Last Updated: February 10, 2025
This Data Processing Agreement (“DPA”) is entered into by and between Corvic, Inc. (“Corvic,” “we,” or “our”) and the user of our Platform (“User”) (collectively, the “Parties”).
This DPA is supplemental to the Terms and sets out the terms that apply when Personal Data (defined below) is processed by Corvic under the Terms. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable Data Protection Laws (defined below) and with due respect for the rights and freedoms of individuals whose Personal Data is processed.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Terms, or Corvic’s Privacy Policy as applicable.
1.1 “Authorized Sub-Processor” means a third-party who has a need to know or otherwise access User’s Personal Data to enable Corvic to perform its obligations under this DPA or the Terms, and who is authorized under Section 4.2 of this DPA.
1.2 “User” means a customer of the Services.
1.3 “Data Exporter” means User.
1.4 “Data Importer” means Corvic.
1.5 “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) US state privacy laws, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (iii) the Swiss Federal Act on Data Protection, (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (v) the UK Data Protection Act 2018; (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (xii) other privacy laws governing the processing of Personal Data or Personal Information; in each case, as updated, amended or replaced from time to time. The terms “processing”, “processor,” “controller,” and “supervisory authority” shall have the meanings set forth under applicable Data Protection Laws.
1.6 “Data Subject” means an individual that is protected under any applicable Data Protection Law.
1.7 “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time), the current version of which is available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
1.8 “ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.9 “ex-UK Transfer” means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.10 “Order Form” means the purchase order form agreed to by both Parties.
1.11 “Personal Data” or any such variation of the term (such as “Personal Information” or “Personally Identifiable Information”) shall have the meaning set forth under applicable Data Protection Laws.
1.12 “Security Incident” means any unauthorized action by a known or unknown person which should reasonably be considered one of the following: an attack, penetration, disclosure of confidential user or other sensitive information, misuse of system access, unauthorized access or intrusion (hacking), virus intrusion, or scan of Corvic’s systems or networks, all to the extent they affect the security, confidentiality, or integrity of User Personal Data or User Confidential Information (as defined in the Terms) received, stored, processed, or maintained by Corvic.
1.13 “Services” shall have the meaning set forth in the Terms.
1.14 “Standard Contractual Clauses” means the EU SCCs.
1.15 “UK Addendum” means the international data transfer addendum to the EU SCCs issued by the UK Information Commissioner for entities making restricted transfers under the UK GDPR, the current version of which is available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
1.16 “UK IDTA” means the international data transfer agreement adopted by the United Kingdom and adopted by the UK Information Commissioner for entities making restricted transfers under the UK GDPR, the current version of which is available here: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf.
2.1 The Parties acknowledge and agree that with regard to the processing of Personal Data, User is a “controller” and Corvic is a “processor” (as those terms are defined under applicable Data Protection Laws).
2.2 Corvic shall not process Personal Data (i) for purposes other than those set forth in the Terms and (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by User.
2.3 The Parties agree that the details of the data processing subject to this DPA are outlined in Exhibit A.
2.4 Following completion of the Services, at User’s choice, Corvic shall return or delete User’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable Data Protection Laws. If return or destruction is impracticable or prohibited by law, rule, or regulation, Corvic shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule, or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
2.5 CCPA. The Parties acknowledge that their relationship under the CCPA is governed by the CCPA Addendum to this DPA, listed in Exhibit E.
3.1 Corvic shall ensure that any person it authorizes to process Personal Data is subject to a duty of confidentiality. Corvic shall ensure that such persons are prohibited from further disclosing Personal Data they receive pursuant to the Terms except for the purpose of performing obligations under the Terms or exercising any rights granted in the Terms.
4.1 User acknowledges and agrees that Corvic may engage its sub-processors to access and process User Personal Data in connection with the Services.
4.2 User agrees that Corvic may use any Authorized Sub-Processors to process User Personal Data pursuant to the Terms that are listed in Exhibit D. Corvic will provide User with notice of any new sub-processors it uses in relation to the processing of User Personal Data by updating the List. User may have the right to object to the use of such additional sub-processors under applicable Data Protection Laws.
