Last updated: September 29, 2025
This Data Processing Addendum (“DPA”) forms part of the Business Terms of Service (“Agreement”) between MorphCast Inc., a Delaware corporation with offices at 835 Fifth Avenue, San Rafael, CA 94901, USA (“Service Provider” or “MorphCast”), and the entity accepting the Agreement (“Business Customer” or “Business”).
Notice: MorphCast provides its Services under U.S. law. MorphCast does not offer its Services in the EU. This DPA is intended to comply with applicable U.S. privacy laws, including the California Consumer Privacy Act as amended by the CPRA.
1. Definitions
- “CPRA” means the California Consumer Privacy Act as amended by the California Privacy Rights Act.
- “Personal Information” has the meaning given in the CPRA and includes any equivalent term under other applicable U.S. state privacy laws.
- “Process” and “Processing” refer to any operation performed on Personal Information.
- “Business” has the meaning given in the CPRA and, for this DPA, refers to the Business Customer.
- “Service Provider” has the meaning given in the CPRA and, for this DPA, refers to MorphCast when Processing on behalf of the Business.
- “Sensitive Personal Information” (“SPI”) has the meaning given in the CPRA.
- “Services” means the MorphCast services described in the Agreement.
2. Roles of the Parties
- Business Customer is the sole Business determining the purposes and means of Processing Personal Information uploaded to or generated within the Services.
- MorphCast acts solely as a Service Provider on behalf of Business Customer.
- For clarity, this DPA does not apply to account data, billing information, security and operational logs that MorphCast Processes as a Business in order to manage customer accounts, comply with legal obligations, and ensure the security and integrity of the Services.
3. Scope of Processing
MorphCast processes Personal Information solely as a Service Provider/Processor on behalf of the Business customer, and only in accordance with documented instructions as set forth in this DPA. MorphCast does not sell or share Personal Information as defined by the CPRA.
Sensitive Personal Information (SPI). If the Business customer chooses to associate emotion or engagement metrics with a user’s display name or other identifier, such data may qualify as Sensitive Personal Information under applicable law. In such cases, MorphCast continues to act solely as a Service Provider/Processor, and the Business customer is responsible for ensuring appropriate notices, consents, and lawful bases for processing.
4. Confidentiality & Security
- MorphCast shall ensure personnel are bound by confidentiality obligations.
- MorphCast implements the technical and organisational security measures described in Annex 1 (Security Measures).
5. Subcontracted Service Providers (Sub-Processors)
- MorphCast may engage subcontracted service providers listed in Annex 2 (Approved Subcontracted Service Providers).
- MorphCast shall:
a. enter into a written agreement imposing obligations equivalent to this DPA;
b. remain liable for any subcontractor’s performance.
- Business Customer may subscribe to email notifications of changes to Annex 2 and object on reasonable grounds within 10 business days.
6. Consumer Requests
MorphCast shall, where feasible, assist Business Customer in responding to verifiable Consumer requests under applicable U.S. privacy laws (including CPRA), such as access (right to know), deletion, correction, opt-out of sale or sharing, and limit use and disclosure of Sensitive Personal Information, by appropriate technical or organisational means.
7. Security Incidents
MorphCast shall notify Business Customer without undue delay after becoming aware of a Security Incident affecting Personal Information, providing sufficient information for Business Customer to meet any applicable reporting obligations.
8. Retention & Deletion
Upon termination of the Agreement (or earlier upon written request), MorphCast will delete or return all Personal Information within 60 days, save to the extent retention is required by law or for backup integrity (max 90 days, encrypted and inaccessible to operations).
9. Audit
Once per 12-month period, Business Customer may request (a) a summary of MorphCast’s most recent third-party security audit or (b) an on-site audit, provided:
- at least 30 days’ written notice;
- during normal business hours;
- no undue disruption and subject to confidentiality.
Costs are borne by Business Customer unless the audit reveals material non-compliance.
10. International Data Transfers
MorphCast Services are not available in all jurisdictions. In particular, MorphCast does not offer Services in the EU/EEA or in the People’s Republic of China, as set out in our Territorial Exclusion Policy.
This DPA is designed to comply with applicable U.S. privacy laws (including the CPRA) and, where relevant, Canadian privacy laws (including PIPEDA). Business customers operating in other jurisdictions are responsible for identifying any stricter or additional local obligations and for instructing MorphCast accordingly; we will reasonably support such compliance through our Product configuration and our commitments under this DPA.
11. Limitation of Liability
Each party’s liability under this DPA is subject to the limitation-of-liability clause in the Agreement.
12. Term
This DPA terminates automatically upon deletion of all Personal Information by MorphCast or when the Agreement terminates, whichever is later.
13. Signatures
Effectiveness
This Data Processing Addendum forms part of and is incorporated into the MorphCast Business Terms of Service. By accepting the Business Terms of Service, the Customer also agrees to this Data Processing Addendum.
For Customers that require a signed copy, this DPA may be executed separately and will then be deemed effective as of the date of the last signature below.
| For MorphCast Inc. | For Business Customer |
|---|---|
| Name: Stefano Bargagni | Name: [COMPANY SIGNATORY] |
| Title: CEO | Title: [TITLE] |
| Date: 6 Aug 2025 | Date: [DATE] |
| Signature: | Signature: |
Annex 1 — Security Measures (summary)
- TLS 1.2+ encryption in transit, AES-256 at rest
- Segmented network; least-privilege IAM
- 24×7 intrusion detection; monthly vulnerability scanning
- Annual independent penetration test
- Encrypted backups with 30-day retention
- Incident-response plan with 24-hour internal escalation
Annex 2 — Approved Subcontracted Service Providers
| # | Service Provider | Service / Primary Function | Affected Products (examples) | Primary Data Location |
|---|---|---|---|---|
| 1 | Amazon Web Services, Inc. | Cloud infrastructure (EC2, S3, RDS, Lambda, MediaConvert, telemetry endpoint, Redis cache) | All products: SDK license API, Ready-to-Use Web Apps (Data Storage), Studio workspace, Portal, Video Conference, Zoom App, Media Player, Website | USA (us-west-2) |
| 2 | Amazon CloudFront | Global CDN / edge caching & WAF bot-management | Studio asset delivery, Media Player streaming, Portal UI, Website, Ready-to-Use Web Apps | Global |
| 3 | Cloudflare, Inc. | Edge security (CDN, WAF, bot management) | Website (morphcast.com) | Global |
| 3 | Google LLC – Cloud Services | Cloud Storage buckets, Firestore database, Apps Script automations (billing export), reCAPTCHA bot-detection | Contact Form (reCAPTCHA), Portal billing exports, internal admin automations | USA |
| 4 | Google LLC – Workspace / Drive | Email, Docs, Drive file storage, internal ticketing & marketing lists | Corporate communications, user-support records, marketing outreach | USA |
| 5 | Stripe, Inc. | Payment processing, subscription billing, invoice e-mails | Portal license purchases, Studio paid tier | USA |
| 6 | Voiceflow Inc. | Website chat widget backend, transient message storage (≤ 24 h) | Website chat support | USA |