Data Processing Addendum (DPA)

Last updated: March 19, 2025

This Data Processing Addendum ("DPA") is entered into between Convoy ("Processor" or "Service Provider") and the User ("Controller" or "Business"), collectively referred to as the "Parties," and forms an integral part of the Terms of Service or other applicable agreement governing the use of Convoy's services (the "Agreement").

This DPA outlines the responsibilities and obligations of the Parties regarding the processing of personal data under applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and other relevant privacy laws. It includes provisions on data processing, security measures, international data transfers, and data subject rights.

1. Definitions

1.1 "Applicable Data Protection Laws": Refers to all laws and regulations relating to privacy and data protection, including GDPR, UK GDPR, CCPA, and any other applicable laws governing personal data processing.

1.2 "Personal Data": Any information relating to an identified or identifiable natural person as defined under the GDPR, CCPA, or other applicable laws.

1.3 "Processing": Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.

1.4 "Sub-Processor": Any third party engaged by Convoy to process Personal Data on behalf of the User.

1.5 "Standard Contractual Clauses (SCCs)": The contractual clauses adopted by the European Commission for the lawful transfer of Personal Data outside the EEA.

2. Scope and Role of the Parties

2.1 Roles of the Parties: The User acts as the Controller, and Convoy acts as the Processor in relation to Personal Data. Where applicable, Convoy may act as a "Service Provider" under the CCPA.

2.2 Processing Purposes: Convoy processes Personal Data solely to provide webhook delivery and related services, in accordance with documented User instructions. Convoy shall not process Personal Data for any other purposes.

3. Data Processing Obligations

3.1 Controller Instructions: Convoy shall process Personal Data only in accordance with the User's documented instructions unless required by law. If Convoy is required by law to process Personal Data beyond the agreed instructions, it shall notify the User unless legally prohibited.

3.2 Confidentiality: Convoy ensures that personnel authorized to process Personal Data are subject to confidentiality obligations.

3.3 Security Measures: Convoy implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, alteration, or destruction, including:

  • Encryption of data at rest and in transit
  • Access controls and authentication mechanisms
  • Continuous security monitoring and logging
  • Regular security audits and penetration testing

3.4 Assistance to the Controller: Convoy shall assist the User in ensuring compliance with GDPR obligations, including responding to Data Subject requests and conducting data protection impact assessments.

3.5 Controller Attestation Requirement: The User/Controller warrants that the personal data provided to Convoy has been collected and processed in accordance with GDPR requirements, including obtaining valid consent from data subjects where required, or having another lawful basis and providing necessary privacy notices. The User/Controller further acknowledges responsibility for the lawfulness of the data provided.

4. Sub-Processing

4.1 Authorized Sub-Processors: The User authorizes Convoy to engage Sub-Processors for service delivery. Convoy shall ensure Sub-Processors meet the same data protection obligations.

4.2 Notice of Changes: Convoy shall provide advance notice of new Sub-Processors. The User may object to new Sub-Processors based on reasonable privacy concerns.

4.3 A list of Convoy's current authorized Sub-Processors (the “List”) is available to the User at https://trust.getconvoy.io/subprocessors. Such List may be updated by Convoy from time to time.

4.4 If the User reasonably objects to an engagement in accordance with Section 4.2, and Convoy cannot provide a commercially reasonable alternative within a reasonable period of time, the User may discontinue the use of the affected Service by providing written notice to Convoy. Discontinuation shall not relieve the User of any fees owed to Convoy under the Main Agreement.

4.5 If the User does not object to the engagement of a Sub-Processor in accordance with Section 4.2 within fourteen (14) days of notice by Convoy, that Sub-Processor will be deemed an authorized Sub-Processor for the purposes of this DPA.

4.6 Convoy shall only disclose the personal data to a Sub-Processor on documented instructions from the User or in alignment with this DPA.

5. International Data Transfers

5.1 Data Residency: Convoy operates separate environments in the EU and the US. EU Personal Data is processed within the EU.

5.2 Standard Contractual Clauses (SCCs): If data transfers outside the EU are necessary, Convoy shall rely on SCCs as the legal basis.

5.3 Description of Transfers: This section outlines the processing activities that Convoy will carry out on behalf of the User, as detailed in Appendix A below.

5.4 Notification of Conflicting Local Laws: Convoy will promptly notify the User if it becomes aware of any local laws, regulations, or practices in its country of operation that may prevent it from fulfilling its obligations under the Standard Contractual Clauses. In such cases, Convoy will cooperate with the User to assess the impact and, where required, implement appropriate supplementary safeguards to ensure the protection of personal data.

6. Data Subject Rights

6.1 User Assistance: Convoy shall assist the User in responding to data subject requests under GDPR and CCPA.

6.2 Deletion Requests: Convoy shall delete Personal Data upon request from the User unless legally required to retain it.

6.3 Requests Notification: Convoy will promptly notify the User/Controller of any data subject request (including rectification, erasure, objection, or restriction) received directly, unless prohibited by law. Convoy will not respond to such requests without written instruction from the User/Controller.

7. Data Breach Notification

7.1 Incident Response: Convoy shall notify the User without undue delay upon becoming aware of a Personal Data Breach.

7.2 Breach Details: The notification shall include the nature of the breach, affected data, mitigation steps, and recommendations.

8. Retention and Deletion

8.1 Data Retention: Personal Data is retained for the duration of the User's active account. Webhook data retention is configurable by the User.

8.2 Data Deletion: Upon termination of services, Convoy shall delete or return Personal Data within 60 days unless required by law to retain it.

9. Governing Law

9.1 Applicable Law: This DPA is governed by the laws of the State of California unless EU data protection laws require otherwise.

9.2 Dispute Resolution: Any disputes shall be resolved through arbitration or as agreed in the primary Agreement.

10. Compliance Monitoring & Review

10.1 Regular Compliance Reviews: Convoy will conduct periodic reviews to ensure continued compliance with applicable data protection laws and the Standard Contractual Clauses (SCCs). Any amendments to the SCCs, changes in applicable Data Protection Laws, or outcomes of internal compliance reviews will be reflected in updates to this DPA.

10.2 DPA Changes: Convoy reserves the right to amend or update this DPA at any time to reflect changes in legal requirements, business practices, or SCC amendments.

11. General

Convoy’s liability under or in connection with this DPA, including under the SCCs, is subject to the exclusions and limitations on liability contained in the Main Agreement.

If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable.

This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.

Appendix A: Data Processing Details

This appendix outlines the subject matter, duration, and scope of processing activities as required under Article 28(3) of the GDPR. Convoy maintains records of processing activities and ensures regulatory compliance.

This DPA, including its annexes and SCCs, forms an essential part of the Agreement between Convoy and the User, ensuring compliance with all applicable data protection laws.

Description of Transfers (SCC Annex I)

Specification: Details

  • Data Subjects: Administrative users, end customers, third-party providers.
  • Categories of Personal Data: Name, email, IP address, authentication data, webhook payloads, metadata.
  • Sensitive Data: Not applicable unless customers include such data.
  • Frequency of Transfers: Continuous and on-demand webhook processing.
  • Nature of Processing: Webhook transmission, event routing, logging, monitoring.
  • Purpose of Transfer: Delivering webhook services securely and reliably.
  • Data Retention: Data is retained based on user configuration or deleted upon request.
  • Supervisory Authority: The EU member state's data protection authority where the User is based.

Contact Information

For questions about this DPA or to exercise your rights, please contact us at [email protected].