Open Word Real-Time Translation Service
Effective Date: 19th December 2025
This Data Processing Agreement ("DPA") forms part of the agreement for the provision of Open Word services between:
(1) Firmus Technology Ltd, a company registered in Northern Ireland (the "Processor" or "Open Word"); and
(2) The Customer identified in the service agreement (the "Controller").
Open Word provides a real-time transcription and translation service for live events including church services, conferences, and other gatherings. In the course of providing these services, personal data may be inadvertently processed when speakers mention names, personal circumstances, or other identifying information.
This DPA sets out the terms on which Open Word will process personal data on behalf of the Controller in compliance with UK GDPR and the Data Protection Act 2018.
1.1 "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other applicable data protection legislation in the United Kingdom.
1.2 "Personal Data" means any information relating to an identified or identifiable natural person processed by Open Word in connection with the services.
1.3 "Processing" means any operation performed on personal data, including transcription, translation, storage, and transmission.
1.4 "Sub-processor" means any third party engaged by Open Word to process personal data on behalf of the Controller.
1.5 "Services" means the real-time transcription and translation services provided by Open Word.
1.6 Terms such as "data subject", "personal data breach", "processing", and "supervisory authority" shall have the meanings given to them in the Data Protection Laws.
2.1 Open Word shall process personal data only for the purpose of providing the transcription and translation services as instructed by the Controller.
2.2 The subject matter, duration, nature, and purpose of processing, together with the types of personal data and categories of data subjects, are set out in Schedule 1 to this DPA.
2.3 The Controller acknowledges that personal data processed through the Services may include incidental mentions of individuals during live events, including but not limited to names, health information shared in prayer requests, and other personal circumstances.
Open Word shall:
3.1 Process personal data only on documented instructions from the Controller, unless required to do so by law applicable to Open Word.
3.2 Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Take all measures required pursuant to Article 32 of UK GDPR (security of processing).
3.4 Respect the conditions for engaging sub-processors as set out in Clause 5.
3.5 Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to data subject requests.
3.6 Assist the Controller in ensuring compliance with Articles 32 to 36 of UK GDPR, taking into account the nature of processing and the information available to Open Word.
3.7 At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless storage is required by law.
3.8 Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits and inspections.
The Controller shall:
4.1 Ensure there is a lawful basis for the processing of personal data through the Services, which may include legitimate interests or consent as appropriate.
4.2 Provide appropriate notice to data subjects that services may be transcribed and translated, and that personal data mentioned during events may be processed.
4.3 Display clear signage at events indicating that live transcription and translation is in operation.
4.4 Implement reasonable measures to minimise the incidental capture of personal data, including briefing speakers on avoiding unnecessary disclosure of third-party personal information.
4.5 Respond to data subject requests and complaints, with assistance from Open Word where required.
4.6 Notify Open Word promptly of any data subject requests that relate to the Services.
5.1 The Controller provides general authorisation for Open Word to engage sub-processors to perform specific processing activities as set out in Schedule 2.
5.2 Open Word shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller an opportunity to object to such changes.
5.3 Where Open Word engages a sub-processor, it shall impose on that sub-processor data protection obligations equivalent to those set out in this DPA by way of a contract.
5.4 Open Word shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
6.1 Personal data may be transferred to countries outside the United Kingdom in connection with the Services, including to the United States.
6.2 Where personal data is transferred to a country not subject to an adequacy decision, Open Word shall ensure appropriate safeguards are in place, which may include:
(a) Standard Contractual Clauses approved by the UK Information Commissioner;
(b) Certification under the UK-US Data Bridge (where applicable);
(c) Other appropriate safeguards recognised under Data Protection Laws.
6.3 Details of international transfers and applicable safeguards are set out in Schedule 2.
7.1 Open Word shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
(a) Encryption of personal data in transit using TLS 1.2 or higher;
(b) Secure authentication for access to the Services;
(c) Regular security assessments and updates;
(d) Access controls limiting personnel access to personal data;
(e) Secure deletion of personal data in accordance with retention policies.
7.2 Open Word shall regularly test, assess, and evaluate the effectiveness of technical and organisational measures for ensuring the security of processing.
8.1 Open Word shall notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA.
8.2 Such notification shall include, to the extent available:
(a) A description of the nature of the breach including the categories and approximate number of data subjects and personal data records affected;
(b) The name and contact details of a point of contact;
(c) The likely consequences of the breach;
(d) The measures taken or proposed to address the breach.
