Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the EvalFlow Terms of Service, Order Form, subscription agreement, or other written agreement between Logiciel EvalFlow Inc., operating as EvalFlow (“EvalFlow,” “we,” “us,” or “our”), and the organization, company, or legal entity using the EvalFlow Service (“Customer,” “you,” or “your”).

This DPA applies where EvalFlow processes Personal Data on behalf of Customer in connection with the EvalFlow platform, website, applications, artificial intelligence features, integrations, support services, and related services collectively referred to as the “Service.”

This DPA is designed to address controller/processor obligations under applicable privacy and data protection laws, including the GDPR where applicable. GDPR Article 28 requires processing by a processor to be governed by a contract that sets out the subject matter, duration, nature, purpose, types of personal data, categories of data subjects, and the obligations and rights of the controller.


1. Definitions

For purposes of this DPA:

“Agreement” means the EvalFlow Terms of Service, this DPA, any applicable Order Form, and any other written agreement between Customer and EvalFlow governing the Service.

“Applicable Data Protection Laws” means all privacy, data protection, data security, and data transfer laws applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss data protection law, Canada’s PIPEDA, Quebec privacy laws, and similar laws.

“Customer Data” means all data, content, files, text, employee information, feedback, reviews, goals, OKRs, recognition, surveys, tasks, comments, prompts, outputs, configurations, and other information submitted to, uploaded to, generated within, stored in, or processed through the Service by or on behalf of Customer.

“Data Subject” means an identified or identifiable individual to whom Personal Data relates.

“GDPR” means Regulation (EU) 2016/679, the General Data Protection Regulation.

“Personal Data” means any information relating to an identified or identifiable individual that is processed by EvalFlow on behalf of Customer through the Service.

“Processing” or “process” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.

“Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by EvalFlow on behalf of Customer.

“Sensitive Data” means special categories of personal data or highly sensitive information, including health information, biometric data, government identifiers, financial account information, criminal records, union membership, religious or political beliefs, racial or ethnic origin, sexual orientation, precise geolocation, or other sensitive data under Applicable Data Protection Laws.

“Subprocessor” means a third party engaged by EvalFlow to process Personal Data on behalf of Customer in connection with the Service.

Terms such as “controller,” “processor,” “personal data,” “process,” “data subject,” and “supervisory authority” have the meanings given to them under Applicable Data Protection Laws.


2. Scope of this DPA

This DPA applies only to Personal Data that EvalFlow processes on behalf of Customer as a processor, service provider, or equivalent role.

This DPA does not apply to information that EvalFlow processes as an independent controller for its own business purposes, such as billing, account administration, website analytics, marketing, fraud prevention, legal compliance, or business communications. Such processing is described in EvalFlow’s Privacy Policy.

If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls.


3. Roles of the Parties

As between Customer and EvalFlow:

a. Customer is the controller, business, or equivalent entity that determines the purposes and means of processing Personal Data; and
b. EvalFlow is the processor, service provider, or equivalent entity that processes Personal Data on behalf of Customer.

Customer instructs EvalFlow to process Personal Data as necessary to provide, secure, support, maintain, and improve the Service in accordance with the Agreement, this DPA, Customer’s configuration of the Service, Customer’s use of the Service, and Customer’s written instructions.

Customer is responsible for ensuring that its instructions comply with Applicable Data Protection Laws.

EvalFlow will notify Customer if EvalFlow believes, in its reasonable opinion, that an instruction infringes Applicable Data Protection Laws, unless prohibited from doing so by law.


4. Customer Responsibilities

Customer is responsible for:

a. complying with Applicable Data Protection Laws in its use of the Service;
b. determining the lawful basis for processing Personal Data;
c. providing all required notices to employees, contractors, managers, administrators, and other Data Subjects;
d. obtaining all required consents, approvals, authorizations, works council approvals, union approvals, or internal approvals;
e. ensuring that Personal Data submitted to the Service is accurate, lawful, relevant, and necessary;
f. configuring user permissions and access controls appropriately;
g. responding to Data Subject requests, unless applicable law requires EvalFlow to respond directly;
h. determining whether Customer’s use of the Service requires a data protection impact assessment, transfer impact assessment, legitimate interest assessment, employee monitoring assessment, or similar review; and
i. ensuring that Customer does not submit Sensitive Data unless expressly authorized in writing by EvalFlow.

