Data Processing Addendum

Terms such as "personal data", "processing", "controller", "processor", and "data subject" have the meanings given in the GDPR. The Controller determines the purposes and means of processing; the Processor processes personal data only on documented instructions from the Controller, including as set out in this DPA and the agreement.

The subject matter is the provision of the Service. The Processor processes account identifiers and end-to-end encrypted synced content (which the Processor cannot decrypt) for the duration of the agreement, for the purpose of operating the Service. Categories of data subjects are the Controller's authorised users.

• Process personal data only on the Controller's instructions.
• Ensure persons authorised to process data are bound by confidentiality.
• Implement appropriate technical and organisational security measures (Annex A).
• Assist the Controller with data-subject requests and with security, breach-notification, and impact-assessment obligations.
• Delete or return personal data at the end of the agreement, subject to legal retention requirements.

The Controller authorises the Processor to engage subprocessors listed on the Security page. The Processor imposes data-protection terms on each subprocessor no less protective than this DPA and remains liable for their performance. The Processor will give reasonable notice of new subprocessors and a right to object.

Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, so far as possible, in fulfilling the Controller's obligations to respond to requests to exercise data-subject rights (access, rectification, erasure, restriction, portability, and objection).

Where the Processor transfers personal data outside the EEA/UK, it relies on an adequacy decision or appropriate safeguards, including the EU Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated by reference.

Measures include encryption in transit (TLS), end-to-end encryption of synced content, encryption at rest for local credentials, access controls and least-privilege, an auditable egress model, and logging. A detailed Annex A will accompany the executed DPA.

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, with information reasonably available to assist the Controller's own notification obligations.

The Processor makes available information necessary to demonstrate compliance and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality and security conditions.

To execute this DPA for your organisation, contact legal@corvi.sh. This template will be finalised with counsel before launch.