ElevenLabs Data Processing Addendum
ElevenLabs Data Processing Addendum
Last Updated: November 11, 2025
This ElevenLabs Data Processing Addendum (“DPA”) forms part of the agreement between the Customer and ElevenLabs that references or otherwise incorporates this DPA. This DPA may be updated by ElevenLabs from time to time to the extent permitted by applicable law. For entities using Self-Serve Services (defined below), references to “Agreement” herein refer to the Terms, and references to “Customer” herein refer to “you” as provided in the Terms.
1. Definitions and Interpretation
Capitalized and undefined terms and expressions used in this DPA shall have the meanings ascribed to such terms in the Agreement (or if not defined therein, under Applicable Data Protection Laws).
“Applicable Data Protection Laws” means any privacy or data protection legislation or regulations applicable to such Party’s Processing of Personal Data under the Agreement, which may include, without limitation, European Data Protection Laws, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), and/or Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados – LGPD).
“Brazil SCCs” means the Brazil Standard Contractual Clauses approved by the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD), as updated or replaced from time to time.
“Controller” shall be interpreted consistent with Applicable Data Protection Laws and includes, at a minimum and where applicable, “controller”, as such term is defined under European Data Protection Laws and Applicable Data Protection Laws in the U.S., and “business”, as such term is defined under the CCPA.
"Customer Personal Data" means any Personal Data Processed by ElevenLabs as a Processor on behalf of Customer pursuant to the Agreement.
“Data Subject” shall be interpreted consistent with Applicable Data Protection Laws, and includes, at a minimum and where applicable, “data subject” as such term is defined under European Data Protection Laws and “consumer” as such term is defined under the CCPA and Applicable Data Protection Laws in the U.S.;
“Data Subject Rights” means the rights granted to Data Subjects under Applicable Data Protection Laws, which may include, as applicable, rights to information, access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent.
"Data Transfer" means a disclosure of Customer Personal Data by an organization subject to Applicable Data Protection Laws in the EEA, UK, Switzerland, or Brazil to another organization located outside of such respective jurisdiction.
"DPA" means this Data Processing Agreement;
"EEA" means the European Economic Area;
“EEA SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
"European Data Protection Laws" means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the EEA, including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”), and Switzerland, each as applicable, and as may be amended or replaced from time to time;
“EU-US Data Privacy Framework” means the adequacy decision laid down in the Commission Implementing Decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745 final;
“Personal Data” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable “personal data” as that term is defined under European Data Protection Laws and “personal information” as the term is defined under the CCPA.
“Process” and “Processing” shall be interpreted consistent with Applicable Data Protection Laws;
“Processor” shall be interpreted consistent with Applicable Data Protection Laws, and includes, at a minimum and where applicable, a “processor” as such term is defined under European Data Protection Laws and “service provider” or “contractor” as such terms are defined under the CCPA;
“SCCs” means the EEA SCCs, UK Addendum, or Brazil SCCs, as applicable.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise processed under the Agreement;
"Services" means the software provided by ElevenLabs to Customer under the Agreement;
"Subprocessor" means any entity appointed by ElevenLabs to Process Customer Personal Data on behalf of the Customer in connection with the Agreement;
“Third-Party Controller” means, in relation to Customer Personal Data Processed in connection with the Agreement, a Controller for which the Customer is a Processor; and
“UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
The terms, "Commission", "Member State", and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The terms, “Business Purpose”, “Share”, and “Shared” shall have the same meaning given to them under the CCPA. The terms “Sell” and “Selling” shall have the meaning defined in Applicable Data Protection Laws in the U.S.
2. Scope
2.1 This DPA applies to the extent ElevenLabs Processes Customer Personal Data as a Processor on behalf of Customer, where Customer is acting as a Controller or as a Processor for a Third-Party Controller. Details regarding the subject matter, nature, and purposes of the Processing, including the types of Customer Personal Data to be Processed and the categories of Data Subjects whose Personal Data will be Processed, are set out in Annex I, which is an integral part of this DPA.
2.2 As between the parties, Customer is responsible for compliance with the requirements of Applicable Data Protection Laws applicable to Controllers. In particular, and where applicable, Customer acknowledges and agrees that it will provide notice to Data Subjects about the Processing of Personal Data by ElevenLabs as described in this DPA, and obtain Data Subjects’ consent to such Processing by ElevenLabs as necessary to comply with Applicable Data Protection Law. In Processing Customer Personal Data hereunder, ElevenLabs shall comply with the relevant obligations under Applicable Data Protection Laws applicable to Processors.
