Evarist

Version 2026-07-17 · operated by Wisepops

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms and governs Evarist's (Wisepops's) processing of personal data on behalf of the Customer.

1. Roles and scope

The Customer is the controller and Evarist (Wisepops) is the processor of visitor personal data collected through the Evarist tracker. We process that data only to provide the analytics service and only on the Customer's documented instructions, which comprise the Terms, this DPA, and the Customer's configuration and use of the product.

2. Sub-processors

The Customer authorises the sub-processors listed at /subprocessors. We will give notice before adding or replacing a sub-processor, and the Customer may object on reasonable data-protection grounds.

3. Security measures

We apply technical and organisational measures appropriate to the risk, including: strict logical isolation so each customer can access only their own data; storage of connection tokens in hashed form; masking of visitor IP addresses before storage; access controls on production systems; and encryption of data in transit.

4. International transfers

Personal data may be processed in the United States by our hosting provider (AWS). More generally, where any sub-processor listed at /subprocessors processes personal data outside the European Economic Area or the United Kingdom, the transfer relies on the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses, together with the UK International Data Transfer Addendum, as applicable.

5. Data-subject requests

Taking into account the nature of the processing, we assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects.

6. Personal-data breaches

We notify the Customer without undue delay after becoming aware of a personal-data breach affecting their data, with the information reasonably available to us to support the Customer's own notification obligations.

7. Deletion and return

On termination, and otherwise on the Customer's documented instruction, we delete or return the Customer's personal data, subject to the documented retention period (25 months for identifiable visitor data) and to any retention required by law.

8. Audit

We make available the information necessary to demonstrate compliance with this DPA. The Customer's audit right is satisfied through our security documentation and our responses to reasonable written questionnaires; on-site inspections are not provided unless required by law.

9. Duration

This DPA applies for as long as we process personal data on the Customer's behalf.

Terms · Privacy · DPA · Sub-processors