Legal
Data Processing Agreement
Effective: upon acceptance of the Prova Terms of Service
1. Parties
This Data Processing Agreement ("DPA") is entered into between Cobound Ltd ("Processor", "we", "us") and the customer entity that has agreed to the Prova Terms of Service ("Controller", "you"). This DPA supplements the Prova Terms of Service.
2. Scope and Purpose
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Prova AI control plane (the Audit Vault, Policy Engine, detectors, and risk scoring) as described in the Terms of Service. The categories of data subjects are: end users whose AI interactions are recorded as receipts. The categories of personal data are: the receipt payload (the content of each AI decision, which may contain personal data), receipt metadata, and usage records.
3. Processor Obligations
The Processor shall:
- ·Process personal data only on documented instructions from the Controller.
- ·Ensure that persons authorised to process the personal data have committed to confidentiality.
- ·Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
- ·Assist the Controller in ensuring compliance with data subject rights obligations.
- ·Delete or return all personal data to the Controller at the end of the service provision.
- ·Make available all information necessary to demonstrate compliance with this DPA.
4. Subprocessors
The Controller authorises the Processor to engage the subprocessors listed at prova.cobound.dev/trust/subprocessors. The Processor will notify the Controller of any intended changes to subprocessors with reasonable notice.
5. International Transfers
By default, data is processed in infrastructure located in the United States (Supabase, Render, Vercel) and may be sent to Anthropic (US) for LLM inference used by the groundedness detector. Enterprise customers may request EU data residency to restrict processing to EEA infrastructure.
6. Data minimisation and retention
The signed receipt is the audit trail, so the payload the Controller sends is stored. The Controller decides what to include in each payload and can request deletion of receipts at any time; self-hosted deployments keep all receipts inside the Controller's own perimeter. The legacy reasoning verifier additionally accepts a retain flag so that reasoning-chain text is processed in memory and not persisted.
7. Contact
For DPA-related queries, contact privacy@cobound.dev. For a signed DPA, contact kian@cobound.dev.