Data Processing Agreement
Last Updated: January 1, 2026
1. Purpose of this Agreement
This Data Processing Agreement (DPA) outlines the obligations of Coreveo ("Data Processor") and the Client ("Data Controller") regarding the processing of personal and enterprise data in accordance with global data protection laws, including the GDPR and CCPA.
2. Nature of Data Processing
Coreveo processes data strictly to provide the operational visibility and intelligence services outlined in our Master Service Agreement (MSA) and Terms & Conditions. The types of data processed include business metrics, employee usage data, customer identifiers, and operational telemetry.
3. Security Measures
Coreveo implements rigorous technical and organizational measures to ensure a level of security appropriate to the risk. These include:
- End-to-end encryption (AES-256) for data at rest and TLS 1.3 for data in transit.
- Strict adherence to the principle of least privilege (PoLP) for internal employee access.
- Regular third-party penetration testing and compliance audits (SOC 2 Type II).
4. Sub-processors
Coreveo may engage third-party sub-processors (such as AWS or Google Cloud) to provide infrastructure services. We maintain a current list of all sub-processors and will notify Data Controllers of any intended changes concerning the addition or replacement of sub-processors.
5. Incident Response and Breach Notification
In the event of a confirmed personal data breach affecting Client data, Coreveo will notify the Client without undue delay and provide sufficient information to allow the Client to meet any obligations to report the breach to regulatory authorities.
