Version 1.0 · Effective 15 July 2026 · CodeRock Ltd, St Helier, Jersey

Plain-English summary
  • Read-only by default. In Shadow Mode, Cove cannot write to your Zendesk and never sends a reply. It reads, drafts, and shows you the draft.
  • Your AI keys, your provider. Drafting runs on your own Anthropic or OpenAI account. We add no AI markup and never train models on your data.
  • Encrypted and isolated. Credentials are encrypted at rest (AES-based), everything moves over TLS, and each company's data is kept separate in the app.
  • Walk away and we purge. If an evaluation pilot never converts, we delete the data we imported within 30 days.
  • Delete on request, any time. Ask us to delete your data and we will. It is a contractual commitment, not a favour.
  • We tell you fast if something goes wrong. We notify you of a personal-data breach without undue delay, and within 72 hours of becoming aware.

This box is a non-binding summary for convenience. The numbered clauses below are the agreement.

This Data Processing Agreement (the "DPA") forms part of the agreement between you (the "Customer") and CodeRock Ltd, a company registered in St Helier, Jersey, which operates the Cove helpdesk product at covesupport.io ("CodeRock", "we", "us"). It governs our processing of personal data on your behalf when you use Cove.

Where this DPA and our Terms of Service conflict on the subject of data protection, this DPA prevails. Terms used here that are defined in the UK GDPR or EU GDPR (such as "controller", "processor", "personal data", "processing", "data subject", and "personal data breach") carry those meanings.

1. Parties and roles

For the personal data contained in the support tickets, messages, knowledge-base documents, and account records you bring into Cove, you are the controller and CodeRock is the processor. You determine the purposes and means of the processing; we act on your behalf.

You confirm that you have a lawful basis for the personal data you place into Cove and for instructing us to process it, and that your own privacy notices to your end-users cover this processing. We are responsible for processing that data in line with this DPA.

2. Subject matter, duration, nature and purpose

Subject matter
Our provision of the Cove helpdesk service to you, including its evaluation "Shadow Mode".
Duration
For the term of your Cove account or evaluation, and for the short retention windows described in clause 10 after it ends.
Nature of the processing
Importing, storing, indexing, and displaying your support data; computing local text embeddings on our own infrastructure to enable retrieval; assembling context and passing it to the AI provider you designate under your keys so that draft replies can be generated; and, in live mode only, sending replies your team approves.
Purpose
To let your support team triage, research, draft, and answer customer messages with AI assistance and cited sources.

3. Personal data and data subjects

Categories of data subjects

  • Your end-users and customers who contact your support team.
  • Your own agents and staff who use Cove.

Types of personal data

  • Contact details in support correspondence: names and email addresses of your end-users.
  • The content of support tickets, emails, and their attachments, which may contain whatever personal data your end-users choose to include.
  • Knowledge-base documents you upload, to the extent they contain personal data.
  • Agent account data: names, email addresses, and role.

Cove is a general-purpose support tool and is not designed for special-category data. You should not route special categories of personal data (Article 9) or children's data through Cove unless you have first agreed the necessary safeguards with us in writing.

4. Processing on documented instructions

We process personal data only on your documented instructions, including on transfers, unless we are required to do otherwise by law that applies to us. Your instructions are made up of this DPA, our Terms of Service, your configuration of the product (for example, whether an account runs in read-only Shadow Mode or in live mode, and which AI provider you designate), and any further written instructions you give us.

If a law requires us to process beyond your instructions, we will tell you before doing so unless that law prohibits it. If we believe an instruction infringes data-protection law, we will tell you.

5. Confidentiality

We keep your personal data confidential. Access is limited to the people who need it to operate and support the service, each of whom is bound by a duty of confidentiality (by employment or contract) and is instructed to process the data only as this DPA allows.

6. Security of processing

Taking account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, we implement appropriate technical and organisational measures under Article 32. Cove is built to be secure by architecture rather than by after-the-fact controls. Our current measures include:

  • Read-only evaluation by construction. Shadow Mode connects to your existing helpdesk with a read-only Zendesk API token. Cove cannot write back to your helpdesk and does not send replies in Shadow Mode.
  • Encryption of credentials at rest. The credentials we hold on your behalf (read-only Zendesk API token in Shadow Mode; IMAP/SMTP or Gmail OAuth credentials in live mode) are encrypted at rest using Fernet, an AES-based symmetric-encryption scheme.
  • Encryption in transit. Data moves over TLS.
  • Per-company isolation. Each customer's data is segregated at the application layer so one company's data is not exposed to another.
  • Local embeddings. The text embeddings that power retrieval are computed on our own infrastructure with an open-source model (MiniLM). No third-party embeddings API receives your customer data.
  • Bring-your-own AI keys. Drafting calls run against your own AI provider account under your keys and your agreement with that provider. We do not use your data to train models, and we add no AI markup.