4.3 Corvic will enter into an agreement with its Authorized Sub-processors imposing on the Authorized Sub-processors data protection obligations comparable to those imposed on Corvic under this DPA and consistent with applicable Data Protection Laws with respect to the protection of User Personal Data.
4.4 If User and Corvic have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), (i) the above authorizations will constitute User’s prior written consent to the subcontracting by Corvic of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the Parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Corvic to User pursuant to Clause 9(c) of the EU SCCs or the UK IDTA or UK Addendum (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Corvic beforehand, and that we will provide such copies only upon request by User.
5.1 Taking into account the context of the processing, Corvic shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing User Personal Data. Such security measures shall be consistent with our security obligations in the Terms. Exhibit C sets forth additional information about our technical and organizational security measures.
5.2 Corvic shall notify User of all known Security Incidents within the time periods required under applicable Data Protection Laws. Corvic’s notice to User regarding such Security Incidents shall include all of the information required under applicable Data Protection Laws.
6.1 The Parties agree that Corvic may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. If we transfer Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, we will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.
6.2 Ex-EEA Transfers. The Parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
6.2.1 Module Two (Controller to Processor) of the EU SCCs apply when User is a controller and Corvic is processing Personal Data for User as a processor pursuant to Section 2 of this DPA.
6.3 For each module, where applicable the following applies:
6.3.1 The optional docking clause in Clause 7 does not apply.
6.3.2 In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 4.2 of this DPA;
6.3.3 In Clause 11, the optional language does not apply;
6.3.4 All square brackets in Clause 13 are hereby removed;
6.3.5 In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
6.3.6 In Clause 18(b), disputes will be resolved before the courts of Ireland;
6.3.7 Exhibit B to this DPA contains the information required in Annex I of the EU SCCs;
6.3.8 Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and
6.3.9 By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
6.4 Ex-UK Transfers. The Parties agree that ex-UK Transfers are made pursuant to the provisions in this section or the UK International Data Transfer Agreement (“IDTA”) set forth in Exhibit D, whichever applies.
6.4.1 Data Exports from the United Kingdom under the Standard Contractual Clauses. For ex-UK Transfers where the EU SCCs also apply, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner’s Office (“ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses ("Approved Addendum") shall apply. The information required for Tables 1 and 3 of Part One of the Approved Addendum is set out in Exhibits A, B, and C of this DPA (as applicable). The information required for Table 2 is set out in Section 6 of this DPA. For the purposes of Table 4 of Part One of the Approved Addendum, the importer may end the Approved Addendum when it changes.
6.5 Transfers from Switzerland. The Parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
6.5.1 The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
6.5.2 The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
6.5.3 Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
6.5.4 The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
6.6 Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
6.6.1 As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) User’s Personal Data (“Government Agency Requests”);
6.6.2 If, after the date of this DPA, the Data Importer receives any Government Agency Requests, Vendor shall attempt to redirect the law enforcement or government agency to request that data directly from User. As part of this effort, Vendor may provide User’s basic contact information to the government agency. If compelled to disclose User’s Personal Data to a law enforcement or government agency, Vendor shall give User reasonable notice of the demand and cooperate to allow User to seek a protective order or other appropriate remedy unless Vendor is legally prohibited from doing so. Vendor shall not voluntarily disclose Personal Data to any law enforcement or government agency. Data Exporter and Data Importer shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Agency Requests; and
6.6.3 The Data Exporter and Data Importer will meet as needed to consider whether:
6.6.4 If Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to a Data Importer as a separate agreement, the Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Data Protection Laws.
6.6.5 If either (i) any of the means of legitimizing transfers of Personal Data outside of the EEA or UK set forth in this DPA cease to be valid or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, then Data Importer may by notice to the Data Exporter, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws.
7.1 Corvic shall notify User upon receipt of a request by a data subject to exercise the Data Subject’s rights under applicable Data Protection Laws (such requests individually and collectively “Data Subject Request(s)”). If we receive a Data Subject Request in relation to User’s Personal Data or the Personal Data of an Authorized User of the User, we will follow User’s instructions in relation to complying with such Data Subject Request, including by completing the request on User’s behalf to the extent that it is technically feasible. If User asks Corvic to comply with a Data Subject Request on its behalf, User will provide adequate information to us in order for the request to be fulfilled.
8.1 Corvic shall provide User with reasonable cooperation and assistance where necessary for User to comply with its obligations under Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance.
