What caption formats does DeliverCC export, and which one do I use?

DeliverCC outputs four formats from a single generation: SRT (universal subtitle format for YouTube, Vimeo, social media), VTT (web video standard for HTML5 players), SCC (Scenarist Closed Captions for US broadcast TV), and TTML (Apple Music synced-lyrics dialect, the line-level file labels send to Apple Music to enable karaoke-style lyric highlighting in the app).

Does DeliverCC caption dialogue and ad-libs, or only sung lyrics?

Both. Paste everything you want captioned: lyrics, ad-libs, and any spoken dialogue, and DeliverCC aligns all of it. A broadcast caption file has to carry every word, sung and spoken, so captioning the spoken parts is what makes your delivery complete and compliant. Because the tool aligns the text you provide, anything you want captioned has to be in what you paste. An ad-lib that is not in your lyric sheet will not appear unless you add it.

What's the difference between video captions and Apple Music synced lyrics?

They go to two different places. Video captions (SRT, VTT, and SCC) ride with your video and display text over the picture wherever the video plays: SRT and VTT for YouTube, Vimeo, and social, and SCC for US broadcast TV. Apple Music synced lyrics ride with the song instead, scrolling and highlighting line by line inside the Apple Music app while the track plays. Same timed text underneath, two different destinations, and they are not interchangeable. TTML (Timed Text Markup Language) is a W3C standard for timed text; DeliverCC emits the Apple Music synced-lyrics dialect of TTML, the line-level file your label or distributor submits to Apple through Transporter or iTunes Connect to turn on synced lyrics for a release. It is not a general video-caption TTML and it is not a video subtitle. For video, use the SRT, VTT, or SCC output.

Can I use DeliverCC for Spotify lyrics?

Not as a file, because Spotify does not accept one. Spotify's synced lyrics are powered entirely by Musixmatch. The only way to add them is to verify an artist or label account in Musixmatch and sync the lyrics inside Musixmatch's own tool, which then pushes them to Spotify. No tool can hand Spotify a finished lyrics file. Apple Music is different: it accepts a time-synced TTML lyrics file submitted directly by the rights holder or distributor, which is the file DeliverCC produces. So DeliverCC serves the destination that takes a file and leaves the one that requires manual work in a separate tool. Instagram, Amazon Music, and Tidal run through Musixmatch the same way Spotify does.

What languages does DeliverCC support?

DeliverCC supports twenty-one alignment languages: English, Spanish, Portuguese, Korean, Japanese, French, German, Italian, Arabic, Danish, Dutch, Finnish, Hindi, Indonesian, Norwegian, Polish, Russian, Swedish, Thai, Turkish, and Chinese. Each language uses the highest-quality alignment model available. For non-Latin script languages (Korean, Japanese, Arabic, Hindi, Thai, Chinese), lyrics must be provided in the native script of the song, not romanized transliteration.

Why forced alignment instead of speech-to-text?

Music vocals break speech-to-text. Mumbled delivery, ad-libs, harmonies, autotune, and non-lexical sounds all degrade transcription accuracy. DeliverCC uses forced alignment: you provide the correct lyrics (the artist-approved version) and the system aligns those exact lyrics to the audio rather than guessing what was sung. The captions say exactly what the lyric sheet says, with word-level timing accuracy that holds even on the hardest vocal performances.

Do I provide the lyrics, or does DeliverCC transcribe them?

You provide the lyrics. DeliverCC is built around the lyric sheet being the source of truth, not a transcription. This matches the workflow most labels already use: captions go out matched to the official lyrics, not to whatever an AI thinks it heard in the recording. DeliverCC handles the timing, you control what the words say.

How long does a generation take?

Typical generation takes 30 to 60 seconds from clicking Generate to captions appearing. The first request on a fresh worker can take around 90 seconds while infrastructure spins up; subsequent requests on warm workers are consistently faster. Most users see sub-60-second times in normal use.

Can I edit the alignment manually after generation?

Yes. Every generation lands in the timeline editor with a waveform view, draggable block edges, per-block text editing, and full undo and redo. Most songs need zero edits. When edits are needed (usually for ad-libs or intro instrumentals), the fix takes seconds. Edits are baked into the exported caption file in whatever format you select.

How does DeliverCC handle ad-libs, mumbled vocals, and producer tags?

Forced alignment handles ad-libs, producer tags, and mumbled vocals better than transcription tools. DeliverCC aligns to the lyrics you provide: if your lyric sheet includes the ad-lib, it gets timed alongside the vocal automatically. If your lyric sheet skips it (which is normal for filler "yeah" and "mmm" sounds), the surrounding words still align correctly. If you want to add or remove an ad-lib after generation, the timeline editor lets you edit any block text and adjust timing manually.

What can I upload, and is there a size limit?

