Data Processing Addendum

This DPA describes how Cogliva processes personal data and customer content submitted into Cogliva workspaces. It applies where Cogliva processes personal data on behalf of a customer (a “customer controller”) in the course of providing the service. In this DPA, “Cogliva”, “we”, “us”, and “our” refer to the operator of the Cogliva service, and “you”, “customer”, and “user” refer to the organization or individual using Cogliva.

Where this DPA and our Terms of Service or Privacy Policy address the same topic, this DPA governs in relation to the processing of customer personal data, unless otherwise agreed in writing.

Cogliva may act in two roles depending on the type of data involved:

• As controller for account data, billing data, product usage, security, support, communications, and website analytics. For this data, Cogliva determines the purposes and means of processing, as described in our Privacy Policy.
• As processor for customer content submitted into Cogliva workspaces, including diagnostics, strategy content, uploaded strategy documents, organization and project records, strategic signal profiles, workbench content, systems-related content, and AI-generated outputs created for the customer. For this content, the customer acts as controller and Cogliva processes it on the customer’s instructions through normal use of the service.

When acting as a processor, Cogliva may process the business and personal data that customers and their users choose to submit, such as business challenges and context, diagnostics, strategies and tactical plans, organization and project records, strategic signal profiles and their settings, workbench topics and notes, systems-related content, uploaded documents, and the AI-generated outputs produced from this content. This may include personal data relating to the customer’s own staff, clients, suppliers, or other individuals where the customer chooses to include it.

Cogliva processes customer content to provide and improve the requested service, generate outputs, maintain security, and operate the platform. Processing is carried out to deliver the features the customer uses and to support the customer’s own work and judgment, subject to applicable law and technical limitations.

Customers and users are responsible for ensuring they have the necessary rights, permissions, authority, and lawful basis to upload, submit, or process any customer, client, employee, supplier, third-party, or confidential business information in Cogliva.

Customers are also responsible for configuring access appropriately, managing who they invite to shared organizations and projects, and ensuring their use of the service complies with applicable law.

Cogliva will process customer content to provide the service, apply reasonable technical and organizational safeguards, and make reasonable efforts to assist the customer with the matters described in this DPA where technically and commercially feasible. Cogliva does not sell customer content.

Cogliva uses AI to help generate diagnostics, strategies, tactical plans, signal profiles, management recommendations, summaries, and other outputs. Customer content may be processed by AI service providers or infrastructure providers where needed to deliver the service. Outputs should be reviewed by users before being relied upon for business decisions.

Cogliva uses customer content to provide and improve the requested service, generate outputs, maintain security, and operate the platform. Cogliva does not sell customer content. AI processing is carried out through trusted infrastructure and service providers, subject to applicable law and technical limitations.

When users upload strategy documents or other business materials, Cogliva may process those documents to extract context, generate suggestions, pre-fill fields, create strategies, create tactical plans, support diagnostics, or generate related outputs. Users are responsible for ensuring they are authorized to upload and process those documents.

Cogliva treats customer content as confidential and uses it only to provide and operate the service as described in this DPA, unless otherwise agreed in writing. Customers remain responsible for their own confidentiality obligations and for deciding what business information is appropriate to submit.

Cogliva is not designed for processing special-category personal data, protected health information, government identifiers, payment card data, highly sensitive financial account data, or other regulated sensitive information. Users should not submit such information unless Cogliva has expressly agreed appropriate terms in writing.

Cogliva uses trusted third-party service providers to deliver the service, including for hosting and database, authentication, storage, email, payments, analytics and security, web context extraction, and AI processing. These providers process customer content only as needed to support the relevant feature.

The current list of named subprocessors, including provider names and locations where available, is maintained by Cogliva and available on request at privacy@cogliva.com.

Cogliva applies reasonable technical and organizational safeguards to help protect customer content. These may include access controls, authentication, two-factor authentication where enabled or required, automatic session timeout after inactivity, leaked-password protection where enabled, encrypted transport where available, role-based permissions, database and storage access controls, and the security measures of our infrastructure providers.

No method of transmission or storage is completely secure, and these safeguards are provided on a reasonable-efforts basis subject to applicable law and technical limitations.

Cogliva retains customer content for as long as needed to provide the service and for legitimate legal, security, and operational purposes. Customers may request deletion or export of customer content by contacting us at privacy@cogliva.com, and Cogliva will provide reasonable assistance where technically and commercially feasible, subject to any legal retention obligations.

Cogliva will provide reasonable assistance with data subject requests where technically and commercially feasible. Where Cogliva acts as a processor, requests from individuals are generally handled by the customer as controller, and Cogliva will support the customer in responding. Complex, bespoke, or enterprise-specific compliance requests may require a separate written agreement.

Cogliva will notify affected customers without undue delay after confirming a personal data breach involving customer personal data, subject to investigation, legal requirements, and the availability of reliable contact information. Customers are responsible for keeping their contact details current so we can reach them.

Cogliva is operated from outside the European Union and uses service providers that may process data in different regions. Where customer content is transferred internationally, Cogliva aims to apply reasonable, good-practice safeguards, subject to applicable law and technical limitations.

Cogliva may update its subprocessors and the terms of this DPA from time to time, for example as providers or features change. When we make material changes, we will update the effective date above and communicate changes where appropriate. Continued use of the service after changes means you accept the updated terms, unless otherwise agreed in writing.

For questions about this DPA or to make a request, contact us at privacy@cogliva.com. You can also review our Terms of Service, Privacy Policy, and Trust & Responsible AI page, or update your Cookie settings.