Data Processing Addendum - World-Meeting

B2B Annex

Version: 1.0

Effective date: 27 May 2026

This Data Processing Addendum, or "DPA", defines the conditions under which World-Meeting processes personal data on behalf of a business Client in connection with the Service.

It supplements the Terms of Use, the Terms of Sale, the Privacy Policy, the Refund and Cancellation Policy and the Legal Notice.

This DPA applies where the Client acts as controller and World-Meeting acts as processor within the meaning of the GDPR or an equivalent applicable data protection law.

This DPA is intended for business Clients and does not necessarily need to be displayed in the main footer of the Site, provided that it is made available to relevant business Clients where required.

The "Client" means the professional entity, organization, association, institution, educational establishment, training organization, company or person acting in a professional context who orders or uses World-Meeting to organize rooms involving its own participants.

"World-Meeting" means the operator of the Service.

The Client and World-Meeting are together the "Parties".

For processing carried out to provide the room according to the settings selected by the Client, including admission of participants, audio/video transmission, translation, subtitles, messages and operation of the room, World-Meeting acts as processor of the Client where the Client determines the essential purposes and means of the processing.

For processing carried out for World-Meeting's own purposes, including payment, billing, tax, fraud prevention, Site security, dispute management, Stripe evidence, Service improvement, aggregated statistics, legal compliance and defense of rights, World-Meeting acts as an independent controller.

This DPA applies only to processing carried out by World-Meeting as processor.

The Client instructs World-Meeting to process the personal data necessary to provide the Service in accordance with:

• the Terms of Use;
• the Terms of Sale;
• the Order;
• the selected room settings;
• the Service documentation;
• this DPA;
• the Client's reasonable, lawful written instructions.

World-Meeting processes personal data as processor only on documented instructions from the Client, unless applicable law requires processing. In that case, World-Meeting informs the Client of that obligation before processing, unless prohibited by law.

World-Meeting may refuse an instruction that is unlawful, disproportionate, technically impossible, contrary to the security of the Service, incompatible with the Terms of Use or Terms of Sale, or likely to infringe the rights of other users.

5.1 Subject Matter

The subject matter of the processing is the provision of online meeting rooms with audio/video, organizer-based admission, automated translation features, subtitles, translated voice, messages, screen sharing, speaking control and related features.

5.2 Duration

The processing lasts for the duration of the Client's use of the Service, then for the retention periods necessary for security, support, operational retention, evidence, legal obligations, disputes and deletion or anonymization.

5.3 Nature of Processing

Processing may include:

• collection;
• recording;
• structuring;
• storage;
• transmission;
• display;
• synchronization;
• technical modification;
• automated translation;
• temporary or finalized transcription;
• temporary hosting;
• limited consultation;
• logging;
• securing;
• deletion;
• anonymization;
• limited evidence extraction where necessary.

5.4 Purposes

The purposes are to:

• allow the Client to create and manage rooms;
• allow participants to request admission;
• allow the organizer to approve or reject access;
• provide audio, video, screen sharing and messages;
• provide requested translations, subtitles and translated voice;
• manage speaking control;
• maintain security and availability;
• provide support;
• handle incidents;
• comply with contractual and legal obligations;
• manage evidence related to the Service.

5.5 Categories of Data

The categories of data may include:

• visible names;
• email addresses where provided;
• technical identifiers of room, participant, organizer or order;
• language preferences;
• admission status;
• text messages;
• audio/video data transmitted in real time;
• screen sharing data;
• subtitles and translations;
• temporary translation recaps;
• speaking control events;
• presence and heartbeat events;
• technical data relating to browser, device, network and errors;
• report or support data;
• security and access metadata.

5.6 Categories of Data Subjects

Data subjects may include:

• organizers;
• participants;
• guests;
• employees, contractors, clients, students, speakers or partners of the Client;
• persons appearing or being heard in a room;
• persons mentioned in a message, screen share, subtitle or translation;
• representatives of the Client.

