1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between CoverProof AI, Inc. ("Processor") and the Customer ("Controller") for the provision of the CoverProof AI platform services.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
3. Scope and Purpose
The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the CoverProof AI services, including:
- Processing insurance questionnaire data
- Connecting to and syncing data from authorized integrations
- Generating compliance evidence and reports
- Providing user authentication and access control
4. Categories of Data
The following categories of Personal Data may be processed:
- User account information (names, email addresses, job titles)
- Authentication data (hashed passwords, MFA tokens)
- Integration data (user directories, device inventories, security configurations)
- Usage logs and audit trails
5. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller with Data Subject requests
- Notify the Controller of any Personal Data breach without undue delay
- Delete or return Personal Data upon termination of services
- Make available information necessary to demonstrate compliance
6. Security Measures
The Processor implements the following security measures:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access controls with role-based permissions
- Multi-factor authentication
- Regular security assessments and penetration testing
- Audit logging of all data access
- Secure data centers with SOC 2 certification
- Employee security training and background checks
7. Sub-processors
The Controller authorizes the Processor to engage Sub-processors. Current Sub-processors include:
- Amazon Web Services (AWS) - Cloud infrastructure (US)
- Stripe - Payment processing (US)
- OpenAI - AI processing (US)
- SendGrid - Email delivery (US)
The Processor will notify the Controller of any intended changes to Sub-processors, allowing the Controller to object.
8. International Transfers
Personal Data may be transferred to countries outside the EEA. Such transfers are protected by:
- EU-US Data Privacy Framework certification
- Standard Contractual Clauses (SCCs)
- Additional technical and organizational measures
9. Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Data portability
- Restriction of processing
- Objection to processing
10. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller within 72 hours of becoming aware
- Provide details of the breach, affected data, and remediation steps
- Cooperate with the Controller's investigation and notification obligations
11. Audit Rights
The Controller may audit the Processor's compliance with this DPA. The Processor shall make available:
- SOC 2 Type II reports
- Penetration test summaries
- Security questionnaire responses
12. Data Retention and Deletion
Upon termination of services:
- The Controller may export their data within 30 days
- Personal Data will be deleted within 30 days of termination
- Audit logs may be retained for up to 1 year for compliance purposes
13. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.
14. Term
This DPA remains in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller.
15. Contact
For DPA-related inquiries, contact: dpa@coverproof.ai