Data Processing Agreement
Version 1.0 · Last updated: April 20, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Evelmo ("Processor") and the customer identified in the relevant order form or signed below ("Controller"). It governs the processing of Personal Data that Evelmo performs on the Controller's behalf.
This is the current standard DPA. You can review, print, or circulate this page internally. A signed PDF suitable for counter-execution is available on request — email privacy@evelmo.com. Changes to this template are governed by section 14 (Changes) below.
1. Definitions
Terms not defined here have the meanings given in the Terms of Service or, if not defined there, in the GDPR.
- GDPR — Regulation (EU) 2016/679, together with the UK GDPR and the UK Data Protection Act 2018 where applicable.
- Personal Data, Controller, Processor, Data Subject, Processing, Sub-processor — carry the meanings given in Article 4 of the GDPR.
- Services — the audit-logging service provided by Evelmo under the Terms of Service, including the API, SDK, dashboard, and supporting infrastructure.
- Customer Data — Personal Data that the Controller, or another party acting on its behalf, submits to the Services.
- SCCs — the Standard Contractual Clauses approved by the European Commission in Decision 2021/914, Module 2 (Controller to Processor), as amended or replaced.
2. Roles and scope
The Controller is the controller of the Customer Data. Evelmo acts as Processor on the Controller's behalf. This DPA applies exclusively to Evelmo's processing of Customer Data in connection with the Services. Processing details — purpose, nature, categories of Data Subjects, and categories of Personal Data — are set out in Annex A.
Evelmo is Controller of the limited account and billing data it collects about the Controller itself — name, email, organization name, API key hashes, billing details. That processing is governed by the Privacy Policy rather than this DPA.
3. Controller instructions
Evelmo will process Customer Data only on the documented instructions of the Controller, including with regard to transfers to third countries, unless required by EU or Member State law.
The following constitute the Controller's initial documented instructions:
- This DPA and the Terms of Service.
- The use of the Services by the Controller (or any party acting on its behalf) as configured through the dashboard and API — including event submissions, retention settings, subprocessor exposure, and integrations.
- Support, debugging, and incident-response activities carried out by Evelmo personnel strictly as necessary to provide, secure, or restore the Services.
Evelmo will promptly notify the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
4. Confidentiality
Evelmo will ensure that every person authorized to process Customer Data is bound by a written confidentiality obligation or a statutory duty of confidentiality of no lesser scope. Access to Customer Data is limited to personnel who need it to deliver the Services.
5. Security measures
Evelmo has implemented and will maintain the technical and organizational measures described in Annex B, designed to protect Customer Data from unauthorized or unlawful processing and from accidental loss, destruction, or damage. Taking into account the state of the art and the costs of implementation, these measures are appropriate to the risks presented by the processing.
6. Sub-processors
The Controller grants Evelmo a general authorization to engage Sub-processors to process Customer Data in connection with the Services, subject to the conditions in this section. The current list of Sub-processors is available at evelmo.com/subprocessors and summarized in Annex C.
Evelmo will impose, by written contract, data protection obligations on every Sub-processor that are materially equivalent to those in this DPA, and will remain liable for each Sub-processor's performance of those obligations.
Evelmo will notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors. The Controller may object in writing to the addition during that period. If Evelmo cannot reasonably accommodate the objection, the Controller may terminate the Services without penalty with respect to the Services that cannot be provided without the objected-to Sub-processor.
7. Assistance with Data Subject requests
Taking into account the nature of the processing, Evelmo will provide reasonable technical and organizational assistance, insofar as possible, to enable the Controller to fulfill its obligation to respond to requests for the exercise of Data Subject rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making).
Evelmo will promptly forward any Data Subject request it receives regarding the Controller's Customer Data to the Controller and will not respond directly unless required by law. Export endpoints are available in the Services; erasure requests are actioned by Evelmo on the Controller's written instruction within 30 days of receipt.
