Data Processing Agreement
Standard DPA. Version 2026-05-07. Governs processing of personal data on behalf of our customers.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Clonvo (Sole Proprietor) ("Processor", "Clonvo") and the customer that has accepted those Terms ("Controller"). It applies whenever Clonvo processes Personal Data on the Controller's behalf in the course of providing the Clonvo service.
A signed PDF copy of this DPA is available on request. Email dpo@clonvo.chat with your organization name and the legal entity that should appear on the signed copy.
1. Definitions
"Controller", "Processor", "Personal Data", "Processing", "Sub-processor", "Data Subject", and "Supervisory Authority" have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR.
2. Subject matter, nature & purpose of processing
- Subject matter: processing of Personal Data necessary to deliver the Clonvo service to the Controller.
- Nature: message routing, AI inference, retrieval-augmented generation, analytics, conversation storage, template management, broadcasts.
- Purpose: to enable the Controller to operate customer conversations across WhatsApp, Instagram and Messenger.
- Duration: for the term of the Controller's subscription, plus a deletion grace period (30 days).
- Categories of Data Subjects: the Controller's employees and agents (account users), and end-users who initiate or receive messages via the channels the Controller has connected.
- Categories of Personal Data: name, email, phone number, social handle, message content, message metadata, uploaded knowledge-base content, billing identifiers.
3. Obligations of the Processor (Clonvo)
- Process Personal Data only on documented instructions from the Controller, including those reflected in the Terms and the Controller's configuration choices in the dashboard.
- Ensure that personnel authorised to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex II below).
- Not engage a Sub-processor without the Controller's general authorisation, and notify the Controller in writing of any intended changes (Section 6).
- Assist the Controller in fulfilling Data Subject requests (access, rectification, erasure, portability, restriction, objection) within 30 days of request.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.
- On termination, delete or return Personal Data within 30 days unless retention is required by law.
4. Obligations of the Controller
- Ensure a lawful basis exists for the processing, including (where required) collecting valid opt-in consent from end-users for WhatsApp / Instagram / Messenger communications.
- Maintain the accuracy of the Personal Data uploaded to the service.
- Configure access controls in the dashboard appropriately and rotate credentials when team members leave.
5. Security (Annex II)
- TLS 1.2+ in transit. AES-256-GCM at rest for all secrets.
- Role-based access control with separation of duties between platform staff and Controller users.
- Multi-factor authentication enforced for Clonvo staff. Customers can require it through Clerk.
- Per-tenant data isolation. Every database query and vector-store namespace is scoped to a single organization.
- Daily encrypted backups, 30-day retention.
- Vulnerability management; responsible disclosure handled at security@clonvo.chat.
6. Sub-processors (Annex III)
The Controller authorizes the following Sub-processors. We will notify subscribers in writing at least 30 days before adding or replacing a Sub-processor that materially changes how their data is handled.
| Sub-processor | Purpose | Region |
|---|---|---|
| Clerk | Authentication & user management | United States |
| Supabase | Postgres database hosting | Singapore (ap-southeast-1) |
| Amazon Web Services (Amplify, EC2, S3) | Web hosting, background workers, encrypted media storage | United States / Asia-Pacific |
| Meta Platforms (WhatsApp, Instagram, Messenger APIs) | Message delivery on Meta channels | United States / European Union |
| YCloud | WhatsApp Business API infrastructure partner | Singapore |
| Syrow | WhatsApp Business API infrastructure partner | Singapore |
| OpenAI | Large-language-model inference (fallback path) | United States |
| Groq | Primary low-latency LLM inference & Whisper transcription | United States |
| Google (Gemini) | Secondary LLM inference & embeddings | United States / European Union |
| Qdrant (self-hosted on EC2) | Vector database for retrieval-augmented generation | Asia-Pacific (ap-southeast-1) |
| Merchant-of-Record processor (Lemon Squeezy / 2Checkout / Paddle) | Subscription billing, tax compliance and chargeback handling | United States / European Union |
7. International transfers
Where Personal Data is transferred from the EEA, UK or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (SCCs, Module 2: Controller-to-Processor) by reference. The UK Addendum applies to UK transfers; the Swiss DPA applies to Swiss transfers.
8. Audits
The Controller may, no more than once per twelve-month period (and, in addition, at any time after a confirmed breach), audit our compliance with this DPA by submitting a written questionnaire that we will answer within 30 days. On-site audits are available for Enterprise customers under NDA.
9. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms.
10. Order of precedence
In the event of a conflict between this DPA and the Terms, this DPA prevails to the extent it relates to the processing of Personal Data.
11. Governing law
This DPA is governed by the laws of the Islamic Republic of Pakistan. Where mandatory data-protection law (e.g. GDPR / UK GDPR) applies, that law prevails over this clause to the extent of any conflict.
12. Signatures
Acceptance of the Terms via account creation, or use of the service, constitutes acceptance of this DPA. A signed counterpart is available on request from dpo@clonvo.chat.