Data Processing Agreement

Last updated: February 25, 2026

This Data Processing Agreement (“DPA”) supplements the Terms of Service and the Privacy Policy. It applies when Covala processes personal data on behalf of Customer as a data processor under applicable data protection laws including the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.

1. Definitions

  • “Controller” means the Customer, who determines the purposes and means of processing personal data.
  • “Processor” means Covala Inc., which processes personal data on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Covala in connection with the Services.
  • “Sub-processor” means a third-party service provider engaged by Covala to process Personal Data on behalf of the Controller.
  • “Data Protection Laws” means all applicable laws relating to the processing of Personal Data, including the GDPR, UK GDPR, CCPA/CPRA, and other national implementing legislation.

2. Scope of Processing

2.1 Nature and Purpose

Covala processes Personal Data solely to provide the Services as described in the Terms of Service. This includes: authenticating API requests, enforcing rate limits, generating usage reports, processing billing, and providing customer support.

2.2 Categories of Data Subjects

  • API customers and their authorized users
  • Developer dashboard users
  • Website visitors (limited to analytics data)

2.3 Types of Personal Data

  • Account information: email address, display name, company name
  • Authentication data: hashed API Keys, session tokens
  • Usage data: API request logs, IP addresses, timestamps
  • Billing data: payment method details (processed by Stripe)
  • Support data: support requests, feedback, documentation contributions

2.4 What Is Not Personal Data

Product Data served through the API (product specifications, pricing, availability, error codes, maintenance schedules) is factual product information that does not constitute Personal Data.

3. Obligations of the Processor

Covala shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational security measures as described in Section 5.
  • Engage Sub-processors only in accordance with Section 4.
  • Assist the Controller in responding to data subject access requests and exercising data subject rights.
  • Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultations.
  • At the choice of the Controller, delete or return all Personal Data upon termination of the Services, and delete existing copies unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.

4. Sub-processors

The Controller authorizes Covala to engage the following Sub-processors:

  Sub-processor                         Purpose                                          Location
  ------------------------------------  -----------------------------------------------  -------------------------
  Supabase, Inc.                        Database hosting, authentication, Edge Functions  United States
  Stripe, Inc. (when billing is active) Payment processing, billing                      United States
  Cloudflare, Inc.                      CDN, DDoS protection, edge caching               Global (US headquartered)
  Vercel, Inc.                          Application hosting, serverless functions        United States
  Upstash, Inc.                         Redis caching, rate limiting                     United States

Covala will notify the Controller at least 30 days before adding or replacing a Sub-processor, via the email address associated with the Customer’s account. The Controller may object to a new Sub-processor on reasonable data protection grounds within 15 days of notification. If the objection cannot be resolved, either party may terminate the affected Services.

Covala imposes data protection obligations on each Sub-processor no less protective than those in this DPA, and remains liable for the acts and omissions of its Sub-processors.

5. Security Measures

Covala implements the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: All data transmitted over the network uses TLS 1.2 or higher.
  • Encryption at rest: All databases use AES-256 encryption at rest.
  • Access control: Row-level security (RLS) enforced on all database tables. API Keys hashed with SHA-256 before storage.
  • Input validation: All inputs validated using schema validation (Zod) to prevent injection attacks.
  • Rate limiting: Protects against brute-force attacks and denial-of-service attempts.
  • Monitoring: Real-time alerting for security events, unauthorized access attempts, and anomalous usage patterns.
  • Secret management: All secrets and credentials managed through Doppler, never stored in code or configuration files.
  • Vulnerability management: Regular security reviews and dependency audits.

6. Data Breach Notification

Covala will notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

7. Data Subject Rights

Covala will assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). Covala will promptly notify the Controller if it receives a request directly from a data subject, and will not respond to the request except on the Controller’s instructions or as required by law.

8. International Transfers

Covala processes Personal Data in the United States. For transfers of Personal Data from the EEA/UK to the United States, the parties agree to the Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914), which are incorporated into this DPA by reference. The Controller acts as the data exporter and Covala acts as the data importer.

9. Audit Rights

The Controller may audit Covala’s compliance with this DPA, subject to the following conditions: (a) audits will be conducted no more than once per year, (b) the Controller will provide at least 30 days’ written notice, (c) audits will be conducted during normal business hours, and (d) the Controller will bear the costs of the audit. Covala may satisfy audit requests by providing relevant certifications, audit reports, or other documentation demonstrating compliance.

10. Data Return and Deletion

Upon termination of the Services, Covala will, at the Controller’s election: (a) return all Personal Data to the Controller in a standard, machine-readable format, or (b) delete all Personal Data within 90 days. Covala may retain Personal Data only to the extent required by applicable law, and will isolate and protect such data from further processing.

11. Duration and Termination

This DPA is effective for the duration of the Customer’s use of the Services under the Terms of Service. Sections relating to data deletion, confidentiality, and liability survive termination.

12. Contact

For questions about this DPA or to request a signed copy, contact privacy@covala.com.