Data Processing Agreement & Global Privacy Addendum

1 Overview

convly is committed to ensuring a high level of protection of Personal Data and to complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

This page describes the conditions under which convly processes Personal Data in connection with the provision of its interoperability services between third-party communication platforms (e.g. Slack and Microsoft Teams).

Additional information is available at:

• conv.ly/security
• conv.ly/privacy-policy

2 Role of convly

convly acts strictly as a data processor under GDPR and as a service provider / contractor under CCPA.

• The Customer acts as the Controller / Business
• convly processes Personal Data solely on behalf of the Customer

convly does not determine the purposes or means of processing.

3 Nature of the Service

convly provides a real-time interoperability layer enabling the transmission of messages between third-party communication platforms.

4 Processing Activities

4.1 Permitted Processing

convly processes Personal Data solely for the following purposes:

• Transmission and routing of messages between platforms
• Maintenance of interoperability sessions
• Ensuring delivery, synchronization, and system integrity

4.2 Prohibited Uses

convly does not:

• Store message content or files
• Analyze message content
• Use Personal Data for advertising purposes
• Sell or share Personal Data
• Use Personal Data to train machine learning or AI models

5 Categories of Personal Data

convly processes only data strictly necessary to provide the service, including:

• User identifiers (e.g. name, email, platform user ID)
• Message routing metadata (timestamps, sender/recipient identifiers)
• Channel and workspace identifiers
• Authentication credentials (securely handled)

6 Data Minimization and Storage Limitation

convly applies privacy by design principles:

• Message content is processed transiently only
• Message content is not stored
• Personal Data is limited to the minimum required for interoperability

Personal Data is retained only for the duration necessary to ensure system functionality and security.

7 Security Measures

convly implements appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of Personal Data.

These measures include:

• Encryption in transit (TLS / AES-256 equivalent)
• Absence of persistent storage of message content
• Access control based on least privilege principles
• Secure management of authentication tokens
• Monitoring and logging mechanisms

Further details are available at: conv.ly/security

8 Sub-processors

convly may engage sub-processors for infrastructure and service delivery purposes.

Current sub-processors

• Slack, USA - Slack workspace data.
• Microsoft, USA - Teams workspace data.
• AWS, USA or EU - data hosting and processing.
• Stripe, USA - payment processing.
• Chargebee, USA - billing data.

convly ensures that all sub-processors:

• Are subject to contractual obligations equivalent to those set forth herein
• Process Personal Data solely for the provision of the service

9 International Data Transfers

Where Personal Data is transferred outside the European Economic Area or the United Kingdom, convly implements appropriate safeguards, including:

• Standard Contractual Clauses (SCCs)
• Supplementary technical measures such as encryption and data minimization

10 Responsibilities of the Customer

The Customer, as Controller / Business:

• Determines the purposes and legal basis of processing
• Ensures compliance with applicable data protection laws
• Is responsible for providing appropriate notices to data subjects

convly processes Personal Data strictly in accordance with the Customer's instructions.

11 Data Subject and Consumer Rights

convly assists the Customer, taking into account the nature of processing, in fulfilling obligations relating to:

• Access requests
• Rectification requests
• Erasure requests
• Restriction or objection requests

Requests may be coordinated via: privacy@conv.ly

12 Data Retention and Deletion

Due to its architecture:

• Message content is not retained
• Metadata is retained only as necessary for operational and security purposes

Upon termination of the service, Personal Data is deleted or irreversibly anonymized without undue delay.

13 Personal Data Breach

In the event of a Personal Data Breach, convly:

• Notifies the Customer without undue delay
• Provides relevant information regarding the nature and impact of the breach
• Implements appropriate mitigation measures

14 Global Privacy Compliance

European Union / United Kingdom

convly acts as a Processor under the General Data Protection Regulation and applicable UK data protection laws.

United States (California)

convly acts as a Service Provider under the California Consumer Privacy Act (as amended by CPRA).

convly:

• Does not sell Personal Information
• Does not share Personal Information for cross-context behavioral advertising
• Does not combine Personal Information across customers

Canada

convly processes Personal Information in accordance with applicable Canadian privacy laws, including PIPEDA, and applies appropriate safeguards.

15 Audit and Compliance

convly makes available information necessary to demonstrate compliance with applicable data protection obligations and may support reasonable audit requests, subject to appropriate confidentiality and security safeguards.

16 Legal Status

• This page forms part of convly's data protection commitments
• A formal Data Processing Agreement may be executed or incorporated into contractual agreements
• In the event of conflict, the executed DPA shall prevail

17 Contact

For any questions regarding data protection: privacy@conv.ly