DeliverCC accepts standard audio formats (MP3, WAV, FLAC, AAC, M4A, OGG) and video formats (MP4, MOV, M4V, WebM, AVI, MKV). Uploads are capped at 500 MB and 15 minutes of duration. DeliverCC automatically extracts the audio from video uploads. For music video editors: raw video exports can be many gigabytes (over the 500 MB cap), so exporting audio-only from your editor is the faster path. A 5-minute MP3 is typically under 10 MB.

What happens to my audio after I generate captions?

Audio files are automatically deleted from DeliverCC's storage approximately 14 days after upload, a window that covers the project review and revision phase. Generated caption files stay in your account until you delete them. Nothing about your audio or your lyrics is used to train any model. The full retention policy is in the privacy policy.

How does the credit system work?

One credit equals one caption generation, and includes all four export formats from the same alignment data. Monthly plans reset each month: Creator gets 5 credits, Studio gets 12, Label gets 30. Pay-as-you-go credits are bought one at a time and never expire. If you run out mid-month, you can buy a Pay-as-you-go credit or upgrade your plan. There are no overage charges and no per-format fees.

DeliverCC: Closed Captions for Music Videos. Done in Seconds.

Version2.0

Published2026-06-03

Last Updated2026-06-04

Contactdpa@delivercc.io

At a glance

Effective Date: [Date upon execution by Customer]

DPA Version: 2.0 (published 2026-06-03)

Parties: Allen Productions LLC (dba DeliverCC) and the Customer identified below

—

Preamble

This Data Processing Agreement ("DPA") forms part of the agreement between Allen Productions LLC, a Tennessee limited liability company doing business as DeliverCC ("DeliverCC," "Processor," "we," "us," or "our") and the customer identified at the time of execution ("Customer," "Controller," "you," or "your"), under which DeliverCC provides caption file generation services through its software-as-a-service platform (the "Services") in accordance with DeliverCC's Terms of Service published at delivercc.io/terms (the "Service Agreement").

This DPA governs the processing of Personal Data and Customer Confidential Audio (each as defined below) by DeliverCC on behalf of Customer in connection with the Services. To the extent of any conflict between this DPA and the Service Agreement, this DPA prevails with respect to data protection matters.

By executing this DPA, Customer and DeliverCC agree to the terms set out below.

Definitions

For the purposes of this DPA:

"Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including without limitation:

—(a) the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR");
—(b) the United Kingdom General Data Protection Regulation as it forms part of UK law ("UK GDPR");
—(c) the Swiss Federal Act on Data Protection ("Swiss DPA");
—(d) the California Consumer Privacy Act and California Privacy Rights Act (collectively, "CCPA");
—(e) any other applicable national, state, or provincial data protection law.

"Controller" means the entity that determines the purposes and means of processing Personal Data. With respect to data processed under this DPA, Customer is the Controller.

"Customer Confidential Audio" means audio files uploaded to the Services by Customer or Customer's authorized users, including without limitation unreleased musical recordings, masters, demos, pre-release content, or any other audio content of commercial sensitivity.

"Customer Personal Data" means Personal Data that DeliverCC processes on behalf of Customer in providing the Services, as further described in Annex 1.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

"Processor" means the entity that processes Personal Data on behalf of the Controller. With respect to data processed under this DPA, DeliverCC is the Processor.

"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914.

"Sub-processor" means any third party engaged by DeliverCC to process Customer Personal Data on DeliverCC's behalf in connection with the Services.

"UK IDTA" means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner's Office.

Other capitalized terms used but not defined in this DPA have the meanings given in the Service Agreement or in Applicable Data Protection Law.

Subject Matter and Scope

2.1 Subject matter. DeliverCC will process Customer Personal Data and Customer Confidential Audio solely for the purpose of providing the Services to Customer in accordance with the Service Agreement and Customer's documented instructions.

2.2 Duration. This DPA applies during the term of the Service Agreement and survives termination to the extent necessary to comply with applicable law and to complete the return or deletion of Customer Personal Data.

2.3 Nature, purpose, and categories of data. The nature and purpose of the processing, the categories of Data Subjects, and the categories of Personal Data are described in Annex 1.

Roles and Responsibilities

3.1 Customer as Controller. Customer is the Controller of Customer Personal Data. Customer is responsible for the lawfulness of the Personal Data processing, including ensuring that Customer has obtained any necessary consents, that Customer has a valid legal basis under Applicable Data Protection Law, and that Customer has provided required notices to Data Subjects.

3.2 DeliverCC as Processor. DeliverCC is the Processor of Customer Personal Data and processes it solely on behalf of and pursuant to the instructions of Customer. DeliverCC will:

—(a) process Customer Personal Data only on Customer's documented instructions, including with respect to international transfers, except where required to do so by applicable law;
—(b) immediately inform Customer if, in DeliverCC's opinion, Customer's instruction infringes Applicable Data Protection Law;
—(c) ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
—(d) implement and maintain appropriate technical and organizational measures as described in Annex 2;
—(e) comply with the requirements of this DPA regarding the engagement of Sub-processors;
—(f) assist Customer in responding to Data Subject requests and in fulfilling Customer's obligations under Applicable Data Protection Law;
—(g) make available to Customer information necessary to demonstrate compliance with this DPA;
—(h) at the choice of Customer, return or delete Customer Personal Data after the end of the Services, subject to applicable legal retention requirements.

