At Convo, we take data protection and privacy seriously. Accordingly, Convo’s Legal and IT departments have worked diligently to ensure compliance with General Data Protection Regulation (“GDPR”) that requires businesses to protect the personal data and privacy of EU citizens.

Convo, as a processor of information, offers a secure and private communication platform for our customers, who are Controller of the underlying information on Convo platform. Pursuant to GDPR, Convo has ensured that several data protection procedures and measures exist, including procedures to:

• Ensure that Convo processes personal data only on the Controller’s instructions;
• Ensure that all Convo personnel who process personal data have committed themselves to confidentiality;
• Assist the Controller in responding to data subject requests;
• Assist the Controller with security breach reporting;
• Notify the Controller without undue delay when Convo becomes aware of a breach;
• Assist the Controller with data protection impact assessments;
• Respond to the Controller’s request related to the destruction or return of all personal data at the end of the contract;
• Demonstrate contractual compliance upon request of the Controller; and
• Notify a Controller if the Controller’s instructions are not compliant with the GDPR.

Pursuant to GDPR requirements, Convo has implemented appropriate technical and organizational measures to ensure level of security appropriate to the risk, including:

• Encryption of personal data;
• Ensuring ongoing confidentiality, integrity, availability and resilience of processing system and services;
• Availability and access to personal data in a timely manner in the event of physical and technical incident; and
• A process of regulating testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring security of the processing.

Pursuant to GDPR, Convo also maintains a record of all categories of personal data processing activities carried out on behalf of a Controller, including:

• The name and contact details of the Controller and any joint Controller, the representative, and the Data Processing Officer;
• The categories of data processing carried out on behalf of each Controller; and
• The details of transfers of data to third countries (for Convo, all user data is maintained on AWS servers in the U.S.).

To ensure compliance with the GDPR, we have updated our contractual terms with our customers, via the following Data Processing Agreement Addendum.

We diligently continue to monitor the guidance around GDPR and continue to make changes to remain in compliance with the GDPR requirements. We will provide our customers with regular updates as needed.

For any legal inquiries, please feel free to reach out to support@convo.com.