8. Assistance with Articles 32–36
Evelmo will provide reasonable assistance to the Controller in ensuring compliance with its obligations under GDPR Articles 32–36, taking into account the nature of processing and the information available to Evelmo. This includes:
- Providing the information described in this DPA, the Privacy Policy, and the Security page needed for the Controller's Records of Processing Activities (Article 30).
- Supporting the Controller's data protection impact assessments where reasonably required, to the extent the required information is in Evelmo's possession.
- Providing information about Personal Data breaches as set out in section 10.
9. International transfers
Customer Data is currently stored and processed in Google Cloud's us-central1 region (Iowa, USA). Transfers from the EEA, the UK, or Switzerland to Evelmo and its Sub-processors are carried out on the basis of the SCCs, which are deemed incorporated by reference into this DPA under the terms described in Annex D, unless an adequacy decision under Article 45 GDPR, or another valid transfer mechanism, applies.
EU data residency is available on request for Business-plan customers. Contact privacy@evelmo.com.
10. Personal Data breaches
Evelmo will notify the Controller without undue delay, and in any case within 72 hours, of becoming aware of a Personal Data breach affecting Customer Data. The notification will describe:
- The nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records concerned.
- The likely consequences of the breach and the measures taken or proposed to address it and mitigate possible adverse effects.
- A point of contact from whom further information can be obtained.
Evelmo's notification is not an acknowledgment of fault or liability. The Controller remains responsible for any notifications to supervisory authorities and Data Subjects required under Articles 33 and 34 GDPR.
11. Audit rights
Evelmo will make available to the Controller the information necessary to demonstrate compliance with this DPA, including the Security page, the Sub-processor list, the technical and organizational measures (TOMs) in Annex B, and, on reasonable request, completed security questionnaires and third-party audit reports once available.
The Controller may request an on-site audit (or mandate an independent third-party auditor, bound by confidentiality obligations no less protective than this DPA) once per calendar year, at the Controller's expense, on at least 30 days' prior written notice, subject to reasonable security and confidentiality requirements. Evelmo may satisfy any audit request by providing an up-to-date SOC 2 Type II or equivalent report once available.
12. Return and deletion
On termination or expiry of the Services, the Controller has 30 days to export all Customer Data through the Services. After that period, on written request, Evelmo will delete Customer Data from its production systems within 30 days, except where retention is required by applicable law. Backups will be purged in the ordinary backup-rotation cycle, up to 90 days after termination.
Evelmo will certify deletion in writing on request.
13. Liability
Each party's liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Claims brought under this DPA are subject to the overall limit of liability of the Terms of Service, and this DPA does not increase that limit.
14. Changes
Evelmo may update this DPA from time to time to reflect changes required by law, new Sub-processors, or improvements in the Services. Material changes will be announced by email to the admin contact on the Controller's account at least 30 days before they take effect. Continued use of the Services after the effective date constitutes acceptance. If the Controller does not agree, it may terminate the Services in accordance with the Terms of Service.
15. Governing law
This DPA is governed by the law that governs the Terms of Service, subject to the SCCs, which are governed by the law specified in clause 17 of Module 2 of the SCCs (Irish law unless otherwise agreed in writing).
16. Execution
This DPA takes effect when:
- The Controller countersigns a PDF copy of this DPA that Evelmo sends on request, or
- The Controller accepts it through the dashboard, where that option is provided, or
- Both parties sign a mutual order form that incorporates this DPA by reference.
To request a counter-signed copy, email privacy@evelmo.com with the legal entity name, registered address, and signatory contact details.
Annex A — Details of processing
Subject matter and nature
Storage, indexing, cryptographic hash-chaining, retrieval, export, and deletion of audit events submitted to the Services by the Controller or by parties acting on its behalf.
Purpose
Providing the Services — enabling the Controller to record, search, verify, and export an integrity-protected trail of its application events for compliance, security, and operational use.
Duration
For the term of the Services, and for the retention window defined by the Controller's plan or configured settings, after which events are pruned.
Categories of Data Subjects
Determined by the Controller. Typically: the Controller's end users, employees, contractors, and — in multi-tenant deployments — the Controller's own customers' end users.
Categories of Personal Data
- Identifiers — actor and target IDs (opaque strings chosen by the Controller), names, and email addresses when included.
- Technical context — IP address, user-agent, and coarse location, when submitted.
- Event descriptors — action, action type, event name, timestamps, and organization / tenant identifiers.
- Free-form metadata — arbitrary JSON the Controller attaches to an event. Content determined entirely by the Controller. Evelmo does not inspect or categorize it.
Special-category data under Article 9 GDPR should not be submitted unless the Controller has a lawful basis and has configured appropriate access controls. Evelmo does not knowingly process special-category data.
Annex B — Technical and organizational measures
Evelmo maintains the following measures, described in full on the Security page and summarized here:
- Encryption at rest — AES-256 on MongoDB Atlas-managed storage.
- Encryption in transit — TLS 1.2+ enforced on all public endpoints and internal subprocessor communication.
- Integrity — every audit event is SHA-256-hashed over its canonical representation and linked into a per-organization hash chain. Tampering with an event, deleting an event, or inserting an event retroactively breaks the chain and is detectable on verification.
- Access control — organizational scoping via Clerk; scoped API keys; production access limited and logged; MFA enforced on every underlying service.
- Secrets management — Google Secret Manager; no secrets in source or environment config.
- Logging and monitoring — structured request-level logging with unique request IDs; automated health probes.
- Network — managed edge and origin networking through Vercel and Google Cloud; no public database endpoints.
- Backup and recovery — continuous backups by MongoDB Atlas; recovery procedures documented and tested.
- Incident response — documented process; breach notification within 72 hours.
- Personnel — confidentiality obligations on everyone with production access; onboarding and offboarding revoke access promptly.
Annex C — Sub-processors
Current Sub-processors with processing purpose, region, and DPA links are published and maintained at evelmo.com/subprocessors. That list is incorporated into this DPA by reference. At the effective date of this DPA v1.0, the Sub-processors are Google Cloud, MongoDB Atlas, Vercel, and Clerk.
Annex D — Standard Contractual Clauses
Where Evelmo's processing involves a transfer of Customer Data from the EEA, the UK, or Switzerland to a country not subject to an adequacy decision, Module 2 (Controller to Processor) of the Standard Contractual Clauses approved by the European Commission in Decision 2021/914 is incorporated into this DPA by reference, with the following selections:
- Clause 7 (docking) — applicable.
- Clause 9(a) (sub-processors) — Option 2 (general written authorization), with 30 days' prior notice as described in section 6 of this DPA.
- Clause 11(a) (redress) — optional independent dispute-resolution body not selected.
- Clause 17 (governing law) — Irish law.
- Clause 18(b) (forum) — courts of Ireland.
- Annex I.A (parties) — the Controller and Evelmo, as identified in the Terms of Service or the mutual order form.
- Annex I.B (description of transfer) — as set out in Annex A of this DPA.
- Annex I.C (competent supervisory authority) — the Irish Data Protection Commission, unless the Controller is established in another EU Member State, in which case the supervisory authority of that Member State.
- Annex II (TOMs) — as set out in Annex B of this DPA.
- Annex III (sub-processors) — as set out in Annex C of this DPA.
For transfers of UK Personal Data, the parties also agree to be bound by the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018.
For transfers of Swiss Personal Data, references in the SCCs to "the GDPR" additionally refer to the Swiss Federal Act on Data Protection, and references to supervisory authorities additionally refer to the Swiss Federal Data Protection and Information Commissioner, as required for transfers governed by Swiss law.
The current text of the SCCs is available at eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
Questions about this DPA: privacy@evelmo.com. This template is provided in good faith; a qualified privacy practitioner should review before relying on it in a regulated context.