Version 2026-07-17 · operated by Wisepops
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms and governs Evarist's (Wisepops's) processing of personal data on behalf of the Customer.
1. Roles and scope
The Customer is the controller and Evarist (Wisepops) is the processor of visitor personal data collected through the Evarist tracker. We process that data only to provide the analytics service and only on the Customer's documented instructions, which comprise the Terms, this DPA, and the Customer's configuration and use of the product.
2. Sub-processors
The Customer authorises the sub-processors listed at /subprocessors. We will give notice before adding or replacing a sub-processor, and the Customer may object on reasonable data-protection grounds.
3. Security measures
We apply technical and organisational measures appropriate to the risk, including: strict logical isolation so each customer can access only their own data; storage of connection tokens in hashed form; masking of visitor IP addresses before storage; access controls on production systems; and encryption of data in transit.
4. International transfers
Personal data may be processed in the United States by our hosting provider (AWS). More generally, where any sub-processor listed at /subprocessors processes personal data outside the European Economic Area or the United Kingdom, the transfer relies on the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses, together with the UK International Data Transfer Addendum, as applicable.
5. Data-subject requests
Taking into account the nature of the processing, we assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects.
6. Personal-data breaches
We notify the Customer without undue delay after becoming aware of a personal-data breach affecting their data, with the information reasonably available to us to support the Customer's own notification obligations.
7. Deletion and return
On termination, and otherwise on the Customer's documented instruction, we delete or return the Customer's personal data, subject to the documented retention period (25 months for identifiable visitor data) and to any retention required by law.
8. Audit
We make available the information necessary to demonstrate compliance with this DPA. The Customer's audit right is satisfied through our security documentation and our responses to reasonable written questionnaires; on-site inspections are not provided unless required by law.
9. Duration
This DPA applies for as long as we process personal data on the Customer's behalf.
Terms · Privacy · DPA · Sub-processors