Customer Instructions

4.1 Documented instructions. The Service Agreement, this DPA, and any configuration or feature settings made by Customer through the Services constitute Customer's complete and final instructions to DeliverCC regarding the processing of Customer Personal Data.

4.2 Additional instructions. Customer may provide additional instructions to DeliverCC in writing (including by email to dpa@delivercc.io). DeliverCC will comply with reasonable additional instructions, but reserves the right to charge reasonable fees for instructions that materially exceed the scope of the Services or require significant additional effort.

4.3 Compliance with law. DeliverCC will not be obligated to follow instructions that would, in DeliverCC's reasonable opinion, violate Applicable Data Protection Law or other applicable law.

Confidentiality

5.1 General confidentiality. DeliverCC will treat Customer Personal Data as confidential information and will not disclose it except as authorized in this DPA, the Service Agreement, or as required by law. DeliverCC will ensure that any personnel authorized to process Customer Personal Data are bound by written confidentiality obligations no less protective than those in this DPA.

5.2 Customer Confidential Audio — special protections. Customer Confidential Audio receives the following additional protections, which apply regardless of whether Customer has specifically identified particular audio as confidential:

(a) Treatment as confidential. DeliverCC treats all Customer Confidential Audio as Customer's confidential information of the highest sensitivity, regardless of any markings, labels, or specific notices.

(b) Use limitation. DeliverCC processes Customer Confidential Audio solely for the purpose of generating Customer's requested caption file. DeliverCC does not send Customer Confidential Audio, or any data derived from it (including alignment data, vocal separation outputs, transcription artifacts, or any other derived data), to any AI service for processing, and does not use any of it for:

—training, fine-tuning, or evaluation of any artificial intelligence or machine learning model;
—internal analytics, metrics, or reporting beyond operational telemetry necessary to provide the Services;
—service improvement, research, or product development;
—any commercial purpose other than providing the Services to Customer.

The scope is precise: no DeliverCC customer content is sent to AI services for processing, or used to train or evaluate models, by DeliverCC or by any Sub-processor acting on that content.

(c) Retention limitation. DeliverCC retains Customer Confidential Audio for approximately 14 days from upload, after which it is automatically and permanently deleted from DeliverCC's infrastructure and from the infrastructure of DeliverCC's Sub-processors. The 14-day window is tied to the project review and revision phase of music-video and single-release pipelines and is justified per GDPR Article 5(1)(e) purpose-limitation: retention beyond that realistic project tail would not serve a stated purpose and so is not retained.

(d) Sub-processor commitments. DeliverCC engages Sub-processors that operate under standard terms restricting their use of customer data to providing their service to DeliverCC. Under those terms:

—Customer Confidential Audio is treated as confidential;
—audio retention is limited to what is necessary to deliver the Sub-processor's portion of the Service — for example, the approximately 14-day retention window in DeliverCC's storage Sub-processor, controlled by the automated deletion mechanism described in Section 5.2(c);
—Customer Confidential Audio may not be used for any purpose other than providing services to DeliverCC, including (without limitation) AI training or model evaluation.

(e) Notification of unauthorized access. DeliverCC will notify Customer without undue delay, and in any case within 72 hours of becoming aware, of any unauthorized access to or disclosure of Customer Confidential Audio uploaded under Customer's account, regardless of the materiality of the access.

5.3 Survival. The obligations in Section 5.2 survive termination of this DPA with respect to any Customer Confidential Audio that was uploaded during the term.

Security Measures

6.1 Technical and organizational measures. DeliverCC will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The specific measures are described in Annex 2.

6.2 Risk-appropriate measures. The measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

6.3 Modifications. DeliverCC may update its security measures from time to time, provided that any update does not materially decrease the level of protection. DeliverCC will publish updates within this DPA at the next version revision, with 30 days' advance notice to Customers with an executed DPA.

6.4 Personnel. DeliverCC ensures that personnel with access to Customer Personal Data:

—(a) are subject to written confidentiality obligations;
—(b) receive appropriate data protection and security training;
—(c) have access only to the extent necessary to perform their duties.

Sub-processors

7.1 General authorization. Customer provides general authorization for DeliverCC to engage Sub-processors to assist in providing the Services, subject to the conditions in this Section.

7.2 Current Sub-processors. DeliverCC's current Sub-processors are listed in Annex 3. DeliverCC ensures that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

7.3 Notification of changes. DeliverCC will notify Customer at least 30 days in advance of adding or replacing a Sub-processor that processes Customer Personal Data. Notification may be made by email to the address Customer provides for this purpose, by updates to the Sub-processor list at delivercc.io/sub-processors, or through similar means.

