Data Processing Agreement
Last updated: June 20, 2026.
This page summarizes the Data Processing Agreement (“DPA”) under which Hutytech ICT Resources Limited (“Coveton”) processes personal data on behalf of customers. It is an overview for transparency. The full, executable DPA is available to customers on request and is included with enterprise plans.
1. Roles of the parties
When a customer organization uses Coveton to process the personal data of its members, contacts or end users, the customer is the data controller and Coveton is the data processor. Coveton processes personal data only on the customer’s documented instructions, as set out in the DPA, these Terms and the customer’s use of the Service.
2. Scope and subject matter
The DPA covers the processing of personal data that occurs when the customer uses the Service: account and member data, device and session metadata, operational logs, and the ciphertext of communications. The nature and purpose of processing are the provision of zero-knowledge communication infrastructure. The duration is the term of the customer’s subscription, plus any limited retention period.
3. Processing instructions
Coveton will process personal data only to provide and secure the Service, in accordance with the customer’s instructions and applicable law. If we believe an instruction violates data-protection law, we will inform the customer. We will not use customer personal data for our own purposes, advertising or model training.
4. Confidentiality
Coveton ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and access data only on a least-privilege, need-to-know basis.
5. Security measures
Coveton maintains technical and organizational measures appropriate to the risk, including end-to-end encryption of content, encryption in transit and at rest, role-based access controls, device authorization and revocation, comprehensive audit logging, network protections and regular security review. Because keys live on customer devices, even Coveton cannot decrypt customer content.
6. Sub-processing
The customer authorizes Coveton to engage sub-processors to provide the Service. We impose data-protection terms on each sub-processor no less protective than those in the DPA, and we remain responsible for their performance. No sub-processor ever receives decryption keys. Our current list is available at Sub-processors, and customers may subscribe to change notifications.
7. Assistance with data subject requests
Taking into account the nature of the processing, Coveton provides reasonable assistance to help the customer respond to requests from data subjects to exercise their rights (access, rectification, erasure, restriction, portability and objection). Because content is encrypted with keys we do not hold, much of it is accessible only to the customer and its users.
8. Personal data breach notification
Coveton will notify the customer without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting the customer’s data, and will provide information reasonably necessary for the customer to meet its own notification obligations.
9. Audits
Coveton makes available information necessary to demonstrate compliance with the DPA and allows for and contributes to audits, including inspections, conducted by the customer or an agreed independent auditor, subject to reasonable confidentiality and security conditions.
10. Return and deletion of data
Upon termination of the Service, and at the customer’s choice, Coveton will return or delete the personal data it processes on the customer’s behalf, except where storage is required by law. Ciphertext for which keys have been lost is, by design, unrecoverable.
11. International transfers
Where the DPA involves transfers of personal data out of the European Economic Area, the United Kingdom or Switzerland, the parties rely on the Standard Contractual Clauses and equivalent UK and Swiss mechanisms, supplemented by Coveton’s encryption measures.
12. Getting the full DPA
This overview does not replace the executable DPA. To request and sign the full DPA, email legal@coveton.com. Enterprise plans include the DPA as standard. For general privacy questions, contact privacy@coveton.com.