Taia Translations Ltd
Version 2.0 · To be read with the Terms & Conditions and Privacy Policy
This Data Processing Agreement (the “DPA”) forms part of, and is governed by, the Terms and Conditions (the “Terms”) between Taia Translations Ltd (“Taia” or the “Processor”) and the customer identified in the Terms or in any Order Form (the “Customer” or the “Controller”). It sets out the terms on which Taia processes Personal Data on behalf of the Customer in the course of providing the Services.
This DPA is incorporated into the Terms by reference and is binding on every Customer who accepts the Terms. Where a Customer’s procurement process requires a separately signed copy, a signable version is available on request from legal@taia.io; the terms of that signed copy are identical to those set out here.
Where there is a conflict between this DPA and the Terms in relation to the processing of Personal Data, this DPA shall prevail.
Capitalised terms not defined in this DPA have the meanings given in the Terms. In addition:
“Applicable Data Protection Law” means the UK General Data Protection Regulation, the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK Data Protection Act 2018 and any other data protection or privacy laws applicable to the processing of Personal Data under this DPA.
“Customer Personal Data” means any Personal Data contained within the Customer Content or otherwise processed by Taia on behalf of the Customer in the course of providing the Services.
“Data Subject” has the meaning given in Applicable Data Protection Law.
“Personal Data”, “processing”, “controller” and “processor” have the meanings given in Applicable Data Protection Law.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
“Restricted Transfer” means a transfer of Personal Data from the United Kingdom, the European Economic Area or Switzerland to any country not subject to an adequacy decision under Applicable Data Protection Law.
“Standard Contractual Clauses” or “SCCs” means (a) the standard contractual clauses approved by the European Commission in its Decision (EU) 2021/914 (the “EU SCCs”); and (b) the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner (the “UK Addendum”).
“Sub-processor” has the meaning given in the Terms. A current, named list is maintained at /legal/sub-processors.
2.1 Roles. The Parties acknowledge that, for the purposes of Applicable Data Protection Law, the Customer is the controller of Customer Personal Data and Taia is the processor.
2.2 Subject matter and details. The subject matter, nature, purpose, duration of processing, types of Personal Data and categories of Data Subjects are described in Schedule 1.
2.3 Customer instructions. Taia shall process Customer Personal Data only on documented instructions from the Customer, including the instructions set out in this DPA, in the Terms, and in the Customer’s use of the Services. Taia will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
2.4 Customer responsibilities. The Customer warrants that:
(a) it has obtained all consents and provided all notices required under Applicable Data Protection Law for Taia to process Customer Personal Data as contemplated by this DPA and the Terms;
(b) its instructions to Taia comply with Applicable Data Protection Law; and
(c) the Customer Content does not include any “special category” Personal Data under Article 9 of the UK or EU GDPR (such as health, biometric or political data) unless the Customer has expressly notified Taia in writing and the Parties have agreed any additional safeguards required.
2.5 Legal disclosures. If Taia is required by law to process Customer Personal Data other than on the Customer’s instructions, Taia shall inform the Customer of that legal requirement before processing, unless that law prohibits such notification.
3.1 Taia shall ensure that all personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality, whether contractual or statutory.
3.2 Taia shall limit access to Customer Personal Data to personnel who need such access to perform their duties in connection with the Services.
4.1 Taia shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with processing Customer Personal Data. The measures currently in place are summarised in Schedule 2.
4.2 Taia regularly reviews its security measures and may update Schedule 2 from time to time, provided that the overall level of security shall not be materially reduced.
5.1 Authorisation. The Customer provides general authorisation to Taia to engage Sub-processors to assist with the provision of the Services. The current list of Sub-processors is maintained at /legal/sub-processors.
5.2 Sub-processor obligations. Taia shall:
(a) enter into a written agreement with each Sub-processor that imposes data protection obligations no less onerous than those imposed on Taia under this DPA;
(b) remain liable to the Customer for the acts and omissions of its Sub-processors in respect of Customer Personal Data; and
(c) only share with each Sub-processor the Customer Personal Data necessary for that Sub-processor to perform its role.
5.3 Changes. Taia shall give the Customer at least thirty (30) days’ prior notice of any intended addition or replacement of a Sub-processor that performs a fundamentally new processing activity, by updating the published list. The Customer may subscribe to notifications of such changes.
5.4 Objection. The Customer may object to a new Sub-processor on reasonable data protection grounds within fifteen (15) days of notice being given. If the objection cannot be resolved by the Parties in good faith, the Customer’s sole remedy is to terminate the affected Services with effect from the date Taia first uses the new Sub-processor, with a pro-rata refund of any prepaid Fees relating to the period after termination.
6.1 Taia shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
6.2 If Taia receives a request directly from a Data Subject in relation to Customer Personal Data, Taia shall not respond to that request (except to acknowledge receipt and to direct the Data Subject to the Customer) and shall promptly forward the request to the Customer.
7.1 Taia shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
7.2 Such notification shall, to the extent reasonably available at the time, include:
(a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
(b) the likely consequences of the breach;
(c) the measures taken or proposed to address the breach and mitigate its effects; and
(d) the contact point at Taia from whom further information can be obtained.