7.4 Right to object. If Customer reasonably objects to a new Sub-processor on data protection grounds, Customer may notify DeliverCC of the objection in writing within 30 days of notification of the change. The parties will work in good faith to address Customer's concern. If DeliverCC cannot reasonably address Customer's concern, Customer may terminate the affected Services with a prorated refund of any unused subscription period, as Customer's sole remedy.

7.5 Sub-processor obligations. DeliverCC remains liable to Customer for the acts and omissions of its Sub-processors to the same extent as if DeliverCC performed the processing itself.

Data Subject Rights and Assistance

8.1 Data Subject requests. If DeliverCC receives a request from a Data Subject relating to Customer Personal Data (such as a request for access, correction, deletion, restriction, or portability), DeliverCC will:

—(a) promptly notify Customer of the request;
—(b) not respond to the request itself, except as authorized by Customer or required by applicable law;
—(c) provide reasonable assistance to Customer in responding to the request.

8.2 Customer assistance generally. Taking into account the nature of the processing, DeliverCC will provide reasonable assistance to Customer in fulfilling Customer's obligations under Applicable Data Protection Law with respect to:

—(a) responding to Data Subject requests;
—(b) ensuring the security of processing;
—(c) notifying Personal Data Breaches to supervisory authorities and Data Subjects;
—(d) carrying out data protection impact assessments;
—(e) consulting with supervisory authorities where required.

8.3 Reasonable fees. DeliverCC may charge reasonable fees for assistance that materially exceeds the scope of the Services or requires significant additional effort, with prior notice to Customer.

Personal Data Breach Notification

9.1 Notification timeline. DeliverCC will notify Customer without undue delay, and in any case within 72 hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data.

9.2 Notification contents. The notification will, to the extent known at the time of notification:

—(a) describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected;
—(b) communicate the contact information of DeliverCC's data protection contact;
—(c) describe the likely consequences of the Personal Data Breach;
—(d) describe the measures DeliverCC has taken or proposes to take to address the breach and mitigate its possible adverse effects.

9.3 Cooperation. DeliverCC will cooperate with Customer and provide reasonable assistance to enable Customer to comply with its own breach notification obligations under Applicable Data Protection Law.

9.4 Records. DeliverCC will maintain records of Personal Data Breaches in accordance with applicable law.

Audit Rights

10.1 Compliance documentation. DeliverCC will make available to Customer information necessary to demonstrate compliance with this DPA, including:

—(a) DeliverCC's then-current Sub-processor list;
—(b) DeliverCC's then-current technical and organizational security measures;
—(c) DeliverCC's then-current Sub-processor certifications, including SOC 2 Type II reports of major Sub-processors where available, subject to confidentiality obligations.

10.2 Audit right. Customer may, no more than once per calendar year and upon at least 30 days' written notice, conduct (or have conducted by a qualified third-party auditor selected by Customer and reasonably acceptable to DeliverCC) an audit of DeliverCC's compliance with this DPA. Audits will:

—(a) be conducted during DeliverCC's normal business hours;
—(b) be limited in scope to matters relevant to compliance with this DPA;
—(c) be subject to reasonable confidentiality obligations;
—(d) not unreasonably interfere with DeliverCC's business operations;
—(e) be at Customer's expense, except where the audit reveals material non-compliance by DeliverCC, in which case DeliverCC will reimburse Customer's reasonable audit costs.

10.3 Alternative means. Customer's audit right may be satisfied by DeliverCC providing copies of relevant third-party audit reports (such as Sub-processor SOC 2 reports), independent certifications, or DeliverCC's own attestations of compliance, where Customer reasonably accepts such documentation as sufficient.

10.4 Special audits required by law. If a supervisory authority or applicable law requires an immediate audit, the timing and scope provisions of Section 10.2 may be adjusted as necessary to comply with the legal requirement.

International Data Transfers

11.1 Geographic scope. DeliverCC processes Customer Personal Data exclusively in the United States. As described in Annex 3, all of DeliverCC's Sub-processors are US-located and process Customer Personal Data in the United States. The United Kingdom is relevant only as a transfer origin under Section 11.3 (where Customer is established in the UK), not as a processing location.

11.2 EU/EEA transfers. Where Customer Personal Data is transferred from the European Economic Area to a country that has not received an adequacy decision from the European Commission, the parties incorporate by reference the Standard Contractual Clauses (Module Two: Controller to Processor). Sub-processor relationships are governed by DeliverCC's separate per-Sub-processor data processing agreements, which themselves incorporate appropriate SCCs where required. The SCCs are deemed completed as follows:

—(a) Clause 7 (Docking clause) — applicable;
—(b) Clause 9(a) (Use of sub-processors) — Option 2 (general written authorization), with notice period of 30 days;
—(c) Clause 11(a) (Redress) — the optional language is not included;
—(d) Clause 17 (Governing law) — the law of Ireland;
—(e) Clause 18 (Choice of forum and jurisdiction) — the courts of Ireland;
—(f) Annex I.A (List of Parties) — Customer is the data exporter; DeliverCC is the data importer;
—(g) Annex I.B (Description of Transfer) — as set out in Annex 1 of this DPA;
—(h) Annex II (Technical and Organizational Measures) — as set out in Annex 2 of this DPA;
—(i) Annex III (List of Sub-processors) — as set out in Annex 3 of this DPA.

