This Data Processing Addendum (“DPA”) is entered into between Convyro AI (“Processor”) and the Customer (“Controller”) and forms part of the Convyro AI Terms of Service. It sets out the terms on which Convyro AI processes personal data on the Customer's behalf and ensures compliance with the EU General Data Protection Regulation (GDPR) and the UK GDPR. This DPA is effective from the date the Customer first accepts the Terms of Service at convyro.ai.
1. Background and Relationship
Purpose
This Data Processing Addendum ("DPA") forms part of the agreement between Convyro AI and the Customer (as defined in the Terms of Service) and governs the processing of Personal Data by Convyro AI on behalf of the Customer in connection with the Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of data processing matters.
Roles
The Customer is the Data Controller. Convyro AI is the Data Processor. Where Convyro AI engages sub-processors to assist in delivering the Service, those sub-processors act as sub-processors of Convyro AI.
Incorporation by reference
By using the Service, the Customer agrees to the terms of this DPA. For enterprise customers who require a countersigned copy, please contact [email protected] and we will execute a signed DPA within 5 business days.
2. Definitions
Key definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR. "Processing" has the meaning given in Article 4(2) GDPR. "Data Subject" means the natural person to whom Personal Data relates. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council. "UK GDPR" means the retained EU law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland. "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914. "Supervisory Authority" means the relevant data protection authority with jurisdiction over the Customer.
3. Details of Processing (Schedule 1)
Nature of processing
Storage, retrieval, AI-assisted analysis and generation, routing, structuring, and deletion of Customer Content, including customer conversation data, contact records, knowledge base material, and associated metadata.
Purpose of processing
To provide the Convyro AI platform features, including AI-powered auto-reply, lead qualification, appointment booking, inbox management, reporting, and related automation features as subscribed to by the Customer.
Duration
For the duration of the Customer's subscription, plus any post-termination period during which data is retained as permitted under the Terms of Service and this DPA (maximum 90 days following termination, or longer if required by law).
Categories of data subjects
The Customer's employees, contractors, and authorised users; and the Customer's end-customers and contacts whose data the Customer processes through the Service (e.g. leads, prospects, clients, chat participants).
Categories of personal data
Name, email address, phone number, messaging channel identifiers (e.g. WhatsApp number, Instagram handle), conversation content, appointment details, IP address, device identifiers, and any other personal data the Customer chooses to input into the Service.
Special categories
Convyro AI does not intentionally process special categories of personal data (Article 9 GDPR) on behalf of the Customer. The Customer must not input special category data into the Service unless they have assessed the lawfulness of such processing and obtained Convyro AI's prior written consent.
4. Obligations of Convyro AI as Processor
Documented instructions
Convyro AI shall process Personal Data only on documented instructions from the Customer, as set out in this DPA and the Terms of Service. If Convyro AI is required to process Personal Data under EU or Member State law, it will inform the Customer before processing unless prohibited by law.
Confidentiality
Convyro AI shall ensure that all persons authorised to process Personal Data are under an appropriate obligation of confidentiality (whether contractual or statutory).
Security
Convyro AI shall implement and maintain the technical and organisational security measures described in Schedule 2 of this DPA (Section 8), taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.
Sub-processors
Convyro AI shall not engage a sub-processor without prior general written authorisation from the Customer. This DPA constitutes such general authorisation for the sub-processors listed in Schedule 3 (Section 9). Convyro AI will notify the Customer of any intended changes to that list with at least 30 days' advance notice, giving the Customer the opportunity to object.
Data subject rights
Convyro AI shall assist the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Convyro AI will respond to Customer instructions regarding data subject requests within 5 business days. Customers may also contact [email protected] directly to submit data subject requests on behalf of their end-users.
Assistance with compliance
Taking into account the nature of processing and information available to Convyro AI, it shall assist the Customer in ensuring compliance with its obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, and prior consultation).
Deletion or return
Upon termination or expiry of the Service, and at the Customer's election, Convyro AI shall delete or return all Personal Data to the Customer, and shall delete existing copies, unless applicable law requires further storage. To request data deletion or return, the Customer must contact [email protected]. Convyro AI will fulfil such requests within 30 days. Encrypted infrastructure backups may persist for up to 30 additional days before permanent deletion.
Audit rights
Convyro AI shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA, and shall allow and contribute to audits and inspections conducted by the Customer or a third-party auditor mandated by the Customer. Audits must be conducted on reasonable notice, during business hours, and no more than once per calendar year unless a specific security incident warrants an additional audit.
5. Personal Data Breach Notification
Notification obligation
Convyro AI shall notify the Customer without undue delay — and in any event within 72 hours of becoming aware — of any Personal Data breach (as defined in Article 4(12) GDPR) affecting Customer Personal Data processed under this DPA.
Content of notification
Breach notifications will include, to the extent information is available: (a) a description of the nature of the breach, including the categories and approximate number of data subjects and Personal Data records affected; (b) the name and contact details of the Data Protection contact; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach and to mitigate its effects.
Cooperation
Convyro AI shall cooperate with the Customer in any investigation of the breach, in notifying affected Data Subjects where required, and in reporting to the relevant Supervisory Authority.
6. International Data Transfers
Transfer mechanism
Where Personal Data is transferred from the EEA to a third country (including to sub-processors in the United States), Convyro AI shall ensure such transfers are made on the basis of: (a) the European Commission Standard Contractual Clauses (Module Two, Controller to Processor) adopted by Implementing Decision (EU) 2021/914; and/or (b) an applicable adequacy decision issued by the European Commission.
