Data Processing Agreement (DPA)

Controller and processor obligations for customer data.

Version: 1.0 · Effective Date: April 18, 2026

This DPA supplements the applicable governing service agreement between Evident Technologies LLC (Processor) and Customer (Controller).

For enterprise engagements, this DPA supplements executed MSA and Order Form. For self-serve memberships, this DPA supplements the applicable Membership Agreement and accepted plan terms.

1. Scope

Processor processes personal data only to provide contracted services and documented instructions.

2. Roles

  • Controller: Customer
  • Processor: Evident Technologies LLC
  • Sub-processors: listed in schedules

3. Data categories and purposes

  1. Account and billing data.
  2. Evidence and metadata.
  3. Processing outputs, transcripts, OCR text, and analytics artifacts.
  4. Audit and custody event logs.

Purpose: service delivery, security operations, billing, and lawful compliance.

4. Processor obligations

  1. Process only on documented instructions.
  2. Maintain confidentiality obligations for authorized personnel.
  3. Implement appropriate technical and organizational measures.
  4. Assist Controller with data-subject requests where legally required.
  5. Assist with DPIA and regulatory inquiries when applicable and reasonable.
  6. Delete or return data at termination, subject to legal retention obligations.

5. Security measures

Security controls are defined in schedule documents and may include encryption in transit and at rest, access control, audit logging, integrity verification, and incident response procedures.

6. Sub-processors

  1. Controller authorizes listed sub-processors in schedule.
  2. Processor will provide notice of material sub-processor changes.
  3. Processor will flow down data-protection obligations to sub-processors.

7. Data-subject rights

Processor will provide commercially reasonable assistance for access, deletion, correction, portability, and objection requests to the extent legally required.

8. Security incident notice

Processor will notify Controller without undue delay after confirming an incident affecting Controller personal data and provide known details needed for response obligations.

9. International transfer framework

If applicable, transfers are governed by approved transfer mechanisms and required supplementary measures.

10. Liability and precedence

This DPA is subject to governing agreement liability terms unless mandatory law requires otherwise. If conflict exists, this order controls for data-protection topics: (1) this DPA, (2) governing agreement, (3) applicable schedules under documentation .

11. Non-legal-practice boundary

This DPA governs data-processing operations only and does not alter the legal-services disclaimer. Evident does not provide legal advice or legal representation.