Customer acknowledges that EvalFlow does not control Customer’s employment decisions, workplace policies, employee communications, legal basis for processing, or internal HR practices.


5. Subject Matter of Processing

The subject matter of processing is the provision of the EvalFlow Service to Customer.

EvalFlow processes Personal Data to provide a performance management platform that may include functionality for employee feedback, performance reviews, goals, OKRs, one-on-one meetings, recognition, employee profiles, pulse surveys, analytics, AI-assisted workflows, integrations, notifications, reporting, and related HR/performance-management processes.


6. Duration of Processing

EvalFlow will process Personal Data for the duration of the Agreement and for any additional period necessary to:

a. provide the Service;
b. complete deletion, export, or transition activities;
c. comply with legal obligations;
d. maintain security, backup integrity, and fraud prevention;
e. resolve disputes;
f. enforce agreements; or
g. establish, exercise, or defend legal claims.


7. Nature and Purpose of Processing

The nature and purpose of processing include:

a. hosting, storing, organizing, retrieving, displaying, transmitting, securing, backing up, and deleting Personal Data;
b. enabling Customer to manage performance-management workflows;
c. enabling Customer to create and manage employee profiles, feedback, reviews, goals, OKRs, recognition, pulse surveys, one-on-one meetings, tasks, analytics, and reports;
d. providing AI-assisted drafting, summarization, analysis, search, and insight features;
e. providing integrations with third-party systems enabled by Customer;
f. sending notifications and service communications;
g. providing customer support, troubleshooting, and maintenance;
h. monitoring and securing the Service;
i. preventing fraud, abuse, unauthorized access, and technical issues; and
j. complying with applicable legal obligations.


8. Categories of Data Subjects

Personal Data may relate to the following categories of Data Subjects:

a. Customer employees;
b. Customer contractors;
c. Customer managers;
d. Customer administrators;
e. Customer executives;
f. Customer HR personnel;
g. invited users;
h. users of the Service; and
i. other individuals whose information is submitted to the Service by or on behalf of Customer.


9. Categories of Personal Data

Personal Data processed through the Service may include:

a. names;
b. email addresses;
c. job titles;
d. departments;
e. reporting relationships;
f. manager names;
g. employment-related profile information;
h. user account information;
i. role and permission information;
j. goals and OKRs;
k. performance feedback;
l. performance reviews and ratings;
m. recognitions;
n. pulse survey responses;
o. comments, notes, and messages entered into the Service;
p. one-on-one meeting content;
q. tasks, projects, and work-related records;
r. AI prompts and AI-generated outputs;
s. integration data enabled by Customer;
t. usage logs and audit logs;
u. authentication and security metadata; and
v. other information submitted by Customer or Authorized Users.


10. Sensitive Data

Customer must not submit Sensitive Data to the Service unless expressly authorized in writing by EvalFlow.

The Service is not designed to process health records, biometric identifiers, payroll data, benefits data, background-check data, criminal records, immigration records, medical data, regulated health information, or other highly sensitive categories of Personal Data.

If Customer submits Sensitive Data without EvalFlow’s written authorization, Customer is solely responsible for all resulting legal, regulatory, contractual, operational, and security consequences.

EvalFlow may delete, restrict, or quarantine Sensitive Data if EvalFlow reasonably believes it has been submitted in violation of this DPA or the Agreement.


