A Data Processing Agreement (DPA) is a legally binding contract required under Article 28 of the General Data Protection Regulation (GDPR). It governs the relationship between a data controller (the organization that determines why and how personal data is processed) and a data processor (the organization that processes data on behalf of the controller).
In the context of voice AI, the data controller is the company building the product. The data processor is the TTS provider whose API synthesizes the text into audio.
## Why it matters
Text submitted to a TTS API frequently contains personal data: customer names, addresses, medical information, financial account details, legal documents, personal correspondence. Under GDPR, any provider processing this data must operate under a signed DPA. Without one, both the controller and the processor are in violation of GDPR Article 28, exposing both parties to enforcement action.
For EAA-regulated deployments, the compliance chain is clear: the EAA requires accessible digital services, accessible services often require TTS, TTS processes text that may contain personal data, and personal data processing requires a DPA. A missing DPA breaks the entire compliance chain.
## What a DPA must contain
GDPR Article 28(3) specifies the minimum contents:
| Requirement | What it means |
|---|---|
| Subject matter and duration | What data is processed and for how long |
| Nature and purpose | Why the data is being processed (e.g., speech synthesis) |
| Type of personal data | Categories: names, addresses, health data, financial data |
| Categories of data subjects | Whose data: customers, employees, patients |
| Controller obligations and rights | What the controller can require of the processor |
| Sub-processor disclosure | All third parties that also process the data |
| Data deletion or return | What happens when the contract ends |
| Audit rights | The controller’s right to verify compliance |
## Evaluating TTS providers
When selecting a TTS provider for regulated deployments, verify:
- Signed DPA available: the provider offers a standard or negotiable DPA.
- Sub-processor list: all entities that handle the data are disclosed.
- Data residency: where the data is processed (EU or non-EU).
- Retention policy: whether the provider retains submitted text or generated audio after synthesis.
- Training data usage: whether submitted text is used to train or improve the provider’s models.
A provider that deletes all data immediately after synthesis and offers EU data residency presents the lowest compliance risk. See the EAA Voice Accessibility Guide for provider evaluation criteria.
## Frequently Asked Questions
### What is a DPA?
A DPA (Data Processing Agreement) is a legally binding contract between a data controller and a data processor, required under GDPR Article 28. It defines how personal data is processed, stored, and protected.
### Why do TTS providers need a DPA?
Text submitted to a TTS API may contain personal data: names, addresses, medical information, financial details. Under GDPR, any provider processing this data on behalf of a customer must have a signed DPA in place.
### What must a DPA contain?
A DPA must specify the subject matter and duration of processing, the type of personal data involved, the categories of data subjects, the obligations and rights of the controller, data deletion or return procedures, and sub-processor disclosure.
### Is a DPA required for all TTS usage?
A DPA is required when the text being synthesized may contain personal data of EU residents. If you are synthesizing only generic, non-personal content, a DPA may not be strictly required, but it is best practice to have one in place regardless.
### What happens if a TTS provider does not offer a DPA?
Using a provider without a DPA to process personal data violates GDPR Article 28. This creates compliance risk for both the provider and the customer, and may result in fines of up to EUR 20 million or 4% of annual worldwide turnover.