Legal

Data Processing Agreement

Effective: 1 May 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between Cobound Ltd ("Processor", "we", "us") and the customer entity that has agreed to the Prova Terms of Service ("Controller", "you"). This DPA supplements the Prova Terms of Service.

2. Scope and Purpose

The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Prova reasoning certificate service as described in the Terms of Service. The categories of data subjects are: end users whose AI reasoning chains are submitted for verification. The categories of personal data are: reasoning chain text (which may contain personal data), certificate metadata, and usage records.

3. Processor Obligations

The Processor shall:

  • --Process personal data only on documented instructions from the Controller.
  • --Ensure that persons authorised to process the personal data have committed to confidentiality.
  • --Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  • --Assist the Controller in ensuring compliance with data subject rights obligations.
  • --Delete or return all personal data to the Controller at the end of the service provision.
  • --Make available all information necessary to demonstrate compliance with this DPA.

4. Subprocessors

The Controller authorises the Processor to engage the subprocessors listed at prova.cobound.dev/trust/subprocessors. The Processor will notify the Controller of any intended changes to subprocessors with reasonable notice.

5. International Transfers

By default, data is processed in infrastructure located in the United States (Supabase, Render) and may be sent to Anthropic (US) for reasoning extraction. Enterprise customers may request EU data residency to restrict processing to EEA infrastructure.

6. retain=false

When the Controller sets retain=false on an API request, the reasoning chain text is processed in memory and never written to persistent storage. Only certificate metadata (verdict, confidence score, argument graph structure) is stored. This mode is available on Team and Enterprise plans.

7. Contact

For DPA-related queries, contact privacy@cobound.dev. For a signed DPA, contact kian@cobound.dev.