5.7 Sensitive Data

The Service is not designed to process sensitive data.

The Client undertakes not to transmit, or cause to be transmitted, sensitive, regulated or highly confidential data through World-Meeting, unless there is an appropriate legal basis, information to data subjects, additional measures and a specific written agreement where necessary.

If sensitive data are incidentally shared in a room by the Client or its participants, the Client remains responsible for the lawfulness of that processing.

For processing carried out as processor, World-Meeting undertakes to:

• process data only on documented instructions;
• ensure that persons authorized to process data are subject to a confidentiality obligation;
• implement appropriate security measures;
• reasonably assist the Client in responding to data subject rights requests;
• reasonably assist the Client in complying with its obligations relating to security, personal data breaches, data protection impact assessments and prior consultation where applicable;
• inform the Client where an instruction appears to infringe applicable regulations;
• not engage a further subprocessor except under the conditions of this DPA;
• delete, anonymize or return data at the end of the provision of the Service, according to the available features and subject to legal obligations, disputes, evidence and backups;
• make available reasonable information necessary to demonstrate compliance with this DPA.

The Client undertakes to:

• process data lawfully, fairly and transparently;
• inform participants and data subjects;
• have an appropriate legal basis;
• obtain necessary consents, including for certain audio/video uses, recording, translation, subtitles, sensitive data or specific professional contexts;
• not use World-Meeting for unlawful processing;
• not transmit excessive data;
• configure rooms correctly;
• manage admission and participants;
• respond to rights requests where the Client is controller;
• document its own processing;
• carry out a data protection impact assessment if its use requires it;
• comply with laws applicable in the countries of participants;
• verify that the Service meets its security, confidentiality and compliance requirements.

The Client authorizes World-Meeting to use subprocessors necessary to provide the Service.

These subprocessors may include, in particular, providers of hosting, infrastructure, payment, WebRTC, automated translation, transactional email, security, CDN, monitoring, technical analytics, support, accounting or dispute services.

The main categories of providers and subprocessors are described in the Privacy Policy, including their roles, categories of data concerned, main location where known and transfer safeguards where applicable.

World-Meeting imposes on its subprocessors data protection obligations substantially equivalent to those of this DPA for the relevant processing.

World-Meeting remains responsible toward the Client for the performance of the data protection obligations of its subprocessors to the extent required by applicable law.

World-Meeting may add or replace a subprocessor. Where the change is substantial, World-Meeting may inform the Client by updating the Privacy Policy or provider list, by notice, email or any reasonable means. The Client may object on legitimate data protection grounds within a reasonable time. If the Parties cannot find a reasonable solution, the Client may stop using the affected features or terminate the relevant Order where permitted by law or contract.

World-Meeting and its subprocessors may process data in the European Union, the United States or other countries.

Where personal data are transferred outside the European Union or the European Economic Area to a country that does not benefit from an adequacy decision, World-Meeting implements an appropriate transfer mechanism where required, including:

• Standard Contractual Clauses;
• Data Privacy Framework where available and applicable;
• adequacy decision;
• additional contractual and technical measures;
• encryption, pseudonymization or minimization where appropriate.

The Client authorizes such transfers to the extent necessary to provide the Service.

World-Meeting implements technical and organizational measures appropriate to the risk, including depending on configuration:

• TLS encryption in transit;
• access control to systems;
• admin authentication;
• hashed storage of tokens, organizer secrets and room access tokens where possible;
• OpenAI secrets and API keys kept server-side;
• short-lived temporary client secrets;
• separation of environments where applicable;
• rate limiting;
• protection against abuse;
• logging of critical events;
• minimization of evidence data;
• masking or encryption of certain access data;
• deletion of secrets in exports;
• retention policies;
• backups and restoration according to infrastructure;
• monitoring and alerting;
• restricted access to authorized persons;
• confidentiality clauses with authorized persons or relevant providers.

