Legal

Data Processing Agreement

Last updated: 18 June, 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service ("Terms") between Kaizen Ventures, operator of Converc ("Converc", "we", "us"), and the customer that agrees to the Terms ("Customer", "you"). It applies where Converc processes Personal Data on the Customer's behalf in connection with the Service.

By accepting the Terms or using the Service, the Customer agrees to this DPA. A countersigned copy is available on request at mehul@converc.com for customers that require one.

1. Definitions

  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and India's Digital Personal Data Protection Act, as applicable.
  • "Personal Data", "Controller", "Processor", "Data Subject", and "Processing" have the meanings given in the applicable Data Protection Laws.
  • "Customer Personal Data" means Personal Data that Converc processes on the Customer's behalf under the Terms — principally information about the Customer's website visitors collected through the widget.
  • "Sub-processor" means any third party engaged by Converc to process Customer Personal Data.

2. Roles and Scope

For Customer Personal Data, the Customer is the Controller and Converc is the Processor. Where the Customer is itself acting as a processor for a third-party controller, Converc acts as a sub-processor. Converc processes Customer Personal Data only to provide and support the Service and as described in Annex I.

3. Processing Instructions

Converc will process Customer Personal Data only on the Customer's documented instructions, including as set out in the Terms and this DPA, unless required to do otherwise by applicable law (in which case Converc will inform the Customer unless legally prohibited). The Customer is responsible for the accuracy and legality of its instructions and for having a lawful basis to collect and process the data, including obtaining any required consents and notices from its visitors.

4. Confidentiality

Converc ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as necessary to provide the Service.

5. Security

Converc implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex II.

6. Sub-processing

The Customer provides general authorization for Converc to engage Sub-processors to process Customer Personal Data. A current list of Sub-processors is set out in Annex III. Converc imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for each Sub-processor's performance. Converc will give the Customer reasonable notice of any intended addition or replacement of a Sub-processor, and the Customer may object on reasonable data-protection grounds.

7. Assistance with Data Subject Rights

Taking into account the nature of the processing, Converc will provide reasonable assistance, through appropriate technical and organizational measures, to help the Customer respond to requests from Data Subjects to exercise their rights under Data Protection Laws. If Converc receives such a request directly, it will, where permitted, direct the Data Subject to the Customer.

8. Personal Data Breach

Converc will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help the Customer meet its breach notification obligations.

9. Impact Assessments and Consultation

Taking into account the nature of processing and information available to Converc, Converc will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, where required by Data Protection Laws.

10. International Transfers

Converc may transfer and process Customer Personal Data in countries other than the Customer's own, including India and the United States. Where such transfers are subject to Data Protection Laws, Converc relies on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated into this DPA by reference where they apply.

11. Audits

Converc will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits, and conducted so as not to disrupt Converc's operations.

12. Return and Deletion

On termination of the Service, Converc will, at the Customer's choice, delete or return Customer Personal Data and delete existing copies, unless applicable law requires continued storage. Converc's standard deletion timelines are described in the Privacy Policy.

13. Liability and Governing Law

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms. This DPA is governed by the same law and subject to the same jurisdiction and dispute-resolution provisions as the Terms. In the event of a conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA prevails.

Annex I — Details of Processing

  • Subject matter: Provision of the Converc website-embedded calling widget and rep workspace.
  • Duration: For the term of the Terms, plus any retention period described in the Privacy Policy.
  • Nature and purpose: Connecting website visitors with the Customer's representatives via real-time audio/video calls, and related routing, notification, analytics, and support.
  • Categories of Data Subjects: The Customer's website visitors and the Customer's authorized users (representatives/agents).
  • Types of Personal Data: Identifiers (e.g. name, email, phone if provided), IP address and device/browser information, page and referrer data, visitor-submitted answers to qualification questions, call metadata, and call recordings where enabled by the Customer.
  • Special categories: Not intended to be processed; the Customer must not configure the Service to collect special-category data.

Annex II — Technical and Organizational Measures

  • Encryption of data in transit (TLS) and at rest where supported by our infrastructure.
  • Role-based access controls and least-privilege access to production systems.
  • Authentication controls for administrative access.
  • Use of reputable cloud infrastructure and managed database providers.
  • Logical separation of customer data and tenant-scoped access controls.
  • Logging and monitoring of access to production environments.
  • Regular application updates and dependency maintenance.
  • Internal confidentiality obligations for personnel.

Annex III — Sub-processors

Converc engages the following categories of Sub-processors to provide the Service. A current, itemized list with provider names is available on request at mehul@converc.com.

  • Cloud hosting and application infrastructure
  • Managed database and storage
  • Real-time audio/video (WebRTC) infrastructure
  • Payment processing
  • Transactional email delivery
  • Notification integrations (e.g. Slack, Discord) where enabled by the Customer

Contact

The Service is operated by Kaizen Ventures, located at 771/A, Sethia Niwas, 4 Pandit Tarapada Chakravarty Sarani, New Alipore, Kolkata, West Bengal, India - 700053.

For questions about this DPA, contact us at:

mehul@converc.com