Data Processing Agreement

April 27, 2024

This Data Processing Agreement (DPA) sets forth the terms under which personal data shall be processed in connection with the Services provided as detailed in the Order Form and governed by the accompanying Terms and Conditions (T&C). This DPA is designed to ensure compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and any other applicable data protection laws. The provisions of this DPA are hereby incorporated into and form an integral part of the Order Form and T&C.

Background

For the purposes of this DPA, Customer Data means the electronic data or Material you provide us via the Services we offer to you. Personal Data means any Customer Data that could be used to identify a natural person.


1. Our Roles

  • This DPA covers Converta’s processing of Personal Data relating to the Services as a Processor.

  • For the purposes of this DPA:

    • You are the Data Controller of the Personal Data; and

    • Converta is the Data Processor of the Personal Data (which we describe in more detail in Annex A).

  • All Personal Data that Converta processes under the Agreement remains your property. At no point will Converta act as a Data Controller of your Data.

2. Instructions

  • We both agree that any agreement for the Services (including this DPA) and our use of the Service make up our complete instructions about how Personal Data is processed. We will refer to this as our Instructions. Any further Instructions will be set out in writing and agreed between both of us.

  • We both agree that the subject matter, nature, purpose and duration of the processing under this DPA will be as described in Annex A. This includes the types and categories of Personal Data.

3. What Customer needs to do

    • You are responsible for making sure that any Personal Data is accurate.

    • You will make sure that you have the right to send Personal Data to us.

4. What Converta will do

  • Converta will comply with the Privacy Laws that apply at all times, but in particular:

    • Converta will only process Personal Data as agreed with you in Annex A in order to provide the Service, unless required to do so by law. If there is a legal requirement for Converta to process Personal Data outside of these Instructions, Converta will inform you promptly, unless the law does not allow Converta to.

    • Converta will ensure that its staff:

      • are fully aware of their responsibilities under this DPA; and

      • have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Privacy Laws (Art. 28(3)(b) GDPR).

    • Converta will maintain appropriate technical and organizational security measures to protect Personal Data from a Data Breach in accordance with Privacy Laws (Art. 32 GDPR). These measures are set out in Annex B. These may be updated over time, but any changes will not reduce the level of protection. Upon request, Converta will provide you with the latest documents to support the above. This includes any certificates or reports from Converta or third parties.

    • In the event of a confirmed Data Breach, Converta will notify you without undue delay, but in any event within 24 hours. If the information below is not available at the time of the notice, Converta will send you the details as soon as they are available. This notice will contain details of:

      • the nature of the Data Breach;

      • details, where possible, of the categories and number of records involved;

      • the likely consequences of the Data Breach;

      • the steps taken or that will be taken to address the Data Breach and/or mitigate its effects; and

      • any other information required under Privacy Laws.

    • Converta will provide you with reasonable assistance in meeting your responsibilities in the event of a Data Breach. This includes taking commercially reasonable steps to help with investigating, mitigating, and rectifying the cause of the Data Breach.

    • Converta will provide you with commercially reasonable support in responding to a Data Subject exercising a right under applicable Privacy Laws. If Converta receives a direct request from a Data Subject, we will direct the Data Subject to you, unless prohibited by law.

    • Converta will promptly let you know if, in our opinion, any Instruction infringes Privacy Laws. In this case, Converta is entitled to refuse to process Personal Data.

    • If Converta receives a communication from a Supervisory Authority that relates to the processing under this DPA, we will inform you promptly.

    • When Converta engages any Sub-Processor, we will only do so as set out in Section 5.

    • You are allowed to audit Converta, and we will support this as set out in Section 7.

5. Sub-Processors

  • Converta has your general written authorization to use the Sub-Processors listed in Annex A as of the Start Date.

  • Converta's use of Sub-Processors requires Converta to agree via a written contract:

    • the Sub-Processor will only process Personal Data in a manner consistent with your Instructions; and

    • to protect the Personal Data in a manner consistent with the requirements of this DPA (including implementing and maintaining appropriate technical and organizational measures consistent with Annex B of this DPA).

  • Converta will remain liable to you for the processing carried out by any Sub-Processor under this DPA.

  • If Converta needs to make a change to the processing carried out by Sub-Processors or add a new Sub-Processor in order to provide the Service, we will inform you at least 30 days before any such change via email.

