Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between you ("Customer") and Chevvi Pty Ltd (ABN 54 682 793 602, "Chevvi") and applies whenever Chevvi processes Personal Data on Customer's behalf in connection with the Services. It is intended to comply with the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the Australian Privacy Act 1988 (Cth) (the "Privacy Act").

This DPA is automatically incorporated into the Agreement when Customer accepts the Terms; no separate signature is required. If you require a counter-signed version (for example, for procurement records), email legal@chevvi.com.

1. Definitions

Capitalised terms used but not defined here have the meanings given in the Agreement or the GDPR.

Personal Data — any information relating to an identified or identifiable natural person that Chevvi processes on Customer's behalf in connection with the Services.
Data Subject — the individual whose Personal Data is processed.
Controller / Processor — as defined in the GDPR.
Sub-processor — any third party engaged by Chevvi to process Personal Data on Customer's behalf.
SCCs — the Standard Contractual Clauses approved by the European Commission Decision 2021/914 of 4 June 2021.
UK Addendum — the International Data Transfer Addendum to the SCCs issued by the UK ICO under section 119A of the Data Protection Act 2018.

2. Roles and scope

For Personal Data processed in connection with the operation of Customer's account, agents, and conversations: Customer is the Controller and Chevvi is the Processor.
For Personal Data Chevvi collects directly from Customer's personnel (e.g., billing contacts, support correspondence) and from website visitors to owlish.bot, Chevvi is an independent Controller, governed by our Privacy Policy.
This DPA applies for the duration of the Agreement and survives termination as long as Chevvi processes Personal Data on Customer's behalf.

3. Customer obligations

Customer warrants that it has all rights and lawful bases (including consents and notices) necessary for Chevvi to process Personal Data on Customer's behalf as contemplated by the Agreement.
Customer is solely responsible for the accuracy, quality, and legality of Personal Data, the means by which it acquired Personal Data, and the lawfulness of any instructions it provides to Chevvi.
Customer will inform Data Subjects, where required, of the processing activities described in this DPA, including any international transfers to Chevvi and its Sub-processors.

4. Processing instructions

Chevvi will process Personal Data only on documented instructions from Customer. The Agreement (including this DPA, your Order, configuration of the Services, and reasonable use of the Services in accordance with the Documentation) constitutes Customer's complete and final instructions.
Additional instructions outside the scope of the Agreement require a separate written agreement, which Chevvi may reasonably refuse or charge for.
Chevvi will inform Customer if it believes an instruction infringes the GDPR or other applicable data protection law.

5. Confidentiality of personnel

Chevvi ensures that any personnel authorised to process Personal Data are bound by appropriate confidentiality obligations, are trained on data protection, and access Personal Data only on a need-to-know basis.

6. Security measures (Article 32)

Chevvi implements and maintains the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk. The measures may evolve over time to reflect new threats and capabilities, provided the level of protection is not materially diminished.

7. Sub-processors

Customer authorises Chevvi to engage the Sub-processors listed in Annex III below.
Chevvi will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and Chevvi remains liable for the acts and omissions of its Sub-processors as if they were its own.
Chevvi will give Customer at least 30 days' notice (by email or in-product banner) before engaging a new Sub-processor that materially affects the Services. If Customer reasonably objects to the new Sub-processor on data protection grounds within that notice period, Customer may terminate the affected Services and receive a pro-rated refund of any pre-paid unused fees.
The most current Sub-processor list is published at this URL and supersedes Annex III if updated.

8. International data transfers

Chevvi processes Personal Data primarily in the United States (Google Cloud region us-central1) and may transfer Personal Data to other jurisdictions where its Sub-processors operate.
For Personal Data transferred from the EEA, the SCCs (Module Two: Controller-to-Processor) are incorporated into this DPA by reference, with the elections in Annex I below.
For transfers from the United Kingdom, the UK Addendum is incorporated by reference, completed using the elections in Annex I.
For transfers from Switzerland, the SCCs apply with references to "EU" replaced by "Switzerland" and the FDPIC as the supervisory authority.
For transfers from Australia, Chevvi takes reasonable steps under APP 8 to ensure that overseas recipients comply with the APPs through written agreements, encryption, and access controls.
Where Chevvi or one of its Sub-processors is certified under the EU‑US Data Privacy Framework, the relevant transfer mechanism applies for so long as the certification is valid.

