1. This Data Processing Agreement is entered into between COVVE VISUAL NETWORK LIMITED (hereinafter referred to as " Processor") and the User (hereinafter referred to as "Controller") in the context of the provision by the Processor to the Controller of the Covve address book mobile application, in accordance with the Terms and Conditions ("Terms") as these are set out at https://covve.com/terms-conditions, and which Terms incorporate as an integral part thereof the present DPA;
2. Personal data specified in paragraph 4 hereof (hereinafter referred to as "Data") will be processed by the Processor from the date of creation of the Controller's account on the Covve address book platform by virtue of accepting the Terms, for the sole purpose of the Processor providing the service as per the Terms (" Service"). Data will continue to be processed for as long as the Controller has an account on the Covve address book platform, unless otherwise directly instructed by the Controller.
3. The Controller engages the Processor to provide Service to the Controller.
Data may also be processed in order to comply with disclosure requirements arising by virtue of operation of law. In this case the Processor shall notify the Controller in advance about such requirements as set forth in paragraph 5 below.
The Processor will not access the data, unless this is necessary in order to improve the quality of the Service or where he is obliged to do so in order to comply with a legal obligation, or unless otherwise instructed to do so by the Controller.
4. The following categories of Data of the following categories of data subjects will be processed:
| Categories of data subjects | Categories of Data |
|---|---|
| Any person whose business card the Controller sends to the Processor for the purposes of scanning | Image of the person's business card with all data mentioned therein such as name, company, job title, phone number and email. |
| Any person who is added to Covve as a contact by the Controller | Contact information relating to the contact such as name, company, job title, phone number, email, address, profile picture, notes, social profile link, communications date and reminders. |
| Any person who is sent a digital business card via Covve by the Controller |
5. The Processor is obliged to adhere to all applicable data privacy regulations. In particular, the following obligations apply:
a. The Processor processes the Data only on documented instructions from the Controller, including with regard to transfers of Data to a third country or an international organisation, unless required to do so by European Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Unless otherwise directly instructed by the Controller, this Agreement constitutes such written instruction of the Controller for the processing of Data. The Processor ensures that access to Data is granted to persons under its authority only on a need to know basis and such persons authorised to process Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. In particular Processor's employees as well as any Sub-processors or their employees, shall have committed themselves to confidentiality or shall be under an appropriate statutory obligation of confidentiality.
b. The Processor takes all measures required pursuant to Article 32 of the GDPR.
c. The Processor shall engage sub-processors for the provision of the Services and the Controller hereby approves the sub-processors listed in the table below:
| Name | Place of processing | Purpose of Use |
|---|---|---|
| Microsoft | Europe | Microsoft Azure is used for the hosting of the entire solution. |
| Rapid7 LLC | Ireland | Logentires (by Rapid7) is used for managing server logs for the solution. |
| F5 | Europe | F5 provides CDN and Web Application Firewall services for increased performance and security of the service. |
| Automattic Inc | USA | Gravatar is used to find profile pictures of contacts. |
| Google Inc | Europe | To provide analysis services used in the process of scanning. |
| OpenAI LLC | USA | Used for the "draft with AI" and "Covve assistant" features |
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the Controller the opportunity to object to such changes. The Controller may object to the addition or replacement of sub-processors within 7 days after the Processor's notification of the intended change. If the Controller neither approves nor objects within such period, the respective sub-processor shall be deemed as approved. The Controller shall not unreasonably object to any intended change.
d. Where the Processor engages a sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on the sub-processor. Where the sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
e. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights pursuant to Chapter III of the GDPR.
f. Further, the Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. If the Processor needs any information or other assistance from the Controller to make the processing of Data in line with GDPR, the Processor shall directly inform the Controller about that.
g. At the choice of the Controller, the Processor shall delete or return all the Data to the Controller after the end of the provision of Service relating to Data processing and shall delete existing copies unless European Union and/or Member State law requires storage of the Data.
h. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other European Union or Member State data protection provisions.
i. The Processor guarantees that it implemented all appropriate technical and organisational measures to ensure that processing of Data will meet GDPR requirements and data subjects' rights will be protected as well as to ensure confidentiality, integrity and availability of Data processed on behalf of the Controller. Namely, the Processor deployed technical security measures appropriate to the provision of the Services including use of firewalls and data encryption and undertakes regular staff training.
6. This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of the Republic of Cyprus.