Get started
Get started

Inworld AI Data Processing Addendum

Updated: March 11, 2026
This Inworld AI Data Processing Addendum (“DPA”) supplements, and is incorporated into, the Inworld AI Services Agreement (“Agreement”) governing use of the Services and is entered as of the Effective Date between the customer identified above (“Customer”) and Theai, Inc. dba Inworld AI (“Inworld AI”), on its behalf and on behalf of its Affiliates, as appropriate. Capitalized terms not defined in the DPA have the meanings provided in the Agreement. In this DPA, Inworld AI and Customer are each referred to as a “Party” and collectively as the “Parties.” Each party represents it is lawfully able to enter into this Agreement and, if it is entering into the Agreement for an entity, that it has legal authority to bind that entity. By clicking “I agree,” accepting the Order Form, or using the Services, Customer agrees to this Agreement.
  1. Details.
1.1. Scope and Roles. As part of providing the Services to the Customer under the Agreement, Inworld AI may Process Customer Data on behalf of Customer. Inworld AI acts as a Data Processor on the Customer’s behalf, and this DPA governs such Processing.
1.2. Details of Processing. Inworld AI will only Process Customer Data for the purposes of delivering the Services to Customer pursuant to the Agreement and this DPA. Details regarding the nature, duration, as well as the types of Customer Data and categories of Data Subjects involved, are set out in Schedule 1 (Details of Processing) to this DPA. Inworld AI and Customer each agree to comply with their respective obligations under Data Protection Laws in connection with the Services.
  1. Inworld AI Obligations.
2.1. Customer Instructions. The Parties agree that this DPA, the Agreement (including the Order Form), and any instructions provided via the configuration tools and other tools within the Services made available by Inworld AI within the Services, constitute Customer’s documented instructions regarding Inworld AI’s processing of Customer Data (“Customer Instructions”). Inworld AI will process Customer Data only in accordance with Customer Instructions, unless required to do so by applicable law to which Inworld AI is subject, in which case Inworld AI will inform Customer of this requirement prior to processing unless legally prohibited from doing so.
2.2. Notices to Customer. Inworld AI will promptly inform Customer in writing if, in Inworld AI’s opinion, a Customer Instruction violates Data Protection Laws. Inworld AI will, to the extent legally permitted, inform Customer if Inworld AI receives a legally binding request for disclosure of Customer Data by a law enforcement authority.
2.3. Confidentiality. Inworld AI will ensure that all persons authorized by Inworld AI to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.4. Data Subject Requests. Inworld AI will, to the extent legally permitted, inform Customer if Inworld AI receives a request to exercise data subject rights pursuant to Data Protection Laws (“Data Subject Request) in respect of Customer Data. Inworld AI will not respond to any such request without Customer’s prior written authorization, except that Customer authorizes Inworld AI to redirect Data Subject Requests as necessary to allow Customer to respond directly. Taking into account the nature of the processing, Inworld AI will assist Customer by implementing appropriate technical and organizational measures, in so far as this is possible, to allow Customer to respond to Data Subject Requests.
2.5. Security. Inworld AI will implement and maintain reasonable and appropriate organizational and technical security measures to protect Customer Data, as set forth in the Agreement and Schedule 2.
2.6. Assistance to Customer. Inworld AI will, taking into account the nature of the processing and the information available to Inworld AI, provide reasonable assistance to Customer to help Customer comply with its obligations under Data Protection Laws including, where appropriate, the preparation of data protection impact assessments with respect to Inworld AI’s processing of Customer Data and, where necessary, the Customer consulting with a supervisory authority with jurisdiction over such processing, if such consultation is required by Data Protection Laws.
2.7. Personal Data Breaches. Inworld AI will notify Customer without undue delay after becoming aware of any Personal Data Breach. Inworld AI will provide reasonable assistance to Customer to help Customer comply with its obligations under Data Protection Laws in respect of such Personal Data Breach.