11. EvalFlow Processing Obligations

EvalFlow will:

a. process Personal Data only on documented instructions from Customer;
b. ensure that personnel authorized to process Personal Data are subject to confidentiality obligations;
c. implement appropriate technical and organizational measures designed to protect Personal Data;
d. assist Customer with Data Subject requests where legally required and reasonably possible;
e. assist Customer with data protection impact assessments and supervisory authority consultations where legally required and reasonably possible;
f. notify Customer without undue delay after becoming aware of a Security Incident affecting Personal Data;
g. impose appropriate data protection obligations on Subprocessors;
h. delete or return Personal Data as described in this DPA; and
i. make available information reasonably necessary to demonstrate compliance with this DPA.


12. Confidentiality

EvalFlow will ensure that persons authorized to process Personal Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

EvalFlow will limit access to Personal Data to personnel, contractors, advisors, service providers, and Subprocessors who need access to provide, secure, support, maintain, or improve the Service.


13. Security Measures

EvalFlow will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

These measures may include, as applicable:

a. encryption in transit;
b. encryption at rest;
c. role-based access controls;
d. tenant isolation;
e. database-level row-level security;
f. authentication controls;
g. access restrictions for personnel;
h. audit logs and monitoring;
i. secure software development practices;
j. backup and recovery controls;
k. server-side secret management;
l. least-privilege access principles;
m. security review of critical systems;
n. incident response procedures; and
o. other measures described on EvalFlow’s Security page.

Customer acknowledges that no system can be guaranteed to be completely secure and that EvalFlow’s security obligations are obligations to maintain appropriate safeguards, not to guarantee absolute security.


14. Security Incidents

EvalFlow will notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Personal Data processed on behalf of Customer.

EvalFlow’s notice may include, where available and legally permitted:

a. a description of the Security Incident;
b. the categories of Personal Data affected;
c. the categories of Data Subjects affected;
d. the likely consequences of the Security Incident;
e. measures taken or proposed to address the Security Incident; and
f. recommended steps for Customer.

Customer is responsible for determining whether it must notify Data Subjects, regulators, employees, unions, works councils, customers, or other third parties.

EvalFlow is not responsible for Security Incidents caused by Customer, Customer’s Authorized Users, Customer’s systems, Customer’s credentials, Customer’s integrations, Customer’s misconfiguration, or third-party services not controlled by EvalFlow.

EvalFlow’s notification of a Security Incident is not an admission of fault or liability.


15. Data Subject Requests

Customer is responsible for responding to requests from Data Subjects exercising rights under Applicable Data Protection Laws, including requests for access, correction, deletion, restriction, portability, or objection.

If EvalFlow receives a Data Subject request relating to Personal Data processed on behalf of Customer, EvalFlow may redirect the Data Subject to Customer unless legally required to respond directly.

EvalFlow will provide reasonable assistance to Customer in responding to Data Subject requests, taking into account the nature of processing and the information available to EvalFlow.

EvalFlow may charge reasonable fees for assistance that requires significant manual effort, unless prohibited by law or otherwise agreed in writing.


16. Subprocessors

Customer gives EvalFlow general authorization to engage Subprocessors to process Personal Data in connection with the Service.

EvalFlow will maintain a list of Subprocessors in its Privacy Policy, Security page, or a dedicated Subprocessor List page.

EvalFlow will impose contractual obligations on Subprocessors that are materially no less protective than the obligations in this DPA.

EvalFlow remains responsible for Subprocessors’ processing of Personal Data to the extent required by Applicable Data Protection Laws.

EvalFlow may add or replace Subprocessors from time to time. Where required by Applicable Data Protection Laws, EvalFlow will provide notice of material Subprocessor changes by posting an updated list, sending notice, or using another reasonable method.

Customer may object to a new Subprocessor on reasonable data protection grounds by notifying EvalFlow in writing within ten (10) days of receiving notice or publication of the new Subprocessor.

If Customer reasonably objects and the parties cannot resolve the objection, Customer may stop using the affected feature or terminate the affected Service as Customer’s sole and exclusive remedy.


