Data Processing Addendum

LAST UPDATED · MAY 25, 2026

What the DPA covers

The Convo DPA governs how Convo processes personal data on behalf of an institutional customer (a “Controller” under GDPR, a “Business” under CCPA) when that customer uses the Convo platform to publish tours and receive visitor analytics. It supplements our standard Terms of Service and incorporates the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum where applicable.

Key terms in plain English

What Convo processes. Reference materials uploaded by institutional staff; staff account details (email address and authentication metadata) for the admin portal; visitor account details (email address and authentication metadata) for the visitor app; visitor interaction data (tour starts, stops played, questions asked, language selected) tied to a visitor session.

What Convo does not process. Visitor or staff passwords (sign-in uses one-time email passcodes, not passwords), names, phone numbers, mailing addresses, or payment card details (payment data is handled directly by Stripe).

Retention. Reference materials are retained for the life of the subscription plus thirty days. Visitor interaction logs and visitor account records are retained for the life of the institution’s subscription; specific retention windows for visitor data can be configured in the institution’s order form.

Sub-processors. See the live security and sub-processor page. Material changes are notified by email to the institution’s billing contact in advance — typically at least 30 days before the change takes effect.

Region. All processing happens in the United States today (Vercel and Supabase US-East). EU-region hosting is on the roadmap; institutions whose legal teams require EU-region processing should raise it during procurement so we can confirm timing. Transfers to the United States are governed by the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable).

Data subject requests. Convo assists the institution in responding to access, rectification, deletion, and portability requests from data subjects. The institution remains the controller and primary point of contact for those requests.

Security incidents. Convo notifies the institution’s designated contact within 72 hours of becoming aware of a personal data breach affecting that institution’s data, with the information required by Article 33 of the GDPR.

How to execute the DPA

Email legal@convo.app with your institution’s legal entity name and the country it operates in. We’ll send the current DPA as a PDF (or Word, if your office prefers) and a DocuSign link. If your team needs to redline, we generally accept reasonable changes and respond promptly.

Where this fits in the contract

The DPA is incorporated by reference into the Convo Terms of Service and any institutional Order Form. In the event of a conflict between the DPA and the Terms of Service with respect to personal data processing, the DPA controls.

QUESTIONS?

Write to legal directly.