9. Data Subject requests

Chevvi will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures (insofar as possible) to fulfil Customer's obligation to respond to Data Subject requests.
If Chevvi receives a request directly from a Data Subject regarding Personal Data processed on Customer's behalf, Chevvi will (i) not respond on the merits, (ii) refer the Data Subject to Customer where possible, and (iii) promptly notify Customer.

10. Personal Data breaches

Chevvi will notify Customer without undue delay (and in any event within 72 hours of Chevvi becoming aware) of any Personal Data breach affecting Customer's Personal Data.
The notification will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed.
Chevvi will provide reasonable assistance to Customer's notifications to supervisory authorities and Data Subjects.

11. Data Protection Impact Assessments

Chevvi will provide Customer with reasonable assistance for Data Protection Impact Assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Chevvi.

12. Deletion or return of Personal Data

On termination or expiry of the Agreement, Customer may export Personal Data through the Services for up to 30 days. After 30 days, Chevvi will delete or anonymise Personal Data in accordance with the retention schedule in the Privacy Policy and section 13 of the Agreement.
Backups containing Personal Data expire on their own retention cycle (up to 35 days) and are then deleted automatically.
Chevvi may retain Personal Data to the extent required by law (e.g., billing records under tax law) or as anonymised audit records that no longer identify any Data Subject.

13. Audits

Chevvi will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA.
Chevvi maintains independent assurance through its Sub-processors (e.g., Google Cloud SOC 2/ISO 27001 reports) and will, on request and subject to confidentiality obligations, provide summaries or attestations.
If Customer reasonably requires further audit information that cannot be addressed by attestations, the parties will agree on the scope, timing, and cost in good faith. Audits must be conducted with at least 30 days' written notice, no more than once per 12 months (except in cases of a confirmed breach), during business hours, and in a manner that does not interfere with Chevvi's operations or other customers' confidentiality.

14. Liability

The liability provisions of the Agreement apply to this DPA. Where the SCCs apply, the liability rules of the SCCs apply with respect to the rights of Data Subjects under the SCCs, but the cap on liability between the parties under the Agreement remains in force.

15. Order of precedence

In case of conflict between (a) the SCCs / UK Addendum, (b) this DPA, and (c) the Agreement, in respect of the processing of Personal Data, the order of precedence is: (a), then (b), then (c).

Annex I — Description of processing

I.A · Parties

Data exporter (Controller): Customer, as identified in the Agreement.
Data importer (Processor): Chevvi Pty Ltd, ABN 54 682 793 602, Sydney, NSW 2000, Australia. Contact: privacy@chevvi.com.

I.B · Description of the transfer

Categories of Data Subjects	Customer's personnel and authorised users; End Users who interact with Customer's agents.
Categories of Personal Data	Identifiers (name, email, IP address, account ID); workspace metadata; chat conversations and any voluntarily submitted attributes; configuration data; billing contact details. No special-category data is intended.
Special-category data	Not contemplated. If Customer chooses to process special-category data, Customer is responsible for the additional safeguards required under Art. 9 GDPR or equivalent law.
Frequency of transfer	Continuous, for the duration of the Agreement.
Nature of processing	Hosting, storage, retrieval, AI inference, search, indexing, transmission, deletion, backup, support, fraud and abuse prevention, billing.
Purpose of processing	Provision of the Services described in the Agreement.
Period of retention	As described in section 8 of the Privacy Policy and section 13 of the Agreement; no longer than necessary for the purposes for which it is processed.
Onward transfers	To Sub-processors listed in Annex III for the purposes set out there.

I.C · Competent supervisory authority

For Personal Data transferred from the EEA, the supervisory authority is the lead authority of the Customer's establishment, or — where Customer is established outside the EEA but its Data Subjects are in the EEA — the Irish Data Protection Commission.

For Personal Data transferred from the UK, the Information Commissioner's Office.

For Personal Data of Australian Data Subjects, the Office of the Australian Information Commissioner (OAIC).