2.8. Assessing Compliance. Inworld AI will, on Customer’s reasonable written request and to the extent required by
Data Protection Laws: (i) no more than once per year, provide Customer with Inworld AI’s privacy and security policies and other such information necessary to demonstrate compliance with Inworld AI’s obligations under this DPA; and (ii) provided that the Parties have an appropriate confidentiality agreement in place, allow for and contribute to audits or inspections by, or on behalf of, Customer at Customer’s sole expense. Such audit or inspection must be: (A) conducted in a manner that is minimally disruptive to Inworld AI’s business; (B) necessary to confirm that Inworld AI is processing Customer Data in a manner consistent with this DPA; and
(C) occur no more than once per year. Where permitted by Data Protection Laws, Inworld AI may instead make available to Customer a summary of the Audit Reports relevant to Inworld AI’s compliance with this DPA. Such results and documentation, including the results of any audits or inspections, shall be the Confidential Information of Inworld AI.
2.9. Engagement of Sub-processors. Customer hereby provides a general authorization to Inworld AI to engage the Sub-Processors listed in the Sub-Processor List to process Customer Data in connection with the Services. Inworld AI will notify Customer of any changes to the Sub-Processor List via blog post, notification within the Services or other reasonable means, or via email. Customer may object to the use of such additional Sub-processor within 30 days of receiving notice of the change by following the instructions set forth in the Sub-Processor List or by contacting privacy@inworld.ai. In such case, Inworld AI will work with Customer to address its concerns and offer commercially reasonable alternatives or solutions. If none of the alternatives or solutions are commercially feasible, in Inworld AI’s reasonable judgment, or if the objections have not been resolved to the satisfaction of the Parties within 30 days of Inworld AI’s receipt of Customer’s objection notice, then either Party may terminate the Agreement or any Order Forms or usage regarding the Services that cannot be provided without the use of the new Sub-Processor. In such case, Customer will be refunded any applicable pre-paid fees to the extent they cover periods or terms following the date of such termination.
2.10. Sub-processor obligations. Inworld AI shall enter into contractual arrangements with each Sub-Processor that imposes on them obligations comparable to those imposed on Inworld AI under this DPA. Subject to the limitations of liability included in the Agreement, Inworld AI will remain liable for the acts and omissions of its Sub-Processors to the same extent Inworld AI would be liable under this DPA if it performed such acts or omissions itself.
2.11. Data Return or Deletion. Following expiry or termination of the Agreement, Inworld AI will, at Customer’s instruction, return or delete Customer Data, and existing copies unless retention of Customer Data is required under applicable laws, in which case Inworld AI will isolate and protect it from any further processing except to the extent required by applicable laws.
  1. Customer Obligations.
3.1. Notices and authorizations. Customer represents, warrants and covenants that it has provided all necessary notices, and has and shall maintain throughout the Term all necessary rights, consents and authorizations, to the extent required under Data Protection Laws, to provide the Customer Data to Inworld AI and to authorize Inworld AI to process Customer Data in connection with the Agreement, including this DPA.
3.2. Cooperation. Customer shall reasonably cooperate with Inworld AI to assist Inworld AI in performing any of its obligations under applicable Data Protection Laws.
3.3. Configurations. Without prejudice to Inworld AI’s security obligations in Section 2.5 of this DPA, Customer acknowledges and agrees that it is responsible for certain configurations and design decisions for the Services and for implementing such configurations and design decisions (e.g., retention periods, deletion, etc.) in a manner that complies with applicable Data Protection Laws.
  1. International Data Transfers.
4.1. EEA and Swiss Data. Customer Data processed by Inworld AI under this DPA may fall within the scope of the Data Protection Laws of the European Economic Area or Switzerland (“EEA and Swiss Data”). Customer hereby instructs Inworld AI to process any EEA and Swiss Data in compliance with this DPA and with the SCCs as amended by the EU Addendum, which are deemed entered into (and incorporated into this DPA by this reference) and completed as described in Schedule 1.
