Data Processing Agreement

Last updated: March 1, 2026

This DPA applies to all customers of Covant who process personal data of EU/EEA, UK, or Swiss data subjects. By using Covant, you agree to this DPA as part of our Terms of Service.

1. Definitions

  • "Controller" — you (the Covant customer), who determines the purposes and means of processing personal data.
  • "Processor" — Covant, Inc., which processes personal data on your behalf.
  • "Personal Data" — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • "Processing" — any operation performed on personal data, including storage, retrieval, and deletion.
  • "GDPR" — EU General Data Protection Regulation 2016/679.
  • "Sub-processor" — any third party engaged by Covant to process personal data.

2. Scope and purpose

Covant processes personal data submitted to the Service by you (the Controller) for the sole purpose of providing the Covant partner program management platform.

Categories of personal data processed:

  • Contact information of partners and customers (name, email, company)
  • Deal and transaction records
  • Commission and payout data
  • Account credentials (hashed, managed by Clerk)
  • Usage and activity logs

Categories of data subjects: Your employees, your partners, and your partners' contacts who interact with the Covant platform.

3. Processor obligations

Covant agrees to:

  • Process personal data only on your documented instructions (i.e., to provide the Service)
  • Ensure persons authorized to process personal data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (see Security page)
  • Assist you in responding to data subject rights requests
  • Assist you with breach notification obligations under GDPR Article 33
  • Delete or return all personal data upon termination of the Service
  • Make available information necessary to demonstrate compliance with GDPR Article 28

4. Sub-processors

You authorize Covant to use the following sub-processors to provide the Service:

Sub-processor | Purpose                   | Location
Vercel, Inc.  | Application hosting       | US + global CDN
Convex, Inc.  | Database storage          | US (AWS us-east-1)
Clerk, Inc.   | Authentication            | US
Stripe, Inc.  | Payment processing        | US
Resend, Inc.  | Transactional email       | US
Groq, Inc.    | AI inference (setup only) | US

We will notify you at least 14 days before adding or changing a sub-processor. You may object to changes within 14 days of notification. If we cannot address your objection, you may terminate the Service for cause.

5. International data transfers

Personal data processed under this DPA may be transferred to and stored in the United States. Such transfers are based on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission where applicable
  • Our sub-processors' participation in recognized transfer mechanisms (e.g., Vercel, Stripe, and Clerk are all US entities with EU SCCs available)

For transfers from the UK, we rely on the International Data Transfer Agreement (IDTA) as the transfer mechanism.

6. Data subject rights

When you receive a data subject rights request (access, correction, deletion, portability), we will:

  • Assist you in fulfilling the request within the timelines required by GDPR
  • Not respond directly to data subjects about their rights without your authorization, except to direct them to you as the Controller

You can export all data from the Covant dashboard at any time. To request full deletion of an organization's data, email privacy@covant.ai.

7. Security and breach notification

Covant maintains appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. See our Security page.

In the event of a personal data breach affecting your data, Covant will:

  • Notify you without undue delay (within 72 hours of becoming aware) at the email address on your account
  • Provide details sufficient for you to fulfill your GDPR Article 33 notification obligation to your supervisory authority
  • Cooperate with your investigation and remediation efforts

8. Audit rights

You may request an audit of Covant's processing activities to verify compliance with this DPA. Requests must be:

  • Made in writing to privacy@covant.ai
  • Made no more than once per 12-month period unless required by a regulatory authority
  • At your cost for any third-party auditor

Once SOC 2 Type II certification is complete (target Q4 2026), we will provide our audit report in lieu of a direct audit.

9. Term and termination

This DPA is in effect for the duration of your Covant subscription. Upon termination:

  • Covant will retain your data for 90 days to allow for recovery
  • After 90 days, all personal data will be deleted from production systems
  • Backup copies will be deleted within 180 days of termination
  • You may request immediate deletion at any time

10. Contact and signed copies

This DPA is automatically incorporated into your agreement with Covant by accepting the Terms of Service. No separate signature is required for standard use.

Enterprise customers requiring a countersigned DPA should email legal@covant.ai. We'll respond within 3 business days.

Covant, Inc. · San Francisco, CA · legal@covant.ai