17. Current Categories of Subprocessors

EvalFlow may use Subprocessors for the following categories of services:

a. cloud hosting and infrastructure;
b. database and authentication services;
c. AI model/API services;
d. email delivery and notifications;
e. payment processing;
f. analytics and product usage monitoring;
g. customer support and CRM;
h. error tracking and logging;
i. file storage;
j. communication and collaboration integrations;
k. HRIS or productivity integrations enabled by Customer; and
l. security, monitoring, and operational tools.

EvalFlow may use Merge.dev or similar unified API providers to enable Customer-authorized HRIS and workplace software integrations.


18. International Transfers

Customer authorizes EvalFlow and its Subprocessors to process Personal Data in Canada, the United States, and other jurisdictions where EvalFlow or its Subprocessors operate.

Where Personal Data is transferred from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with data-transfer restrictions to a country that does not provide an adequate level of protection, the parties agree to use appropriate transfer safeguards.

For transfers from the EEA, the parties agree that the European Commission Standard Contractual Clauses may apply as the transfer mechanism where required. The European Commission issued modernized Standard Contractual Clauses under the GDPR for transfers from controllers or processors in the EU/EEA to recipients outside the EU/EEA.

For transfers from the United Kingdom, the parties agree that the UK International Data Transfer Addendum or another valid UK transfer mechanism may apply where required. The UK ICO explains that the UK Addendum allows organizations to rely on the EU SCCs for restricted transfers under the UK GDPR.

For transfers from Switzerland, the parties agree to apply appropriate safeguards required under Swiss data protection law, including Swiss-specific modifications to the SCCs where applicable.

Customer is responsible for determining whether Customer must complete a transfer impact assessment, employee notice, works council consultation, or other transfer-related compliance step.


19. Standard Contractual Clauses

Where the Standard Contractual Clauses are required, the parties agree as follows:

a. the applicable module will be determined by the roles of the parties under Applicable Data Protection Laws;
b. where Customer is a controller and EvalFlow is a processor, Module Two applies;
c. where Customer is a processor and EvalFlow is a subprocessor, Module Three applies;
d. Customer is the data exporter where Customer transfers Personal Data to EvalFlow from the EEA or otherwise makes Personal Data subject to the SCCs;
e. EvalFlow is the data importer where EvalFlow receives Personal Data in a country requiring transfer safeguards;
f. the details in this DPA constitute the required annexes to the SCCs; and
g. if there is a conflict between this DPA and the SCCs, the SCCs control to the extent of the conflict.

The parties agree that execution of the Agreement constitutes execution of the SCCs where required by Applicable Data Protection Laws.


20. Assistance with Compliance

Taking into account the nature of processing and information available to EvalFlow, EvalFlow will provide reasonable assistance to Customer with:

a. responding to Data Subject requests;
b. security obligations;
c. Security Incident assessment and notification;
d. data protection impact assessments;
e. prior consultation with supervisory authorities where required; and
f. documentation reasonably necessary to demonstrate compliance with this DPA.

EvalFlow may charge reasonable fees for assistance that requires significant manual effort, unless prohibited by law or otherwise agreed in writing.


21. Audits and Information Rights

EvalFlow will make available information reasonably necessary to demonstrate compliance with this DPA.

Customer may request reasonable security, privacy, and compliance documentation, including EvalFlow’s Security page, Privacy Policy, Subprocessor List, and relevant written responses to security questionnaires.

On-site audits are not permitted unless required by Applicable Data Protection Laws and only if the requested information cannot reasonably be provided through documentation or written responses.

Any audit must be:

a. subject to at least thirty (30) days’ prior written notice;
b. conducted during normal business hours;
c. limited to systems, documents, and personnel relevant to Customer’s Personal Data;
d. conducted in a way that does not compromise the security, confidentiality, or availability of EvalFlow’s systems or other customers’ data;
e. subject to confidentiality obligations;
f. conducted no more than once per year unless required by law or following a confirmed Security Incident affecting Customer; and
g. performed at Customer’s expense.

