Direkt zum Inhalt

ElevenLabs Data Processing Addendum

1. Definitions and Interpretation

Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

“Applicable Data Protection Laws” means any applicable privacy or data protection legislation or regulations, including but not limited to European Data Protection Laws, and the California Consumer Privacy Act, as amended by the California Privacy Rights Act and its implementing regulations as amended or superseded from time to time (“CCPA”) as well as similar laws adopted in other states. In the event of a conflict in the meanings of defined terms in the Applicable Data Protection Laws, the meaning from the law applicable to the region of residence of the relevant Data Subject applies;

“Controller” shall be interpreted consistent with Applicable Data Protection Laws and includes, at a minimum and where applicable “controller” as that term is defined under European Data Protection Laws and Applicable Data Protection Laws in the U.S. and “business” as the term is defined under the CCPA;

"Customer Personal Data" means any Personal Data Processed by ElevenLabs as a Processor on behalf of Customer or Third-Party Controller pursuant to the Agreement;

“Data Subject” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable “data subject” as that term is defined under European Data Protection Laws and “consumer” as the term is defined under the CCPA and Applicable Data Protection Laws in the U.S.;

“Data Subject Rights” means all rights granted to Data Subjects under Applicable Data Protection Laws, which may include, as applicable, rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Applicable Data Protection Laws;

"Data Transfer" means a disclosure of Customer Personal Data by an organization subject to European Data Protection Laws to another organization located outside the EEA, the UK, or Switzerland;

"DPA" means this Data Processing Agreement;

"EEA" means the European Economic Area;

"European Data Protection Laws" means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the EEA, including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”), and Switzerland, each as applicable, and as may be amended or replaced from time to time;

“EU-US Data Privacy Framework” means the adequacy decision laid down in the Commission Implementing Decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745 final;

“Personal Data” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable “personal data” as that term is defined under European Data Protection Laws and “personal information” as the term is defined under the CCPA;

“Process” and “Processing” shall be interpreted consistent with Applicable Data Protection Laws;

“Processor” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable a “processor” as the term is defined under European Data Protection Laws and “service provider” or “contractor” as those terms are defined under the CCPA;

“SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;

"Services" means the services provided by ElevenLabs to the Customer under the Agreement.

"Subprocessor" means any person appointed by ElevenLabs to Process Personal Data on behalf of the Customer in connection with the Agreement;

"Data Transfer" means a disclosure of Customer Personal Data by an organization subject to European Data Protection Laws to another organization located outside the EEA, the UK, or Switzerland;

“Third-Party Controller” means a Controller for which the Customer is a Processor; and

“UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).

The terms, "Commission""Member State""Personal Data Breach"and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

The terms, “Business Purpose”“Share”, and “Shared” shall have the same meaning given to them under the CCPA. The terms “Sell” and “Selling” shall have the meaning defined in Applicable Data Protection Laws in the U.S.


2. Scope
2.1 This DPA applies to the Processing of Customer Personal Data by ElevenLabs.The subject matter, nature and purposes of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.

2.2 Customer is a Controller of Customer Personal Data and appoints ElevenLabs as a Processor of such data. Customer is responsible for compliance with the requirements of Applicable Data Protection Laws applicable to Controllers. In particular, and where applicable, Customer acknowledges and agrees that it will provide notice to Data Subjects about the Processing of Personal Data by ElevenLabs as described in this DPA, and obtain Data Subjects’ consent to such Processing by ElevenLabs as necessary to comply with Applicable Data Protection Law. ElevenLabs shall comply with the obligations of Applicable Data Protection Laws and, as applicable, shall provide the level of privacy protection to Customer Personal Data required by such Applicable Data Protection Laws.

2.3 If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for ElevenLabs; must obtain all necessary authorizations from such Third-Party Controller; will ensure that the Third Party Controller provided notice and obtained any consents necessary for Processing by ElevenLabs as set forth in section 2.2; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.

3. Processing of Customer Personal Data
3.1 ElevenLabs shall not Process Customer Personal Data other than on the relevant Customer’s documented instructions.

3.2 The Customer’s instructions are documented in this DPA, the Agreement, and any applicable statement of work, and ElevenLabs shall process Customer Personal Data for the limited and specific purposes of carrying out these documented instructions or as otherwise expressly permitted by Applicable Data Protection Laws. Where permitted by Applicable Data Protection Laws, Customer has the right to take reasonable and appropriate steps to ensure that ElevenLabs uses Customer Personal Data consistent with Customer’s obligations under Applicable Data Protection Laws.

3.3 Solely for the purposes of the CCPA, and except as expressly permitted by the CCPA, ElevenLabs is prohibited from: (i) Selling or Sharing Customer Personal Data, (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the Services, (iii) retaining using, or disclosing Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under the CCPA. The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.

3.4 Unless prohibited by applicable law, ElevenLabs will inform Customer if ElevenLabs is subject to a legal obligation that requires ElevenLabs to Process Customer Personal Data in contravention of Customer’s documented instructions.

4. Personnel
ElevenLabs shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and ensuring that all such individuals are subject to contractual confidentiality obligations or professional or statutory obligations of confidentiality.

5. Security
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ElevenLabs shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures listed in Annex II.

5.2 In assessing the appropriate level of security, ElevenLabs shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

6. Subprocessing
6.1. Customer hereby authorizes ElevenLabs to engage Subprocessors. A list of ElevenLab’s current Subprocessors is included at https://compliance.elevenlabs.io.

6.2. ElevenLabs will enter into a written agreement with Subprocessors which imposes the same obligations as required by Applicable Data Protection Laws.

6.3. ElevenLabs will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor by providing written notice detailing the grounds of such objection within thirty (30) days following ElevenLabs’ notification of the intended change. Customer and ElevenLabs will work together in good faith to address Customer’s objection. If ElevenLabs chooses to retain the Subprocessor, ElevenLabs will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services, as applicable, and may terminate the relevant parts of the Services within thirty (30) days.

7. Data Subject Rights
7.1 Taking into account the nature of the Processing and the information available to ElevenLabs, ElevenLabs shall assist the Customer by implementing appropriate technical and organisational measures, as appropriate, for the fulfillment of the Customer’s obligations to respond to requests to exercise Data Subject Rights.

7.2 ElevenLabs shall:

  • 7.2.1 promptly notify Customer if it receives a request from a Data Subject under any Applicable Data Protection Laws in respect of Customer Personal Data; and
  • 7.2.2 ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws.

8. Personal Data Breach
8.1 ElevenLabs shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.

8.2 ElevenLabs shall co-operate with the Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation
ElevenLabs shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to ElevenLabs.

10. Deletion or Return of Customer Personal Data
10.1. This DPA is terminated upon the termination of the Agreement.

10.2. The Customer may request return of Customer Personal Data in ElevenLabs’ or ElevenLabs’ Subprocessors’ possession up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, ElevenLabs will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer. ElevenLabs may retain Customer Personal Data to the extent required by applicable law but only to the extent and for such period as required by such law and always provided that ElevenLabs shall ensure the confidentiality of all such Customer Personal Data.

11. Audit rights and Compliance
11.1 Subject to this Section 11, and upon reasonable request of Customer, ElevenLabs shall make available to the Customer on request all information and documentation necessary to demonstrate compliance with this Agreement. Where permitted by law, ElevenLabs may instead make available to Customer a summary of the results of a third-party audit or certification reports relevant to ElevenLabs' compliance with this DPA.