Data Processing Addendum
Last updated: June 2026 · Version 1.0
Scope
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and EVE NeuroSystems LLC ("EVE", "Processor") for the provision of the EVE AI Core platform and EVE CoreGuard services (the "Services"). It governs the processing of personal data on the Controller's behalf and applies where, and to the extent that, EVE processes personal data subject to the GDPR, UK GDPR, CCPA/CPRA, or other applicable data protection laws. Where this DPA conflicts with the main agreement on data protection matters, this DPA controls.
1. Definitions
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Sub-processor" have the meanings given in applicable data protection law (including Article 4 GDPR).
- "Customer Personal Data" means personal data contained within the Controller's content that EVE processes on the Controller's behalf to provide the Services.
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under the agreement, including the GDPR, UK GDPR, and CCPA/CPRA.
2. Roles of the Parties
For the purposes of this DPA:
- The Controller determines the purposes and means of processing Customer Personal Data and is responsible for the lawfulness of the data it provides to the Services.
- EVE acts as a Processor and processes Customer Personal Data only on the documented instructions of the Controller, including with regard to transfers, unless required to do otherwise by law (in which case EVE will inform the Controller, where legally permitted).
- Where EVE processes data for its own purposes (e.g., billing, account security, aggregated and de-identified service telemetry that does not identify Data Subjects), EVE acts as an independent Controller for that limited processing as described in its Privacy Policy.
3. Subject Matter, Duration, Nature and Purpose of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the EVE AI Core platform and EVE CoreGuard decision-governance Services. |
| Duration | For the term of the agreement plus any retention period required by law or expressly agreed in writing. |
| Nature and purpose | Hosting, evaluation, governance enforcement, generation of signed decision-evidence records, audit logging, support, and billing. |
4. Categories of Data Subjects and Personal Data
| Item | Description |
|---|---|
| Categories of Data Subjects | The Controller's authorized users, administrators, and any individuals whose data the Controller submits to the Services (e.g., applicants or customers within decision logs). |
| Categories of Personal Data | Account identifiers (name, email), authentication metadata, request/response content submitted to the Services, decision context fields supplied by the Controller, audit and usage logs, and billing information. The Controller controls which fields it transmits and is responsible for minimizing the inclusion of special-category data. |
| Special category data | The Services are not intended to process special categories of personal data (Article 9 GDPR). The Controller must not submit such data except as separately agreed in writing with appropriate safeguards. |
5. Processor Obligations
EVE shall:
- Process Customer Personal Data only on the Controller's documented instructions, including those set out in the agreement and this DPA;
- Ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations;
- Implement and maintain the technical and organizational security measures described in Section 8;
- Respect the conditions in Section 6 for engaging Sub-processors;
- Assist the Controller, taking into account the nature of the processing, in responding to Data Subject rights requests (Section 7) and in meeting its obligations under Articles 32–36 GDPR;
- At the Controller's choice, delete or return all Customer Personal Data after the end of the provision of the Services, as set out in Section 10;
- Make available to the Controller information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 11;
- Immediately inform the Controller if, in EVE's opinion, an instruction infringes Applicable Data Protection Law.
6. Sub-processors
The Controller provides a general authorization for EVE to engage Sub-processors to support the provision of the Services. EVE imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA and remains responsible for the performance of each Sub-processor's obligations.
The current Sub-processors are categorized below. EVE provides this list and will give the Controller prior notice of any intended addition or replacement of a Sub-processor (no less than 30 days where practicable), giving the Controller the opportunity to object on reasonable data protection grounds.
| Category | Purpose | Region |
|---|---|---|
| Cloud infrastructure / hosting | Compute, storage, and network hosting of the Services | United States |
| Managed data stores | Operational databases, caching, and audit-log persistence | United States |
| Transactional email / notifications | Account, security, and billing notifications | United States |
| Payment processing | Subscription billing and invoicing | United States |
| Error monitoring / observability | Service reliability and incident response | United States |
An up-to-date list of named Sub-processors is available on request at [email protected]. Optional third-party LLM providers are only engaged where the Controller elects to route requests to them or supplies its own keys; in that case the relevant provider acts as a Sub-processor for that routing only.
7. Data Subject Rights
Taking into account the nature of the processing, EVE will assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests to exercise Data Subject rights (access, rectification, erasure, restriction, portability, and objection). Where EVE receives a request directly from a Data Subject, it will, unless legally prohibited, promptly notify the Controller and will not respond to the request except on the Controller's documented instructions.
8. Security Measures
EVE implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including, as applicable:
- Encryption of Customer Personal Data in transit (TLS) and at rest;
- Access control with role-based access, least-privilege principles, multi-factor authentication for administrative access, and tenant isolation;
- Audit logging of governance decisions and administrative actions, including tamper-evident, hash-chained and cryptographically signed evidence records;
- Network and application hardening, including a deterministic pre-execution governance gateway, content security policy, and rate limiting;
- Secrets management via a managed secrets store rather than environment defaults;
- Resilience measures including backups, monitoring, and incident response procedures;
- Personnel confidentiality obligations and security awareness practices.
Further detail is available in EVE's Security documentation.
9. Personal Data Breach Notification
EVE will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent known, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and to mitigate its adverse effects. EVE will cooperate with the Controller and take reasonable steps to mitigate the effects of, and to minimize any damage resulting from, the breach.
10. Return and Deletion of Data
Upon termination or expiry of the Services, and at the Controller's election, EVE will delete or return all Customer Personal Data and delete existing copies, unless retention is required by applicable law. The Services support customer-initiated deletion and, where applicable, generate HMAC-signed, hash-chained deletion receipts that evidence erasure across the relevant data layers. Backups containing Customer Personal Data are deleted in accordance with EVE's documented backup-rotation schedule.
11. Audits
EVE will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable prior written notice, and no more than once per twelve-month period (unless required by a supervisory authority or following a Personal Data Breach), the Controller may audit EVE's compliance, including through EVE's most recent third-party reports, security documentation, and where appropriate, a remote review, subject to confidentiality obligations and without compromising the security of other customers.
12. International Data Transfers
The Services are primarily hosted in the United States. Where EVE transfers Customer Personal Data from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of protection, EVE will rely on an appropriate transfer mechanism, including the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated into this DPA by reference where required.
13. Liability and Term
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the main agreement. This DPA takes effect on the effective date of the agreement and remains in force for as long as EVE processes Customer Personal Data on the Controller's behalf.
14. Contact
For data protection matters, including to request the current list of Sub-processors or to exercise audit rights, contact EVE NeuroSystems LLC at [email protected]. See also our Privacy Policy and Terms of Service.
Questions?
If you have any questions about this Data Processing Addendum or need a countersigned copy for your records, please contact us at [email protected].