Data Processing

In many business use cases, the customer decides what workflows to record, what target application is used, who receives the installer, and what data is processed during execution. For that customer-controlled workflow data, the customer is typically the primary decision-maker.

CONXA makes independent decisions for account administration, billing records, fraud prevention, service security, product analytics, support operations, and legal compliance. For those areas, CONXA may act as an independent controller or equivalent role depending on applicable law.

CONXA may use subprocessors or service providers for hosting, identity, payments, email, support, logging, security, and LLM infrastructure. Examples in the current product include Clerk-style identity services and Razorpay-style checkout services.

Enterprise customers that require a named subprocessor list, notice period, audit terms, cross-border transfer terms, or region-specific controls should capture those requirements in a signed data processing addendum.

Target-application browser sessions are not normal cloud processing inputs. They are local Build Studio or runtime state. Published package output should exclude auth files and browser storage state.

If a customer voluntarily sends logs, screenshots, or files to support, those materials become support data and may be processed for troubleshooting.

Customers can request access, export, correction, deletion, or return of customer-controlled data through support or through product controls where available. CONXA may retain data where needed for billing, security, legal obligations, backups, dispute resolution, or abuse prevention.

End users whose data belongs to a customer workspace may need to contact that customer first. CONXA may route requests to the workspace owner when the customer controls the relevant data.

This page is a public explanation, not a full enterprise data processing addendum. Enterprise customers should use a signed DPA to define controller/processor roles, subprocessors, breach notice, audit rights, retention, cross-border transfers, security exhibits, and deletion assistance.