2.3 Notwithstanding the foregoing, if Customer is a Processor on behalf of a Third-Party Controller, then Customer: (i) is the single point of contact for ElevenLabs; (ii) must obtain all necessary authorizations from such Third-Party Controller in connection with this DPA; (iii) will ensure that the Third Party Controller provides notice and obtains any consents necessary for Processing by ElevenLabs as set forth in this DPA; and (iv) as between the parties, undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
3. Processing of Customer Personal Data
3.1 ElevenLabs shall not Process Customer Personal Data other than: (i) on Customer’s relevant documented instructions, which, for avoidance of doubt, are set forth in the Agreement (including this DPA); or (ii) as expressly permitted by Applicable Data Protection Laws.
3.2 To the extent permitted by Applicable Data Protection Laws, Customer has the right to take reasonable and appropriate steps to ensure that ElevenLabs uses Customer Personal Data consistent with Customer’s obligations under Applicable Data Protection Laws.
3.3 If ElevenLabs becomes subject to a legal obligation that requires ElevenLabs to Process Customer Personal Data in contravention of Customer’s instructions issued per Section 3.1 hereof, ElevenLabs will inform Customer of such obligation to the extent legally permitted, to the extent required under Applicable Data Protection Laws.
4. Personnel
Without limitation to the obligations of confidentiality set forth in the Agreement, ElevenLabs shall use commercially reasonable efforts to ensure, in relation to the protection of Customer Personal Data: (i) the reliability of any employee, agent, or contractor who may have access to the Customer Personal Data; and (ii) access to Customer Personal Data is strictly limited to those individuals who need to know and access the relevant Customer Personal Data in carrying out the rights and obligations under the Agreement.
5. Security
5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the specific risks presented by the Processing of Customer Personal Data and the severity of a Personal Data Breach for the rights and freedoms of natural persons, ElevenLabs shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures designed to ensure a level of security appropriate to that risk, including, as relevant and applicable, the measures listed in Annex II.
6. Subprocessing
6.1. Customer hereby grants ElevenLabs a general authorization to engage Subprocessors in accordance with this Section 6. A list of ElevenLabs’ Subprocessors is maintained at https://compliance.elevenlabs.io (“Subprocessor List”).
6.2. ElevenLabs will enter into a written agreement with such Subprocessors which imposes relevant privacy and data security obligations in respect of the Customer Personal Data, which shall be substantially as protective as the terms set forth in this DPA.
6.3. ElevenLabs will notify Customer at least thirty (30) days prior to appointing any new or replacement Subprocessor (“Notice Period”) by updating the Subprocessor List. Customer may, on reasonable grounds relating to data privacy or data security, object to the addition or replacement of a Subprocessor by providing written notice detailing the grounds of such objection within the Notice Period. In such case, Customer and ElevenLabs will work together in good faith to address Customer’s objection. To the extent the Parties are unable to reasonably resolve the objection, either Party may, within thirty (30) days of the concluded negotiations, terminate the Services requiring the use of such Subprocessor upon written notice.
7. Data Subject Rights
7.1 Taking into account the nature of the Processing and the information reasonably available to ElevenLabs, ElevenLabs shall provide commercially reasonable assistance to Customer, including by implementing technical and organisational measures, as appropriate, in connection with Customer’s obligation to fulfill requests for the exercise of Data Subject Rights in relation to Customer Personal Data Processed hereunder.
7.2 ElevenLabs shall promptly (upon confirming the request relates to Customer) notify Customer if it receives a request from a Data Subject under any Applicable Data Protection Laws in respect of Customer Personal Data. ElevenLabs will not respond to such request except on the documented instructions of Customer or as required by applicable laws, provided ElevenLabs may respond to confirm the request relates to Customer or to direct the individual to the Customer.
8. Personal Data Breach
8.1 ElevenLabs shall notify Customer without undue delay upon confirming a Security Incident, providing Customer with reasonable information relating to such Security Incident, including information required to be provided by ElevenLabs to Customer under Applicable Data Protection Laws.
8.2 ElevenLabs shall, upon Customer’s reasonable request, provide commercially reasonable assistance and cooperation in connection with Customer’s investigation and mitigation of each such Security Incident.
9. Deletion or Return of Customer Personal Data
9.1. This DPA shall automatically terminate upon the termination of the Agreement.
9.2. Customer Content will be deleted from the Services pursuant to the following:
9.2.1 For Customers licensing ElevenLabs’ enterprise-level Services, Customer Content will be deleted from the Services within thirty (30) days of the expiration or termination of the Agreement, unless Customer consents to retention beyond such period; and
9.2.2 For Customers licensing ElevenLabs’ non-enterprise Services (“Self-Serve Services”), ElevenLabs reserves the right, but has no obligation to, delete Customer Content from such Self-Serve Services after a period of inactivity of one-hundred and eighty (180) days.
