This Data Processing Addendum ("DPA") forms part of the agreement between EvenRound ("Processor") and the customer ("Controller") for use of the Service. It applies where the Controller's use of the Service involves processing personal data subject to the EU GDPR, the UK GDPR, or comparable data-protection law.
1. Definitions
"Personal data", "processing", "data subject", "controller", and "processor" have the meanings given in Article 4 GDPR.
2. Scope and roles
The Controller decides the purposes and means of processing. The Processor processes personal data only on documented instructions from the Controller, including transfers to third countries.
3. Categories of data and data subjects
Personal data processed under this DPA may include: names, email addresses, IP addresses, group membership, expense descriptions, amounts, dates, payment metadata, and receipt images. Data subjects may include the Controller's employees, contractors, group members, and end users.
4. Subprocessors
The Controller authorises the Processor to engage the following subprocessors:
- Vercel Inc. - application hosting, edge network, analytics infrastructure (US/EU).
- Supabase - managed Postgres and auth infrastructure (EU, Frankfurt).
- Resend - transactional email delivery.
- OpenAI and Anthropic - AI receipt OCR and line-item extraction. Inputs are not retained for training.
The Processor will give the Controller 30 days' notice of any new subprocessor and offer a right to object on reasonable grounds.
5. Confidentiality
The Processor ensures that personnel authorised to process personal data are bound by confidentiality obligations.
6. Security
The Processor implements appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Role-based access control with least privilege.
- Regular dependency and vulnerability scanning.
- Audit logging for administrative actions.
- Backups stored in EU regions with 30-day retention.
7. International transfers
Where data is transferred outside the EEA or UK, the Processor relies on the European Commission's Standard Contractual Clauses (Module 2 or 3 as applicable) and conducts transfer impact assessments.
8. Data subject requests
The Processor will, taking into account the nature of the processing, assist the Controller in responding to data subject requests under Articles 15–22 GDPR within 30 days of request.
9. Personal data breaches
The Processor will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach affecting Controller data, providing the information required by Article 33(3) GDPR.
10. Audit
The Processor will make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, no more than once per year unless required by a supervisory authority.
11. Return or deletion
Upon termination, the Processor will, at the Controller's choice, delete or return all personal data and delete existing copies unless EU or Member State law requires storage.
12. Liability
Liability under this DPA is subject to the limitations set out in the underlying Terms of Service.
13. Contact
Data Protection Officer: legal@evenround.com.