Data Processing Agreement

Effective date: April 10, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Версей ЕООД (Versey EOOD), UIC 208443341, operating as Cove ("Processor", "we", "us") and you ("Controller", "you", "your") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Cove platform (the "Service").

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all processing of personal data that the Processor carries out on behalf of the Controller through the Service.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor provides a business management platform that processes Personal Data on behalf of the Controller for the purposes of invoicing, expense tracking, client management, human resources management, document storage, tax compliance, and related business operations.

3.2 Duration

Processing continues for the duration of the Controller's use of the Service and for such additional period as required for deletion of Personal Data in accordance with this DPA.

3.3 Nature and Purpose of Processing

The Processor processes Personal Data to:

  • Store and manage business records (invoices, expenses, documents)
  • Generate and deliver invoices to the Controller's clients
  • Extract and classify data from documents using AI services
  • Process email integrations to identify and extract business documents
  • Manage employee/HR records as directed by the Controller
  • Provide calendar, reminder, and notification features
  • Generate reports and analytics for the Controller

3.4 Categories of Data Subjects

  • The Controller's clients and customers
  • The Controller's employees and contractors
  • The Controller's business contacts and suppliers
  • Other individuals whose data the Controller uploads to the Service

3.5 Types of Personal Data

  • Names, email addresses, phone numbers, physical addresses
  • Business identifiers (VAT numbers, tax IDs, business registration numbers, national IDs)
  • Financial data (invoices, bank account details, salary information, payment records)
  • Employment data (job titles, contract terms, leave records, performance data)
  • Document content (uploaded files and extracted data)
  • Email metadata and attachment content (when email integration is enabled)

4. Obligations of the Processor

4.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EEA, unless required to do so by EU or Member State law. The instructions are documented in the Terms of Service and this DPA. If the Processor believes an instruction infringes GDPR, it shall immediately inform the Controller.

4.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS) and at rest (database-level encryption)
  • Row-Level Security (RLS) ensuring strict data isolation between Controller accounts
  • Multi-factor authentication support
  • Regular security testing and vulnerability assessment
  • Access controls limiting employee/contractor access to Personal Data on a need-to-know basis
  • Security headers on all HTTP responses (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
  • Secure credential storage (password hashing, encrypted OAuth tokens)

4.4 Sub-processors

The Processor currently uses the following sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | US/EU |
| Anthropic, PBC | AI document extraction and classification | US |
| Vercel, Inc. | Application hosting and edge compute | US/EU |
| Resend, Inc. | Transactional email delivery | US |
| Google LLC | Gmail API integration, Google OAuth | US |
| Microsoft Corporation | Outlook/Microsoft Graph API integration | US/EU |
| Zoho Corporation | Zoho Mail API integration | US/EU/IN |
| Translated srl (MyMemory) | Text translation | EU |
| VATStack | VAT rate lookup and validation | EU |

A complete, up-to-date list is maintained at joincove.io/legal/sub-processors.

The Controller hereby provides general written authorization for the Processor to engage sub-processors, subject to the following conditions:

  • The Processor shall inform the Controller of any intended changes to the list of sub-processors (additions or replacements) at least 30 days in advance, providing the Controller an opportunity to object
  • If the Controller objects to a new sub-processor on reasonable data protection grounds within 30 days of notification, the parties shall discuss the concerns in good faith. If the concerns cannot be resolved, the Controller may terminate the affected Service features or the entire Service agreement
  • The Processor shall impose data protection obligations on each sub-processor by way of a contract that provides at least the same level of protection as this DPA
  • The Processor remains fully liable for the acts and omissions of its sub-processors

4.5 Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection), taking into account the nature of the processing.

The Service provides the Controller with self-service tools to access, export, correct, and delete Personal Data. Where such tools are insufficient, the Processor shall provide reasonable additional assistance upon request.

4.6 Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.

The notification shall include:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the Processor's point of contact for further information
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach.

4.7 Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to the Processor.

4.8 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that minimizes disruption to the Processor's operations. The Controller shall bear the costs of any audit. The Processor may charge reasonable fees for time spent assisting with audits beyond those included in the Service fees.

The Processor may satisfy audit requests by providing relevant third-party audit reports, certifications, or compliance documentation where available.

5. International Data Transfers

Where Personal Data is transferred outside the EEA, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • Transfers to countries with an adequacy decision by the European Commission
  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • EU-US Data Privacy Framework certification of the recipient, where applicable

The Processor shall conduct and document Transfer Impact Assessments (TIAs) for transfers to jurisdictions without an adequacy decision and shall implement supplementary measures where necessary.

6. Return and Deletion of Data

Upon termination of the Service agreement, the Processor shall, at the choice of the Controller:

  • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format (via the export features in the Service)
  • Delete all Personal Data and existing copies, unless EU or Member State law requires further storage

The Processor shall complete the deletion within 30 days of termination.

The Controller acknowledges that it is solely responsible for exporting and independently retaining any records required by applicable law (such as tax records under Bulgarian or other national tax legislation) before terminating the Service. The Processor does not retain data on behalf of the Controller after account deletion.

The Processor shall certify the deletion of Personal Data upon the Controller's written request.

7. Controller Obligations

The Controller warrants that:

  • It has a lawful basis for processing all Personal Data submitted to the Service, including consent where required
  • It has provided appropriate privacy notices to Data Subjects whose data is processed through the Service
  • It has obtained necessary consents for the processing of employee data, including for transfers to sub-processors
  • Its instructions to the Processor comply with applicable data protection laws
  • It will not upload special category data (Article 9 GDPR) to the Service unless strictly necessary for HR functions and with appropriate legal basis and safeguards

8. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except that no limitation shall apply to either party's liability for breaches of its obligations relating to Data Breach notification or the security of Personal Data to the extent such limitation would be inconsistent with GDPR.

9. Term and Termination

This DPA takes effect when the Controller begins using the Service and remains in effect as long as the Processor processes Personal Data on behalf of the Controller. This DPA automatically terminates when all Personal Data has been returned or deleted in accordance with Section 6.

The obligations and rights under Sections 4.6 (Breach Notification), 4.8 (Audit Rights), 6 (Return and Deletion), and 8 (Liability) survive termination of this DPA.

10. Amendments

This DPA may be amended by the Processor to reflect changes in applicable data protection law or regulatory guidance. Material amendments will be communicated to the Controller at least 30 days in advance in accordance with the notice provisions in the Terms of Service.

11. Contact

For questions regarding this DPA or data processing activities:

  • Data Protection: filip@joincove.io
  • Legal: filip@joincove.io