Data Processing Agreement

Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Coniva.ai ("Processor") and governs the processing of personal data by Coniva.ai on behalf of Customer in connection with the Coniva.ai service.

This DPA ensures compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Singapore Personal Data Protection Act (PDPA).

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed through the Coniva.ai service.
• "Data Controller" means the Customer who determines the purposes and means of processing Personal Data.
• "Data Processor" means Coniva.ai, which processes Personal Data on behalf of the Data Controller.
• "Sub-processor" means any third party appointed by Coniva.ai to process Personal Data.
• "Data Protection Laws" means applicable data protection and privacy laws including GDPR, CCPA, and PDPA.

2. Scope and Purpose of Processing

2.1 Subject Matter

Coniva.ai processes Personal Data to provide AI-powered conversational agents and related services as described in the Terms of Service.

2.2 Duration

Processing will continue for the duration of the service agreement and as required for legitimate business purposes or legal compliance.

2.3 Purpose

Personal Data is processed for:

• Providing the Coniva.ai conversational AI service
• Training and improving AI models for Customer's specific use case
• Customer support and technical assistance
• Billing and account management
• Security monitoring and fraud prevention

2.4 Categories of Data Subjects

Personal Data may relate to:

• Customer's employees and authorized users
• Customer's end users who interact with AI agents
• Individuals mentioned in uploaded documents or training data

2.5 Types of Personal Data

Categories of Personal Data may include:

• Identity data (names, usernames, contact information)
• Communication data (chat conversations, messages)
• Technical data (IP addresses, browser data, device information)
• Usage data (interaction patterns, feature usage)
• Content data (uploaded documents, training materials)

3. Processor Obligations

3.1 Processing Instructions

Coniva.ai will process Personal Data only on documented instructions from the Customer, including transfers to third countries or international organizations, unless required by applicable law.

3.2 Confidentiality

Coniva.ai ensures that persons authorized to process Personal Data are subject to confidentiality obligations and receive appropriate training on data protection.

3.3 Security Measures

Coniva.ai implements appropriate technical and organizational measures including:

• Encryption of Personal Data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Employee background checks and security training
• Incident response and business continuity procedures

3.4 Sub-processors

Customer provides general authorization for Coniva.ai to engage sub-processors. Current sub-processors include cloud infrastructure providers (AWS), AI model providers (OpenAI, Anthropic), and payment processors (Stripe).

4. Data Subject Rights

Coniva.ai will assist Customer in fulfilling data subject rights requests including:

• Right of access to Personal Data
• Right to rectification of inaccurate Personal Data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing

Customer remains responsible for responding to data subject requests within applicable timeframes.

5. Data Breaches

Coniva.ai will notify Customer without undue delay (within 72 hours where feasible) upon becoming aware of a personal data breach affecting Customer's data. The notification will include:

• Description of the nature of the breach
• Categories and approximate number of affected data subjects
• Likely consequences of the breach
• Measures taken or proposed to address the breach

6. International Transfers

Personal Data may be transferred to and processed in countries outside the Customer's jurisdiction. Coniva.ai ensures appropriate safeguards through:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by relevant data protection authorities
• Binding corporate rules where applicable
• Specific derogations as permitted by law

7. Data Retention and Deletion

Coniva.ai will delete or return Personal Data at the end of the service provision, except where retention is required by applicable law. Upon Customer's request, Coniva.ai will:

• Delete Personal Data within 30 days of request
• Provide confirmation of deletion
• Remove data from backups within 90 days
• Ensure sub-processors comply with deletion requirements

8. Audit and Compliance

Coniva.ai will make available to Customer information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by Customer or an auditor mandated by Customer.

Customer may request compliance documentation including security certifications, audit reports, and policy documentation.

9. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Coniva.ai will indemnify Customer against claims arising from Coniva.ai's non-compliance with this DPA, subject to the limitations in the Terms of Service.

10. Contact Information

For questions about this DPA or to exercise data protection rights: