Data Processing Addendum

ABN: 64 108 741 214
Effective date: 4 June 2026
Contact: admin@getkova.co

1. About this Data Processing Addendum

This Data Processing Addendum applies where Kova processes personal information or personal data on behalf of a customer as part of providing the Service.

Kova operates under ABN 64 108 741 214.

This document supplements the Terms of Service and Privacy Policy.

2. Roles of the parties

Unless otherwise agreed in writing:

  • the customer is responsible for determining what data is submitted to Kova and why
  • Kova processes that data to provide the Service
  • where applicable, the customer may act as controller or equivalent
  • where applicable, Kova may act as processor or service provider

3. Processing activities

Kova may process customer data to:

  • provide the Service
  • authenticate users
  • operate workspaces
  • analyse authorised inputs
  • generate delivery outputs
  • operate integrations
  • store project and ticket data
  • provide support
  • maintain security
  • troubleshoot errors
  • comply with legal obligations

4. Categories of data

Processed data may include:

  • user account information
  • business contact details
  • project information
  • Figma files, frames, screenshots, thumbnails, comments, and metadata
  • Jira, Linear, Asana, or other project management data
  • generated tickets and workflow outputs
  • usage logs
  • audit logs
  • support communications
  • billing identifiers

5. Customer instructions

Kova will process customer data in accordance with:

  • the Terms of Service
  • the Privacy Policy
  • this Data Processing Addendum
  • the customer's product configuration
  • written instructions agreed by Kova

Kova may refuse instructions that are unlawful, technically unreasonable, or outside the scope of the Service.

6. Security measures

Kova maintains reasonable technical and organisational measures designed to protect customer data.

These include:

  • access controls
  • encryption of sensitive credentials at rest
  • workspace isolation
  • role-based permissions
  • audit logs
  • secure OAuth flows
  • input validation
  • rate limiting
  • monitoring
  • restricted administrative access

7. Subprocessors

Kova uses subprocessors to provide the Service. A current Subprocessor List is available at www.getkova.co/subprocessors.

Kova will provide at least 30 days written notice to customers before adding a new subprocessor that will process customer personal data, where reasonably practicable. Notice will be provided by updating the Subprocessor List and notifying account owners by email.

If a customer reasonably objects to a new subprocessor, the customer may contact admin@getkova.co to discuss the concern. If the parties cannot agree, the customer may terminate their subscription in accordance with the Terms of Service.

Kova remains responsible for selecting subprocessors appropriate to the Service and requiring them to handle data in accordance with applicable obligations.

8. Data deletion and return

On request, and where technically and legally possible, Kova will delete or return customer data.

Following termination or expiry of a customer's subscription, Kova will delete or render inaccessible customer personal data within 90 days, except where retention is required for legal, billing, audit, security, backup, dispute resolution, or legitimate operational reasons.

Customers may request deletion prior to that period by contacting admin@getkova.co. Kova will use reasonable endeavours to action deletion requests within 30 days.

9. Assistance

Where reasonable and technically possible, Kova will assist customers with:

  • access requests
  • deletion requests
  • security information requests
  • data export requests
  • incident investigations

Additional fees may apply where requests are complex, repetitive, or outside normal support.

10. Incidents and breach notification

If Kova becomes aware of a security incident affecting customer data, Kova will:

  • investigate the incident promptly
  • take reasonable steps to contain and remediate the incident
  • notify affected customers without undue delay, and where required under the Australian Privacy Act 1988 (Cth) Notifiable Data Breaches scheme, within 72 hours of becoming aware that a breach is likely to have occurred
  • provide customers with sufficient information about the incident to allow them to meet their own notification obligations where applicable

Notification will be provided by email to the account owner or by notice within the application.

11. Sub-processor change notice

Kova will provide at least 30 days written notice to customers before adding a new sub-processor that will process customer personal data, where such notice is reasonably practicable.

If a customer reasonably objects to a new sub-processor, the customer may contact admin@getkova.co to discuss the concern. If the parties cannot agree, the customer may terminate their subscription in accordance with the Terms of Service.

12. International processing

Customer data may be processed outside Australia by Kova or its subprocessors where reasonably necessary to provide the Service.

13. Contact

Kova
ABN 64 108 741 214
Email: admin@getkova.co
Website: www.getkova.co

Also available: Privacy Policy · Subprocessors