UK transfers
For transfers from the United Kingdom, Convyro AI relies on the ICO's International Data Transfer Addendum to the EU SCCs (the "UK Addendum"), which adapts the EU SCCs so that they can be used as a valid transfer mechanism under the UK GDPR.
Supplementary safeguards
For transfers to the United States, Convyro AI implements supplementary technical safeguards including TLS encryption for all data in transit and data minimisation practices, ensuring only the minimum Personal Data necessary is transferred to each sub-processor.
SCCs incorporated by reference
The EU Standard Contractual Clauses (Controller-to-Processor, Module 2) are incorporated into this DPA by reference. In the event of any conflict between the SCCs and this DPA, the SCCs shall prevail. Customers who require the SCCs as a standalone executed document may request one from [email protected].
7. Obligations of the Customer as Controller
Lawful basis
The Customer is solely responsible for ensuring it has a lawful basis to collect and process Personal Data that it inputs into the Service, including obtaining any necessary consents from Data Subjects and providing required privacy notices.
Accuracy of instructions
The Customer warrants that its instructions to Convyro AI will not cause Convyro AI to violate applicable data protection law.
Channel compliance
Where the Customer connects third-party messaging channels (WhatsApp, Instagram, email), the Customer is responsible for complying with opt-in, opt-out, and consent requirements imposed by those platforms and by applicable law (including GDPR, PECR, TCPA, and anti-spam legislation).
Data minimisation
The Customer should only input into the Service the minimum Personal Data necessary for the specified purpose. The Customer should not input special category data or data belonging to minors without appropriate safeguards and prior written consent from Convyro AI.
8. Technical and Organisational Security Measures (Schedule 2)
Encryption
All Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. API keys, OAuth tokens, and payment credentials receive additional field-level protection using envelope encryption: each stored value is encrypted under its own data key, and that data key is itself encrypted under a separately managed key-encryption key, so that the master key can be rotated without re-encrypting the stored values.
Access control
Access to production systems containing Personal Data is restricted to authorised personnel only. Access requires multi-factor authentication (MFA) and hardware security keys. Access rights are reviewed quarterly and revoked immediately upon role change or departure.
Network security
Production systems are protected by network-level firewalls, web application firewalls (WAF), and DDoS mitigation controls. All inbound and outbound traffic is logged.
Vulnerability management
Convyro AI monitors dependencies for known vulnerabilities and applies security patches on a priority basis. Critical vulnerabilities are remediated as a matter of urgency. We operate a responsible disclosure programme — security researchers may report issues to [email protected].
Incident response
Convyro AI maintains an internal incident response procedure covering detection, containment, eradication, and recovery. In the event of a confirmed Personal Data breach, Convyro AI will notify affected Customers without undue delay in accordance with Section 5 of this DPA.
Business continuity
Automated encrypted backups of Customer data are performed by our infrastructure providers (Supabase / AWS) on a regular basis. Backups are stored in geographically redundant regions. Recovery time and recovery point objectives are governed by the SLAs of our underlying infrastructure providers.
Personnel
Convyro AI personnel with access to production data are kept to a minimum and are subject to contractual confidentiality obligations. Access is granted on a need-to-know basis and is revoked promptly upon role change or departure.
Physical security
Convyro AI does not operate its own data centres. All physical infrastructure is provided by sub-processors (Vercel, AWS) that hold ISO 27001 certification and SOC 2 Type II attestation reports, or equivalent independent assurance.
9. Approved Sub-Processors (Schedule 3)
General authorisation
By entering into this DPA, the Customer provides general written authorisation for Convyro AI to engage the sub-processors listed in the table below. Convyro AI will notify the Customer at least 30 days before adding or replacing a sub-processor, providing the Customer with the opportunity to object in writing.
Sub-processor obligations
Convyro AI imposes data protection terms on each sub-processor that provide at least the same level of protection as this DPA. Convyro AI remains liable to the Customer for the acts and omissions of its sub-processors to the same extent it would be liable if it performed the services directly.
| Sub-processor | Country |
|---|---|
| Vercel Inc. | United States |
| Amazon Web Services (AWS) | United States |
| Supabase Inc. | United States |
| Anthropic PBC | United States |
| OpenAI Inc. | United States |
| Stripe Inc. | United States |
| Twilio Inc. | United States |
| Meta Platforms Inc. | United States |
| Google LLC | United States |
10. Term and Termination
Duration
This DPA is effective as of the date the Customer first accepts the Terms of Service and shall continue in force for as long as Convyro AI processes Personal Data on behalf of the Customer.
Termination
This DPA automatically terminates upon expiry or termination of the Terms of Service. Termination does not affect any obligations that arose prior to termination, including obligations relating to data breaches or ongoing data subject requests.
11. Liability
Liability cap
Each party's total aggregate liability to the other under or in connection with this DPA shall be subject to the liability limitations set out in the Terms of Service.
Indemnification
Each party shall indemnify and hold harmless the other from and against claims, losses, damages, fines, and expenses (including reasonable legal fees) arising from that party's breach of this DPA or applicable data protection law.
12. Governing Law
Applicable law
This DPA is governed by the laws of the Netherlands, without regard to conflict-of-law principles, except to the extent that the Standard Contractual Clauses require otherwise.
Supervisory authority
The lead supervisory authority for Convyro AI is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Nothing in this DPA prevents the Customer from lodging a complaint with the supervisory authority in their own jurisdiction.
13. Requesting a Countersigned Copy
This DPA is binding on the Customer by virtue of accepting the Terms of Service. If your organisation requires a countersigned copy — for example for procurement, compliance, or enterprise vendor management purposes — email us and we will provide an executed copy within 5 business days.