Data Processing Agreement
Version 1.1 — Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the service agreement between the Customer ("Controller") and Covren ("Processor"). It describes how Covren processes personal data on behalf of the Customer in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Definitions
- Controller — the Customer who determines the purposes and means of processing personal data via the Covren service.
- Processor — Covren, which processes personal data on behalf of the Controller.
- Sub-processor — a third party engaged by the Processor to process personal data on behalf of the Controller.
- Personal Data — any information relating to an identified or identifiable natural person.
- Data Subject — the identified or identifiable natural person to whom the personal data relates.
- Processing — any operation performed on personal data, including collection, storage, use, and deletion.
2. Scope of Processing
2.1 Subject matter
The Processor provides a change intelligence platform that ingests product changes, classifies customer impact using AI, generates documentation drafts, and distributes approved content.
2.2 Categories of data subjects
- Customer employees (console users): email addresses, names, role assignments
- Customer end-users (widget users): anonymized interaction data (page URLs, click events)
2.3 Types of personal data
- Account data: email address, display name, organization name
- Usage data: login timestamps, feature usage, session data
- Content data: change descriptions, documentation drafts
2.4 Purpose of processing
- Providing the documentation intelligence service
- AI-powered classification and draft generation
- Billing and account management
- Service monitoring and security
2.5 Duration
Processing continues for the duration of the service agreement plus 30 days for data deletion upon termination.
3. Obligations of the Processor
3.1 Instructions
The Processor shall process personal data only on documented instructions from the Controller, unless required by applicable law. If the Processor is required by law to process data beyond the Controller's instructions, the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).
3.2 Confidentiality
The Processor ensures that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Data subject rights
The Processor assists the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing the necessary tools and data exports. The bulk data export feature enables Controllers to fulfill data access and portability requests.
3.4 Audits
The Processor makes available all information necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
4. Sub-processors
4.1 Current sub-processors
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic | AI classification and draft generation | Code change metadata (redacted) | United States |
| Stripe | Payment processing | Billing name, email, payment method | United States |
| Railway | Infrastructure hosting (application, database, Redis) | All application data (encrypted) | United States |
| SendGrid | Transactional email delivery | Email address, email content | United States |
For the full sub-processor list, see Covren Sub-processors.
4.2 Changes to sub-processors
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors, providing the Controller an opportunity to object. If the Controller objects on reasonable grounds, the parties shall discuss the concern in good faith.
5. Security Measures
The Processor implements the following technical and organizational measures to protect personal data:
- Encryption at rest — AES-256 for all stored data
- Encryption in transit — TLS 1.2+ for all network communications
- Access control — role-based access control with four permission levels (viewer, editor, manager, admin)
- Authentication — bcrypt password hashing with brute-force protection and session management
- Audit logging — append-only audit logs for all data operations and administrative actions
- Rate limiting — Redis-backed request rate limiting to prevent abuse
- AI data protection — automated redaction of secrets, API keys, tokens, and PII before AI processing
- Infrastructure isolation — per-tenant data isolation at the application and database level
For additional details, see our Security page.
6. Data Breach Notification
The Processor shall notify the Controller without undue delay and, in any event, within 72 hours of becoming aware of a personal data breach affecting the Controller's data.
The notification shall include:
- The nature of the breach, including categories and approximate number of data subjects affected
- The name and contact details of the Processor's point of contact
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
The Processor shall cooperate with the Controller and provide timely updates as additional information becomes available.
7. Data Deletion
Upon termination of the service agreement, the Processor shall delete all personal data within 30 days, unless retention is required by applicable law. The Controller may request a full data export before termination.
The Controller may also request deletion of all data at any time through the console settings. Deletion requests include a 14-day grace period during which the request can be cancelled. After the grace period, deletion is permanent and irreversible.
The Controller may configure a custom data retention period (90, 180, 365, or 730 days) to automatically remove older data. See our Privacy Policy for details.
8. Standard Contractual Clauses
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to jurisdictions that do not provide an adequate level of data protection, the parties agree to the Standard Contractual Clauses (SCCs) adopted by the European Commission.
The applicable module is Module 2: Controller to Processor (Commission Implementing Decision (EU) 2021/914).
In addition to the SCCs, the Processor implements the security measures described in Section 5 of this DPA as supplementary measures to ensure an essentially equivalent level of data protection.
This DPA is governed by the same law as the underlying service agreement. For questions, contact privacy@covren.com.