The Client acknowledges that security also depends on its own actions, including preservation of organizer codes, management of invitations, approval of participants, security of devices, networks, browsers and email accounts.

World-Meeting informs the Client without undue delay after becoming aware of a personal data breach affecting data processed as processor, where such notification is required by applicable law.

The notification may include, to the extent reasonably available:

• the nature of the breach;
• the categories of data concerned;
• the categories of data subjects concerned;
• likely consequences;
• measures taken or proposed;
• information allowing the Client to comply with its own obligations.

The Client is responsible for notifying the supervisory authority or data subjects where that obligation falls on the Client as controller.

Where World-Meeting receives a rights request concerning data processed on behalf of the Client, World-Meeting may:

• direct the person to the Client;
• forward the request to the Client;
• request instructions;
• respond directly where World-Meeting also acts as controller or where required by law.

World-Meeting reasonably assists the Client, to the extent technically possible and proportionate, in responding to access, rectification, erasure, restriction, objection or portability requests.

Reasonable fees may be charged if the assistance exceeds standard support, unless contrary legal obligation applies.

World-Meeting provides reasonable assistance to the Client for:

• security of processing;
• data protection impact assessments;
• prior consultation with a supervisory authority;
• requests for information relating to subprocessors;
• available information on technical and organizational measures.

This assistance takes into account the nature of the Service, the information available, World-Meeting's role and the risks of the processing.

At the end of the provision of the Service, World-Meeting deletes, anonymizes or returns personal data processed on behalf of the Client, according to the available features, the nature of the data and the applicable retention periods.

Certain data may be retained where necessary for:

• legal obligations;
• accounting and tax;
• security;
• fraud prevention;
• disputes;
• payment disputes;
• evidence of provision of the Service;
• temporary backups;
• protection of the rights of World-Meeting or third parties.

Data retained after the end of the Service are limited, secured and used only for the purposes justifying their retention.

World-Meeting makes available to the Client reasonable information necessary to demonstrate compliance with this DPA, including documentation, summary of security measures, attestations, questionnaire responses or information about subprocessors where available.

On-site audits or intrusive technical tests are possible only with prior written agreement, reasonable scope, confidentiality, sufficient notice, absence of disruption to the Service and limitation to what is strictly necessary.

The Client must not access data of other clients, secrets, sensitive security information, source code, shared infrastructure or confidential information that is not necessary.

The costs of a specific audit may be borne by the Client, unless mandatory law provides otherwise.

World-Meeting ensures that persons authorized to process personal data are subject to an appropriate contractual, legal or professional confidentiality obligation.

The Client also undertakes to protect World-Meeting's confidential information, including architecture, security measures, secrets, technical information, prices, evidence, reports and non-public documentation.

Where the Client is subject to an applicable U.S. privacy law, including a state privacy law, World-Meeting acts, depending on the context, as service provider, processor or equivalent for data processed on behalf of the Client.

In that context, World-Meeting undertakes, to the extent applicable:

• not to sell personal data processed on behalf of the Client;
• not to share such data for cross-context behavioral advertising, unless lawfully instructed by the Client;
• not to use such data for any purpose other than providing the Service, security, compliance, evidence or purposes authorized by law;
• not to combine the data with other data except in authorized cases;
• to reasonably assist the Client with applicable rights requests.

In the event of a conflict between this DPA and the Terms of Use or Terms of Sale concerning the protection of personal data processed by World-Meeting as processor, this DPA shall prevail.

The Terms of Use and Terms of Sale remain applicable to commercial matters, liability, payment, refunds, disputes, intellectual property and use of the Service.

This DPA applies for the duration of the Client's use of the Service and until deletion, anonymization, return or expiry of the personal data concerned, subject to legal obligations and evidence needs.

Termination of the Terms of Use, Terms of Sale or the Order ends this DPA for future processing, without affecting obligations relating to data retained for legitimate or legal purposes.

For any question relating to this DPA:

• Privacy contact: [email protected]
• General contact: [email protected]