Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement (“DPA”) forms part of the Master Service Agreement or Terms of Service between EvalGuard (“Processor”) and the Customer (“Controller”) for the provision of EvalGuard services. To execute this DPA, please contact [email protected].

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.

“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

“Data Protection Laws” means GDPR (EU 2016/679), UK GDPR, CCPA, and any other applicable privacy legislation.

“Sub-processor” means any third party engaged by EvalGuard to process Personal Data on behalf of the Customer.

2. Scope of Processing

EvalGuard processes Personal Data solely to provide the Services as described in the Agreement. Categories of data processed may include:

  • Account information (name, email, organization)
  • Usage data (evaluation runs, trace data, API logs)
  • LLM inputs and outputs submitted for evaluation
  • Security scan results and compliance reports

EvalGuard will not process Personal Data for any purpose other than providing the Services unless instructed by the Controller.

3. Controller Obligations

The Controller warrants that:

  • It has a lawful basis for processing Personal Data
  • It has provided appropriate notices to data subjects
  • It will not submit sensitive personal data (health, financial, biometric) unless explicitly agreed in writing
  • All instructions to the Processor comply with applicable Data Protection Laws

4. Processor Obligations

EvalGuard shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 6)
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all Personal Data upon termination of the Agreement
  • Make available all information necessary to demonstrate compliance

5. Sub-processors

EvalGuard uses the following sub-processors:

Sub-processor                 | Purpose                    | Location
------------------------------|----------------------------|---------------
Supabase Inc.                 | Database, authentication   | US (AWS)
Hetzner Online GmbH           | Infrastructure hosting     | Germany (EU)
Cloudflare Inc.               | CDN, DDoS protection, DNS  | Global
Resend Inc.                   | Transactional email        | US
Sentry (Functional Software)  | Error monitoring           | US

The Controller will be notified at least 30 days before any new sub-processor is engaged. The Controller may object to a new sub-processor by providing written notice within 14 days.

6. Security Measures

EvalGuard implements the following technical and organizational measures:

  • AES-256-GCM encryption for data at rest (BYOK supported)
  • TLS 1.2+ for all data in transit
  • Role-based access control with row-level security
  • API key hashing (SHA-256, never stored in plaintext)
  • Audit logging with HMAC-SHA256 tamper detection
  • Automated vulnerability scanning (CodeQL, TruffleHog, Trivy)
  • Session management with 10-session concurrent limit
  • CSRF protection, CSP headers, rate limiting

7. Data Breach Notification

EvalGuard will notify the Controller of any Personal Data breach without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:

  • Nature of the breach and categories of data affected
  • Approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. International Transfers

Where Personal Data is transferred outside the EEA/UK, EvalGuard ensures appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).

9. Data Subject Rights

EvalGuard will assist the Controller in fulfilling data subject requests including: access, rectification, erasure, restriction, portability, and objection. Requests are processed within 30 days.

10. Term and Termination

This DPA remains in effect for the duration of the Agreement. Upon termination, EvalGuard will delete all Personal Data within 90 days unless retention is required by law. The Controller may request a copy of their data in machine-readable format before deletion.

11. Contact

For DPA inquiries, contact:
