01Purpose and roles of the parties
This Data Processing Addendum (“DPA”) forms part of the agreement between you (the “Customer”) and EvlarSoft LLC (“EvlarSoft”) for the provision of the Products (the “Agreement”) and applies to the extent EvlarSoft processes Personal Data on the Customer's behalf in the course of providing the Products. In the event of a conflict between this DPA and the Agreement regarding data protection, this DPA controls.
With respect to Personal Data that the Customer submits to the Products, the Customer is the controller (or “business”) and EvlarSoft is the processor(or “service provider”). EvlarSoft processes such Personal Data only on the Customer's documented instructions, including as set out in the Agreement, this DPA, and the Customer's configuration and use of the Products, unless required to do otherwise by applicable law (in which case EvlarSoft will inform the Customer, unless legally prohibited).
02Definitions
“Personal Data,” “processing,” “controller,” “processor,” “data subject,” and “personal data breach” have the meanings given in applicable data-protection law, including the EU and UK General Data Protection Regulation (“GDPR”) and, where relevant, U.S. state privacy laws such as the CCPA/CPRA. “Applicable Data Protection Law” means all privacy and data-protection laws that apply to a party's processing of Personal Data under the Agreement. “Subprocessor” means any third party engaged by EvlarSoft to process Personal Data on the Customer's behalf.
03Scope and details of processing
The details of the processing are as follows: the subject matter is the provision of the Products; the nature and purpose is to host, store, transmit, process, and return the data the Customer submits so the Products function as intended; the duration is the term of the Agreement plus any retention period described in our Privacy Policy; the types of Personal Data and categories of data subjectsare those the Customer chooses to submit — typically the Customer's own end users and the content of the Customer's requests.
The Customer is responsible for ensuring it has a lawful basis to submit Personal Data to the Products and to instruct EvlarSoft to process it, and for the accuracy, quality, and legality of that Personal Data and the means by which it was obtained.
04EvlarSoft's obligations
EvlarSoft will:
- process Personal Data only on the Customer's documented instructions;
- ensure that persons authorized to process Personal Data are bound by an appropriate duty of confidentiality;
- implement and maintain appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing;
- taking into account the nature of the processing, assist the Customer by appropriate measures, insofar as possible, to respond to requests from data subjects exercising their rights;
- assist the Customer in ensuring compliance with its security, breach-notification, and data-protection-impact-assessment obligations, taking into account the information available to EvlarSoft;
- at the Customer's choice, delete or return all Personal Data at the end of the provision of the Products, and delete existing copies unless retention is required by law;
- not sell or share Personal Data, and not retain, use, or disclose it for any purpose other than providing the Products or as permitted by Applicable Data Protection Law.
05Security measures
EvlarSoft maintains a security program with administrative, technical, and organizational measures appropriate to the risk, which may include encryption of data in transit, access controls and authentication, network protection, logging and monitoring, and regular review of its practices. The Customer is responsible for its own security within its use of the Products, including safeguarding credentials and configuring the Products appropriately.
06Subprocessors
The Customer provides general authorization for EvlarSoft to engage the Subprocessors listed on our Subprocessorspage to process Personal Data in connection with the Products. EvlarSoft will impose on each Subprocessor, by written contract, data-protection obligations no less protective than those in this DPA, and will remain responsible for each Subprocessor's performance. EvlarSoft will provide a mechanism to notify the Customer of intended additions or replacements of Subprocessors so the Customer may object on reasonable, data-protection-related grounds; if the parties cannot resolve a reasonable objection, the Customer may, as its sole remedy, terminate the affected Product.
07International transfers
Where processing of Personal Data under this DPA involves a transfer to a country that does not provide an adequate level of protection under Applicable Data Protection Law, the parties will rely on a valid transfer mechanism — such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful mechanism — which is incorporated into this DPA by reference to the extent required, and completed by reference to the details of processing set out above.
08Personal data breach notification
EvlarSoft will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's Personal Data, and will provide the Customer with the information reasonably available to enable the Customer to meet its own obligations to notify supervisory authorities and affected data subjects. Such notification is not an acknowledgment by EvlarSoft of any fault or liability.
09Audits and demonstration of compliance
EvlarSoft will make available to the Customer, on reasonable written request and subject to confidentiality obligations, the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to reasonable audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Where available, EvlarSoft may satisfy this obligation by providing third-party certifications or audit reports. Audits will be limited in scope and frequency to what is required by Applicable Data Protection Law and conducted so as to minimize disruption.
10Liability and general
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Except as amended by this DPA, the Agreement remains in full force. If any provision of this DPA is invalid or unenforceable, the remainder is unaffected. This DPA is governed by the law specified in the Agreement, except where Applicable Data Protection Law requires otherwise.
11Requesting a signed DPA
If your organization requires a countersigned copy of this DPA, the Standard Contractual Clauses, or a version tailored to your regulatory requirements, please contact EvlarSoft and we will arrange it.
Questions about this document, or about which EvlarSoft entity you're dealing with?
Contact EvlarSoft →