4.2. UK Data. Customer Data processed by Inworld AI under this DPA may fall within the scope of the Data Protection Laws of the United Kingdom (“UK Data”). Customer hereby instructs Inworld to process any UK Data in compliance with this DPA and with the SCCs as amended by the UK Addendum, which are deemed entered into (and incorporated into this DPA by this reference) and completed as described in Schedule 1.
  1. Further Requirements. To the extent U.S. Privacy Laws apply:
5.1. Inworld AI agrees to (a) not provide Customer with monetary or other valuable consideration in exchange for Customer Data from Customer. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by
U.S. Privacy Laws) Customer Data to Inworld AI; (b) not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) Personal Data; (c) to the extent that Customer permits or instructs Inworld AI to process Customer Data subject to U.S. Privacy Laws in a de-identified form as part of the Services, Inworld AI shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) publicly commit to maintain and use such deidentified data in that form and not attempt to re-identify the information, except as may be permitted by U.S. Privacy Laws; and (iii) before sharing de-identified data with any other party, including Sub-Processors, contractually obligate any such recipients to comply with the requirements of this provision (c)(i)-(iii); and (d) where the Customer Data is subject to the CCPA (i) not retain, use, disclose, or otherwise process Customer Data except as necessary for the business purposes specified in the Agreement, including without limitation as set out in Schedule 1 of this DPA; (ii) not retain, use, disclose, or otherwise process Customer Data in any manner outside of the direct business relationship between Inworld AI and Customer; (iii) not combine any Customer Data with Personal Data that Inworld AI receives from or on behalf of any other third party or collects from Inworld AI’s own interactions with individuals, provided that Inworld AI may so combine Customer Data for a purpose permitted under the CCPA if directed to do so by Customer or as otherwise permitted by the CCPA; (iv) notify Customer without undue delay if Inworld AI determines that it can no longer meet its obligations under the CCPA; and (v) if Customer reasonably believes that Inworld AI’s Processing of Customer Data is not consistent with the requirements of the CCPA and upon Customer’s reasonable notification of the same to Inworld AI, the Parties will work together in good faith to remedy the issue, or, if after working together Customer reasonably determines that the issue cannot be remedied, Inworld AI will stop Processing the affected Customer Data upon written instruction from Customer.
5.2. Customer agrees to not take any action that would (a) render the provision of Customer Data to Inworld AI a “sale” under U.S. Privacy Laws or a “share” under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (ii) render Inworld AI not a “service provider” under the CCPA or “processor” under U.S. Privacy Laws.
  1. Definitions.
Customer Data” means Personal Data processed by Inworld AI on behalf of Customer to provide the Services.
Data Controller” has the meaning assigned to the term “controller” (or another analogous term) under Data Protection Laws.
Data Processor” has the meaning assigned to the term “processor” (or another analogous term) under Data Protection Laws.
Data Protection Laws” means data privacy and data protection laws applicable to Inworld AI’s processing of Customer Data in connection with the Services.
Data Subject” has the meaning assigned to the term “data subject” (or another analogous term) under Data Protection Laws.
GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
Personal Data” has the meaning assigned to the term “personal data” or “personal information” (or another analogous term) under Data Protection Laws.
Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data stored, transmitted or otherwise processed by Inworld AI, its Sub-Processors, or any other third parties acting on Inworld AI’s behalf.
Processing” has the meaning assigned to the term “processing” (or another analogous term) under Data Protection Laws.
SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the EU Commission on June 4, 2021 (as may be amended, updated or replaced from time to time).
Sub-Processors” means the sub-processors engaged by Inworld AI to process Customer Data in connection with the Services, listed in the Sub-Processor List.
Sub-Processor List” means the list available at the following address: https://trust.inworld.ai/
UK Addendum” means the UK addendum to the EU SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018.
U.S. Privacy Laws” means the subset of Data Protection Laws applicable to residents of the United States, including without limitation the California Consumer Privacy Act (“CCPA”).
Schedule 1Details of Processing
  1. Nature and Purpose:
The performance of the Services under the Agreement.
  1. Duration:
The Term and such time required thereafter for the Parties to perform their applicable obligations following the end of the Term, including data deletion.