EvalFlow may refuse or limit any audit request that would create security risk, disclose information about other customers, reveal trade secrets, compromise confidential information, or unreasonably disrupt EvalFlow’s business.


22. Return and Deletion of Personal Data

During the Subscription Term, Customer may export certain Customer Data using available export features or request reasonable assistance from EvalFlow.

Customer is responsible for exporting Customer Data before termination or cancellation.

Upon termination, expiration, or verified written deletion request, EvalFlow will delete or anonymize Personal Data from active systems and backups within ninety (90) days, unless retention is required by law or necessary for legitimate business records, security, fraud prevention, backup integrity, dispute resolution, tax, accounting, or the establishment, exercise, or defense of legal claims.

EvalFlow may retain aggregated, anonymized, or de-identified data that does not identify Customer, Authorized Users, employees, Data Subjects, or other individuals.

EvalFlow is not responsible for Personal Data exported by Customer, stored outside the Service, transmitted to third-party services, retained by Customer, or retained by third-party integrations enabled by Customer.


23. AI Processing

The Service may include AI Features that process Customer Data to generate, summarize, analyze, search, draft, recommend, or assist with HR and performance-management workflows.

EvalFlow does not use Customer Data to train generalized AI models for other customers.

EvalFlow may use third-party AI providers as Subprocessors. Depending on the provider and configuration, AI providers may temporarily process and retain limited inputs, outputs, metadata, or logs for abuse monitoring, security, legal compliance, or service operation purposes.

Customer remains responsible for:

a. determining whether AI Features are appropriate for Customer’s use case;
b. providing legally required notices to employees or other Data Subjects;
c. ensuring that AI outputs are reviewed by qualified humans;
d. ensuring that AI Features are not used as the sole basis for decisions producing legal or similarly significant effects on individuals; and
e. complying with employment, labor, anti-discrimination, workplace monitoring, privacy, and AI laws applicable to Customer.

AI outputs are not legal, HR, employment, compliance, medical, financial, or professional advice.


24. Regulated and High-Risk Use

Customer must not use the Service or AI Features as the sole basis for decisions involving hiring, firing, promotion, demotion, compensation, discipline, legal claims, workplace investigations, eligibility, credit, housing, insurance, healthcare, education, or other decisions that produce legal or similarly significant effects on individuals.

Customer must ensure meaningful human review of AI-assisted outputs before using them in any employment-related process.

Customer is solely responsible for validating AI outputs and ensuring that Customer’s use of the Service complies with applicable employment, labor, human rights, anti-discrimination, privacy, and AI laws.


25. Government and Law Enforcement Requests

If EvalFlow receives a government, regulator, court, law enforcement, or similar request for Personal Data processed on behalf of Customer, EvalFlow will, where legally permitted, notify Customer.

EvalFlow may disclose Personal Data where required by law, court order, subpoena, legal process, or governmental request.

EvalFlow will use commercially reasonable efforts to limit disclosure to what is legally required.


26. Data Accuracy

Customer is responsible for the accuracy, completeness, quality, relevance, and legality of Personal Data submitted to the Service.

EvalFlow has no obligation to verify Personal Data entered by Customer or Authorized Users.

Customer is responsible for correcting or deleting inaccurate Personal Data through the Service or by requesting assistance from EvalFlow where reasonably necessary.


27. Liability

Each party’s liability under this DPA is subject to the limitations, exclusions, and liability caps in the Agreement.

For clarity, EvalFlow’s total aggregate liability arising out of or relating to this DPA, Personal Data, Security Incidents, privacy claims, data protection claims, AI processing, Subprocessors, or international transfers is subject to the liability cap in the Agreement.

Nothing in this DPA limits liability where such limitation is prohibited by Applicable Data Protection Laws.


