Data Processing Addendum
Last updated: May 25, 2026
1. Purpose
This Data Processing Addendum ("DPA") forms part of the agreement between SpeakerRealm LLC d/b/a BookRealm ("Processor") and the Customer ("Controller") and applies whenever BookRealm processes Personal Data on the Controller's behalf. It is intended to satisfy Article 28 GDPR, the UK GDPR, and CCPA/CPRA service-provider requirements.
2. Roles
For all Customer Content, the Customer is the Controller and BookRealm is the Processor. For account-level data necessary to operate the service (billing, authentication, security logs), BookRealm acts as an independent Controller.
3. Scope and duration
BookRealm processes Personal Data for the duration of the Customer's subscription and until deletion is complete. Categories of data subjects include the Customer, invited family members, voice contributors, and designated recipients. Categories of Personal Data are described in the Privacy Policy.
4. Sub-processors
The Customer authorizes the sub-processors listed below. BookRealm will give at least 30 days' notice of any addition or replacement and offer the Customer a reasonable opportunity to object.
- Supabase Inc. — database and storage (US)
- Cloudflare Inc. — application hosting and CDN (global edge)
- Stripe Inc. — payments (US)
- Resend Inc. — transactional email (US)
- ElevenLabs Inc. — voice cloning and synthesis (US)
- OpenAI L.L.C. and Google LLC — LLM inference via gateway (US)
5. Security measures
- TLS in transit
- AES-256 at rest
- Row-Level Security on all user-scoped tables
- Least-privilege service-role separation
- Audit logging on privileged actions
- Secrets stored in a managed vault
- Principle of least privilege on staff access
- Vendor SOC 2 review
6. International transfers
For transfers from the EEA, UK, or Switzerland to the United States, the parties incorporate the EU Standard Contractual Clauses (Module 2) and, where applicable, the UK International Data Transfer Addendum.
7. Data subject requests
BookRealm will assist the Controller in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection, and biometric consent withdrawal) within the timelines required by applicable law.
8. Breach notification
BookRealm will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting the Controller's data.
9. Audit
BookRealm will make available all information necessary to demonstrate compliance with this DPA and allow for audits, conducted by the Controller or a mutually agreed auditor, no more than once per year and subject to reasonable confidentiality and notice obligations.
10. Deletion
On termination, BookRealm will delete or return all Personal Data within 30 days, except where retention is required by law. Backups are purged within 30 additional days.
11. Signing
Enterprise customers requiring a counter-signed copy can request one at hello@everarealm.com.