  • This notice will describe the changes, including what activity is being carried out and the name and location of the new Sub-Processor (if applicable).

  • You may object to any notice that Converta provides under Section 5.4. Any objection must be reasonable and given within 14 days of the notice Converta provides you. In this case, Converta will work with you in good faith to address any concerns.

  • If these concerns are not resolved, you may either:

    • instruct Converta not to begin or to cease the proposed processing activity, in which case this DPA will continue unaffected; or

    • terminate the Agreement immediately and receive from Converta a pro rata refund of any pre-paid fees for Services unused after the date of termination.

  • In the event you do not respond within the aforementioned period as described in Section 5.e, the approval of the new Sub-Processor shall be deemed to have been granted by you.

6. Storage & Transfer

  • Converta may transfer Personal Data outside of the European Union solely for the purposes of our Affiliates or Sub-Processors accessing Personal Data in order to provide the Service.

  • Any transfers of Personal Data outside of the European Union will be subject to the Standard Contractual Clauses (SCCs) and other requirements of Chapter 5 of the GDPR, including:

    • Data transfer impact assessments;

    • Third country assessments; and

    • Agreeing to additional safeguards as necessary.

  • Converta will not volunteer any information about your Data. If Converta or our Sub-Processors receive a Government Request relating to Personal Data under this DPA, we will:

    • take reasonable steps to confirm the request is valid;

    • inform the government authority explaining that we are a Processor of your Data;

    • attempt to direct the government authority to you; and

    • notify you about the Government Request to allow you to seek your own remedy.

7. Agreement Mechanics

  • Converta will assist you in ensuring that you comply with your legal obligations, taking into account the nature of the processing and the information available to us. This assistance shall only apply to the extent that applicable legislation obligates Converta as a Data Processor.

  • You (or a representative you appoint, under signed non-disclosure commitments) are entitled to audit Converta's activities under this DPA. We will both agree on the timing of the audit and the resources required. This will be at least 14 days before any on-site inspection.

  • Any request for information or audit shall be carried out by electronic disclosure as far as possible to reduce any time required for an on-site inspection. Any on-site inspection will be carried out in a way that does not disrupt Converta's usual business operations or obligations to a third party.

  • The obligations under this DPA shall begin on the Start Date and continue for as long as Converta processes your Data under the Agreement.

  • Any obligations that, due to their nature, are meant to survive the expiry of this DPA shall remain in force after the expiry of the Agreement.

  • Any deletion of data by Converta is always subject to any legal requirements for us to retain data.

8. Liability

  • Each party shall be liable to the other for any loss or damage incurred as a result of that party's breach of their obligations under this DPA or Privacy Laws.

  • Liability is governed by applicable Privacy Laws (including Art. 82 GDPR). Nothing in this section 8 shall limit either party's liability in relation to a fine or penalty issued by a Supervisory Authority or court of law. In no event shall either party limit their liability with respect to any individual's data protection rights under this DPA or otherwise.

  • Each party is obligated to pay only the part of the damages or administrative fine that corresponds to the liability for damage confirmed in the final decision of a Supervisory Authority or a court of law.

  • Except as set out in sections 8.2 and 8.3 above, to the maximum extent allowed by law, neither party is liable to the other in tort (including negligence or breach of statutory duty), contract, or otherwise for any:

    • loss of profits, business, goodwill, or similar losses;

    • pure economic loss; or

    • indirect or consequential loss, costs, damages, or expenses however they may arise.

  • Subject to section 8.4, each party's liability to the other under this DPA shall not exceed the amount of Fees paid or payable for the Services for the most recent 12-month period, or €10,000 (whichever is higher).


9. General

  • Any claims brought under or in connection with this DPA shall be subject to the governing law and exclusive jurisdiction of Germany.

  • Both of us will try to resolve any dispute or claim concerning or relating to this DPA through commercial discussions and negotiations.

  • In the event of any conflict between terms and conditions for the supply of Services and this DPA in relation to the subject matter of this DPA, the terms of the DPA will prevail.

Definitions

We use a number of different defined words throughout the Agreement. Below is a list of what these are and what they mean.

Affiliates
means a subsidiary, parent company or other group company owned by the same parent company of either of us.

Agreement
means all of the legal terms between us, including the Order Form, Terms and this DPA.

Data Breach
means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data.

