Data Processing Agreement

Last updated: December 2024

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between CoverKit, Inc. (“CoverKit,” “we,” “us”) and you (“Customer,” “you”) and governs the processing of personal data by CoverKit on your behalf.

This DPA applies where CoverKit processes personal data as a data processor on behalf of the Customer (as data controller) in connection with the CoverKit API services.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Data Controller” means the entity that determines the purposes and means of processing Personal Data.
  • “Data Processor” means the entity that processes Personal Data on behalf of the Data Controller.
  • “GDPR” means the General Data Protection Regulation (EU) 2016/679.
  • “Sub-processor” means any third party engaged by CoverKit to process Personal Data.

3. Scope and Roles

In the context of providing the Services:

  • Customer is the Data Controller of Personal Data submitted through the API
  • CoverKit is the Data Processor acting on Customer's instructions
  • Processing activities include storing, organizing, and transmitting Personal Data as necessary to provide the Services

4. CoverKit Obligations

CoverKit agrees to:

  • Process Personal Data only on documented instructions from Customer
  • Ensure personnel authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist Customer with Data Subject requests
  • Assist Customer with data protection impact assessments
  • Delete or return Personal Data upon termination

5. Security Measures

CoverKit implements the following security measures to protect Personal Data:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Control: Role-based access, MFA required
  • Monitoring: 24/7 security monitoring, audit logging
  • Compliance: SOC 2 Type II certified

6. Sub-processors

CoverKit uses the following categories of sub-processors:

  • Cloud Infrastructure: Google Cloud Platform (US)
  • Payment Processing: Stripe (US)
  • Customer Support: Intercom (US)
  • Analytics: Plausible Analytics (EU)

7. International Data Transfers

Where Personal Data is transferred outside the European Economic Area, CoverKit relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Additional supplementary measures where required

8. Data Breach Notification

CoverKit will notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.

9. Term and Termination

This DPA remains in effect for the duration of the Terms of Service. Upon termination, CoverKit will delete or return all Personal Data within 30 days, unless retention is required by applicable law.

10. Download

A signed copy of this DPA can be downloaded and countersigned by the Customer:

CoverKit Data Processing Agreement (PDF, 245 KB)

11. Contact

For questions about this DPA or to request a signed copy, contact:

  • Email: privacy@coverkit.io
  • Address: CoverKit, Inc., San Francisco, CA