We are a small vendor and we describe our posture honestly. We do not hold, and do not claim, SOC 2, ISO 27001, or any other certification. We may change specific measures over time provided the overall level of security is not reduced.

7. Sub-processors

You give us general authorisation to engage sub-processors to help deliver the service. Where we do, we impose data-protection obligations on them that are no less protective than those in this DPA, and we remain responsible to you for their performance. Our current sub-processors are:

Sub-processorPurposeData involved
Our infrastructure provider (dedicated servers operated by CodeRock) Hosting the Cove application and stored data on dedicated servers we manage All customer data at rest
Your designated AI model provider (e.g. Anthropic, OpenAI) Generating draft replies. Customer-directed: this runs under your own account, keys, and agreement with that provider Ticket context you send for drafting

The AI model provider is designated by you and processes under your own keys and terms, so this is strictly customer-directed processing; we list it here for transparency. We do not engage analytics, advertising, or CRM sub-processors on your customer ticket data.

We will give you reasonable prior notice of any intended addition or replacement of a sub-processor so that you have an opportunity to object on reasonable data-protection grounds. If you object and we cannot offer a reasonable alternative, you may terminate the affected service.

8. Assistance with data-subject rights

Taking into account the nature of the processing, we assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). Because your data in Cove is per-company and searchable, in most cases you can locate and act on a record directly. Where you need our help, contact hello@covesupport.io and we will assist without undue delay.

We also assist you, taking into account the information available to us, with your obligations on security, breach notification, data-protection impact assessments, and prior consultation under Articles 32 to 36.

9. Personal-data breach notification

If we become aware of a personal-data breach affecting your data, we will notify you without undue delay and — as a contractual commitment that goes beyond what Article 33 requires of processors — in any event within 72 hours of becoming aware. Our notice will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. We will provide further information as it becomes available and cooperate reasonably with your own notification obligations to regulators and data subjects.

10. Return and deletion of data

At the end of the provision of services, and at your choice, we will delete or return your personal data and delete existing copies, unless a law that applies to us requires storage.

Evaluation pilots that never convert
If an evaluation or Shadow Mode pilot expires or is declined without becoming a paid account, we purge the data we imported for it within 30 days.
On termination of a paid account
Consistent with our Terms of Service, your data is exported and then deleted within 60 days of termination, unless a legal hold applies.
Deletion on request
You can ask us to delete your data at any time, and we will. This is a contractual commitment.

11. Audit and information rights

We make available to you the information reasonably necessary to demonstrate compliance with Article 28, and we allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. As a small vendor, audits are handled remote-first: we will respond to a reasonable security questionnaire or written information request, and hold a review call where helpful, at reasonable frequency (ordinarily no more than once a year, absent a specific incident or regulator requirement) and on reasonable notice. On-site inspection is available where genuinely required by you or a regulator, arranged so as not to disrupt our operations, and subject to confidentiality.

12. International transfers

CodeRock Ltd is established in Jersey, Channel Islands. Jersey benefits from an EU adequacy decision and, as part of the UK's arrangements, is treated as an adequate destination for transfers from the UK. Transfers of personal data from the UK or EEA to us in Jersey therefore rely on that adequacy. If we transfer personal data to a country without an adequacy decision, we will put an appropriate transfer mechanism in place (such as the relevant Standard Contractual Clauses or the UK Addendum) before doing so. Where you designate an AI provider under your own keys, any transfer to that provider is governed by your agreement with them.

13. General

This DPA takes effect on the date the Customer accepts it and remains in force for as long as we process personal data on your behalf. If any clause is held invalid, the rest stays in effect. This DPA is governed by the law of Jersey, and the courts of Jersey have exclusive jurisdiction over any dispute arising from it. We may update this DPA to reflect changes in the service or in law; material changes will be notified, and continued use of Cove after an update constitutes acceptance of the updated version.

14. Acceptance and signatures

This DPA is accepted either by countersignature of the block below or by in-product click-through when you activate or continue your Cove account. Either method makes it binding; you do not need to do both. If you need a countersigned copy for your records, print this page (it is formatted for print), complete the block, and email a scan to hello@covesupport.io. We will return a signed copy.

Cove DPA v1.0 · Effective 15 July 2026

For the Customer (Controller)

Signature
Name and title
Company · Date

For CodeRock Ltd (Processor)

Signature
Name and title
CodeRock Ltd · Date

CodeRock Ltd · St Helier, Jersey · hello@covesupport.io

/ Talk to us

Questions about the DPA?

Four fields. We reply within a working day, usually faster. We will not put you in a sales sequence; we will read what you wrote and write back.

Run by founders. Read by founders. Replied to by founders.

or email hello@covesupport.io
Asking about:
Please enter your name (2-80 characters).
Please enter a valid email address.
Please pick a team size.
Please write a short message (5-4000 characters).
Thanks. We've got your message and will reply within a working day.

Or email hello@covesupport.io directly. Same inbox, same humans.