9.3 Notwithstanding Section 9.2 or any term to the contrary, ElevenLabs may retain Customer Content to the extent:
9.3.1 Required to comply with applicable law, provided that such Customer Personal Data shall only be used for the specific purpose for which it was retained; and/or
9.3.2 Contained in ElevenLabs’ backup systems pursuant to an automatic archival process, provided such information is purged in accordance with ElevenLabs’ standard retention policies in respect thereof.
9.3.3 Any Customer Content retained pursuant to this Section 9.3 shall remain subject to all relevant obligations of confidentiality set forth in the Agreement for so long as it is retained.
10. Audit rights and Compliance
10.1 Upon the reasonable, written request of Customer, and subject to obligations of confidentiality, ElevenLabs shall make available to Customer a then-current, industry standard third-party audit certification or report, including at a minimum, a SOC 2 Type II report. The Parties hereby agree that the provision of such report(s) shall satisfy any audit rights Customer may have under Applicable Data Protection Laws.
10.2 To the extent Customer is required by Applicable Data Protection Laws to carry out additional audits of ElevenLabs in connection with this DPA, Customer may virtually conduct such additional audits and inspections to the extent required by such Applicable Data Protection Laws, provided: (i) Customer and/or the Customer’s designated auditor agree to appropriate and relevant obligations of confidentiality with ElevenLabs; (ii) such audit or inspection does not unreasonably interfere with the normal conduct of ElevenLabs’ business and does not require the disclosure of the confidential information of third-parties; (iii) Customer and ElevenLabs mutually agree on the details of the audit, including the scope, timing, and duration thereof. Unless the audit or inspection reveals a material breach by ElevenLabs of this DPA, Customer shall bear the costs of the audit or inspection.
10.3 To the extent required to allow Customer to fulfill its obligations under Articles 35 or 36 of GDPR or equivalent provisions of other Applicable Data Protection Laws, ElevenLabs shall provide commercially reasonable assistance to Customer in connection with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities, to the extent relevant to the Processing of Customer Personal Data by ElevenLabs under the Agreement.
10.4 Information accessed or generated in connection with this Section 10, including the results of the audits permitted per this Section 10, shall be used by Customer solely for the purposes of meeting its obligations under Applicable Data Protection Laws and shall be deemed the Confidential Information of ElevenLabs.
11. Data Transfers
11.1 Customer hereby authorizes ElevenLabs to perform Data Transfers: (i) to any country deemed to have an adequate level of data protection by the European Commission, including on the basis of the EU-US Data Privacy Framework, or by other competent authorities (including those of UK, Switzerland, and Brazil), as applicable to the Data Transfer; (ii) pursuant to the SCCs referred to in this Section 11, as applicable; or (iii) on the basis of other adequate safeguards (including alternative transfer mechanisms) as permitted by Applicable Data Protection Laws. In respect of the SCCs incorporated herein: (i) the Parties hereby agree such SCCs shall be deemed executed upon this DPA taking effect; (ii) the Parties conclude the relevant module applicable to Controller-to-Processor transfers, or to the extent Customer is a Processor of a Third-Party Controller, the Processor-to-Processure module; (iii) ElevenLabs shall be deemed the “data importer” and Customer shall be deemed the “data exporter”, and each party’s details shall be as set forth in the Agreement; and (iv) Annexes I and II of this DPA shall serve as Annex I and II of the respective SCCs, as applicable.
11.2 The Parties hereby agree the EEA SCCs shall further be completed as follows: (i) the optional docking clause in Clause 7 does not apply; (ii) Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; (iii) the optional redress clause in Clause 11(a) is struck; (iv) Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; and (v) the courts in Clause 18(b) are the Courts of Ireland.
11.3 With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in the EEA) governs the Data Transfer(s), and to the extent ElevenLabs leverages the EEA SCCs to carry out such Data Transfers, the EEA SCCs will be deemed to be modified as follows to the extent required by the Swiss Federal Act on Data Protection (“FADP”):
11.3.1 References to the GDPR and the EEA SCCs are understood as references to FADP insofar as the data transfers are subject exclusively to FADPT and not to GDPR;
11.3.2 The term “member state” in the EEA SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EEA SCCs.
11.4 The Parties hereby agree the UK Addendum shall further be completed as follows: (i) in Table 2, the first option is selected and the “Approved EU SCCs” are the EEA SCCs referred to in Section 11.2 of this DPA; and (ii) in Table 4, “Importer” is selected.
