BookAmor – Data Processing Agreement (DPA)

This Data Processing Agreement (“Agreement”) forms part of the service arrangement under which a Library (“Controller”) uses the BookAmor platform. Pronunciator LLC (“Processor”) provides and operates BookAmor on behalf of the Controller.

1. Definitions

  • Processor: Pronunciator LLC
  • Controller: The library using BookAmor
    • li>Personal Data: Any information relating to an identified or identifiable natural person
  • Terms not defined here have the meanings set out in the GDPR.

2. Subject Matter, Nature, and Purpose

The Processor provides a hosted, multi-tenant discovery interface (BookAmor) configured specifically for each Library. The Processor loads library configuration, authentication rules, catalog templates, and usage logging settings based on the Library’s instructions.

Purpose of processing:

  • Providing library-authorized access to BookAmor
  • Performing optional IP- or card-based authentication
  • Enabling catalog search and recommendations
  • Providing anonymous usage statistics to the Library
  • Generating text responses for the Ask-AI Reading Aide

3. Categories of Personal Data Processed

Depending on the Library’s configuration, the following data may be processed:

a. Access Information

  • IP address, only to determine eligibility when the Library enables IP-based authentication.
  • Library-card number at the moment the patron enters it. It is validated against pattern rules and is not stored permanently.
  • Opaque authentication tokens (“remember-me” tokens) used to avoid repeated card entry. Tokens do not identify a user.

b. Anonymous Usage Events

The Processor logs anonymous events so the Library may understand usage of BookAmor. Logged fields include:

  • Library ID
  • Action type (e.g., page view, recommendation request, Ask-AI request, find-in-library click)
  • Media type
  • Seed title (truncated)
  • Access method (“ip”, “card”, or “none”)
  • Timestamp

c. Ask-AI Messages

The Ask-AI Reading Aide processes only the item title, media type, and the patron’s question. No personal identifiers or tracking data are sent to OpenAI.

4. Duration

Processing continues for as long as the Library uses BookAmor or until the Controller instructs the Processor to delete data.

5. Processor Obligations

  • Process data only on documented instructions from the Controller.
  • Implement appropriate technical and organizational security measures.
  • Ensure personnel with access are bound by confidentiality.
  • Not engage additional sub-processors without notice, except where necessary for hosting and the Ask-AI endpoint.
  • Assist the Controller in fulfilling GDPR obligations where reasonably possible.
  • Delete or return personal data upon request or at the end of service, noting that BookAmor normally stores minimal or no personal data.

6. Sub-Processors

The Controller authorizes the following sub-processors:

  • Hosting providers used to operate the BookAmor service (United States).
  • OpenAI, used solely for generating Ask-AI responses.

7. International Transfers

The Processor operates in the United States. The Controller acknowledges and consents to data necessary for providing BookAmor being processed in the United States. OpenAI processes text under contractual terms intended to comply with GDPR requirements.

8. Controller Obligations

The Controller is responsible for informing patrons about BookAmor’s operation, selecting appropriate authentication modes, and ensuring the legality of those choices under local rules and policies.

9. Security Measures

  • Secure session handling
  • Secure cookies (httponly, secure, samesite=lax)
  • No storage of library-card numbers
  • No creation of user accounts or reading histories
  • No tracking or analytics cookies
  • Database access controls and minimized event logging
  • Error logging without personal identifiers

10. Liability

Each party is responsible for its own compliance with GDPR. The Processor is liable only for processing performed outside the Controll

BookAmor – Data Processing Agreement (DPA)

This Data Processing Agreement (“Agreement”) forms part of the service arrangement under which a Library (“Controller”) uses the BookAmor platform. Pronunciator LLC (“Processor”) provides and operates BookAmor on behalf of the Controller.

1. Definitions

  • Processor: Pronunciator LLC
  • Controller: The library using BookAmor
    • li>Personal Data: Any information relating to an identified or identifiable natural person
  • Terms not defined here have the meanings set out in the GDPR.

2. Subject Matter, Nature, and Purpose

The Processor provides a hosted, multi-tenant discovery interface (BookAmor) configured specifically for each Library. The Processor loads library configuration, authentication rules, catalog templates, and usage logging settings based on the Library’s instructions.

Purpose of processing:

  • Providing library-authorized access to BookAmor
  • Performing optional IP- or card-based authentication
  • Enabling catalog search and recommendations
  • Providing anonymous usage statistics to the Library
  • Generating text responses for the Ask-AI Reading Aide

3. Categories of Personal Data Processed

Depending on the Library’s configuration, the following data may be processed:

a. Access Information

  • IP address, only to determine eligibility when the Library enables IP-based authentication.
  • Library-card number at the moment the patron enters it. It is validated against pattern rules and is not stored permanently.
  • Opaque authentication tokens (“remember-me” tokens) used to avoid repeated card entry. Tokens do not identify a user.

b. Anonymous Usage Events

The Processor logs anonymous events so the Library may understand usage of BookAmor. Logged fields include:

  • Library ID
  • Action type (e.g., page view, recommendation request, Ask-AI request, find-in-library click)
  • Media type
  • Seed title (truncated)
  • Access method (“ip”, “card”, or “none”)
  • Timestamp

c. Ask-AI Messages

The Ask-AI Reading Aide processes only the item title, media type, and the patron’s question. No personal identifiers or tracking data are sent to OpenAI.

4. Duration

Processing continues for as long as the Library uses BookAmor or until the Controller instructs the Processor to delete data.

5. Processor Obligations

  • Process data only on documented instructions from the Controller.
  • Implement appropriate technical and organizational security measures.
  • Ensure personnel with access are bound by confidentiality.
  • Not engage additional sub-processors without notice, except where necessary for hosting and the Ask-AI endpoint.
  • Assist the Controller in fulfilling GDPR obligations where reasonably possible.
  • Delete or return personal data upon request or at the end of service, noting that BookAmor normally stores minimal or no personal data.

6. Sub-Processors

The Controller authorizes the following sub-processors:

  • Hosting providers used to operate the BookAmor service (United States).
  • OpenAI, used solely for generating Ask-AI responses.

7. International Transfers

The Processor operates in the United States. The Controller acknowledges and consents to data necessary for providing BookAmor being processed in the United States. OpenAI processes text under contractual terms intended to comply with GDPR requirements.

8. Controller Obligations

The Controller is responsible for informing patrons about BookAmor’s operation, selecting appropriate authentication modes, and ensuring the legality of those choices under local rules and policies.

9. Security Measures

  • Secure session handling
  • Secure cookies (httponly, secure, samesite=lax)
  • No storage of library-card numbers
  • No creation of user accounts or reading histories
  • No tracking or analytics cookies
  • Database access controls and minimized event logging
  • Error logging without personal identifiers

10. Liability

Each party is responsible for its own compliance with GDPR. The Processor is liable only for processing performed outside the Controll