Data Processing Agreement
MLALab.ai acts as a data processor on behalf of our users (data controllers) under GDPR Article 28. This page outlines our data processing practices and sub-processor list.
Processing Purposes
- Video transcription (speech-to-text)
- Text translation (multi-language)
- Text-to-speech synthesis
- AI content auditing
- Payment processing
- Transactional email communication
Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Cloud Database Provider | Database, Authentication, File Storage | All user data | US / EU |
| Frontend Hosting Provider | Web application hosting | Frontend requests, logs | Global CDN |
| Backend Hosting Provider | API hosting | API requests, logs | US |
| Payment Processor | Payment processing | Email, payment info | US |
| AI Transcription Provider | Speech-to-text, AI auditing | Audio/text (ephemeral) | US |
| Translation & TTS Provider | Translation, text-to-speech | Text content (ephemeral) | US |
| Premium TTS Provider | Premium voice synthesis | Text content (ephemeral) | US / EU |
| Email Service Provider | Transactional email | User email addresses | US |
| DNS & CDN Provider | DNS, DDoS protection | Traffic metadata | Global |
Sub-processor names are available upon request for customers with active DPAs. Contact privacy@mlalab.ai.
Data Retention
- Account data: Retained until account deletion request (7-day grace period, then permanent deletion)
- Project data: Retained until user deletes project or account
- AI processing data: Ephemeral — not retained by AI providers after processing
- Payment data: Retained per PCI DSS and tax requirements
- Audit logs: 1 year (anonymized on account deletion)
Breach Notification
In the event of a personal data breach, we will notify affected data controllers within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
Technical & Organizational Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control with principle of least privilege
- SOC 2-certified infrastructure providers
- Structured audit logging of all data access
- Automated dependency vulnerability scanning
- 24-hour session expiry with 15-minute idle timeout
- Rate limiting on all API endpoints
Request a DPA
Enterprise customers requiring a signed Data Processing Agreement can contact us at privacy@mlalab.ai. We will provide a customized DPA including Standard Contractual Clauses (SCCs) for international data transfers.
Last updated: March 10, 2026