Data Processing Agreement
Last updated: June 1, 2026
To request an executed DPA for your organization, email info@evolveedgeai.com with subject line “DPA Request — Evolve Edge”. UK and Canadian customers may also request Standard Contractual Clauses or IDTA addendums.
This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer and Evolve Edge (“Evolve Edge”) governing the Customer’s use of the Evolve Edge platform and services (the “Services”). This DPA is incorporated by reference into the Evolve Edge Terms of Service.
1. Scope and Definitions
This DPA applies to the processing of Personal Data by Evolve Edge on behalf of the Customer in connection with the delivery of the Services.
- “Personal Data” means any information relating to an identified or identifiable natural person processed under this DPA.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Controller” means the entity that determines the purposes and means of processing Personal Data.
- “Processor” means the entity that processes Personal Data on behalf of the Controller.
- “Sub-processor” means any third party engaged by Evolve Edge to assist in processing Personal Data.
2. Roles of the Parties
The Customer acts as the Controller of Personal Data processed in connection with the Services. Evolve Edge acts as the Processor, processing Personal Data solely on behalf of and under the documented instructions of the Customer.
3. Processing Purposes
Evolve Edge processes Personal Data solely to deliver the contracted Services, including:
- Account management and authentication
- Compliance workflow execution and audit delivery
- AI risk assessments and evidence management
- Billing and subscription management
- Platform security and fraud prevention
Evolve Edge will not process Personal Data for any other purpose without the Customer’s prior written consent or as required by law.
4. Data Subjects and Categories of Personal Data
The categories of data subjects whose Personal Data may be processed include:
- Customer’s employees and authorized end users of the platform
- Customer’s business contacts referenced in compliance workflows
Categories of Personal Data that may be processed:
- Identification data (name, email address, job title)
- Authentication credentials (hashed passwords, session tokens)
- Usage data and audit logs
- Compliance documentation and evidence files uploaded by the Customer
5. Technical and Organizational Security Measures
Evolve Edge implements and maintains appropriate technical and organizational security measures, including:
- Encryption in transit using TLS 1.2 or higher for all data transfers
- Encryption at rest for stored Personal Data
- Strong password hashing (one-way, salted)
- Comprehensive audit logging of data access and modifications
- Role-based access controls with principle of least privilege
- Regular security reviews and vulnerability management
- Incident detection and response procedures
- Employee security training and confidentiality obligations
6. Sub-Processors
Evolve Edge engages the following sub-processors to assist in delivering the Services:
| Sub-processor | Purpose |
|---|---|
| Stripe | Payment processing and billing management |
| Resend | Transactional email delivery |
| n8n | Workflow automation and audit delivery |
| HubSpot | CRM and lead management |
| OpenAI | AI processing for assessments and reports (primary) |
| Anthropic | AI processing for assessments and reports (alternate provider) |
| Neon | Database hosting (Postgres) |
| PostHog | Product analytics (aggregate, anonymized usage data) |
| Crisp | Customer support chat |
| Vercel | Application hosting and CDN |
Evolve Edge will notify the Customer of any intended changes to this sub-processor list (additions or replacements) with at least 14 days’ notice, providing the Customer with the opportunity to object on reasonable grounds.
7. Data Subject Rights
Evolve Edge will provide reasonable assistance to the Customer in fulfilling its obligations to respond to data subject rights requests (access, rectification, erasure, portability, restriction, and objection). Upon receipt of a data subject request, Evolve Edge will promptly notify the Customer and take technically feasible steps to assist in responding within applicable legal timeframes.
8. Data Breach Notification
In the event of a confirmed Personal Data breach, Evolve Edge will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. Evolve Edge will cooperate with the Customer in meeting any regulatory notification obligations.
9. International Data Transfers
Personal Data is primarily processed and stored in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland, Evolve Edge relies on the Standard Contractual Clauses (EU SCCs 2021) adopted by the European Commission as the lawful transfer mechanism. Customers requiring executed SCCs may contact us at info@evolveedgeai.com.
10. Return and Deletion of Data
Upon termination of the Services, Evolve Edge will, at the Customer’s election, return or securely delete Customer Personal Data within 30 days, unless retention is required by applicable law. Evolve Edge will provide written confirmation of deletion upon request.
11. Audit Rights
Evolve Edge will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and applicable data protection laws. Evolve Edge will cooperate with audits or inspections conducted by the Customer or an authorized third-party auditor, subject to reasonable advance notice and confidentiality obligations.
12. Contact
For questions about this DPA or to request executed Standard Contractual Clauses, please contact us at: info@evolveedgeai.com.