11.3 UK transfers. Where Customer Personal Data is transferred from the United Kingdom to a country that has not received an adequacy decision from the UK Information Commissioner's Office, the parties incorporate by reference the UK International Data Transfer Addendum to the EU Standard Contractual Clauses ("UK IDTA"). The UK IDTA is deemed completed in conjunction with the SCCs incorporated under Section 11.2.

11.4 Swiss transfers. Where Customer Personal Data is transferred from Switzerland, the SCCs incorporated under Section 11.2 apply, with the following modifications:

—(a) references to "GDPR" or "Regulation (EU) 2016/679" are deemed to include the Swiss Federal Act on Data Protection;
—(b) references to "EU Member State" or similar are deemed to include Switzerland;
—(c) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

11.5 Processing location. All processing of Customer Personal Data occurs in the United States. No per-customer geographic residency option is offered, because US-only processing is the architectural default for all Customers.

Return and Deletion of Data

12.1 At end of Services. Upon termination of the Service Agreement, or upon Customer's written request at any time, DeliverCC will, at Customer's choice:

—(a) return Customer Personal Data to Customer in a structured, commonly used, and machine-readable format; or
—(b) delete Customer Personal Data from DeliverCC's systems.

12.2 Timing. DeliverCC will complete return or deletion within 30 days of termination of the Service Agreement or Customer's request, except for:

—(a) data DeliverCC is required to retain by applicable law (such as billing records retained for tax purposes);
—(b) data contained in routine system backups, which will be deleted in accordance with DeliverCC's backup retention schedule (no longer than 90 days after termination);
—(c) anonymized or aggregated data that no longer constitutes Personal Data.

12.3 Confirmation. Upon Customer's written request, DeliverCC will provide written confirmation that deletion has been completed.

12.4 Customer Confidential Audio. Customer Confidential Audio is automatically deleted approximately 14 days after upload as described in Section 5.2(c) and is not retained beyond that window. If Customer terminates the Service Agreement during the 14-day window, the return-or-deletion obligations in Section 12.1 apply to any Customer Confidential Audio still on disk at the time of termination, completed within the timing set out in Section 12.2. Outside that window, no Customer Confidential Audio remains to return or delete.

Liability

13.1 General liability. Each party's liability arising out of or related to this DPA is governed by the limitation of liability provisions in the Service Agreement. The aggregate liability of DeliverCC under this DPA and the Service Agreement, taken together, will not exceed the limits set forth in the Service Agreement.

13.2 Exceptions. The limitations in Section 13.1 do not apply to:

—(a) DeliverCC's obligations under Section 5 (Confidentiality), including Customer Confidential Audio commitments;
—(b) DeliverCC's indemnification obligations expressly set out in this DPA;
—(c) liability that cannot be limited or excluded under applicable law.

13.3 SCC liability. Where the SCCs apply, the liability provisions of the SCCs apply as among the parties to those clauses, but the aggregate cap on DeliverCC's liability set forth in the Service Agreement applies to all claims combined.

Term and Termination

14.1 Term. This DPA takes effect on the Effective Date and continues for the duration of the Service Agreement.

14.2 Survival. Provisions of this DPA that by their nature should survive termination — including without limitation Sections 5 (Confidentiality), 9 (Personal Data Breach Notification, with respect to breaches occurring during the term), 12 (Return and Deletion of Data), 13 (Liability), and any applicable Annexes — survive termination of this DPA.

14.3 Material breach. Either party may terminate this DPA, the Service Agreement, or both, upon material breach of this DPA by the other party that is not cured within 30 days of written notice of the breach.

General Provisions

15.1 Order of precedence. In the event of any conflict or inconsistency, the following order of precedence applies (with earlier-listed instruments taking precedence):

—(a) the SCCs (and UK IDTA where applicable);
—(b) this DPA;
—(c) the Service Agreement;
—(d) any other agreement between the parties.

15.2 Entire agreement. This DPA, together with the Service Agreement, the Annexes hereto, and (where applicable) the SCCs and UK IDTA, constitute the entire agreement between the parties regarding the processing of Customer Personal Data.

15.3 Modifications. DeliverCC may update this DPA from time to time to reflect changes in Applicable Data Protection Law or industry best practices, provided that any update does not materially decrease Customer's rights or DeliverCC's obligations. DeliverCC will notify Customer of material updates with at least 30 days' notice.

15.4 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid provision will be modified to the minimum extent necessary to make it valid and enforceable.

15.5 Governing law. Except as provided in Section 11.2 with respect to the SCCs, this DPA is governed by the laws of the State of Tennessee, United States, consistent with the Service Agreement.

