Data Processing Agreement
Last Updated: March 3, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Converra, Inc. ("Converra," "Processor") and the entity agreeing to the Agreement ("Customer," "Controller"), and governs the processing of personal data by Converra on behalf of Customer in connection with the Service.
This DPA is designed to meet the requirements of Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable U.S. state privacy laws including the California Consumer Privacy Act (CCPA/CPRA).
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Converra as part of Customer Data.
- "Customer Data" has the meaning given in the Agreement and includes all data, content, prompts, conversations, traces, agent inputs and outputs, simulation data, evaluation results, files, memories, contexts, embeddings, metrics, and other information submitted to the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Subprocessor" means any third party engaged by Converra to process Personal Data on behalf of Customer.
- "Data Protection Laws" means all applicable data protection and privacy laws, including the GDPR, UK GDPR, CCPA/CPRA, and other U.S. state privacy laws.
2. Roles and Scope
2.1 Controller and Processor
Customer is the Controller of Customer Data. Converra processes Customer Data as a Processor solely on behalf of Customer and in accordance with Customer's documented instructions as set forth in the Agreement and this DPA.
2.2 Processing Purpose
Converra processes Customer Data solely to provide the Service, including:
- Analyzing AI agent traces, prompts, and conversation patterns
- Generating prompt variants and optimization recommendations
- Running simulations using persona- and scenario-based models
- Evaluating and scoring variants against performance metrics
- Providing insights, analytics, and governance dashboards
- Storing memories, contexts, and embeddings for retrieval
2.3 Types of Personal Data
Customer Data may contain the following categories of Personal Data, depending on what Customer submits to the Service:
- End-user identifiers (names, email addresses, user IDs) present in agent traces or conversation logs
- Conversation content and natural language inputs/outputs
- Usage metadata (timestamps, IP addresses, session data)
- Any other Personal Data included by Customer in prompts, traces, or uploaded content
2.4 Data Subjects
Data subjects may include Customer's end users, employees, contractors, and any individuals whose Personal Data is included in Customer Data submitted to the Service.
3. Customer Instructions
Converra will process Personal Data only in accordance with Customer's documented instructions, which include: (a) the Agreement and this DPA; (b) Customer's configuration of the Service (including automation levels, governance rules, and integration settings); and (c) any additional written instructions agreed by the parties.
If Converra believes an instruction infringes Data Protection Laws, Converra will promptly notify Customer and may suspend processing of the affected data until Customer issues a lawful instruction.
4. No Training on Customer Data
Converra will not use Customer Data to train, fine-tune, or improve any machine learning model, foundation model, or AI system, whether Converra's own or any third party's. Customer Data is used solely to provide the Service to the specific Customer that submitted it. This prohibition is also codified in Section 5.6 of the Terms of Service.
Converra engages third-party LLM providers exclusively under enterprise or API-tier agreements that contractually prohibit those providers from training on Customer Data. If any third-party provider materially changes its terms to permit training on data submitted through its API, Converra will cease transmitting Customer Data to that provider within a commercially reasonable timeframe and will notify affected Customers.
5. Confidentiality
Converra ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Data is limited to personnel who require such access to perform Converra's obligations under the Agreement.
6. Security Measures
Converra implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption in transit: TLS 1.2+ for all data transmitted to and from the Service
- Encryption at rest: AES-256 encryption for stored data via infrastructure providers
- Access controls: Role-based access control (RBAC) with tenant-scoped isolation
- Authentication: Secure session management with HTTP-only cookies; OAuth/SSO support
- Tenant isolation: Logical isolation via per-customer tenant identifiers with application-layer enforcement
- Monitoring: Logging and monitoring of key operations, errors, and security events
- Dependency management: Automated vulnerability scanning via Dependabot
For additional detail, see the Trust & Security page.
