Data Processing Addendum

Last updated: June 2026

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("you", "Customer", the data controller) and Kovatron ("we", "us", the data processor) for use of the Kovatron service (the "Service"), and supplements our Terms of Service and Privacy Policy. Where you process personal data of individuals in jurisdictions with applicable data-protection laws (e.g. the GDPR/UK GDPR or US state privacy laws), this DPA applies to our processing of that personal data on your behalf.

1. Roles & scope

You are the controller of the personal data you submit to or collect through the Service ("Customer Data"). Kovatron processes Customer Data as a processor (or "service provider") solely to provide the Service and only on your documented instructions, which include your use of the Service's features and this DPA.

2. Nature & purpose of processing

Subject matter: provision of the Kovatron AI marketing-agent platform.
Purpose: to operate the Service — generating marketing recommendations and drafts, connecting to the marketing platforms you authorize, and performing the actions you approve.
Duration: for the term of your use of the Service, plus the limited retention/deletion windows described below.

3. Categories of data & data subjects

Data subjects	Categories of personal data
Your authorized users; your contacts/leads/customers as present in the marketing platforms you connect	Account identifiers (name, email); authentication data; conversation content you provide; connected-platform access tokens; marketing metrics and any personal data contained in the platform data you choose to retrieve

You control what data the Service can access by choosing which platforms to connect and what to share in conversations. Please do not submit special-category data unless necessary, and ensure you have a lawful basis to process any personal data you bring into the Service.

4. Our obligations as processor

Instructions. We process Customer Data only to provide the Service and on your instructions, unless required by law (in which case we'll notify you where permitted).
No sale, no training. We do not sell Customer Data and do not use it to train AI models. Customer Data is not used for advertising or any purpose other than providing the Service to you.
Confidentiality. Personnel authorized to process Customer Data are bound by confidentiality obligations.
Security. We implement appropriate technical and organizational measures, described on our Security page (including encryption of tokens at rest with AES-256-GCM, TLS in transit, access controls, MFA, tenant isolation, and recurring security review).
Assistance. Taking into account the nature of the processing, we assist you (by appropriate measures) in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
Breach notification. We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Data.
Deletion / return. On termination, or on your request, we delete Customer Data within a commercially reasonable period, except where retention is required by law. You may also delete your account and data yourself at any time (see Data Deletion).
Audits. We make available information reasonably necessary to demonstrate compliance with this DPA and will respond to reasonable audit requests, subject to confidentiality and proportionality.

5. Subprocessors

You authorize us to engage the subprocessors listed on our Security page (currently: Anthropic, Supabase, Vercel, Stripe, Resend, and — when the relevant features are used — Perplexity, Replicate, and Pexels). We impose data-protection terms on each subprocessor no less protective than this DPA and remain responsible for their performance. We will give reasonable notice of any new subprocessor; if you have a reasonable, data-protection-based objection, you may raise it with us and, if unresolved, terminate the affected part of the Service.

6. International transfers

Our subprocessors are located primarily in the United States. Where Customer Data is transferred from the EEA, UK, or Switzerland, such transfers are made under an appropriate transfer mechanism (such as the EU Standard Contractual Clauses and the UK Addendum), which are incorporated by reference where applicable.

7. Liability & precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls.

8. Signed copy & contact

A countersigned copy of this DPA is available for business customers on request. To request one, or for any data-protection question, contact us at hello@kovatron.com.