Data Processing Agreement
Last updated: 20 April 2026
This Data Processing Agreement (“DPA”) is incorporated into and forms an integral part of the agreement (the “Agreement”) between Coachnova Limited, a company incorporated in the Republic of Ireland with the incorporation No 802869 and registered address at 71 Lower Baggot Street, Dublin 2, D02P593, Republic of Ireland (“Coachnova”, “We”, “Us”, or “Our”), and a coaching professional acting within their trade, business, craft or profession in accessing or using our AI-powered coaching platform and using our Services (“Coach”, “You”, or “Your”). Coachnova and You are hereinafter jointly referred to as the “Parties” and individually as a “Party”.
This DPA applies to our processing of Personal Data on your behalf in order to provide services to you pursuant to the Agreement. Where this DPA conflicts with the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
The following shall form part of the DPA:
- Schedule 1: Specification of Data Processing
- Schedule 2: List of Sub-processors
- Schedule 3: Technical and Organisational Measures
Capitalised terms that are used but not defined in this DPA shall have the meaning set out in the Coachnova Terms of Service for the Coaches.
1. Definitions and Interpretation
In this DPA, the following terms shall have the meanings set out below:
- 1.1 “Applicable Data Protection Laws” means any nationally or internationally binding data protection laws, case law, and regulations, including those (i) applicable within the European Union (the “EU”), including the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the United Kingdom General Data Protection Regulation, which is the GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), and all other privacy and data protection laws of the European Economic Area (“EEA”) and the United Kingdom and (ii) the Swiss Federal Act on Data Protection of 19 June 1992; as of September 1, 2023, its totally revised version of 25 September 2020 (“Swiss FADP”), as amended, superseded or replaced.
- 1.2 “Coach Content” means: (a) Coach's Input (as defined below); (b) Coachee's Input (as defined below); and (c) all Output generated through the Services.
- 1.3 “Coach's Input” means all data, materials, recordings and information that You upload, submit, or input to the Platform.
- 1.4 “Coachee's Input” means responses provided by the Coachee through the Platform, including: (a) responses to session notes and summaries shared by their Coach; (b) responses to session preparation materials; and (c) responses to nudges that have been approved by their Coach.
- 1.5 “Non-Adequate Country” means a country not providing an adequate level of protection pursuant to the Data Protection Laws.
- 1.6 “Output” means the output generated via the Platform's AI based functionality by using the Coach's Input, including, but not limited to, summaries, insights, transcripts, suggestions, nudges.
- 1.7 “Personal Data” means Coach Content that (i) relates to an identified or identifiable natural person, or (ii) constitutes “personal data”, “personal information” or any similar term within the meaning of Applicable Data Protection Laws.
- 1.8 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
- 1.9 “Platform” means Coachnova's AI-powered coaching platform, including the web application, and any related tools and features.
- 1.10 “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses for the transfer of personal data to Non-Adequate Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- 1.11 “Sub-processor” means any Processor engaged by us to process your Personal Data in connection with the Services.
- 1.12 “Services” means the Platform, support services, training, documentation, and all related services provided by Coachnova under the Agreement.
The terms “Data Subject”, “Processing”, “Controller”, and “Processor” as used in this DPA have the meanings given by Applicable Data Protection Laws.
2. Processing of the Personal Data
2.1 Roles and Responsibilities
The parties acknowledge and agree that with regard to the processing of Personal Data under the DPA, you are the Controller and Coachnova is the Processor. Each party shall comply with its respective obligations under Applicable Data Protection Laws.
2.2 Details of Processing
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects in respect of the processing of Personal Data are set out in Schedule 1.
2.3 Your Instructions
We shall process Personal Data only in accordance with your documented instructions and in compliance with the Applicable Data Protection Laws. If we reasonably believe that any instruction from you violates Applicable Data Protection Laws, we shall promptly inform you. We may suspend the performance of the relevant instruction until you confirm its lawfulness or modify such instruction.
2.4 Confidentiality
We shall ensure that all personnel authorised to Process Personal Data are subject to appropriate confidentiality obligations (whether by contract or statutory duty) and receive adequate training on data protection compliance. Coachnova shall ensure that Coachnova's access to Personal Data is limited to those employees and other persons performing Services in accordance with the Agreement.
3. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The technical and organisational measures implemented by us are described in Schedule 3. We may update these measures from time to time, provided that such updates do not result in the degradation of the overall security of the Services.
4. Sub-processors
4.1 General Authorisation
You grant us general written authorisation to engage Sub-processors for the processing of Personal Data, subject to the conditions set out in this Section 4. The current list of Sub-processors is set out in Schedule 2 of this DPA, which is the single source of truth for the Sub-processors engaged by Coachnova and may be updated from time to time.
4.2 Notification of New Sub-processors
You may subscribe to receive notifications by email if We make changes to the Sub-processors listed in Schedule 2 of this DPA by following the subscription instructions provided in that Schedule. If you opt in to receive such email, We will notify you at least 30 (thirty) days prior to any such change. You acknowledge that accessing Schedule 2 or subscribing to updates constitutes receipt of notice. You may object to Coachnova's appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Coachnova in writing within fifteen (15) days of receiving notice of the intended appointment. Such objections must be based on legitimate concerns regarding the Sub-processor's ability to comply with Applicable Data Protection Laws and include sufficient detail to enable Coachnova to assess the validity of the objection. If you object to a new Sub-processor, we shall work together in good faith to find a commercially reasonable alternative solution. If no such solution can be found within thirty (30) days of Coachnova receiving your objection, either party may terminate the affected Services by providing written notice. This termination right is Your sole and exclusive remedy if You object to any new Sub-processor.
4.3 Sub-processor Requirements
We shall: (a) enter into a written agreement with each Sub-processor imposing data protection obligations that are substantially equivalent to those imposed on Coachnova under this DPA, to the extent applicable to the nature of the services provided by such Sub-processor; (b) ensure that each Sub-processor complies with the obligations to which We are subject pursuant to this DPA and Applicable Data Protection Laws; (c) remain fully liable to you for the performance of the Sub-processor's obligations.
5. Data Subject Rights
5.1 Assistance with Data Subject Requests
Taking into account the nature of the Processing, We shall provide reasonable assistance to You, including through appropriate technical and organisational measures, to enable You to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.
5.2 Forwarding Requests
If We receive a Data Subject request directly, We shall promptly forward such request to You and shall not respond to such request except on Your documented instructions or as required by Applicable Data Protection Laws. You shall be solely responsible for responding to Data Subject requests.
6. Personal Data Breaches
6.1 Notification
We shall notify You without undue delay after becoming aware of a Personal Data Breach. Such notification shall include, to the extent available: (a) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; and (c) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects. Coachnova's notification of, or response to, a Personal Data Breach will not be construed as an acknowledgement by Coachnova of any fault or liability with respect to the Personal Data Breach.
6.2 Reporting the Breach
You are responsible for informing the competent governmental authority and/or affected Data Subjects of the Personal Data Breach, insofar as this is required under the Applicable Data Protection Laws.
6.3 Cooperation
We shall cooperate with you and take reasonable steps to remediate or mitigate the effects of the Personal Data Breach and shall provide You with timely information and cooperation as You may reasonably require to fulfil Your obligations under Applicable Data Protection Laws regarding Personal Data Breaches.
7. International Data Transfers
7.1 Data Transfers
We may transfer Personal Data to Sub-processors located in a Non-Adequate Country. We will ensure that the transfer is subject to adequate safeguards as required by Chapter V of the GDPR and may for this purpose rely on the Standard Contractual Clauses, provided that the clauses, including any supplementary security measures, ensure an essentially equivalent level of protection.
7.2 Standard Contractual Clauses
The parties acknowledge and agree that Coachnova will enter into SCCs Module Three (processor to sub-processor) with each Sub-processor located in a Non-Adequate Country together with jurisdiction-specific addenda to the SCCs (such as UK and Switzerland) as required by Applicable Data Protection Laws.
7.3 Precedence
To the extent that there is any conflict between the terms of this DPA, the Agreement, and the terms of the SCCs, the terms of the following documents will prevail (in order of precedence): (i) the SCCs; (ii) this DPA; and (iii) the Agreement.
8. Assistance and Cooperation
Taking into account the nature of the data processing and the information available to the parties, the parties shall provide each other with all necessary assistance in complying with the obligations that rest upon them under the Applicable Data Protection Laws, in particular the obligations in relation to the security of Personal Data, Personal Data Breach notification duties, information duty and the execution of data protection impact assessments, including prior consultation of the relevant governmental authority.
9. Audits
You may at your own expense and upon prior consultation with Coachnova perform an audit on the data processing system used by Coachnova to process Personal Data to examine whether the reasonable technical and organisational security measures that have been taken in relation to the Personal Data processed in the context of this DPA are in line with the measures described in Section 3 of this DPA. You may use the results of an audit only for the purposes of meeting your regulatory audit requirements and/or confirming compliance with the requirements of the DPA.
