Data Processing Agreement (DPA)
1. Definitions
1.1. Terms
"Agreement" means this Data Processing Agreement.
"Controller" means the Customer who determines the purposes and means of processing Personal Data.
"Processor" means Evaste, who processes Personal Data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data.
"Data Subject" means an identified or identifiable natural person.
"Sub-processor" means any third party engaged by Evaste to process Personal Data.
"Standard Contractual Clauses" or "SCCs" means the EU Commission approved standard contractual clauses for international data transfers.
"Supervisory Authority" means an independent public authority established by an EU Member State pursuant to GDPR Article 51.
2. Scope and Purpose
2.1. Scope
This Agreement applies to the processing of Personal Data by Evaste on behalf of the Customer in connection with the Services provided under the Terms of Service.
2.2. Subject Matter
The subject matter of data processing is the provision of cookie consent management, privacy compliance tools, and related services.
2.3. Duration
Processing will continue for the duration of the Services Agreement plus any retention period required by law or as specified in this Agreement.
2.4. Nature and Purpose of Processing
| Purpose | Description |
|---|---|
| Consent Management | Collecting, storing, and managing user consent |
| Cookie Scanning | Detecting and categorizing cookies |
| Analytics | Generating compliance reports |
| Support | Providing customer assistance |
2.5. Types of Personal Data
| Category | Examples |
|---|---|
| Identification | IP address, device ID, cookie ID |
| Consent Data | Consent choices, timestamps |
| Technical Data | Browser type, OS, screen size |
| Usage Data | Pages visited, interactions |
2.6. Categories of Data Subjects
- Website visitors of Customer
- Customer employees and authorized users
3. Customer Obligations (Data Controller)
3.1. Lawful Processing
Customer warrants that:
- It has a lawful basis for collecting Personal Data
- Required consents have been obtained
- Data subjects have been properly informed
- Processing instructions to Evaste are lawful
3.2. Data Accuracy
Customer is responsible for:
- Accuracy of Personal Data provided
- Rectifying inaccurate data
- Deleting data that is no longer necessary
3.3. Instructions
- Customer shall provide documented processing instructions
- The Terms of Service constitute the initial instructions
- Additional instructions must be in writing
3.4. Legal Compliance
Customer must comply with applicable data protection laws including:
- GDPR (where applicable)
- KVKK (where applicable)
- CCPA (where applicable)
- Other local laws
4. Evaste Obligations (Data Processor)
4.1. Processing Instructions
Evaste shall:
- Process Personal Data only on documented instructions from Customer
- Inform Customer if an instruction infringes data protection law
- Not process data for purposes other than providing the Services
4.2. Confidentiality
Evaste shall:
- Ensure authorized personnel have committed to confidentiality
- Limit access to Personal Data to those who need it
- Not disclose Personal Data to third parties except as permitted
4.3. Security
Evaste shall implement appropriate technical and organizational measures (see Section 7).
4.4. Sub-processors
Evaste shall comply with sub-processor requirements (see Section 5).
4.5. Data Subject Rights
Evaste shall assist Customer in responding to data subject requests (see Section 9).
4.6. Deletion/Return
Upon termination, Evaste shall:
- Delete or return all Personal Data (at Customer's choice)
- Delete existing copies unless required by law
- Provide certification of deletion upon request
5. Sub-processors
5.1. Authorization
Customer provides general authorization for Evaste to engage sub-processors.
5.2. Current Sub-processors
The current list of sub-processors is available at: https://evaste.co/legal-center/sub-processors
| Sub-processor | Location | Purpose |
|---|---|---|
| AWS | USA/EU | Cloud infrastructure |
| Google Cloud | USA/EU | Backup infrastructure |
| Cloudflare | USA/Global | CDN, security |
| Stripe | USA/Ireland | Payment processing |
| Intercom | USA/Ireland | Customer support |
| SendGrid | USA | Email delivery |
| Sentry | USA | Error monitoring |
5.3. Notification of Changes
- Evaste will notify Customer at least 30 days before adding or replacing sub-processors
- Notification via email to the Customer's registered email
- Updated list published on website
5.4. Objection Right
- Customer may object to new sub-processors within 15 days
- Objections must be in writing with reasonable grounds
- Parties will negotiate in good faith to resolve objections
- If unresolved, Customer may terminate affected Services
5.5. Sub-processor Obligations
Evaste shall ensure sub-processors:
- Are bound by written data protection obligations
- Provide at least the same level of protection as this DPA
- Process data only as necessary for the Services
6. International Data Transfers
6.1. Transfer Restrictions
Personal Data shall not be transferred outside the EEA unless:
- The destination has an adequacy decision
- Standard Contractual Clauses are in place
- Other valid transfer mechanisms apply
6.2. Transfer Mechanisms
For transfers to non-adequate countries, Evaste relies on:
- EU-US Data Privacy Framework (DPF) - For DPF-certified US companies
- Standard Contractual Clauses (SCCs) - 2021 EU Commission SCCs, Module 2 (Controller to Processor), Module 3 (Processor to Processor) for sub-processors
- Supplementary Measures - Technical measures (encryption, pseudonymization), Organizational measures (access controls), Contractual measures (audit rights)
6.3. Transfer Impact Assessment
Evaste has conducted Transfer Impact Assessments (TIAs) for transfers to:
- United States
- Other relevant jurisdictions
TIA summaries available upon request.
