Legal
Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between coThink and the customer entity that accepts coThink's Terms of Service or a separate order form ("Customer"). This DPA applies when coThink processes Personal Data on behalf of Customer in connection with the Services.
1. Definitions
Personal Data means information relating to an identified or identifiable natural person processed by coThink on behalf of Customer through the Services.
Customer Content has the meaning set forth in the Terms of Service.
Services means coThink websites, applications, APIs, collaboration workspaces, guided sessions, personal advisor features, and related services provided to Customer.
Subprocessor means a third party engaged by coThink to process Personal Data on behalf of Customer.
2. Roles of the Parties
Customer is the controller (or equivalent) of Personal Data it submits to the Services. coThink acts as a processor (or equivalent) with respect to Personal Data processed solely to provide, secure, maintain, and support the Services on Customer's documented instructions.
3. Processing Instructions
coThink will process Personal Data only:
- To provide the Services in accordance with the Terms and Customer configurations;
- As documented in the Privacy Policy and this DPA;
- As required by applicable law, informing Customer where legally permitted.
Customer is responsible for the lawfulness of Personal Data submitted to the Services and for providing any required notices and obtaining any required consents.
4. Confidentiality
coThink ensures that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
5. Security Measures
coThink implements commercially reasonable administrative, technical, and organizational measures designed to protect Personal Data, including measures described in the Trust Center Security Overview, such as:
- Encryption in transit and at rest
- Access controls and role-based permissions
- Authentication controls including MFA and passkeys where enabled
- Audit logging and monitoring
- Secure secret management
6. Subprocessors
Customer authorizes coThink to engage Subprocessors listed in the Subprocessor page. coThink will maintain a current list and provide reasonable notice of material changes where required by applicable law or contract.
Customer optional integrations (such as AI providers or calendar systems) are enabled at Customer's direction. When enabled, data may be transmitted to those providers under their terms and privacy policies.
7. Customer Rights and Assistance
coThink will provide reasonable assistance to Customer in responding to data subject requests, security incidents affecting Personal Data, and data protection impact assessments where required by applicable law, taking into account the nature of processing and information available to coThink.
8. Deletion and Return
Upon termination or expiration of the Services, coThink will delete or return Personal Data according to Customer configuration, applicable law, and the Terms, subject to backup retention for a limited period.
9. International Transfers
Personal Data may be processed in jurisdictions where coThink or its infrastructure providers operate. Where required, coThink will implement appropriate safeguards for cross-border transfers consistent with applicable law.
10. Platform Improvement
coThink may process deidentified or aggregated information to improve its own platform capabilities as described in the Privacy Policy and Terms of Service. coThink does not use Customer Content through this program to train third-party foundation models.
11. Audits
Upon reasonable written request and subject to confidentiality and security constraints, coThink will provide information reasonably necessary to demonstrate compliance with this DPA. Formal audit rights may be addressed in an enterprise order form.
12. Contact
Questions regarding this DPA may be submitted through privacy, legal, or support channels listed on wecothink.com.