LEGAL

Data Protection Notice

DPA - Data Processing Agreement

Effective Date: June 1st, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between EvikNova LLC, a company incorporated in the State of Texas, United States, with its principal place of business in Texas (“Processor”), and the customer or organization using EvikNova services (“Controller”).

1) Definitions

  • “Controller”: Entity determining the purposes and means of processing personal data
  • “Processor”: EvikNova LLC processing personal data on behalf of the Controller
  • “Personal Data”: Any information relating to an identified or identifiable individual
  • “Processing”: Any operation performed on personal data
  • “Applicable Data Protection Laws”: Includes GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPL, DPDP, POPIA, and other applicable laws

2) Scope and Roles

  • The Controller determines the purposes and means of processing
  • EvikNova acts as a Processor (or Service Provider where applicable)
  • This DPA applies where EvikNova processes personal data on behalf of the Controller

3) Processing Instructions and Duration

EvikNova shall process personal data:

  • Only on documented instructions from the Controller
  • As defined in the Terms of Service, this DPA, and service configuration

Processing shall continue for the duration of the services unless otherwise required by applicable law.

4) Nature and Purpose of Processing

Processing includes:

  • Providing platform services (AI, CRM, automation, communication)
  • Storing, organizing, and retrieving data
  • Enabling analytics and system functionality
  • Ensuring security, monitoring, and compliance

5) Types of Personal Data

May include (depending on use case):

  • Account data (name, email, phone)
  • Communication data (voice, chat, transcripts)
  • Customer records (CRM data, bookings, interactions)
  • Payment-related data (via secure providers)
  • Sensitive data (health, financial, education data where applicable)

6) Categories of Data Subjects

  • Customers and end users
  • Employees and contractors
  • Patients (healthcare use cases)
  • Students (education use cases)
  • Clients or users of Controller services

7) Controller Obligations

The Controller shall:

  • Ensure a lawful basis for processing
  • Provide required notices to data subjects
  • Obtain necessary consents
  • Comply with applicable data protection laws

8) Processor Obligations

EvikNova shall:

  • Process data only in accordance with documented instructions
  • Ensure confidentiality of personnel
  • Implement appropriate technical and organizational measures
  • Not use personal data for its own purposes except as permitted
  • Assist the Controller in meeting legal obligations

9) Confidentiality

All persons authorized to process personal data are bound by confidentiality obligations.

10) Security Measures

EvikNova implements safeguards including:

  • Encryption in transit and at rest (where applicable)
  • Role-based access controls (RBAC)
  • Multi-factor authentication (MFA)
  • Logging and monitoring
  • Incident response procedures

Security practices are aligned with industry standards such as SOC 2, ISO 27001, or equivalent frameworks.

11) Subprocessors

  • EvikNova may engage subprocessors to provide services
  • Subprocessors are bound by equivalent data protection obligations

EvikNova shall:

  • Maintain a list of subprocessors (available upon request or via public page)
  • Notify Controllers of new subprocessors
  • Provide opportunity to object on reasonable grounds

EvikNova remains responsible for subprocessors’ compliance.

12) International Data Transfers

Where personal data is transferred across borders, EvikNova implements safeguards such as:

  • Standard Contractual Clauses (SCCs), including:
    • Module 2 (Controller-to-Processor)
    • Module 3 (Processor-to-Processor)
  • Additional technical and organizational measures
  • Data localization where required

13) Data Subject Rights

EvikNova shall assist the Controller in responding to requests for:

  • Access
  • Correction
  • Deletion
  • Portability
  • Restriction or objection

To the extent required by law and technically feasible.

14) Data Breach Notification

EvikNova shall notify the Controller without undue delay upon becoming aware of a personal data breach.

Notification shall include (where available):

  • Nature of the breach
  • Categories of affected data
  • Likely consequences
  • Measures taken or proposed to mitigate impact

15) Government Access Requests

Where legally permitted, EvikNova shall notify the Controller of any legally binding request for disclosure of personal data by a public authority.

16) Data Retention, Return, and Deletion

  • Personal data is retained only as necessary
  • Upon termination, data shall be deleted or returned to the Controller, at the Controller’s choice
  • Data may be retained where required by law

17) Audits and Compliance

EvikNova shall:

  • Make available information necessary to demonstrate compliance
  • Allow reasonable audits or provide third-party certifications (e.g., SOC 2, ISO 27001)

18) Assistance and Cooperation

EvikNova will assist the Controller with:

  • Data Protection Impact Assessments (DPIAs)
  • Regulatory inquiries
  • Compliance obligations

19) Liability

Liability is subject to the limitations set forth in the Terms of Service or applicable agreement.

20) Governing Law

This DPA is governed by the laws specified in the main agreement, unless otherwise required by applicable law.

21) Order of Precedence

In case of conflict:

  1. This DPA
  2. Terms of Service

22) Contact

For data protection inquiries:
Email: privacy@eviknova.com