Cocopipe Data Processing Addendum (DPA)
Last Updated: 10/11/2025
This Data Processing Addendum (“Addendum” or “DPA”) is incorporated into and forms part of the Cocopipe Terms of Service (“Agreement”) between Cocopipe OÜ (“Cocopipe”, “Processor”, “we”, “our”) and the customer (“Customer”, “Controller”, “you”, or “your”) that uses the Cocopipe App or related services (“Services”).
This DPA governs Cocopipe’s processing of personal data on behalf of the Customer in accordance with Article 28 of the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Definitions
For the purposes of this Addendum:
- “Data Protection Laws” means all applicable privacy and data protection laws, including the GDPR (EU Regulation 2016/679).
- “Customer Data” means any personal data processed by Cocopipe on behalf of the Customer under the Agreement.
- “Controller” means the Customer who determines the purposes and means of processing.
- “Processor” means Cocopipe, which processes personal data on behalf of the Customer.
- “Subprocessor” means any third party engaged by Cocopipe to process personal data.
- “Data Subject” means an identified or identifiable natural person.
- “Personal Data Breach” means any security incident leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data.
2. Roles of the Parties
For the avoidance of doubt:
- The Customer acts as the Data Controller, and
- Cocopipe acts as the Data Processor in relation to all Customer Data processed through the Services.
Cocopipe shall process Customer Data only on documented instructions from the Customer, unless required to do so by law.
3. Nature and Purpose of Processing
Cocopipe processes Customer Data for the duration of the Customer’s subscription. Upon account deletion, Cocopipe will:
- Retain Customer Data for 30 days to allow export,
- Permanently delete all Customer Data from production systems thereafter, and
- Maintain anonymized backups for up to 90 days for disaster recovery and audit purposes.
See also the Data Retention Policy.
4. Duration of Processing
Cocopipe processes Customer Data solely for:
- Providing, maintaining, and supporting the Services,
- Performing analytics, diagnostics, and service improvements,
- Preventing, detecting, and investigating security incidents or misuse,
- Fulfilling contractual and legal obligations,
- Training and optimizing AI models in aggregated, anonymized, and non-identifiable form.
No other processing will occur unless expressly authorized by the Customer.
5. Subprocessing
Cocopipe may engage Subprocessors to perform limited data processing activities on its behalf.
- A current list of authorized Subprocessors is available upon request from [email protected].
- Cocopipe ensures that Subprocessors are bound by data protection obligations no less protective than those set out in this DPA.
- Cocopipe remains fully liable for the actions or omissions of its Subprocessors.
Customers will be notified of material Subprocessor changes in advance via email or in-app notification.
6. International Data Transfers
Customer Data is stored and processed within the European Union (EU). Where transfers outside the EU/EEA occur, Cocopipe shall:
- Use the European Commission’s Standard Contractual Clauses (SCCs), or
- Ensure that the destination country has an adequacy decision under GDPR Article 45.
Cocopipe will not transfer personal data internationally without appropriate safeguards.
7. Security Measures
Cocopipe implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and at rest,
- Network and system access controls,
- Multi-factor authentication and intrusion detection,
- Regular vulnerability testing and patch management,
- Staff confidentiality agreements and training.
Cocopipe reviews these measures periodically and updates them as necessary.
8. Data Subject Rights
Cocopipe will assist the Customer in fulfilling data subject rights requests under GDPR (Articles 12–23), including:
- Access, rectification, erasure, restriction, data portability, and objection.
Requests received directly by Cocopipe will be forwarded promptly to the Customer unless prohibited by law.
9. Data Breach Notification
In the event of a Personal Data Breach, Cocopipe shall:
- Notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach,
- Provide information about the nature of the breach, affected data, likely consequences, and remedial actions taken,
- Cooperate with the Customer and supervisory authorities as required by law.
10. Confidentiality
All Customer Data processed by Cocopipe is treated as confidential. Cocopipe ensures that only authorized personnel with a need-to-know basis have access to such data and are bound by confidentiality obligations.
11. Audits and Compliance
Upon reasonable written request, the Customer may obtain information to demonstrate compliance with this DPA, including:
- Relevant documentation, certifications (ISO 27001 / SOC 2 or equivalent), or audit summaries.
Cocopipe may also allow third-party audits where required by law, subject to reasonable notice, scope, and confidentiality conditions.
12. Return or Deletion of Data
Upon termination or expiration of the Agreement:
- Cocopipe will delete or return all Customer Data upon request,
- Except where retention is required by law or legitimate business necessity (e.g., tax records, security logs).
Deletion confirmations can be provided upon written request.
13. Liability and Indemnity
The liability of each party under this DPA shall be subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits a party’s liability for willful misconduct, gross negligence, or breach of data protection obligations.
14. Governing Law and Jurisdiction
This DPA is governed by the laws of Estonia. Any disputes arising from or relating to this Addendum shall be resolved in accordance with Section 12 (“Dispute Resolution”) of the Cocopipe Terms of Service.
15. Contact
For data protection or DPA-related inquiries, please contact:
📧 [email protected]
📍 Registered address: [To be added – Tallinn, Estonia]