Customer Data
means the electronic data or Material you provide in relation to the Service.

Data Controller
means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed. For the purpose of this DPA, you are the Data Controller.

Data Subject
means an identified or identifiable individual who is the subject of Personal Data.

Data Processor
means any natural or legal person who processes the data on behalf of the Data Controller. For the purpose of this DPA, Converta is the Data Processor.

Fees
means any charges related to Services as set out in a separate agreement.

Instructions
has the meaning given to it in section 2.1 of this DPA.

Material(s)
means any content, whether physical or electronic, databases, software, designs, domain names, images or source code owned, created or developed by one of us. This may also be confidential information. It also includes any changes to these items, copies or other work created from them.

Personal Data
means any of your data that could be used to identify a natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Privacy Laws
means:
  • the General Data Protection Regulation (EU) 2016/679 (the “GDPR”),
  • the Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419 (the “UK GDPR”),
  • the Privacy and Electronic Communications (EC Directive) Regulations 2003,
  • any corresponding or equivalent national laws or regulations replacing, amending, extending, re-enacting or consolidating any of the above, and
  • specifically in relation to the Customer, all data protection and/or privacy laws in which Data Subjects processed via the Services are located.

Processing
means any operation or set of operations which is performed on Personal Data or sets of personal data using automated means or manually, such as data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Service
means the services provided by Converta to you, as summarized in Annex A and/or as outlined in a separate agreement.

Start Date
means the date we agree this DPA or the Services begin, whichever is earliest.

Supervisory Authority
means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Privacy Laws.

Annexes

Annex A: Processing Details

List of Parties

  • Data Processor
    Name: The Converta entity described at the beginning of this DPA.
    Address: The address listed for the Converta entity at the beginning of this DPA.
    Contact: security@converta.ai
    Relevant Activities: The Data Processor operates a cloud-based meeting recording, transcription, and analysis platform, including artificial intelligence-based tools and services.

  • Data Controller
    Name: The Customer entity described at the beginning of this DPA.
    Address: The address listed for the Customer entity at the beginning of this DPA.

  • Description of Transfer
    Categories of data subjects: May include your employees, your (prospective) customers, their employees.
    Categories of Personal Data: May include:
      • First and last name;
      • Email address;
      • Telephone number;
      • Business address;
      • Communications (conversations and timestamps).
    Sensitive data: Reading access to:
      • Google Calendar;
      • Google Contacts;
      • Google Other Contacts.
    Frequency of Transfer: On a continuous basis for the duration of the supply of the Services to the Data Controller.
    Nature of Processing: In providing the Service, Converta will:
      • Record and transcribe your customer-facing meetings;
      • Analyze transcripts;
      • Enrich, combine, and extract.
    Purpose of Transfer & Processing: Data Processor will host and process Personal Data in the course of providing its Service to the Data Controller. The Data Processor will minimize the personal data it collects in sales transcriptions by anonymising it. The techniques used to minimize and anonymise personal data are described in Annex B.
    Retention: The duration of the Agreement and for up to three months after termination or expiry.
    Sub-Processors:
      • AWS RDS (Database): servers in Frankfurt, Germany (eu-central-1).
      • Vercel, Inc. (Hosting): Vercel is used to deploy web projects, with automatic scaling and support for modern web technologies like serverless functions, and uses servers that are located in Frankfurt, Germany (fra1).
      • Microsoft, Inc. (LLM Services): Microsoft Azure OpenAI services are used to process conversation transcripts and metadata for the purpose of capturing conversational insights, using servers that are located in the US or Europe.
      • Mistral AI (LLM Services): Mistral AI service is used to process conversation transcripts and metadata for the purpose of capturing conversational insights, with servers that are located in the EU.
      • OpenAI L.L.C. (LLM Services): OpenAI API service is used to process conversation transcripts and metadata for the purpose of capturing conversational insights, with servers that are located in the US.
      • Mixpanel (Tracking): Processing of username, email, avatar image for the purpose of tracking user behavior to improve usability, with servers that are located in the EU.

Annex B: Technical & Organisational Security Measures

Description of the technical and organizational security measures implemented by Converta (the Data Processor) for the protection of the Personal Data shared by you (the Data Controller) in connection with the Service.