7. Subprocessors
7.1 Authorized Subprocessors
Customer authorizes Converra to engage the following subprocessors to process Customer Data:
| Subprocessor | Purpose | Location |
|---|---|---|
| MongoDB Atlas | Primary database (storage, queries, backups) | US |
| Render | Application hosting and compute | US |
| OpenAI | AI model inference for simulation, evaluation, and optimization | US |
| Anthropic | AI model inference for simulation, evaluation, and optimization | US |
| Google AI | AI model inference for simulation, evaluation, and optimization | US |
| Stripe | Payment processing and billing | US |
| Resend | Transactional email delivery | US |
| Pinecone | Vector database for embeddings | US |
| Upstash | Managed Redis (caching, rate limiting) | US |
| AWS S3 | File and document storage | US |
| PostHog | Product analytics (anonymized usage data only) | US/EU |
| Google OAuth | Authentication identity provider | US |
7.2 Subprocessor Changes
Converra will notify Customer at least 30 days before adding or replacing a subprocessor that processes Customer Data. Customer may object to a new subprocessor by notifying Converra in writing within 30 days of receipt of notice. If Converra cannot reasonably accommodate the objection, Customer may terminate the affected portion of the Service.
7.3 Subprocessor Obligations
Converra imposes data protection obligations on each subprocessor that are no less protective than those in this DPA, including obligations regarding confidentiality, security, and restrictions on data use.
8. Data Subject Rights
Converra will assist Customer in fulfilling its obligations to respond to data subject requests under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). Converra will promptly notify Customer if it receives a request directly from a data subject and will not respond to such requests without Customer's authorization, unless required by law.
9. Data Breach Notification
9.1 Notification Timeline
Converra will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Customer Data.
9.2 Notification Contents
The notification will include, to the extent available:
- A description of the nature of the breach
- The categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including mitigation
- The name and contact details of Converra's point of contact
9.3 Cooperation
Converra will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any breach. Converra will provide ongoing updates as further information becomes available.
10. Data Deletion and Return
10.1 Upon Termination
Upon termination of the Agreement, Converra will, at Customer's election:
- Return Customer Data in a structured, commonly used, machine-readable format; or
- Delete Customer Data from active systems within 30 days.
10.2 Exceptions
Converra may retain Customer Data beyond 30 days only to the extent required by applicable law (such as tax or accounting requirements) or for legitimate business purposes (such as billing records and dispute resolution). Any retained data remains subject to the protections of this DPA.
10.3 Backup Copies
Copies of Customer Data in backup systems will be deleted in the ordinary course of backup rotation, typically within 90 days following deletion from active systems.
11. Audit Rights
11.1 Information and Audit
Converra will make available to Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA. Converra will allow and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, subject to the following conditions:
- Customer provides at least 30 days' written notice of an audit request
- Audits are conducted during normal business hours and do not unreasonably disrupt Converra's operations
- Customer bears the cost of any audit, unless the audit reveals a material breach of this DPA
- Audits are limited to once per 12-month period
11.2 Certifications and Reports
Where available, Converra may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2), or third-party assessment summaries, subject to confidentiality obligations.
12. International Data Transfers
12.1 Transfer Mechanisms
Where Customer Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, Converra will ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs): Module 2 (Controller-to-Processor) and, where applicable, Module 3 (Processor-to-Processor) of the European Commission's Standard Contractual Clauses (Decision 2021/914)
- UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as applicable
- Swiss Federal Act on Data Protection (FADP) transfer mechanisms, as applicable
12.2 Data Location
Customer Data is primarily stored and processed in the United States. Enterprise customers may request specific data residency arrangements by contacting security@converra.ai.
13. CCPA/CPRA Provisions
To the extent the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) applies:
- Converra acts as a "Service Provider" as defined under the CCPA/CPRA with respect to Customer Data.
- Converra will not sell or share (as defined under CCPA/CPRA) Customer Data.
- Converra will not retain, use, or disclose Customer Data for any purpose other than performing the Service, and will not combine Customer Data with data received from other sources except as permitted under CCPA/CPRA.
- Converra will comply with applicable CCPA/CPRA requirements and assist Customer in responding to verifiable consumer requests.
14. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not limit either party's liability for breaches of its data protection obligations to the extent such limitation is not permitted under applicable Data Protection Laws.
15. Term
This DPA remains in effect for the duration of the Agreement and for as long as Converra processes Customer Data on behalf of Customer. The obligations of Converra under this DPA survive termination to the extent Converra retains any Customer Data.
16. Conflict
In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.
Contact
For questions about this DPA or data processing practices, or to exercise rights under applicable Data Protection Laws, please contact:
privacy@converra.ai
Converra, Inc.
Delaware, USA