7.3 Taia shall provide reasonable cooperation and assistance to the Customer in the Customer’s compliance with its own breach notification obligations under Applicable Data Protection Law.
8.1 Taia shall provide reasonable assistance to the Customer, at the Customer’s reasonable expense, in connection with any data protection impact assessment or prior consultation with a supervisory authority that the Customer is required to carry out under Applicable Data Protection Law in respect of the Customer’s use of the Services.
9.1 Taia primarily processes Customer Personal Data within the United Kingdom and the European Economic Area. Production infrastructure is operated exclusively on Amazon Web Services in the AWS Europe (Ireland) region, and no production data leaves the AWS network. Where any transfer of Customer Personal Data outside the United Kingdom or the European Economic Area is required for the provision of the Services and amounts to a Restricted Transfer:
(a) the Parties shall be deemed to have entered into the Standard Contractual Clauses, with the Customer as data exporter and Taia (or the relevant Sub-processor) as data importer, in respect of that Restricted Transfer;
(b) the EU SCCs shall apply to transfers subject to EU GDPR, with Module Two (controller to processor) selected, optional clauses on instructions and audits included, and a docking clause included;
(c) the UK Addendum shall apply to transfers subject to UK GDPR; and
(d) Taia shall implement supplementary measures where necessary to ensure an essentially equivalent level of protection.
9.2 In the case of large language model providers used to power Advanced AI features, Taia shall in addition ensure that contractual terms with each provider prohibit the use of Customer Personal Data for model training and require deletion of submitted content after processing, save for time-limited retention strictly necessary for service operation.
10.1 Taia shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including (where available) third-party audit reports and security certifications.
10.2 The Customer may, no more than once in any twelve (12) month period and on at least thirty (30) days’ prior written notice, request an audit of Taia’s compliance with this DPA. Such audit shall be:
(a) conducted during normal business hours and in a manner that does not unreasonably disrupt Taia’s operations;
(b) conducted by the Customer or by an independent qualified auditor mutually agreed by the Parties and subject to confidentiality obligations;
(c) limited to information and systems necessary to verify compliance with this DPA, and shall not extend to other customers’ data or to Taia’s general commercial information; and
(d) at the Customer’s expense, save where the audit reveals a material breach of this DPA by Taia, in which case Taia shall bear the reasonable costs of the audit.
10.3 Taia may satisfy its obligations under this clause 10 by providing relevant third-party certifications or audit reports where these address the matters the Customer wishes to audit.
11.1 On termination of the Services, the Customer may, within thirty (30) days, export its Customer Content (including Customer Personal Data) from the Platform using the export functionality provided.
11.2 At the end of that thirty (30) day window, Taia shall delete all Customer Personal Data from its production systems, save that:
(a) Taia may retain copies in routine system backups, which shall remain subject to the obligations of this DPA until overwritten in the ordinary course;
(b) Taia may retain Customer Personal Data to the extent required by Applicable Data Protection Law or other applicable law; and
(c) Taia shall retain any aggregated, de-identified statistical and operational data derived from the use of the Services, which shall no longer constitute Personal Data.
11.3 On request, Taia shall provide written confirmation of deletion.
12.1 The liability of each Party under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Terms.
13.1 This DPA shall take effect on the same date as the Terms and shall continue in force for so long as Taia processes Customer Personal Data on behalf of the Customer.
13.2 The obligations in this DPA shall survive termination of the Services to the extent necessary to give effect to any provision of this DPA that expressly or by implication is intended to survive.
14.1 Conflict. In the event of any conflict between this DPA and the Terms in relation to the processing of Personal Data, this DPA shall prevail.
14.2 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
14.3 Governing law. This DPA shall be governed by the law of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction over any dispute arising under it.
Subject matter. The provision of the Services described in the Terms, including AI Translation, the Translation Studio, and Professional Services.
Duration of processing. For the duration of the Customer’s Subscription and any post-termination period during which Customer Personal Data is retained in accordance with clause 11.
Nature and purpose of processing. Processing for the purpose of translating Customer Content from one language into another, including ancillary operations such as storage, indexing, alignment, terminology extraction, and quality assurance, and supporting operations such as user authentication, billing and customer support.
Types of Personal Data. Any types of Personal Data that the Customer chooses to include in Customer Content or to provide to Taia in connection with the Services. Typical categories may include:
Special category data (Article 9 GDPR) is not expected to be included unless the Customer has notified Taia in writing in advance.
Categories of Data Subjects. The Data Subjects whose Personal Data may be included in Customer Content, as determined by the Customer. Typical categories include:
Taia maintains the following technical and organisational measures to protect Customer Personal Data. These measures are reviewed periodically and updated as appropriate.
Encryption
Access control
Network and infrastructure security
Application security
Operational measures
Data minimisation
A signable copy of this DPA is available on request from legal@taia.io. For questions about data processing, contact privacy@taia.io or visit taia.io/contact.
Last updated: 18th May 2026