10. Deletion and Return of Coach Personal Data
Upon termination or expiration of the Agreement, or upon Your written request, We shall, at Your choice, delete or return all Personal Data to you, and delete existing copies, unless applicable law requires Coachnova to retain certain Personal Data.
11. Limitation of Liability
The liability provisions and limitations thereof set out in the Agreement shall apply to this DPA. Nothing in this DPA shall limit or exclude either party's liability to the extent such limitation or exclusion is prohibited by applicable law.
12. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the Agreement. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Agreement.
Schedule 1: Details of Processing
Categories of Data Subjects
- Coaches registered on the Platform;
- Coachees (individuals receiving coaching services from the Coaches and accessing designated Platform features);
- Other individuals whose Personal Data is mentioned or otherwise included in the Coach Content and/or Coachee's Input submitted through the Platform.
Categories of Personal Data
- Data of the Coachees and Coaches: first and last name, email address, telephone number, professional data;
- Personal Data contained within the Coach Content, including Coachee's Input. Examples include name, demographic information, employment information, professional data;
- Document embeddings (vector representations generated from Coach Content and Coachee Input, including identifying metadata such as Coachee name and session references). Embeddings are used for retrieval only, not for model training or fine-tuning.
Note: The Services are not intended for processing Special Categories of Personal Data (as defined in Article 9 GDPR), unless Coach has obtained explicit consent or has another valid legal basis for such processing. Coach remains responsible for ensuring compliance with applicable laws when using the Services to process any Special Categories of Personal Data.
Nature and Purpose of Processing
Nature of Processing: The processing operations include:
- Receiving and storing session recordings uploaded by the Coach;
- Transcribing audio recordings using automated speech-to-text services;
- Analysing transcripts using AI features to generate summaries, insights, and suggested nudges for the Coach's review and approval;
- Storing and organising Coach Content in Coach's private knowledge repository;
- Semantic search via AI-generated document embeddings;
- Calendar synchronisation and availability management;
- Product analytics and usage tracking;
- Payment processing and subscription management;
- In-app feedback collection;
- Processing Coachee's Input;
- Verifying and maintaining the quality, security, and integrity of the Services;
- Debugging to identify and repair errors.
Purpose of Processing: To provide Services.
Duration and Frequency
The term of the Agreement, including any renewal periods, plus the period required for deletion or return of Personal Data upon termination/expiration.
For Transfers to Sub-processors
The subject matter, nature and duration of the processing as described above.
Schedule 2: List of Sub-processors
Last updated: 20 April 2026
Coachnova engages the following Sub-processors to assist in providing the Services. This Schedule is the single source of truth for the Sub-processors engaged by Coachnova. The /legal/subprocessors page renders the same list from the same source.
| Service | Legal Entity | Entity Country | Data Processing Region | Transfer Mechanism | Purpose |
|---|---|---|---|---|---|
| Amazon Web Services | Amazon Web Services EMEA SARL | Luxembourg | eu-west-1 (Ireland), eu-central-1 (Frankfurt) | N/A (EU processing) | Object storage for session recordings, transcripts, generated PDFs, and GDPR data exports. Supports Schedule 1 activities (a) and (d). |
| Vercel | Vercel, Inc. | US (Delaware) | US and EU edge | EU-US Data Privacy Framework + SCCs | Application hosting, serverless compute, and scheduled jobs. Supports Schedule 1 activities (f) and (g). |
| Neon | Neon, Inc. | US (Delaware) | EU | N/A (EU processing) | Primary PostgreSQL database and pgvector store for Coach Content metadata, messages, notes, and embeddings. Supports Schedule 1 activities (a) through (e). |
| Clerk | Clerk, Inc. | US (Delaware) | US | Standard Contractual Clauses | User authentication, session management, and OAuth for Coach and Coachee accounts. Supports Schedule 1 activity (f). |
| Recall.ai | Hyperdoc, Inc. (d/b/a Recall.ai) | US (Delaware) | EU | N/A (EU processing) | Meeting bot API for session recordings, transcripts, and metadata from video conferencing platforms. Supports Schedule 1 activities (a) and (b). |
| Anthropic | Anthropic, PBC | US (Delaware) | US | Standard Contractual Clauses + EU-US Data Privacy Framework | AI model services (Claude Sonnet and Haiku) for transcript analysis, notes generation, summaries, and suggested nudges for Coach review and approval. Supports Schedule 1 activities (c) and (e). |
| Voyage AI | Voyage AI Innovations, Inc. | US (Delaware) | US | EU-US Data Privacy Framework + SCCs | Embedding model (voyage-3-lite) for semantic retrieval over Coach Content and Coachee Input. Supports Schedule 1 activities (c) and (d). |
| Twilio SendGrid | Twilio Inc. (US parent); Twilio Ireland Limited (EU counterparty) | US (Delaware) / Ireland | US (primary SendGrid infrastructure) | EU-US Data Privacy Framework + SCCs via Twilio Ireland Limited | Transactional email delivery, including AI-generated session notes, Coachee messages containing personal data, and platform notifications. Supports Schedule 1 activities (c) and (e). |
Subscribe to Sub-processor Updates
We will notify subscribers at least 30 days before adding or replacing a sub-processor. To subscribe to updates of this list, email privacy@coachnova.ai with the subject line “Subscribe to sub-processor updates”.
