Data Processing Agreement (Art. 28 GDPR)
This Data Processing Agreement ("DPA") governs the processing of personal data by Nils Wloka ("Processor") on behalf of you, the Evidri customer ("Controller"). This DPA forms part of the agreement between Controller and Processor for the provision of the Evidri Service ("Service").
1. Subject matter, duration, nature, purpose
- Subject matter: The processing of personal data contained in content uploaded to the Service by Controller (e.g. interview transcripts).
- Duration: For as long as the Service is provided to Controller.
- Nature and purpose: Storage, classification, extraction, and retrieval of evidence as part of providing the Service.
- Categories of personal data: Identifiers (names, email addresses where present in content), professional information, opinions and statements expressed in interviews, and any other personal data Controller chooses to upload.
- Categories of data subjects: Persons whose statements appear in content Controller uploads (typically interview participants and end-users of Controller's products).
2. Roles and obligations of Controller
Controller is the controller of the personal data processed under this DPA and is solely responsible for ensuring that:
- Controller has a lawful basis under the GDPR for the processing.
- Controller has provided the data subjects with the information required by Art. 13 / 14 GDPR before uploading data to the Service.
- Controller's instructions to Processor (which take the form of Controller's use of the Service) comply with the GDPR.
3. Obligations of Processor
Processor will:
- Process on documented instructions (Art. 28(3)(a)). Controller's use of the Service, together with this DPA and the Privacy Policy, constitutes Processor's documented instructions. Processor will not process Customer Content for any other purpose. If Processor believes an instruction infringes the GDPR, Processor will inform Controller.
- Confidentiality (Art. 28(3)(b)). Personnel authorised to process personal data are bound by confidentiality. See Annex 1 §5.
- Security (Art. 28(3)(c), Art. 32). Implement the technical and organisational measures set out in Annex 1 of this DPA.
- Sub-processors (Art. 28(3)(d), 28(2)). Controller grants Processor general authorisation to engage the sub-processors listed in Annex 2. Processor will inform Controller of any intended additions or replacements of sub-processors with at least 30 days' notice (by email or in-product notice). Controller may object on reasonable grounds; if the parties cannot resolve the objection, Controller may terminate this DPA and the underlying agreement and have its data deleted.
- Assist with data subject requests (Art. 28(3)(e)). Where a data subject contacts Processor directly, Processor will forward the request to Controller. Processor will assist Controller, as far as technically possible, in fulfilling Controller's obligations to respond to data subject requests.
- Assist with security and breach notification (Art. 28(3)(f), Art. 33). Processor will notify Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer Content. The notification will include the information required by Art. 33(3) GDPR to the extent available.
- Return or delete on termination (Art. 28(3)(g)). Within 30 days of the termination of the underlying agreement, Processor will delete all Customer Content from active systems. Backups containing Customer Content will be pruned according to the rolling backup schedule (up to a further 30 days).
- Audit (Art. 28(3)(h)). Processor will make available to Controller on request all information necessary to demonstrate compliance with this DPA. On reasonable advance notice, Controller may request a physical or remote audit, which Processor will accommodate at reasonable times and at Controller's expense.
4. International transfers
Where Processor or any sub-processor processes personal data outside the European Economic Area, the parties incorporate the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) for the relevant module ("controller to processor" or "processor to processor"), supplemented where appropriate by additional safeguards reflecting the Schrems II decision (CJEU C-311/18).
5. Liability
The liability of the parties under this DPA is limited as set out in the Terms of Service. Statutory liability under Art. 82 GDPR is unaffected.
6. Term and termination
This DPA enters into force when Controller accepts it and remains in force for as long as Processor processes personal data on Controller's behalf.
7. Order of precedence
In the event of any conflict between this DPA and the Terms of Service or the Privacy Policy, this DPA prevails with respect to the processing of personal data.
Annex 1 — Technical and Organisational Measures (Art. 32 GDPR)
1. Confidentiality
- Access control to systems: All operational systems are accessible only to the Provider via SSH key authentication. No password authentication is enabled.
- Access control to data: Authentication via OIDC (Zitadel). PostgreSQL Row-Level Security policies restrict every customer's queries to their tenant's data. The application database role is not a superuser.
- Pseudonymisation: User identifiers in event analytics are hashed OIDC subject identifiers, not raw email addresses.
2. Integrity
- Transport encryption: TLS 1.2+ for all external network traffic, certificates from Let's Encrypt, automatically renewed.
- At-rest encryption: PostgreSQL data resides on encrypted Hetzner block storage volumes. Off-site backups uploaded to Backblaze B2 are encrypted at rest by Backblaze.
- Integrity of code deployments: Code is deployed via GitHub Actions from signed commits. Container images are built reproducibly and identified by content hash.
3. Availability and resilience
- Backups: Database backups are taken nightly, compressed, and uploaded to a separate cloud provider. Backups older than 30 days are deleted automatically.
- Restoration: A documented restore procedure exists and is tested on staging before any production restore.
- Monitoring: Health and readiness probes on every container; Caddy health checks; OpenTelemetry traces exported to a managed collector.
4. Procedures for regular review
- Sub-processor review: The sub-processor list is reviewed at least quarterly and on any onboarding of a new sub-processor.
- Vulnerability response: Security advisories from upstream dependencies are monitored via GitHub Security Advisories. Critical vulnerabilities are patched within 7 days.
- Incident response: A documented incident response process covers detection, containment, notification, and post-incident review.
5. Personnel
The Provider operates the Service as a private individual. No additional personnel have access to Customer data. Should additional personnel be engaged in future, they will be subject to a written confidentiality undertaking before being granted access.
Annex 2 — Sub-processors
The following sub-processors are engaged by Processor as of the effective date of this DPA:
| Sub-processor | Purpose | Country |
|---|---|---|
| Hetzner Online GmbH | Hosting (servers and storage volumes) | Germany |
| Backblaze, Inc. | Encrypted off-site database backups | EU (Frankfurt region) |
| Zitadel GmbH | Identity provider (authentication) | Germany / Switzerland |
| PostHog, Inc. | Product analytics | EU (Frankfurt region) |
| Crisp IM SARL | In-app customer support chat | France; data stored in the EU (Netherlands and Germany) |
| OpenRouter, Inc. | LLM gateway — routes inference requests to one of its model-provider partners | United States |
| Anthropic PBC | LLM provider (used directly and via OpenRouter) | United States |
| OpenAI, OpCo, LLC | Embedding model provider (via OpenRouter) | United States |
OpenRouter provider partners: For models other than those served directly by Anthropic or OpenAI, OpenRouter forwards inference requests to one of its provider partners. The Service currently uses Qwen-family models for classification, extraction, suggestion, naming, and chat; these requests are typically routed to one of: DeepInfra, NovitaAI, Together AI, Fireworks, or Hyperbolic, each an independent processor in the United States. Controller acknowledges that the set of OpenRouter provider partners can change as OpenRouter onboards or removes partners. Processor commits to monitoring the live list (published at openrouter.ai/<model>/providers for each model) and to notifying Controller under Section 3.4 of this DPA when the set changes materially.
The current list of sub-processors is also published in the Privacy Policy and is updated together with new versions of this DPA.
Signatures
By accepting this DPA in the Service, Controller and Processor sign this agreement electronically. The acceptance is recorded with timestamp, IP address, and user agent for both parties.
- Processor: Nils Wloka, Niederzielenbach 9, 51597 Morsbach, Germany; contact@evidri.com
- Controller: the user accepting in the Service.