Start free

Data Processing Agreement

Last updated: June 3, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Convot.io ("Processor", "we", "us") and the customer that has accepted our Terms of Service ("Controller", "you") for the provision of the Service (the "Agreement"). It governs the processing of personal data by Convot.io on your behalf and reflects the parties' agreement on the terms governing the processing of personal data under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable data-protection laws (collectively, "Data Protection Laws").

Where you act as a processor for your own end customers, you enter into this DPA on behalf of, and in the name of, those controllers. In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of personal data.

1. Definitions

Terms such as "personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings given in the GDPR. "Customer Personal Data" means personal data that we process on your behalf in providing the Service. "Sub-processor" means any third party engaged by us to process Customer Personal Data.

2. Roles and scope of processing

As between the parties, you are the controller (or processor on behalf of a third-party controller) and Convot.io is the processor of Customer Personal Data. We will process Customer Personal Data only:

  • to provide, maintain, secure, and support the Service in accordance with the Agreement;
  • on your documented instructions, including those given through the Service's configuration and features; and
  • as otherwise required by applicable law, in which case we will inform you of that legal requirement before processing, unless the law prohibits such notice.

We will immediately inform you if, in our opinion, an instruction infringes Data Protection Laws. The subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects are set out in Annex 1.

3. Confidentiality

We ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and have received appropriate training on their responsibilities. Access is limited to personnel who need it to provide the Service.

4. Security measures

We implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as described in Annex 2 and on our Security page. We may update these measures over time provided the level of protection is not materially reduced.

5. Sub-processors

You grant Convot.io general authorisation to engage Sub-processors to process Customer Personal Data, subject to this section. We:

  • impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, by written contract;
  • remain liable to you for each Sub-processor's performance of its obligations; and
  • maintain an up-to-date list of Sub-processors (set out in Annex 3) and will give you reasonable prior notice of any intended addition or replacement, giving you the opportunity to object on reasonable data-protection grounds.

6. Assistance with data subject rights

Taking into account the nature of the processing, we provide reasonable assistance through appropriate technical and organisational measures (including the Service's self-service tools) to help you respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability, and objection. If we receive such a request directly from a data subject relating to Customer Personal Data, we will, where permitted, promptly direct the data subject to you.

7. Personal data breach notification

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed to address it. We will reasonably cooperate with you in investigating and mitigating the breach.

8. Impact assessments and prior consultation

Taking into account the nature of processing and the information available to us, we provide reasonable assistance to help you carry out data protection impact assessments and, where required, prior consultations with supervisory authorities.

9. International data transfers

We primarily process Customer Personal Data in data centres located in the European Union. Where Customer Personal Data is transferred to a country outside the European Economic Area or the United Kingdom that is not subject to an adequacy decision, such transfer is governed by the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), which are incorporated into this DPA by reference, together with supplementary measures where appropriate.

10. Audits

We make available to you information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports or summaries where available. Where you reasonably require further information, you may, no more than once per year and on reasonable prior notice, request an audit, which may be satisfied by our provision of relevant documentation and reports so as not to disrupt the security or confidentiality of other customers' data.

11. Return and deletion

Upon termination or expiry of the Agreement, and at your choice, we will delete or return all Customer Personal Data and delete existing copies, unless applicable law requires continued storage. Backups containing Customer Personal Data are deleted in the ordinary course in line with our retention schedule.

12. Liability and term

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA takes effect when you accept the Agreement and continues until all processing of Customer Personal Data has ceased.

Annex 1 - Details of processing

  • Subject matter - provision of the Convot.io customer-messaging, help center, scheduling, and related Service.
  • Duration - the term of the Agreement, plus any post-termination period required to return or delete data.
  • Nature and purpose - hosting, storage, transmission, display, and processing of conversations and related data to operate the Service on your behalf.
  • Categories of data subjects - your end users / website visitors, your agents and team members, and your contacts.
  • Types of personal data - identifiers (name, email, phone, external IDs), conversation content and attachments, technical and device data (IP address, user agent, page URL, approximate location), and any custom attributes you choose to send.
  • Special categories - none are required by the Service; you are responsible for not transmitting special-category data unless you have a lawful basis to do so.

Annex 2 - Technical and organisational measures

A summary of our measures is set out on the Security page, including encryption in transit and at rest, access controls and least-privilege access, network isolation, logical tenant separation, monitoring and logging, secure development practices, backups, and vendor management. These measures are reviewed and updated periodically.

Annex 3 - Sub-processors

We engage a limited set of infrastructure and operational Sub-processors, which may include cloud hosting and database providers, our payment processor (Stripe), our transactional email provider, and error-monitoring and analytics providers. A current list is available on request to [email protected], and material changes are notified in accordance with Section 5.

Questions about this DPA, or to execute a countersigned copy, can be sent to [email protected].