Schedule 3: Technical and Organisational Measures
Last updated: 20 April 2026
Coachnova implements and maintains the following technical and organisational measures to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are designed to provide a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature of the Personal Data to be protected.
1. Access Control
Physical Access Control:
- Data centers operated by certified third-party providers with 24/7 physical security;
- Multi-factor authentication and access logging for physical access to facilities;
- Surveillance and monitoring systems in data center facilities.
Logical Access Control:
- Role-based access control (RBAC) limiting access to your Personal Data based on job function and need-to-know;
- Multi-factor authentication (MFA) for access to production systems and your Personal Data;
- Regular review and audit of user access rights and privileges;
- Automated deprovisioning of access rights upon termination of employment or change of role;
- Logging and monitoring of all access to your Personal Data.
2. Data Encryption
Encryption in Transit:
- Transport Layer Security (TLS) 1.2 or higher for all data transmitted over public networks;
- Encrypted connections between all system components and Sub-processors.
Encryption at Rest:
- AES-256 encryption for your Personal Data stored in databases and file systems;
- Encrypted backups with secure key management;
- Encryption key management using industry-standard practices and hardware security modules (HSMs) where appropriate.
3. Network Security
- Firewalls and intrusion detection/prevention systems (IDS/IPS) to protect network perimeters;
- Network segmentation to isolate production environments from development and testing;
- Regular vulnerability scanning and penetration testing by qualified third parties;
- DDoS protection and mitigation services;
- Security Information and Event Management (SIEM) system for real-time threat detection.
4. Application Security
- Secure software development lifecycle (SDLC) incorporating security best practices;
- Regular code reviews and static/dynamic application security testing;
- Input validation and output encoding to prevent common vulnerabilities (SQL injection, XSS, etc.);
- Regular security patching and updates of systems and dependencies;
- Web application firewall (WAF) to protect against web-based attacks.
5. Data Backup and Recovery
- Regular automated backups of your Personal Data with encryption;
- Geographically distributed backup storage to ensure availability;
- Regular testing of backup restoration procedures;
- Business continuity and disaster recovery plans with defined recovery time objectives (RTO) and recovery point objectives (RPO).
6. Organisational Measures
Personnel Security:
- Background checks for employees with access to Personal Data, where permitted by law;
- Confidentiality agreements and data protection obligations in employment contracts;
- Regular mandatory security awareness and data protection training for all personnel;
- Disciplinary procedures for security policy violations.
Vendor Management:
- Due diligence assessments of Sub-processors before engagement;
- Written agreements with Sub-processors including data protection and security obligations;
- Regular audits and reviews of Sub-processor security practices.
Incident Response:
- Documented incident response plan and procedures;
- 24/7 security monitoring and incident detection capabilities;
- Designated incident response team with defined roles and responsibilities;
- Regular testing and updating of incident response procedures.
Data Minimisation and Retention:
- Processing limited to Personal Data necessary for the purposes of providing the Services;
- Data retention policies aligned with your instructions and legal requirements;
- Secure deletion procedures for Personal Data that are no longer required.
7. Compliance and Certification
- Regular internal security audits and assessments;
- Documentation of security policies and procedures, reviewed and updated annually.
8. Updates and Improvements
Coachnova continuously reviews and updates these technical and organisational measures to ensure they remain appropriate and effective in light of evolving threats, technological developments, and regulatory requirements. We may modify these measures from time to time, provided that such modifications do not result in a material degradation of the overall security of the Services.