8.3 Open Word shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any personal data breach.
9.1 Real-time transcription and translation data is processed transiently and is not stored by Open Word beyond the duration necessary to provide the service, unless the Controller configures recording or storage features.
9.2 Where the Controller enables recording or storage features, data shall be retained in accordance with the Controller's configured retention period, after which it shall be automatically deleted.
9.3 Upon termination of the service agreement, Open Word shall delete all personal data within 30 days unless the Controller requests return of the data or retention is required by law.
10.1 Open Word shall assist the Controller in responding to requests from data subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
10.2 If Open Word receives a request from a data subject directly, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions unless required by law.
11.1 Open Word shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
11.2 The Controller may conduct audits of Open Word's processing activities, subject to reasonable notice and during normal business hours.
11.3 Open Word may satisfy audit requirements by providing third-party audit reports, certifications, or other evidence of compliance.
12.1 Each party shall be liable for any damage caused by processing that infringes Data Protection Laws in accordance with the provisions of those laws.
12.2 Nothing in this DPA shall limit or exclude either party's liability for breaches of Data Protection Laws to the extent such limitation or exclusion is not permitted by law.
13.1 This DPA shall remain in effect for the duration of the processing of personal data by Open Word under the service agreement.
13.2 This DPA shall be governed by and construed in accordance with the laws of Northern Ireland.
13.3 In the event of any conflict between this DPA and the service agreement, this DPA shall prevail in respect of data protection matters.
13.4 Amendments to this DPA will be made available on the Open Word website and within the app and Customers will be made aware that this has changed.
13.5 Continued use of the service implies acceptance of the terms and conditions and Data Processing Agreement.
Real-time transcription of spoken audio and translation of transcribed text for live events including church services, conferences, and similar gatherings.
Processing occurs in real-time during live events and continues for the duration of the service agreement. Where recording features are enabled, processing continues until deletion in accordance with the Controller's configured retention period.
The processing involves:
(a) Capturing audio from live events via the Controller's configured input devices;
(b) Converting speech to text using automated speech recognition;
(c) Translating transcribed text into languages selected by the Controller;
(d) Displaying transcribed and translated text to end users in real-time;
(e) Optionally storing recordings and transcripts where enabled by the Controller.
Personal data processed may include:
(a) Names of individuals mentioned during events;
(b) Health information (where shared in prayer requests or pastoral communications);
(c) Family circumstances and relationships;
(d) Religious beliefs and opinions;
(e) Other personal circumstances mentioned during events.
Data subjects may include:
(a) Speakers and presenters at events;
(b) Individuals mentioned by speakers (congregation members, family members, etc.);
(c) Attendees where their contributions are captured.
The processing may involve special category data including religious beliefs, health data, and ethnic origin where such information is mentioned during events. The Controller is responsible for ensuring an appropriate lawful basis exists for such processing.
Open Word uses the following sub-processors in the provision of its services:
| Sub-processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Deepgram Inc. | Speech-to-text transcription | United States | UK-US Data Bridge / SCCs |
| Google LLC | Text translation services | United States / EU | UK-US Data Bridge / Adequacy (EU) |
| Supabase Inc. | Database and authentication services | United States | UK-US Data Bridge / SCCs |
| Render Services Inc. | Backend hosting | United States | UK-US Data Bridge / SCCs |
| Vercel Inc. | Frontend hosting | United States | UK-US Data Bridge / SCCs |
Open Word may update this list of sub-processors from time to time. The Controller will be notified of any changes and may object to new sub-processors in accordance with Clause 5.2.
All data in transit is encrypted using TLS 1.2 or higher. Data at rest (where stored) is encrypted using AES-256 encryption.
Access to systems containing personal data is restricted to authorised personnel only, with role-based access controls and multi-factor authentication.
The Services are designed to process data transiently where possible. Personal data is not retained beyond the period necessary for the purpose of processing unless recording features are explicitly enabled by the Controller.
Open Word maintains incident response procedures for identifying, reporting, and responding to personal data breaches.
Services are hosted on resilient infrastructure with appropriate redundancy and backup procedures.
All personnel with access to personal data are subject to confidentiality obligations and receive appropriate data protection training.
This Data Processing Agreement is entered into as of the date the Controller accepts the Open Word terms of service or otherwise indicates acceptance of this DPA.
For electronic acceptance, the Controller's agreement to the Open Word terms of service incorporating this DPA shall constitute acceptance of this Data Processing Agreement. A record of acceptance will be maintained by Open Word.