Last updated: 26 March 2026, 00:00 UTC
This Data Processing Agreement ("DPA") forms part of the agreement between Corvox Limited and its customers. It governs the processing of personal data by Corvox Limited on behalf of customers in connection with the Corvai platform and related services. This DPA is incorporated into and subject to the Corvox Terms and Conditions. By using our Services, you agree to the terms of this DPA.
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in our Terms and Conditions or in applicable data protection law.
"Corvox", "we", "us" and "our" refer to Corvox Limited, a company registered in England and Wales (company number 15101843), with its registered office at Suite 303, Quantrill House, 2 Dunstable Road, Luton, England, LU1 1DX.
"Customer", "you" and "your" refer to the business subscribing to our Services.
"Services" refers to the Corvai platform and any related services provided by Corvox Limited.
"Controller" means the entity that determines the purposes and means of processing personal data. In this DPA, the Customer is the Controller.
"Processor" means the entity that processes personal data on behalf of the Controller. In this DPA, Corvox Limited is the Processor.
"Sub-processor" means any third party engaged by Corvox Limited to process personal data on behalf of the Customer.
"Personal data", "processing", "data subject" and "personal data breach" have the meanings given in the UK GDPR.
"UK GDPR" means the UK General Data Protection Regulation as defined in the Data Protection Act 2018.
The Customer acts as the data Controller with respect to personal data belonging to its customers and end users that is processed through the Corvai platform. Corvox Limited acts as the data Processor, processing that personal data solely on the Customer's behalf and in accordance with the Customer's instructions as set out in these terms. Each party is independently responsible for complying with the obligations applicable to it under UK GDPR and all other applicable data protection laws.
Subject matter: The processing of personal data in connection with the Customer's use of the Corvai platform.
Duration: For the term of the Customer's subscription and for such period thereafter as may be required to fulfil any legal obligations, as set out in our Privacy Policy.
Nature and purpose: Operating the Corvai AI assistant on the Customer's website, storing and processing conversation data, and providing the platform features described in our Terms and Conditions.
Types of personal data: Names, email addresses, phone numbers and any other information voluntarily provided by end users during conversations with the Corvai assistant, as well as any personal data contained in content uploaded by the Customer to the knowledge base.
Categories of data subjects: The Customer's website visitors, customers and end users who interact with the Corvai assistant.
In accordance with Article 28 of the UK GDPR, Corvox Limited as Processor shall:
By agreeing to these terms, the Customer provides general written authorisation for Corvox Limited to engage the following sub-processors to deliver the Services. We have ensured that each sub-processor is bound by data processing obligations that offer an equivalent level of protection to those set out in this DPA.
Amazon Web Services (AWS) — Cloud infrastructure and data storage, operating in the United States and other regions. AWS is certified under multiple international security and compliance frameworks.
OpenAI — AI processing for the generation of responses within the Corvai platform, operating in the United States.
Stripe — Payment processing. Stripe processes billing data but does not process end user conversation data.
We will notify the Customer by email at least 14 days before adding or replacing any sub-processor. If the Customer reasonably objects to a new sub-processor on data protection grounds, the Customer must notify us at hi@corvox.co.uk within 14 days of receiving our notice. If we are unable to accommodate the objection, the Customer may terminate their subscription in accordance with our Terms and Conditions. Continued use of the Services after the 14-day notice period constitutes acceptance of the new sub-processor.
Some of our sub-processors, including AWS and OpenAI, process personal data outside the United Kingdom and the European Economic Area. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with UK GDPR. These safeguards include standard contractual clauses approved by the UK Information Commissioner's Office, or other recognised transfer mechanisms. We will provide the Customer with further information about the specific transfer mechanisms in place upon request.
The Customer, as Controller, is responsible for ensuring that there is a lawful basis for processing the personal data of its end users through the Corvai platform, that appropriate privacy notices and consents are in place with those end users, that any instructions given to Corvox Limited as Processor comply with applicable data protection law, and that the Customer complies with all applicable obligations under UK GDPR and any other data protection laws applicable in the Customer's jurisdiction. Corvox Limited is not responsible for the Customer's compliance with its obligations as Controller.
We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, destruction or disclosure. These measures include encryption of data in transit using TLS and at rest using AES-256, strict access controls and authentication requirements for platform access, regular security reviews, and incident response procedures. We conduct ongoing assessments of our security measures to ensure they remain appropriate to the risks involved in the processing we carry out.
If we become aware of a personal data breach affecting the Customer's data, we will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach, to the extent reasonably practicable. Our notification will include the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of personal data records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach. We will cooperate with the Customer to assist in meeting any notification obligations the Customer has to the ICO or affected data subjects.
Where we receive a request directly from a data subject exercising their rights under UK GDPR in relation to data processed on behalf of a Customer, we will promptly forward that request to the relevant Customer. We will assist the Customer in responding to data subject requests by providing appropriate technical capabilities and information within our control, taking into account the nature of the processing.
This DPA remains in force for the duration of the Customer's subscription to our Services. Upon termination of the Services for any reason, Corvox Limited will, at the Customer's written request, delete or return all personal data processed on the Customer's behalf, within 30 days of the termination date, and will certify in writing that deletion has been completed unless applicable law requires retention of the data.
This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales. Where the Customer is based in the European Union, the EU GDPR also applies and the relevant provisions of this DPA shall be interpreted accordingly.
For any questions about this DPA or to make a request under it, please contact us at hi@corvox.co.uk. Corvox Limited, Suite 303, Quantrill House, 2 Dunstable Road, Luton, England, LU1 1DX.