8.2 Upon User’s request and to the extent required under applicable Data Protection Laws, Corvic shall allow for, and contribute to, reasonable audits and inspections by User or the User’s designated auditor. Such audits shall only take place annually. If User and Corvic have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the Parties agree that the audits described in the EU SCCs and the UK IDTA and UK Addendum shall be carried out in accordance with this Section 8.2.
9.1 Except as expressly modified by the terms of this DPA, all the terms and conditions of the Terms will remain in full force and effect and apply to the terms described in this DPA. To the extent there is any conflict between the terms of the Terms and the terms of this DPA, the terms of this DPA will govern with respect to the subject matter hereof.
9.2 This DPA and the Terms constitute the entire agreement between the Parties with respect to the subject matter hereof and merge all prior and contemporaneous communications. The Terms will not be further modified except by a written agreement dated subsequent to the Effective Date and signed on behalf of both Parties.
9.3 This DPA shall remain in effect as long as Corvic processes User Personal Data.
9.4 The effective date of this DPA is the same date as the effective date of the Terms.
Corvic will process User’s Personal Data as necessary to provide the Services under the Terms, for the purposes specified in the Terms and this DPA, and in accordance with User’s instructions as set forth in this DPA.
Corvic will process User’s Personal Data as long as required (i) to provide the Services to User under the Terms; (ii) for our legitimate business needs; or (iii) by applicable law or regulation.
Names and email addresses of individuals employed by User, as well as information about any other individuals provided by User.
Any categories of information inputted by User in relation to our Services, including names, email addresses, and other categories of personal information provided by User.
User is prohibited from providing sensitive data or special categories of data to Corvic.
The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs.
[Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: As identified in the Order Form
Address: As identified in the Order Form
Contact person’s name, position and contact details: As identified in the Order Form
Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.
Role (controller/processor): Controller
[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: Corvic, Inc.
Address: As identified in the Order Form
Email: As identified in the Order Form
Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.
Role (controller/processor): Processor
The personal data transferred concern the following categories of data: Any categories of information inputted by User in relation to our Services, including names, email addresses, and other categories of personal information provided by User.
Data exporters are prohibited from providing sensitive data or special categories to data importer.
Data is processed in order for Corvic to offer its Services to User.
To fulfill each party’s obligations under the Terms.
During the term of the Terms
During the term of the Terms on a periodic basis and/or at the discretion of User.
The list includes the sub-processors identified in Exhibit C.
The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13.
Measures of pseudonymisation and encryption of personal data
Use strong encryption protocols for data both at rest and in transit. Ensure that encryption keys are stored securely and separately from the encrypted data.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Ensure that the hardware and software used in processing the Personal Data are reliable and protected against all kinds of malicious software and viruses.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Have a secure method of disposal for back-ups, disks and print outs containing Personal Data.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Conduct regular security audits, vulnerability assessments, and penetration testing. Implement a continuous monitoring system for security threats and compliance with security policies. Review and update security policies and procedures periodically based on the assessment results.
Measures for user identification and authorization
Implement multi-factor authentication (MFA) for accessing systems that process personal data.
Measures for the protection of data during transmission
Use secure transmission protocols, such as TLS (Transport Layer Security), to encrypt data in transit.
Measures for the protection of data during storage
Implement secure methods of storing Personal Data and control access to the Personal Data.
Control remote access and ensure that Personal Data is not downloaded to portable devices unless strictly necessary and only then if encrypted.
Measures for ensuring physical security of locations at which personal data are processed
Use password protection on computer systems on which Personal Data is stored.
Measures for ensuring events logging
Implement comprehensive logging and monitoring of all access and changes to personal data. Ensure logs are tamper-proof and regularly reviewed for suspicious activities. Maintain logs in a secure, centralized system with restricted access.
Measures for ensuring system configuration, including default configuration
Ensure systems are configured securely by default, following best practices and security guidelines. Regularly review and update system configurations to address emerging threats and vulnerabilities.
Measures for internal IT and IT security governance and management
Provide an appropriate level of information governance for all Personal Data.
