Data Processing Agreement
Version 1.0 · Effective March 2026 · Last reviewed March 2026
This Data Processing Agreement (“DPA”) forms part of the EVIDENCEE Terms of Service and governs the processing of personal data by EVIDENCEE DMCC Ltd (“Processor”) on behalf of the customer (“Controller”) in connection with the EVIDENCEE compliance platform. This DPA reflects the requirements of UK GDPR Article 28.
1. Definitions
- “Controller” means the customer organisation that determines the purposes and means of processing personal data via the EVIDENCEE platform.
- “Processor” means EVIDENCEE DMCC Ltd, which processes personal data on behalf of the Controller.
- “Personal Data” has the meaning given in UK GDPR Article 4.
- “Processing” has the meaning given in UK GDPR Article 4.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on the Controller's behalf.
2. Subject Matter and Nature of Processing
The Processor provides a compliance management platform. In connection with this, the Processor processes personal data to:
- Manage user accounts and workspace access
- Record and store compliance evidence events ingested from integrated platforms (Shopify, Stripe, GoCardless)
- Operate notice automation, cancellation management, and cooling-off case workflows
- Generate audit bundle exports
- Provide platform analytics and reporting to the Controller
3. Categories of Data Subjects and Personal Data
Data subjects:
- The Controller's team members and users of the EVIDENCEE platform
- The Controller's end-user subscribers (whose hashed identifiers may be ingested via webhooks)
Categories of personal data:
- Identity data: name, email address
- Authentication data: hashed passwords, session tokens
- Subscriber event data: SHA-256 hashed subscriber identifiers, subscription IDs, event timestamps, and event types
- Communication data: notice delivery logs
Note: EVIDENCEE stores subscriber identifiers as SHA-256 hashes only. Plain-text subscriber PII (names, email addresses) from the Controller's end-users is not stored in the EVIDENCEE Evidence Vault.
4. Controller's Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including those set out in this DPA and the Terms of Service. If the Processor is required by applicable law to process Personal Data beyond those instructions, it shall inform the Controller unless prohibited by law.
5. Processor Obligations
The Processor shall:
- Process Personal Data only for the purposes described in this DPA
- Ensure persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (Article 32 UK GDPR)
- Assist the Controller in responding to data subject rights requests
- Assist with security obligations, breach notifications, DPIAs, and prior consultations
- Delete or return Personal Data upon termination per Section 9
- Make available all information necessary to demonstrate compliance
6. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- SHA-256 payload hashing for evidence integrity
- Role-based access control within workspaces
- Multi-factor authentication support
- Regular backups with point-in-time recovery
- Vulnerability scanning and penetration testing
- Incident response and breach notification procedures
- Employee security training and background checks
7. Sub-processors
The Controller authorises the Processor to engage the following named sub-processors. Each sub-processor is bound by a written data-processing agreement that imposes obligations no less protective than those in this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting and edge delivery | UK / EU regions |
| Supabase | Managed Postgres database and object storage | UK / EU regions |
| Stripe Payments UK, Ltd. | Subscription billing and payment processing | UK / EU |
| Resend | Transactional and platform notification email delivery | EU |
The Processor will give the Controller at least 30 days' notice of any addition, removal, or replacement of a sub-processor. Controllers may subscribe to notifications by emailing privacy@evidencee.io. The Controller may object in writing within the notice period; if the objection cannot be resolved, either party may terminate the affected service.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any case within 72 hours of becoming aware) of a Personal Data breach affecting the Controller's data. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
9. Data Return and Deletion
Upon termination of the Terms of Service, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless applicable law requires storage of the Personal Data. The Controller may request a data export for 90 days following termination.
10. Audits
The Processor shall provide all information necessary to demonstrate compliance with this DPA and permit audits, including inspections, conducted by the Controller or its mandated auditors, subject to reasonable notice (minimum 30 days) and confidentiality obligations.
11. Contact
For data processing queries: privacy@evidencee.io