15.6 Notices. Notices under this DPA must be in writing and may be sent by email, with notices to DeliverCC sent to dpa@delivercc.io. Legal correspondence may also be sent to legal@delivercc.io and security disclosures to security@delivercc.io. A copy of any formal notice may be sent by mail to:

Allen Productions LLC
100 Powell Place #1189
Nashville, TN 37204
United States

15.7 Counterparts and electronic execution. This DPA may be executed in counterparts and by electronic signature or click-through acceptance, each of which is deemed an original.

Execution

This DPA is executed by Customer's electronic acceptance through the DeliverCC platform, by email confirmation to dpa@delivercc.io, or by signed PDF returned to dpa@delivercc.io. Upon execution, DeliverCC will provide Customer with a confirmation including the version of this DPA accepted, the timestamp of acceptance, and the name and email of the accepting individual.

By executing this DPA, Customer represents that the individual accepting on Customer's behalf has authority to bind Customer to this DPA.

Annex 1

Description of Processing

A. Subject Matter and Duration

Subject matter: processing of Customer Personal Data and Customer Confidential Audio for the purpose of generating closed caption files for Customer's audio and video content.

Duration: for the term of the Service Agreement, plus any post-termination period necessary to complete return or deletion of data.

B. Nature and Purpose of Processing

DeliverCC processes Customer Personal Data and Customer Confidential Audio to:

—authenticate and manage Customer's account;
—accept uploaded audio and lyrics text;
—fetch audio from Supabase Storage to an owner-operated Mac Studio (United States, under DeliverCC's physical control) for local alignment using open-source software (Demucs for source separation and WhisperX for forced alignment);
—generate caption files in the requested format(s);
—store generated caption files in Customer's account history;
—process payments and manage subscriptions;
—provide customer support and respond to communications.

C. Categories of Data Subjects

—Customer's authorized users (employees, contractors, or team members)
—End users whose voice or content appears in audio uploaded by Customer (typically not identifiable except through the content itself)

D. Categories of Customer Personal Data

—Account information: name, email address
—Payment information: held by Stripe; DeliverCC retains only customer ID and subscription status
—Transactional email metadata: recipient address, subject, send status (held by Resend solely for transactional delivery of receipts, account confirmations, password resets, and data-export-ready notifications; no audio, lyrics, or caption content)
—Optional OAuth identifier: where Customer's authorized user chooses to sign in with Google, Google authenticates the user and returns name and email to DeliverCC at sign-in only
—Service usage data: generation timestamps, file formats, languages, processing latencies, anonymous error codes
—Communications: support emails and responses

E. Categories of Customer Confidential Audio

—Audio files in MP3 format, derived from Customer's original audio or video content
—May include unreleased musical recordings, masters, demos, or pre-release content of significant commercial value

F. Special Categories of Data

DeliverCC does not request or knowingly process special categories of Personal Data (such as health, biometric, or political data) under this DPA. Customer represents that Customer will not upload such categories of data to the Services.

Annex 2

Technical and Organizational Security Measures

DeliverCC implements and maintains the following technical and organizational measures to protect Customer Personal Data and Customer Confidential Audio:

1. Access Controls

—Authentication via Supabase Auth with secure session management
—Row-level security policies enforced at the database layer, restricting users to their own data
—Multi-factor authentication available for user accounts
—API keys and secrets stored as encrypted server-side environment variables
—Service-role credentials never exposed to client browsers
—HMAC signature verification (using Stripe's webhook signing) for the Stripe billing webhook, which is the only incoming webhook endpoint

2. Encryption

—HTTPS/TLS encryption for all data in transit
—Encryption at rest for stored data, managed by AWS (us-east-1 region) underlying our database and storage infrastructure
—Audio storage bucket is private (non-public); access requires a service-role credential held only on DeliverCC's owner-operated Mac Studio and on server-side application infrastructure, and is never exposed to client browsers
—Payment data handled exclusively by PCI DSS Level 1 certified Stripe infrastructure

3. Network Security

—Vercel Deployment Protection for deployment-level access controls
—Vercel Deployment Protection bypass token scoped to the Stripe billing webhook (the only incoming webhook), enabling Stripe to deliver signed events through the deployment auth gate
—Rate limiting on public endpoints
—Cloud infrastructure managed by SOC 2 Type II certified providers

4. Data Lifecycle Controls

—Automated deletion of Customer Confidential Audio approximately 14 days after upload via scheduled database (pg_cron) and storage cleanup processes
—Automated deletion of word-level alignment data within 24 hours
—Storage cleanup reconciliation between database state and storage objects
—Account deletion with 30-day grace period and cascade deletion across all data stores

5. Operational Security

—Code review for changes that touch authentication, data handling, or infrastructure
—Dependency management and security update reviews
—Pre-commit secret scanning to prevent credential leaks
—Audit logging of administrative actions

6. Personnel Security

—Confidentiality obligations binding all personnel with data access
—Access on a need-to-know basis
—Security awareness training for personnel with data access

7. Incident Response

—Defined incident response procedure
—Personal Data Breach notification within 72 hours of awareness
—Documentation and analysis of incidents to prevent recurrence

8. Sub-processor Management

—Sub-processors selected based on security posture, certifications, and data protection commitments
—Contractual data protection obligations with all Sub-processors
—30-day advance notice and right to object for Sub-processor changes

DeliverCC may update these measures from time to time, provided that updates do not materially decrease the level of protection. Updates are published within this DPA at the next version revision, with 30 days' advance notice to Customers with an executed DPA.