Take reasonable steps to ensure the reliability of individuals who have access to the Personal Data, including but not limited to ensuring all such individuals understand the confidential nature of the Personal Data and the issues which arise if proper care is not taken in the use of the Personal Data and that all such individuals are properly trained in how to comply with Data Protection Laws prior to accessing the Personal Data.
Measures for certification/assurance of processes and products
Conduct regular internal and external audits to ensure compliance with security standards and certifications.
Measures for ensuring data minimization
Implement data minimization principles by collecting only the personal data necessary for specific purposes and provided by Users. Regularly review data collection practices.
Measures for ensuring data quality
Implement procedures for regularly reviewing and updating personal data to ensure accuracy and completeness.
Measures for ensuring limited data retention
Establish and enforce data retention policies that specify the minimum period for retaining personal data. Regularly review stored data and securely delete or anonymize data that is no longer needed for its intended purpose.
Measures for ensuring accountability
Assign clear roles and responsibilities for data protection and security within the organization. Implement a data protection management system to monitor compliance with data protection laws and policies. Maintain documentation of processing activities and security measures.
Measures for allowing data portability and ensuring erasure
Implement processes and tools to facilitate data portability requests, ensuring data is provided in a commonly used, machine-readable format. Establish procedures for responding to data erasure requests promptly and securely delete personal data from all systems and backups.
Technical and organizational measures of sub-processors
Ensure sub-processors implement equivalent security measures as those required by the data importer. Conduct due diligence and regular audits of sub-processors to verify compliance with security and data protection standards. Include contractual obligations for sub-processors to adhere to security measures and data protection laws.
Corvic may use the following Authorized Sub-Processors to process Personal Data pursuant to the Terms, including by transferring Personal Data to such entities:
To the extent applicable, this CCPA addendum (“Addendum”) regulates the processing of Personal Information (as defined in the CCPA) of California residents pursuant to the CCPA by Corvic under the Terms and the DPA. To the extent that there is any inconsistency between this Addendum and the Terms or the DPA with regard to the processing of Personal Information regulated under the CCPA, this Addendum shall control.
Any capitalized term in this Addendum that is not otherwise defined in the DPA shall have the meaning given to that term in the CCPA.
2.1 Corvic represents and warrants that it is a Service Provider or Contractor for the purposes of the services it provides to User pursuant to the DPA and the Terms.
3.1 Corvic shall process User Personal Data it receives pursuant to the Terms only for the limited and specified purposes outlined in Exhibit A and is prohibited from using User Personal Data for any other purpose.
3.2 Corvic shall comply with all applicable sections of the CCPA, including by providing the same level of protection to User Personal Data as required by User under the law.
3.3 Corvic agrees that User has the right to take reasonable and appropriate steps to ensure that we use User Personal Data that we receive from or process on behalf of User in a manner consistent with User’s obligations under the CCPA.
3.4 Corvic agrees that User has the right to take reasonable and appropriate steps to stop and remediate our unauthorized use of Personal Data.
3.5 Corvic shall notify User as soon as possible after we determine that it can no longer meet its obligations under the CCPA.
3.6 If Corvic engages Sub-Processors in relation to providing services to User pursuant to the Terms, we shall have a contract with the Sub-Processor that complies with the CCPA and has the same restrictions on the processing of Personal Data as outlined in this Addendum.
4.1 Corvic shall not Sell or Share User Personal Data it receives from or processes on behalf of User, for purposes outside of those outlined in the DPA and exhibits incorporated by reference in the DPA.
4.2 Corvic shall not retain, use, or disclose User Personal Data it receives from or processes on behalf of User for any purpose (including any Commercial Purpose) other than for the purposes specified in the Terms, DPA, and except as otherwise permitted by the CCPA.
4.3 Corvic shall not retain, use, or disclose User Personal Data it receives from or processes on behalf of User outside of the direct business relationship between Corvic and User, except as otherwise permitted under the CCPA.
4.4 Corvic shall not combine the User Personal Data it receives from or processes on behalf of User with Personal Data it receives from or on behalf of another person or which it collects from its own interaction with another individual, provided that we may combine Personal Data to perform any Business Purpose, such as to analyze how users interact with Services, or as otherwise permitted under the CCPA.
5.1 User agrees to: (i) inform Corvic of any consumer request made pursuant to the CCPA that they must assist User to comply with and (ii) provide the information necessary for Corvic to comply with the request.