Data Processing Addendum (DPA-Ready)

1. Roles and Scope

Customer acts as controller (or equivalent role) and EvologikAI acts as processor for personal data processed on Customer's documented instructions for contracted services.

2. Processing Instructions

EvologikAI processes personal data only to deliver contracted services, provide support, maintain security, and meet legal obligations documented in applicable agreements.

3. Security Measures

• Encryption in transit and at rest where applicable.
• Access control with least privilege and role segregation.
• Rate limiting, bot controls, and input validation on public endpoints.
• Security headers and browser-level hardening for public web surfaces.
• Audit logging controls for security and governance evidence.

4. Subprocessors

EvologikAI may use subprocessors for hosting, analytics, communication, and infrastructure operations. Public subprocessor information is available at /security/subprocessors.

5. International Transfers

If personal data is transferred across borders, EvologikAI applies appropriate contractual and technical safeguards to support lawful transfer and protection obligations.

6. Incident Notification

EvologikAI will notify affected customers without undue delay after confirming a security incident involving customer personal data, as required by law and contract.

7. Data Subject Requests

EvologikAI will provide reasonable assistance for controller-led responses to data subject requests, to the extent required by applicable law and the service configuration.

8. Deletion or Return

Upon termination of services and subject to legal retention obligations, personal data will be returned or deleted in accordance with the governing agreement.

9. Audit and Demonstration

EvologikAI provides security and governance evidence suitable for enterprise review. Additional audit rights are governed by executed contractual terms.