Data Processing Agreement (DPA)
Last Updated: January 2026
This Data Processing Agreement forms part of the Terms of Service between AutEvo AI ("Processor") and the Customer ("Controller") and governs the processing of personal data in connection with the AutEvo AI service.
1. Definitions
- "Controller" — the Customer who determines the purposes and means of processing personal data.
- "Processor" — AutEvo AI, processing personal data on behalf of the Controller.
- "Personal Data" — any information relating to an identified or identifiable natural person.
- "Processing" — any operation performed on Personal Data.
- "GDPR" — General Data Protection Regulation (EU) 2016/679 and any equivalent applicable data protection law.
2. Scope and Purpose
AutEvo AI processes Personal Data solely for the purpose of providing the contracted services as described in the Terms of Service. Processing shall only occur on documented instructions from the Controller, unless required by law.
Categories of Personal Data Processed
- Customer contact information (name, email, phone, address)
- Employee and team member data (name, email, role, time records)
- Financial transaction data (invoices, payments — excluding raw card data)
- Job site and project information
- Communication records (emails, SMS logs)
Categories of Data Subjects
- The Controller's customers and prospects
- The Controller's employees, subcontractors, and team members
3. Processor Obligations
AutEvo AI shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that authorised personnel are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 5)
- Not engage sub-processors without prior written authorisation from the Controller (general authorisation is granted per Section 6)
- Assist the Controller in responding to data subject requests
- Notify the Controller without undue delay (within 72 hours where feasible) of any Personal Data breach
- Delete or return all Personal Data upon termination of services
- Make available all information necessary to demonstrate compliance
4. Controller Obligations
The Controller shall:
- Have a lawful basis for all Personal Data submitted to the Service
- Ensure data subjects have been informed of processing as required by applicable law
- Provide AutEvo AI with clear, documented instructions for processing
- Notify AutEvo AI promptly of any changes to applicable data protection requirements
5. Security Measures
AutEvo AI maintains the following technical and organisational measures:
- Encryption at Rest: AES-256 encryption for stored data
- Encryption in Transit: TLS 1.2+ for all data transfers
- Access Controls: Role-based access and multi-factor authentication
- Audit Logging: Comprehensive audit trails retained per retention policy
- Backups: Daily encrypted backups with tested restore procedures
- Vulnerability Management: Regular security assessments and patching
- Incident Response: Documented data breach response procedures
6. Sub-processors
The Controller grants general written authorisation for AutEvo AI to engage the following sub-processors. AutEvo AI will notify the Controller of any intended changes and allow the Controller 30 days to object before engaging a new sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure & storage | USA (us-east-1) |
| Stripe Inc. | Payment processing | USA |
| Twilio Inc. | SMS & voice communications | USA |
| SendGrid (Twilio) | Transactional email delivery | USA |
| Google LLC | Maps & geolocation services | USA |
7. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), AutEvo AI relies on Standard Contractual Clauses (SCCs) as approved by the European Commission or other appropriate transfer mechanisms.
8. Data Subject Rights Assistance
AutEvo AI provides built-in tools to assist with data subject requests:
- Export: Customer data export via GDPR tools in the app
- Deletion: Customer data anonymisation / erasure tools
- Portability: JSON export of all customer records
The Controller retains responsibility for verifying data subject identity before actioning requests.
9. Audit Rights
The Controller may, with 30 days' written notice, request an audit of AutEvo AI's data processing activities. Audits shall be conducted at the Controller's expense and in a manner that minimises disruption to service operations.
10. Term and Termination
This DPA is coterminous with the Terms of Service. Upon termination, AutEvo AI will delete all Personal Data within 30 days unless retention is required by law. Upon request, AutEvo AI will provide written confirmation of deletion.
11. Contact
For data processing enquiries or to exercise DPA rights, contact:
Data Protection Officer, AutEvo AI
Email: dpo@autevo.ai