Data Processing Agreement

1. Definitions

For the purposes of this DPA:

• “Controller” means the customer organization that determines the purposes and means of processing personal data.
• “Processor” means Eval LogiQ, which processes personal data on behalf of the Controller.
• “Personal Data” means any information relating to an identified or identifiable natural person contained in documents or data uploaded to the Service.
• “Processing” means any operation performed on personal data, including storage, analysis, extraction, and transmission.
• “Sub-processor” means any third party engaged by Eval LogiQ to process personal data in connection with the Service.
• “Data Subject” means the individual to whom personal data relates.
• “Service” means the Eval LogiQ AI legal document intelligence platform available at evallq.com.

2. Scope and Nature of Processing

2.1 Subject Matter

Eval LogiQ processes personal data solely to provide the Service to the Controller, including AI-powered document analysis, timeline extraction, evidence mapping, and case intelligence generation.

2.2 Duration

Processing continues for the duration of the Controller’s active subscription and ceases upon account termination, subject to the data retention periods set out in our Data Retention Policy.

2.3 Types of Personal Data

The personal data processed may include:

• Names, contact details, and identifiers of individuals referenced in case documents
• Medical records, treatment history, and health-related information
• Financial records and billing information referenced in documents
• Legal case details, witness statements, and court records
• Employment records and HR-related documents
• Any other personal data contained in documents uploaded by the Controller

2.4 Categories of Data Subjects

Data subjects may include clients, opposing parties, witnesses, medical providers, employers, and any other individuals referenced in uploaded case documents.

3. Controller Obligations

The Controller represents and warrants that:

• It has a lawful basis for processing personal data and for sharing that data with Eval LogiQ
• It has provided appropriate notice to data subjects regarding the use of AI processing tools where required by applicable law
• It is solely responsible for the accuracy, quality, and legality of the personal data uploaded to the Service
• It has assessed and accepted the risks associated with transmitting potentially privileged or confidential documents to third-party AI providers as described in Section 6
• It will not upload special category data (as defined under GDPR Article 9) beyond what is reasonably necessary for case analysis purposes

4. Processor Obligations

Eval LogiQ agrees to:

• Process personal data only on documented instructions from the Controller (i.e., use of the Service) and not for any other purpose
• Never use personal data contained in uploaded documents to train AI models or develop competing products
• Ensure that all personnel with access to personal data are subject to appropriate confidentiality obligations
• Implement and maintain appropriate technical and organizational security measures as described in Section 5
• Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller’s data
• Assist the Controller in responding to data subject rights requests to the extent technically feasible
• Delete or return all personal data upon termination of the agreement, as described in our Data Retention Policy
• Make available all information reasonably necessary to demonstrate compliance with this DPA

5. Security Measures

Eval LogiQ implements the following technical and organizational security measures:

5.1 Technical Measures

• AES-256 encryption for all data at rest
• TLS 1.3 encryption for all data in transit
• Isolated processing environments — documents are not co-mingled across organizations
• Row-level security policies enforced at the database layer
• Role-based access controls restricting data access to authorized users only
• Secure document storage via Cloudflare R2 with access-controlled signed URLs

5.2 Organizational Measures

• Access to customer data restricted to personnel who require it to operate the Service
• Real-time error monitoring and security incident detection via Sentry
• Regular review of sub-processor security postures
• Confidentiality obligations for all personnel with data access

6. Sub-processors

The Controller hereby grants general authorization for Eval LogiQ to engage the following sub-processors. Eval LogiQ will notify the Controller of any material changes to this list with reasonable advance notice.

7. Data Subject Rights

The Controller is responsible for handling data subject rights requests (access, deletion, portability, correction, objection) from individuals whose data is contained in uploaded documents. Eval LogiQ will, upon written request from the Controller, assist with technically feasible aspects of fulfilling such requests, including:

• Providing an export of data associated with the Controller’s account
• Deleting specific cases, documents, or analysis results
• Deleting the Controller’s entire account and all associated data

Requests should be directed to support@evallq.com. We will respond within 30 days.

8. Data Breach Notification

In the event of a personal data breach affecting the Controller’s data, Eval LogiQ will:

• Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
• Provide a description of the nature of the breach, categories and approximate number of data subjects affected, and the likely consequences
• Describe the measures taken or proposed to address the breach
• Cooperate with the Controller in meeting any regulatory notification obligations

Breach notifications will be sent to the primary account email address on file.

9. Audits and Compliance

Eval LogiQ will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Enterprise customers may request a written compliance summary by contacting legal@evallq.com. On-site audits may be accommodated by agreement and at the Controller’s expense with reasonable advance notice.

10. Data Retention and Deletion

Upon termination of the Controller’s account, Eval LogiQ will delete all personal data associated with the account within 30 days, except where retention is required by applicable law. For full retention schedules, see our Data Retention Policy.

The Controller may request early deletion of specific data at any time by contacting support@evallq.com. We will process deletion requests within 14 business days.

11. CCPA Service Provider Terms

For the purposes of the California Consumer Privacy Act (CCPA), Eval LogiQ is a “Service Provider” and processes personal data solely for the purpose of providing the Service under the terms of this DPA. Eval LogiQ will not:

• Sell personal information as defined under CCPA
• Retain, use, or disclose personal information for any commercial purpose other than providing the Service
• Retain, use, or disclose personal information outside of the direct business relationship with the Controller

12. Governing Law

This DPA shall be governed by the same governing law as the underlying Terms of Service between the parties. Where EU GDPR applies, the parties agree to the standard contractual clauses as adopted by the European Commission, which are incorporated herein by reference.

13. Changes to This DPA

Eval LogiQ may update this DPA from time to time to reflect changes in applicable law, sub-processors, or processing activities. Material changes will be communicated to the Controller with at least 30 days’ advance notice via email. Continued use of the Service after the effective date of any update constitutes acceptance of the revised DPA.

14. Contact

For DPA-related inquiries, countersigned DPA requests, or data protection questions: