to complete deletion or return of Customer Personal Data.
16. Contact
Privacy and DPA inquiries: privacy@crazysound.ai. Signed-DPA requests: legal@crazysound.ai.