This Data Processing Agreement ("DPA") forms part of the agreement between Konversation Limited ("Processor", "Konversation") and the customer ("Controller", "you") for use of the Services. It applies where Konversation processes personal data on the Controller's behalf and reflects the requirements of Article 28 of the UK GDPR and EU GDPR.
1. Definitions
- “Data Protection Laws”: all applicable laws relating to data protection and privacy, including the UK GDPR, the EU GDPR, and the Data Protection Act 2018.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach”: have the meanings given in the Data Protection Laws.
- “Customer Personal Data”: personal data processed by Konversation on behalf of the Controller under the Agreement.
- “Subprocessor”: any processor engaged by Konversation to process Customer Personal Data.
- “Agreement”: the Terms of Service and any order forms between the parties for the Services.
2. Roles of Controller and Processor
The parties acknowledge that, for Customer Personal Data, the Controller is the controller (or a processor acting on behalf of a third-party controller) and Konversation is the processor. Konversation processes Customer Personal Data only on behalf of, and in accordance with, the documented instructions of the Controller. Each party will comply with its obligations under the Data Protection Laws.
3. Processing Instructions
Konversation will process Customer Personal Data only on the Controller's documented instructions, including those set out in the Agreement and this DPA, unless required to do otherwise by applicable law, in which case Konversation will inform the Controller of that legal requirement before processing, unless prohibited by law. If Konversation believes an instruction infringes the Data Protection Laws, it will notify the Controller. The subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects are described in the Agreement and Annex to this DPA.
4. Confidentiality
Konversation ensures that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality and have received appropriate training on their responsibilities. Access to Customer Personal Data is limited to personnel who need it to provide the Services.
5. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Konversation implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:
- encryption of personal data in transit and at rest;
- measures to ensure ongoing confidentiality, integrity, availability, and resilience of systems;
- the ability to restore availability and access to personal data in a timely manner after an incident; and
- a process for regularly testing and evaluating the effectiveness of security measures.
Further detail is set out in our Security Policy.
6. Subprocessors
The Controller provides general authorisation for Konversation to engage Subprocessors to process Customer Personal Data, provided that Konversation:
- imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA;
- remains liable to the Controller for the performance of each Subprocessor's obligations; and
- maintains a current list of Subprocessors and gives at least 30 days' notice of intended changes, allowing the Controller a 14-day window to object on reasonable data-protection grounds.
The current list is available on our Subprocessors page.
7. International Transfers
Where the processing of Customer Personal Data involves a transfer outside the United Kingdom or the European Economic Area to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism, including the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses, together with any supplementary measures required to ensure an adequate level of protection.
8. Data Subject Requests
Taking into account the nature of the processing, Konversation will assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under the Data Protection Laws. If Konversation receives a request directly from a data subject relating to Customer Personal Data, it will, where lawful, forward the request to the Controller and will not respond directly except on the Controller's instruction.
9. Breach Notification
Konversation will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent available, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Konversation will provide reasonable cooperation to assist the Controller in meeting its own breach-notification obligations.
10. Return or Deletion of Data
Upon termination or expiry of the Agreement, and at the Controller's choice, Konversation will delete or return all Customer Personal Data and delete existing copies, unless applicable law requires continued storage. Following a reasonable wind-down period, residual copies in backups are deleted in the ordinary course of backup rotation and remain protected by this DPA until deleted.
11. Audit Rights
Konversation makes available to the Controller information reasonably necessary to demonstrate compliance with its obligations under this DPA and the Data Protection Laws, and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates. Audits will be conducted on reasonable prior notice, no more than once per year (unless required by a supervisory authority or following a Personal Data Breach), during business hours, and subject to confidentiality obligations. Konversation may satisfy audit requests by providing relevant certifications, reports, or summaries of independent assessments.
12. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not increase the aggregate liability caps agreed in the Agreement.
13. Governing Law
This DPA is governed by the same governing law and jurisdiction as the Agreement, namely the laws of England and Wales, unless the Data Protection Laws require otherwise. In the event of conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails. This DPA was last updated on June 15, 2026.
To execute a countersigned copy of this DPA, or for questions, contact team@konversation.io.
14. Contact Information
Questions about this document?
If you have questions about this document, or wish to exercise any rights described above, contact us at team@konversation.io or by post at Unit A10 509 Bizspace Business Park Kings Road, Birmingham, Tyseley, England, B11 2AL, United Kingdom.
