GDPR processor terms.
For customers in the EEA, UK, and Switzerland that need a signed processor-controller addendum. Cover sheet below; full executed copy on request.
Subject matter and duration
Acorn processes personal data submitted as part of transcription, embedding, or generation jobs for the duration of the agreement and any post-termination retention period required by law.
Nature and purpose
Storage, transmission, transcription, embedding, generation, and deletion of Customer Data submitted via the Acorn API; account administration; billing.
Types of personal data
As determined by Customer. May include audio recordings of identifiable speakers, transcribed text, document content, prompts, and any personal data the Customer chooses to include.
Data subjects
End users, customers, employees, and other individuals whose personal data Customer submits to Acorn.
Security measures
Per the Security page: HTTPS in transit, audio sharding, sandboxed worker execution, hashed credentials, passkey-only admin auth, signed webhooks, regional pinning on request.
Sub-processor changes
Acorn maintains a current list at /subprocessors. At least 30 days notice before a new sub-processor begins handling Customer Data.
International transfers
Where Customer Data is transferred from the EEA, UK, or Switzerland to a third country, Acorn relies on the EU Standard Contractual Clauses (Commission Decision 2021/914) plus, where applicable, the UK IDTA and Swiss FDPIC adequacy.
Request the executable DPA.
Email legal@acorncompute.com with your legal entity name and signing-authority contact. PDF returned within one business day.