Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Terms of Service between eVamb Technologies Inc. ("Processor") and the customer ("Controller") and applies when the Processor processes Personal Data on behalf of the Controller within the meaning of GDPR Art. 28, UK GDPR Art. 28, Quebec Law 25, and PIPEDA.
1 · Definitions
"Personal Data," "Processing," "Controller," "Processor," "Sub-processor," and "Data Subject" carry the meanings given in GDPR Art. 4. "Applicable Data Protection Law" means any law applicable to the Processing — including GDPR, UK GDPR, CCPA/CPRA, PIPEDA, Quebec Law 25, LGPD, DPDP, PIPL, POPIA, and successor legislation.
2 · Subject matter, duration, nature, purpose
The Processor processes Personal Data on the Controller's behalf for the duration of the Terms of Service, for the sole purpose of providing the agreed Service. Categories of Personal Data and Data Subjects are described in the relevant product privacy documentation.
3 · Controller obligations
The Controller warrants it has a lawful basis to process the Personal Data and that its instructions to the Processor comply with Applicable Data Protection Law.
4 · Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure persons authorised to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Security).
- Engage Sub-processors only with prior general written authorisation; current list available on request.
- Assist the Controller with Data Subject rights requests and notify the Controller of any received directly.
- Notify the Controller without undue delay (and in any case within 72 hours) of becoming aware of a Personal Data breach.
- At the Controller's choice, delete or return all Personal Data after the end of the Service.
- Make available all information necessary to demonstrate compliance, and allow for audits with reasonable notice.
5 · International transfers
Where Personal Data is transferred outside the EEA / UK / Canada, the Processor relies on Standard Contractual Clauses (EU 2021/914) and applicable supplementary measures. Quebec residents' data is processed in accordance with Law 25 transfer-impact assessments.
6 · Sub-processors
The Controller authorises the engagement of Sub-processors. A current list of Sub-processors is available on request from privacy@evamb.com. The Processor will notify the Controller of any intended addition or replacement and the Controller may object within 14 days.
7 · Audits
The Processor will make available, on reasonable request, summary audit reports (e.g. SOC 2 Type II when available), or accept an audit conducted by the Controller or a mutually agreed auditor, no more than once per year (except in case of a breach).
8 · Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
9 · Order of precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict and only in respect of the Processing of Personal Data.
10 · Contact
To execute a counter-signed DPA or for any related question: privacy@evamb.com.