Data minimization measures (Pseudonymisation)

Pursuant to Article 32(1) of the GDPR, Converta provides security features enabling you to designate certain categories of Personal Data (such as email addresses and phone numbers) for masking during processing. This approach is designed to minimize direct identification of individuals and to prevent the unnecessary accumulation of Personal Data by Converta. In the rare event that any Personal Data is not masked by our services, we ensure that the amount retained is minimal and that we employ reasonable technical measures to limit data collection to what is necessary.

Encryption measures

In accordance with Article 32(1)(a) of the GDPR, Converta takes reasonable measures to ensure that clearly legible text/information is converted into an illegible (i.e. not easily interpreted) character string (secret text) by means of an encryption method (cryptosystem). Our encryption measures include, but are not limited to:

  • Secure transmission of data using TLS (Transport Layer Security) encrypted channels.

  • Encryption of data at rest to protect against unauthorized access.

Measures to ensure Confidentiality

In compliance with Article 32(1)(b) of the GDPR:

Physical access control

Converta implements reasonable measures to prevent unauthorized physical access to Personal Data. We require Sub-Processors to adhere to equivalent safety measures.

Logical access control

Converta has established measures to prevent unauthorized persons from Processing or using the Service Data protected by applicable Privacy Laws. Measures include, but are not limited to:
  • Personal and individual user logins.
  • A password procedure that requires personal and individual login credentials, including the use of special characters and a minimum length.
  • Monitoring and limiting password reset attempts.
  • Maintaining database access logs.
  • Utilizing antivirus and spyware filters.
  • Restricting the number of authorized employees.
  • Regularly reviewing access lists.

Data access controls

Converta ensures that authorized individuals can only access Personal Data in accordance with their access rights, and that data cannot be read, copied, changed, or removed without authorization during Processing. Measures include, but are not limited to:

  • Role-based authorization for all functions.

  • Logging of data changes and exports.

  • Data access controls

    • Converta has implemented measures to ensure that data collected for different purposes are processed separately, and that such data is segregated from other data and systems to prevent unintended use for other purposes. Measures include, but are not limited to:

      • Separate production and test environments.

      • Role-based authorization for all functions within the Service dashboard and database.

Measures to ensure Integrity

In accordance with Article 32(1)(b) of the GDPR:

Transmission Control

Converta implements measures to ensure that it is possible to verify and determine to which entities Personal Data may be or has been transmitted or made available using data communication equipment. These measures also ensure the confidentiality and integrity of data during transmission. Personal Data cannot be read, copied, modified, or removed without authorization during transmission or transport. Measures include, but are not limited to:

  • Ensuring all data transmissions are secured with TLS (version 1.2 or higher) security, utilizing strong encryption suites.

  • Employing tunneled Remote Access (VPN) for secure connections.

  • Providing a secured WLAN for wireless communications.

Input Control

Converta has implemented measures to ensure that it is possible to retrospectively verify and ascertain whether and by whom Personal Data have been entered into, modified, or removed from data processing systems. These measures are designed to maintain the integrity of the data and provide a clear audit trail of interactions with Personal Data.

Measures to ensure Availability & Resilience

In accordance with Article 32(1)(c) of the GDPR:

Availability Control

Converta has implemented measures to ensure that Personal Data is protected against accidental destruction or loss. Measures include, but are not limited to:

  • Data recovery plan.

Resilience Control

Converta has implemented measures to ensure that system functions are available and that malfunctions are promptly reported. Measures include, but are not limited to:

  • Automatic monitoring and alerting systems for all errors and critical server resources to ensure prompt response to issues.

  • Replication of all critical application components to maintain service continuity.

Testing and evaluation of the security of Data Processing

In accordance with Article 32(1)(d) of the GDPR:

Procedures for Regular Testing, Assessment, and Evaluation

Converta has implemented measures to ensure that data is processed securely and in compliance with data protection regulations. Measures include, but are not limited to:
  • Documented incident response management.
  • Documented data protection management.
  • No third-party data processing without corresponding instructions from Converta.

Retention Period

As described in this DPA, Converta shall retain the collected Personal Data for no longer than necessary to achieve the purpose for which the information was collected, up to a maximum duration as specified in the Order Form.

Converta records sales meetings and updates the CRM system

Contact Us

Jägerstraße 32

10117 Berlin, Germany


© 2024 Converta Software UG (haftungsbeschränkt)

Made with ❤️ in Berlin