I.D · Optional clauses

Clause 7 (docking) — applicable.
Clause 11(a) (independent dispute resolution) — not selected.
Clause 17 (governing law of the SCCs) — Republic of Ireland.
Clause 18 (forum and jurisdiction of the SCCs) — courts of Ireland.

Annex II — Technical and organisational measures

Chevvi maintains the following measures, which may evolve to reflect technological and operational improvements provided the level of protection is not materially diminished:

Pseudonymisation and encryption

TLS 1.2 or higher (TLS 1.3 preferred) for all data in transit; HSTS enforced on production.
AES-256 encryption at rest using Google Cloud managed keys.
Pseudonymous identifiers (prefixed NanoIDs) are used as primary keys; long-lived deletion-audit records are kept under hashed identifiers.

Confidentiality, integrity, availability, resilience

Multi-tenant isolation enforced at four layers: Firebase Auth JWT, Data Connect GraphQL workspace filters, server-side authorisation checks, and PostgreSQL triggers for critical invariants.
Network isolation: private endpoints for managed databases; public ingress restricted to documented service hostnames.
Daily managed-database backups with point-in-time recovery; backup retention up to 35 days.
Cloud-native monitoring and alerting; health checks and automated rollback for failed deployments.

Restoration after incident

Documented incident response runbook with severity classification, containment, eradication, recovery, and post-incident review steps.
Backups are tested periodically.

Regular testing and evaluation

Continuous secret scanning, dependency vulnerability scanning, and static analysis on every build.
Periodic third-party penetration testing of production hostnames (cadence: at least annually for paid tiers once available; report summaries available on request under NDA).
Annual review of access rights and Sub-processor list.

Identification of users; access governance

Strong authentication (Firebase Auth) with secure password storage (Argon2 / bcrypt).
Role-based access control with per-member toggles and least-privilege defaults.
Production access by Chevvi personnel restricted, audited, and logged.
Background checks for personnel with privileged production access (when implemented as headcount grows).

Data minimisation, quality, retention

Per-tier conversation retention with automated daily purge.
Soft-delete with documented grace period and idempotent hard-delete walkers across the primary database, Firestore, object storage, search indexes, and Sub-processors.
Logging excludes message bodies and other free-form personal content; only event metadata and internal IDs are logged.

Accountability

Pseudonymous deletion-audit records retained for 7 years.
Records of processing activities (RoPA) maintained internally and updated as features change.
Data Protection Impact Assessments performed for high-risk processing activities.

Annex III — Sub-processors

Sub-processor	Service	Location	Transfer mechanism (EEA)
Google Cloud Platform (Cloud Run, Cloud Functions, Cloud SQL, Firestore, Cloud Storage, Vertex AI, Firebase Auth)	Hosting, database, AI inference, authentication.	United States (us-central1).	EU‑US DPF + SCCs.
Anthropic (via Vertex AI)	Optional LLM provider.	United States.	SCCs via Google Cloud DPA.
OpenAI (via Vertex AI)	Optional LLM provider.	United States.	SCCs via Google Cloud DPA.
Stripe Payments Australia / Stripe Inc.	Payment processing and tax invoicing.	United States; Ireland for EU billing.	SCCs / Stripe DPA.
Resend	Transactional email delivery.	United States.	SCCs.
Firecrawl	Discovering URLs from sitemaps for knowledge sources (Map endpoint only — no page content).	United States.	SCCs.
Parallel.ai (Parallel Web Systems Inc.)	Extracting page content from URLs supplied as knowledge sources.	United States.	SCCs.
Google Document AI	OCR fallback.	United States.	EU‑US DPF + SCCs.
PostHog	Product analytics (after consent in EU/UK/AU).	United States today; planned migration to PostHog EU Cloud for EU traffic.	SCCs.
Slack, Microsoft (Teams), Discord	Optional channel integrations chosen by Customer.	United States.	SCCs / vendor DPA.
Cloudflare	Visitor country lookup for cookie-banner gating (via the public `cdn-cgi/trace` endpoint).	Global edge network.	SCCs / Cloudflare DPA.

Annex III is updated from time to time. The current version is published at /legal/dpa#sub-processors and supersedes any previously published version.