Data Processing Agreement

Last Updated: January 1, 2026

1. Purpose of this Agreement

This Data Processing Agreement (DPA) outlines the obligations of Coreveo ("Data Processor") and the Client ("Data Controller") regarding the processing of personal and enterprise data in accordance with global data protection laws, including the GDPR and CCPA.

2. Nature of Data Processing

Coreveo processes data strictly to provide the operational visibility and intelligence services outlined in our Master Service Agreement (MSA) and Terms & Conditions. The types of data processed include business metrics, employee usage data, customer identifiers, and operational telemetry.

3. Security Measures

Coreveo implements rigorous technical and organizational measures to ensure a level of security appropriate to the risk. These include:

  • End-to-end encryption (AES-256) for data at rest and TLS 1.3 for data in transit.
  • Strict adherence to the principle of least privilege (PoLP) for internal employee access.
  • Regular third-party penetration testing and compliance audits (SOC 2 Type II).

4. Sub-processors

Coreveo may engage third-party sub-processors (such as AWS or Google Cloud) to provide infrastructure services. We maintain a current list of all sub-processors and will notify Data Controllers of any intended changes concerning the addition or replacement of sub-processors.

5. Incident Response and Breach Notification

In the event of a confirmed personal data breach affecting Client data, Coreveo will notify the Client without undue delay and provide sufficient information to allow the Client to meet any obligations to report the breach to regulatory authorities.

If you have any questions regarding this policy, please contact us at support@coreveo.io.