6.4. Government Access
If Evaste receives a government request for Personal Data:
- Notify Customer promptly (unless legally prohibited)
- Challenge requests that appear unlawful
- Provide minimum data required by law
- Seek protective orders where possible
7. Security Measures
7.1. Technical Measures
Evaste implements the following technical security measures:
- Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
- Access Control: Multi-factor authentication, Role-based access control, Unique user identification
- Network Security: Firewalls, Intrusion detection, DDoS protection
- Application Security: Input validation, Secure coding practices, Regular security testing
7.2. Organizational Measures
- Security policies and procedures
- Employee background checks
- Confidentiality agreements
- Security training
- Access management processes
7.3. Physical Security
- Secure data centers (AWS)
- Access controls
- Environmental controls
- Surveillance
7.4. Incident Response
- 24/7 security monitoring
- Incident response procedures
- Breach notification processes
- Post-incident reviews
8. Data Breach Notification
8.1. Notification to Customer
In case of a Personal Data breach, Evaste shall:
- Notify Customer without undue delay (within 48 hours)
- Notification via email and Platform notification
- Provide available information about the breach
8.2. Notification Content
The notification shall include:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of records affected
- Name and contact details of Evaste's DPO
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8.3. Assistance
Evaste shall assist Customer in:
- Investigating the breach
- Notifying supervisory authorities (if required)
- Notifying data subjects (if required)
- Mitigating adverse effects
8.4. Documentation
Evaste shall maintain records of:
- Facts relating to the breach
- Effects of the breach
- Remedial actions taken
9. Data Subject Rights
9.1. Assistance
Evaste shall assist Customer in responding to requests from data subjects exercising their rights under applicable data protection law:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction
- Right to data portability
- Right to object
9.2. Response Process
- Customer forwards requests to Evaste if related to Services
- Evaste responds within 10 business days
- Evaste provides necessary information/assistance
9.3. Direct Requests
If Evaste receives a request directly:
- Inform the data subject to contact Customer
- Notify Customer promptly
- Assist Customer in responding
9.4. Charges
Reasonable assistance is included in the Services fee. Complex or excessive requests may incur additional charges (notified in advance).
10. Audit Rights
10.1. Information
Evaste shall make available to Customer information necessary to demonstrate compliance with this DPA.
10.2. Audit Right
Customer has the right to:
- Audit Evaste's compliance with this DPA
- Conduct inspections at Evaste's premises
- Engage third-party auditors (subject to confidentiality)
10.3. Audit Conditions
- 30 days prior written notice
- During normal business hours
- Reasonable scope and duration
- Customer bears audit costs
- No more than one audit per year (unless required by law or breach)
10.4. Third-Party Certifications
Customer may rely on:
- ISO 27001 certification
- SOC 2 Type II reports
- Third-party penetration test summaries
11. Term and Termination
11.1. Term
This DPA is effective from the date Customer accepts it and continues for the duration of the Services.
11.2. Termination
This DPA terminates automatically upon termination of the Services.
11.3. Data Deletion
Upon termination:
- Evaste will delete or return Personal Data within 30 days
- Customer may request data export before termination
- Backups deleted within 90 days
- Anonymized data may be retained for analytics
11.4. Survival
The following provisions survive termination:
- Confidentiality obligations
- Liability provisions
- Audit rights (for 2 years)
12. Liability
12.1. Liability Cap
Evaste's total liability under this DPA is subject to the limitations in the Terms of Service.
12.2. Indemnification
Each party shall indemnify the other for losses arising from:
- Breach of this DPA
- Breach of applicable data protection law
- Processing outside the scope of instructions
12.3. Data Subject Claims
If Evaste receives claims from data subjects:
- Notify Customer promptly
- Cooperate in defense
- Not admit liability without Customer consent
13. Standard Contractual Clauses
13.1. Incorporation
Where required for international transfers, the Standard Contractual Clauses (SCCs) are incorporated by reference:
- EU Commission Decision 2021/914
- Module 2: Controller to Processor
- UK International Data Transfer Addendum (where applicable)
13.2. Module 2 Selections
For Module 2 (Controller to Processor):
- Clause 7 (Docking clause): INCLUDED
- Clause 9(a) (Sub-processor authorization): OPTION 1 (General authorization)
- Clause 11 (Redress): Optional language NOT INCLUDED
- Clause 17 (Governing law): OPTION 1 - Ireland
- Clause 18(b) (Forum): Courts of Ireland
13.3. Annexes
- Annex I (List of parties): As per Section 2 of this DPA
- Annex II (Technical measures): As per Section 7 of this DPA
- Annex III (Sub-processors): As per Section 5 of this DPA
13.4. Conflicts
In case of conflict between this DPA and the SCCs, the SCCs prevail.
Contact Information
Evaste (Group Taiga)
Address: Levent, Istanbul, Turkey
DPA Inquiries: dpa@evaste.co
Data Protection Officer: dpo@evaste.co
General: info@evaste.co
Web: https://evaste.co