  1. Categories of Customer Data:
Customer may submit Personal Data to the Services, the categories of which will depend upon Customer’s use of the Services which is determined and controlled by Customer in its sole discretion, but it may include, but is not limited to names, contact information, demographic information, or any other information provided by Customer’s End Users in unstructured data.
  1. Categories of data subjects:
The data subjects may include, but are not limited to Customer’s employees, customers, suppliers and generally End Users.
  1. Sensitive data transferred (if applicable):
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is intended to be transferred unless the user includes it unexpectedly in unstructured data
  1. Frequency:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on Customer’s use of the Services
  1. Transfers to Sub-Processors:
As per Article 2.9 of the DPA, Sub-Processors will Process Customer Data as necessary to perform the Services. Such Processing will be for the duration of the Agreement, unless otherwise agreed in writing.
  1. SCCs information for the transfer of EU Data under Section 4.2:
8.1. Module Two (Controller to Processor) of the SCCs apply when Customer is a Data Controller and Inworld AI is processing Customer Data as a Data Processor. Module Three (Processor to Sub-Processor) of the SCCs apply when Customer is a Data Processor and Inworld AI is processing Customer Data as a sub-processor.
8.2. For each module of the SCCs, where applicable, the following applies: (i) The optional docking clause in Clause 7 does not apply; (ii) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 2.9 of the DPA; (iii) In Clause 11, the optional language does not apply; (iv) All square brackets in Clause 13 are hereby removed; (v) In Clause 17, the SCCs will be governed by the laws in of the EU Member State in which the exporter is established; (vi) In Clause 18(b), disputes will be resolved before the courts in the EU Member State in which the exporter is established; (vii) This Schedule 1 contains the information required in Annex I and Annex III of the SCCs; (viii) Section 2.5 (Security) of the DPA contains the information required in Annex II of the SCCs, (ix) the competent supervisory authority is the data protection authority of the EU Member State in which the exporter is established.
8.3. Data exporter(s): the Customer under the Agreement; Data importer(s): Theai, Inc. dba Inworld AI. 1975 W El Camino Real #300, Mountain View, CA 94040, privacy@inworld.ai
  1. SCCs information for the transfer of UK Data under Section 4.2:
9.1. Module Two (Controller to Processor) of the SCCs apply when Customer is a Data Controller and Inworld AI is processing Customer Data as a Data Processor. Module Three (Processor to Sub-Processor) of the SCCs apply when Customer is a Data Processor and Inworld AI is processing Customer Data as a sub-processor.
9.2. For each module of the SCCs, where applicable, the following applies: (i) The optional docking clause in Clause 7 does not apply; (ii) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for
prior notice of sub-processor changes shall be as set forth in Section 2.9 of the DPA; (iii) In Clause 11, the optional language does not apply; (iv) All square brackets in Clause 13 are hereby removed; (v) In Clause 17 (Option 1), the SCCs will be governed by the laws of England and Wales; (vi) In Clause 18(b), disputes will be resolved before the courts of England and Wales; (vii) This Schedule 1 contains the information required in Annex I and Annex III of the SCCs; (viii) Section 2.5 (Security) of the DPA contains the information required in Annex II of the SCCs, (ix) the competent supervisory authority is the Information Commissioner’s Office (“ICO”).
9.3. Data exporter(s): the Customer under the Agreement; Data importer(s): Theai, Inc. dba Inworld AI. 1975 W El Camino Real #300, Mountain View, CA 94040, privacy@inworld.ai
Schedule 2
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical and organizational measures implemented by Inworld AI are listed in Inworld AI’s trust center available at https://trust.inworld.ai
Products
Realtime TTS
Realtime Router
Realtime STT
Realtime API
Agent Runtime
Developers
Documentation
API Reference
Models
Playground
Socials
X
LinkedIn
GitHub
Company
Careers
Blog
Security
Resources
Copyright © 2021-2026 Inworld AI
Privacy
Terms
Inworld AI – The #1 Ranked, Most Natural Voice AI