Annex 3

Sub-processor List

DeliverCC engages the following Sub-processors to provide the Services. All Sub-processors are US-located; there is no per-customer geographic residency option.

Note on Mac Studio. The Mac Studio used for audio alignment processing is owner-operated by DeliverCC in the United States, under DeliverCC's physical control, and is intentionally not a Sub-processor — it is in-house infrastructure, not a third-party service. Listed here for transparency only.

Supabase, Inc.

Service: User authentication, account database, audio file storage
Location: United States (AWS us-east-1, Northern Virginia)
Certifications: SOC 2 Type II
Data accessed: Customer Personal Data (account information), Customer Confidential Audio (audio retained for approximately 14 days from upload, then automatically deleted as described in Section 5.2(c))

Vercel, Inc.

Service: Application hosting and serverless function execution
Location: United States (iad1 region, Northern Virginia)
Certifications: SOC 2 Type II
Data accessed: Customer Personal Data in transit during request processing; Customer Confidential Audio is not routed through Vercel for alignment (audio is fetched directly from Supabase Storage by DeliverCC's owner-operated Mac Studio using a service-role credential)

Stripe, Inc.

Service: Payment processing and subscription management
Location: United States
Certifications: PCI DSS Level 1
Data accessed: Payment information (handled directly by Stripe), customer billing identifiers (DeliverCC retains only Stripe customer ID and subscription status)

Resend, Inc.

Service: Transactional email delivery (receipts, account confirmations, password resets, data-export-ready notifications)
Location: United States
Certifications: SOC 2 Type II
Data accessed: Transactional email metadata only — recipient address, subject, send status. Resend does not access audio, lyrics, or caption content.

Google LLC

Service: Optional Google OAuth sign-in
Location: United States
Data accessed: Where Customer's authorized user chooses to sign in with Google, Google authenticates the user and returns name and email to DeliverCC at sign-in only. Google does not receive audio, lyrics, captions, or any service usage data. Google's own privacy practices govern its handling of the user's Google account.

DeliverCC will provide notification of any addition or replacement of Sub-processors at least 30 days in advance, as set out in Section 7.3.

Annex 4

EU Standard Contractual Clauses (incorporated by reference)

Where applicable under Section 11.2, the parties incorporate by reference the European Commission Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914.

The completion of the SCCs is set out in Section 11.2 of this DPA, with reference to Annexes 1, 2, and 3 of this DPA.

Annex 5

UK International Data Transfer Addendum (incorporated by reference)

Where applicable under Section 11.3, the parties incorporate by reference the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK IDTA"), available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/.

The UK IDTA is completed in conjunction with the SCCs incorporated under Section 11.2.

Annex 6

Swiss DPA Provisions

Where applicable under Section 11.4, the SCCs apply with the modifications set out in Section 11.4 to address transfers from Switzerland.

Annex 7

Record of Processing Activities and Security Measures

This Annex is provided pursuant to Article 30 of the EU General Data Protection Regulation ("Record of Processing Activities" or RoPA) and Article 32 ("Security of Processing"). It is also intended to satisfy similar requirements under the UK GDPR and similar frameworks. The information here mirrors the corresponding section of DeliverCC's public Privacy Policy, adapted to the role-explicit terminology of this DPA (Customer = Controller; DeliverCC = Processor).

(a) Controller and Processor identity. Customer is the Controller of Customer Personal Data processed under this DPA. DeliverCC (Allen Productions LLC, a Tennessee limited liability company doing business as DeliverCC) is the Processor. Postal address and contact channels for DeliverCC are set out in Section 15.6.

(b) Purposes of processing. DeliverCC processes Customer Personal Data on behalf of Customer to: (i) operate the Services — generating caption files from Customer's audio and lyrics; (ii) authenticate users and manage accounts; (iii) process payments and manage billing; (iv) send transactional email; (v) monitor service performance through anonymous usage metrics; (vi) respond to support requests; (vii) comply with legal obligations (tax, accounting, regulatory). DeliverCC does not use Customer Personal Data for targeted advertising, behavioral profiling, AI/ML model training, fine-tuning, or evaluation.

(c) Categories of data subjects. Customer's authorized users (employees, contractors, or team members); end users whose voice or content appears in audio uploaded by Customer (typically not identifiable except through the content itself); contact persons of Customer where Customer is a business entity.

