Evolvyx LLC · Last Updated: April 14, 2026
This Data Processing Addendum ("DPA") supplements the Terms of Service and Master Services Agreement between Evolvyx LLC ("Processor" or "Company") and the Customer ("Controller" or "Client"). This DPA governs the processing of personal data by the Company on behalf of the Client.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (including GDPR and CCPA where applicable).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, modification, transmission, deletion, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Subprocessor" means any third party engaged by the Company to process Personal Data on behalf of the Client.
- "Data Breach" means any unauthorized access to, acquisition of, or disclosure of Personal Data that compromises the security, confidentiality, or integrity of such data.
2. Roles and Responsibilities
The Client acts as the Controller of Personal Data and determines the purposes and means of processing. The Company acts as the Processor and processes Personal Data only on behalf of and in accordance with the documented instructions of the Client.
For data collected directly through the Company's Site (such as account registration, billing information, and portal usage), the Company acts as an independent Controller and processes such data in accordance with its Privacy Policy.
3. Categories of Personal Data Processed
The Company may process the following categories of Personal Data depending on the services provided:
| Category | Examples | Applicable Services |
|---|---|---|
| Account & Identity Data | Name, email, phone number, job title | All tiers |
| Billing & Payment Data | Payment method (processed by Stripe), invoice history, billing address | All tiers |
| Organization Data | Company name, organization membership, roles | All tiers (with organizations) |
| Website Content | Text, images, media uploaded for client websites | All tiers |
| Employee/Personnel Data | Employee names, schedules, timesheet entries | Scale tier (business ops) |
| Financial Operations Data | Purchase orders, vendor information, pricing data | Scale tier (business ops) |
| Customer/End-User Data | Data collected through client-built websites or e-commerce stores | Growth and Scale tiers |
| Usage & Analytics Data | Page views, feature usage, session data | All tiers |
4. Processing Instructions
The Company shall process Personal Data only in accordance with the Client's documented instructions, which include: (a) providing the Services as described in the Terms of Service, applicable Quotes, and MSA, (b) complying with applicable data protection laws, and (c) any additional written instructions provided by the Client and acknowledged by the Company. The Company shall promptly inform the Client if it believes an instruction violates applicable data protection law.
5. Subprocessors
5.1 Current Subprocessors
The Client authorizes the Company to use the following Subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase (supabase.com) | Database hosting, authentication, Edge Functions | United States (AWS) |
| Stripe (stripe.com) | Payment processing, invoicing, subscription management | United States |
| Vercel (vercel.com) | Application hosting, deployment, CDN | United States (Global Edge) |
| DataJelly (datajelly.com) | Pre-rendering service for SEO | United States |
5.2 Changes to Subprocessors
The Company will notify the Client at least thirty (30) days before engaging a new Subprocessor or replacing an existing one. The Client may object to a new Subprocessor by providing written notice within fifteen (15) days of the notification. If the Client objects, the parties will discuss the concern in good faith. If the matter cannot be resolved, the Client may terminate the affected Services.
5.3 Subprocessor Obligations
The Company shall ensure that each Subprocessor is bound by data protection obligations no less protective than those in this DPA. The Company remains liable for the acts and omissions of its Subprocessors.
6. Security Measures
The Company implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Row Level Security (RLS) policies on all database tables containing Personal Data
- Role-based access control with distinct permissions for Owners, Billing Admins, and Members
- Authentication via Supabase Auth with secure session management
- Webhook signature verification for all Stripe payment events
- Audit logging of administrative actions
- Secrets management for API keys (encrypted at rest)
- Regular dependency updates and security patching
7. Data Breach Notification
In the event of a Data Breach involving Personal Data processed on behalf of the Client, the Company shall:
- Notify the Client without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach
- Provide the Client with sufficient information to assess the nature, scope, and impact of the breach
- Take immediate steps to contain and remediate the breach
- Cooperate with the Client in fulfilling any notification obligations to Data Subjects or supervisory authorities
- Maintain a record of all Data Breaches, including the facts, effects, and remedial actions taken
8. Data Subject Rights
The Company shall assist the Client in responding to requests from Data Subjects exercising their rights under applicable data protection law, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection.
If the Company receives a request directly from a Data Subject, it shall promptly forward the request to the Client and shall not respond to the request directly unless authorized by the Client.
9. Data Retention and Deletion
The Company retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.
- Account data is retained for the duration of the Client's subscription and deleted within ninety (90) days of account termination
- Billing and invoice data is retained for seven (7) years to comply with tax and financial reporting obligations
- Employee and operational data processed under Scale tier engagements is retained only for the duration of the engagement and deleted within thirty (30) days of termination
- Audit logs are retained for two (2) years
- Backups containing Personal Data are rotated and deleted within thirty (30) days of the data's deletion from production systems
Upon termination of Services, the Client may request the return or deletion of all Personal Data. The Company will comply within thirty (30) days, except where retention is required by law.
10. International Data Transfers
Personal Data is processed primarily in the United States. If data is transferred to a jurisdiction outside the Client's country, the Company shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms approved under applicable data protection law.
11. Audit Rights
The Client may audit the Company's compliance with this DPA upon reasonable written notice (at least thirty (30) days). Audits shall be conducted at the Client's expense during business hours and shall not unreasonably interfere with the Company's operations. The Company may satisfy audit requests by providing relevant certifications, audit reports, or documentation in lieu of on-site inspections, provided these are reasonably sufficient to demonstrate compliance.
12. California Consumer Privacy Act (CCPA)
To the extent the CCPA applies, the Company acts as a "Service Provider" as defined under the CCPA. The Company shall not (a) sell Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than performing the Services; or (c) combine Personal Data with data received from other sources, except as permitted by the CCPA. The Company certifies that it understands and will comply with these restrictions.
13. General Data Protection Regulation (GDPR)
To the extent the GDPR applies, this DPA serves as the data processing agreement required under Article 28 of the GDPR. The Company shall process Personal Data only on documented instructions from the Client, ensure that persons authorized to process the data are bound by confidentiality obligations, and assist the Client with Data Protection Impact Assessments where required.
14. Term and Survival
This DPA remains in effect for the duration of the Company's processing of Personal Data on behalf of the Client. The obligations in Sections 6, 7, 9, and 11 survive termination.
15. Contact
For data protection inquiries:
Evolvyx LLC
Email: legal@evolvyx.io