11.5 The Parties hereby agree the Brazil SCCs shall further be completed as follows: (i) Clause 2 shall be populated with the detail provided in Annex I of this DPA; (ii) for purposes of Clause 3, Option B applies, provided such transfers are consistent with the terms of this DPA; (iii) for purposes of Clause 4, Option A applies, and the Exporter shall be the Designated Party; and (iv) the details to complete Section III are those set forth in Annex II of this DPA.
12. U.S. Data Protection Laws
12.1 To the extent Applicable Data Protection Laws in the U.S. apply in relation to ElevenLabs’ Processing of Personal Data hereunder:
12.1.1 ElevenLabs is prohibited from: (i) Selling Personal Data; (ii) Sharing Customer Personal Data, except as permitted by law; (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific Business Purpose(s) permitted under the Agreement; (iii) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as otherwise provided herein or expressly permitted under such Applicable Data Protection Laws. For avoidance of doubt, Customer Personal Data may be combined with Personal Data from other sources to the extent the applicable Data Subject maintains an account with ElevenLabs and is subsequently authorized by Customer to access the Services provided hereunder.
12.1.2 The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.
12.1.3 ElevenLabs shall promptly notify Customer if it determines that it can no longer meet its obligations under U.S. Applicable Data Protection Laws, to the extent required by law. Upon receiving notice from ElevenLabs in accordance with this subsection, Customer may direct ElevenLabs to take reasonable and appropriate steps, to the extent permitted by law, to stop and remediate unauthorized use of Customer Personal Data.
13. Data Residency.
13.1. In certain instances, Customer may specifically request that the Customer Personal Data uploaded to or otherwise contained within the Services be hosted in a particular jurisdiction where ElevenLabs offers data storage (“Data Residency”). Availability of this option is subject to ElevenLabs’ discretion. Notwithstanding any selected or agreed upon Data Residency or any other term to the contrary, Customer Personal Data may nevertheless be processed outside of such Data Residency location, including, but not limited to, the following instances:
13.1.1. Subprocessors: ElevenLabs may engage Subprocessors (per the process set forth in Section 6 hereof) located outside of the selected Data Residency location. In such instances Personal Data shall be transferred and processed in accordance with the relevant safeguards as provided in Section 11 hereof, as applicable.
13.1.2. Support Services: ElevenLabs’ support personnel outside of the Data Residency location may access Personal Data of Customer or Customer’s personnel (e.g., for customer support requests outside of ElevenLabs standard business hours).
13.1.3. Moderation Team: ElevenLabs’ safety team may, in the course of their responsibilities, access Customer Personal Data from outside of the Data Residency location for purposes of reviewing and managing Customer Content, including to ensure compliance with the Prohibited Use Policy.
ANNEX I
DESCRIPTION OF THE TRANSFER
A.LIST OF PARTIES
Data exporter:
- Customer (as defined in the Agreement)
- Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
- Name: ElevenLabs (as defined in the Agreement)
- Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B.DESCRIPTION OF INTERNATIONAL DATA TRANSFER
Categories of Data Subjects whose Personal Data is transferred:
Data subjects whose characteristics are present in content uploaded by or on behalf of the Customer.
Categories of Personal Data transferred:
Audio or video recordings, text input, or other content uploaded by or on behalf of the Customer.
Sensitive Data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the International Data Transfer (e.g. whether the Personal Data Is transferred on a one-off or continuous basis):
On a continuous basis.
Nature of the processing:
Customer Personal Data will be processed and transferred as described in the Agreement.
Purpose(s) of the International Data Transfer and further Processing:
Customer Personal Data will be transferred and further processed for the provision of the Services and as further described in the Agreement.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Customer Personal Data will be retained as set forth in Section 9 hereof.
For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing:
ElevenLabs may use Subprocessors to assist in providing the Services. The subject matter, nature, and duration of the Processing shall be consistent with the terms applicable to Data Importer herein.
C.COMPETENT SUPERVISORY AUTHORITY
The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of the EU Member State in which the data exporter is established.
The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
Where the Data Transfer is subject exclusively to FADP and not GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both FADP and GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by FADP, and the supervisory authority is the Supervisory Authority of the EU Member State in which the data exporter is established insofar as the transfer is governed by GDPR.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES DESIGNED TO ENSURE THE SECURITY OF THE DATA
In processing Customer Personal Data hereunder, ElevenLabs will implement the relevant technical and organizational measures set forth in the document titled ‘Annex II (Technical and Organizational Measures)’, available at https://compliance.elevenlabs.io/.