(d) Categories of personal data. Account information (name, email, plan); payment metadata (Stripe customer ID, billing status, plan and credit history; full card data is held by Stripe and not by DeliverCC); Customer Confidential Audio (audio files uploaded by Customer); lyrics text; generated caption files and timing-block derivatives; word-level alignment data (intermediate, 24-hour retention); audio filename labels; transactional email metadata (held by Resend); optional Google OAuth identifier (name and email at sign-in only, where Customer's user chooses Google sign-in); service usage metrics (anonymized at the event level); email correspondence; authentication session metadata.

(e) Categories of recipients. Customer Personal Data is shared only with the Sub-processors listed in Annex 3: Supabase, Vercel, Stripe, Resend, and Google (the latter only for users who choose Google OAuth sign-in). The Mac Studio used for audio alignment processing is owner-operated by DeliverCC and is not a Sub-processor; no external entity receives Customer Confidential Audio for processing. Customer Personal Data may be disclosed to legal authorities where required by binding legal process. Customer Personal Data may be transferred to a successor entity in a business transfer.

(f) International transfers and safeguards. All processing occurs in the United States. Storage and application processing occur in the United States via Supabase (AWS us-east-1) and Vercel (iad1). Audio alignment processing occurs on an owner-operated Mac Studio located in the United States. For Customer's authorized users in the European Economic Area, the United Kingdom, and Switzerland, transfers of Customer Personal Data to the United States are covered by the European Commission's Standard Contractual Clauses with DeliverCC's US-based infrastructure providers (as incorporated under Section 11.2), by the UK International Data Transfer Addendum where applicable (Section 11.3), and by adequacy decisions where applicable. Allen Productions LLC is not certified under the EU-US Data Privacy Framework.

(g) Retention periods. Customer Confidential Audio: approximately 14 days from upload, then automatically deleted, with the 14-day window tied to the project review and revision purpose stated in Section 5.2(c). Word-level alignment data: 24 hours from generation. Generated caption files, timing blocks, lyrics, and audio filename labels: lifetime of Customer's account, deletable at any time by Customer. Account information: lifetime of the account; deleted within 30 days of account deletion except where law requires retention (typically 7 years for tax records). Anonymous usage data: up to 12 months. Email correspondence: up to 24 months. Full retention table is reflected in DeliverCC's public Privacy Policy.

Technical and organizational security measures. A general description of DeliverCC's security measures (pursuant to Article 32) is set out in Annex 2. The principal measures, summarized:

— Encryption. Data is encrypted in transit (HTTPS/TLS). Customer Confidential Audio at rest is encrypted by Supabase Storage using AES-256 on the underlying object-store layer; the audio bucket is private and accessible only via signed URLs or service-role credentials. The Mac Studio used for audio processing has disk encryption enabled.

— Access control. Authentication uses secure session cookies with row-level security policies enforcing per-user data isolation at the database layer. API keys and service credentials are held only as server-side environment variables, never exposed to browsers. The Mac Studio is operated by a single individual under physical custody, and that physical custody is itself an access-control measure.

— Processing-location control. Audio alignment processing runs entirely on owner-operated hardware (the Mac Studio) located in the United States under DeliverCC's physical control. DeliverCC does not send Customer Confidential Audio, lyrics, or any derived content to any third-party AI service, hosted large language model, external inference API, or external GPU service during caption generation.

— No AI processing or model training of DeliverCC customer content. DeliverCC does not send Customer Confidential Audio, lyrics, captions, or any derived content to any AI service for processing, and does not use any of it to train, fine-tune, or evaluate AI/ML models. This is unconditional on DeliverCC's side. Sub-processors operate under standard terms restricting their use of customer data to providing their service to DeliverCC; under those terms, customer data may not be used for unrelated purposes such as AI training or model evaluation (Section 5.2(d), Annex 3).

— Automated deletion. Customer Confidential Audio is automatically deleted approximately 14 days after upload via scheduled database (pg_cron) and storage cleanup processes. Word-level alignment data is automatically deleted within 24 hours via the same mechanism.

— Breach notification. Within 72 hours of becoming aware of a Personal Data Breach (Section 9).

— Operational scale. DeliverCC is currently operated by a single individual, processing on a single in-house machine. DeliverCC's security posture is calibrated to this scale.

Article 32 proportionality — access logging. Article 32 of the GDPR requires technical and organizational measures appropriate to the risk and to the scale of processing. DeliverCC does not currently implement detailed per-read audit logging of every access to audio storage. This is a deliberate calibration to DeliverCC's actual processing posture: a single operator, single in-house machine, with physical custody of the processing hardware serving as the primary access control. Detailed per-read access logging is a control designed for multi-employee, multi-system vendor environments where many individuals have potential access to customer data and access must be governed across them. At DeliverCC's scale and posture, it would not provide a meaningfully different security outcome. If Customer contractually requires per-read access logging as part of Customer's specific risk assessment, DeliverCC will evaluate the scope and feasibility under that specific contractual ask.

END OF DATA PROCESSING AGREEMENT

DeliverCC — operated by Allen Productions LLC (Tennessee)

delivercc.io