28. Indemnity

Customer will defend, indemnify, and hold harmless EvalFlow, its directors, officers, employees, contractors, agents, representatives, Affiliates, and Subprocessors from and against any claims, damages, liabilities, losses, fines, penalties, costs, and expenses, including reasonable legal fees, arising out of or relating to:

a. Customer’s violation of Applicable Data Protection Laws;
b. Customer’s failure to provide required notices, consents, approvals, legal bases, or authorizations;
c. Customer’s submission of Sensitive Data;
d. Customer’s employment, HR, disciplinary, compensation, promotion, termination, or workplace decisions;
e. Customer’s instructions to EvalFlow;
f. Customer’s use of AI Features;
g. Customer’s integrations or third-party services;
h. Customer’s failure to respond to Data Subject requests; or
i. Customer’s processing of Personal Data through the Service.


29. Changes to this DPA

EvalFlow may update this DPA from time to time to reflect changes in law, the Service, subprocessors, security measures, or business operations.

EvalFlow will provide notice of material changes by posting an updated DPA, sending email, providing in-app notice, or using another reasonable method.

Customer’s continued use of the Service after the updated DPA becomes effective constitutes acceptance of the updated DPA.

If Customer objects to a material change, Customer must notify EvalFlow in writing. The parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the affected Service as its sole and exclusive remedy.


30. Contact

Questions about this DPA or data protection matters may be sent to:

Logiciel EvalFlow Inc.
Operating as EvalFlow
Email: info@evalflow.com
Website: https://www.evalflow.com


Annex A — Processing Details

A.1 Subject Matter

EvalFlow’s processing of Personal Data to provide the EvalFlow performance management platform and related services to Customer.

A.2 Duration

The duration of the Agreement and any additional period required for deletion, backup retention, legal compliance, dispute resolution, security, or the establishment, exercise, or defense of legal claims.

A.3 Nature and Purpose

Hosting, storing, organizing, retrieving, transmitting, securing, analyzing, displaying, backing up, deleting, supporting, and otherwise processing Personal Data to provide the Service, including performance management, feedback, reviews, goals, OKRs, recognition, pulse surveys, one-on-one meetings, analytics, AI-assisted workflows, integrations, notifications, support, security, and maintenance.

A.4 Categories of Data Subjects

Customer employees, contractors, managers, administrators, executives, HR personnel, invited users, Authorized Users, and other individuals whose data is submitted to the Service by or on behalf of Customer.

A.5 Categories of Personal Data

Names, email addresses, job titles, departments, reporting relationships, employee profile information, goals, OKRs, performance feedback, reviews, ratings, recognitions, survey responses, one-on-one meeting notes, tasks, projects, comments, AI prompts, AI outputs, usage logs, authentication metadata, permissions, audit logs, and integration data enabled by Customer.

A.6 Sensitive Data

Sensitive Data is prohibited unless expressly authorized in writing by EvalFlow.


Annex B — Technical and Organizational Measures

EvalFlow’s technical and organizational measures may include:

a. encryption in transit;
b. encryption at rest;
c. tenant isolation;
d. database-level row-level security;
e. role-based access controls;
f. least-privilege access;
g. access restrictions for personnel;
h. authentication controls;
i. logging and monitoring;
j. backup and recovery controls;
k. secure secret management;
l. secure development practices;
m. incident response procedures;
n. subprocessor contractual controls;
o. security review of critical systems; and
p. organizational confidentiality obligations.

EvalFlow may update these measures from time to time, provided that updates do not materially reduce the overall level of protection for Personal Data.


Annex C — Subprocessor Categories

EvalFlow may use Subprocessors in the following categories:

a. cloud hosting and infrastructure;
b. database and authentication;
c. AI model/API services;
d. payment processing;
e. email delivery;
f. customer support and CRM;
g. analytics and product usage monitoring;
h. error logging and performance monitoring;
i. file storage;
j. communication integrations;
k. HRIS integrations;
l. productivity integrations; and
m. security and operational tools.

EvalFlow should maintain a separate Subprocessor List identifying the current Subprocessors used to provide the Service.