Data Processing Agreement

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
• "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
• "Data Controller" means the Customer, who determines the purposes and means of processing Personal Data.
• "Data Processor" means Evidence Pack, which processes Personal Data on behalf of the Controller.
• "Sub-processor" means a third-party service provider engaged by the Processor to assist in processing Personal Data.
• "Data Subject" means the individual whose Personal Data is processed (e.g., security guards, supervisors, employees, or individuals named in incident reports).

Evidence Pack processes Personal Data solely to provide the security operations platform as described in the Terms of Service. This includes:

• GPS-verified guard check-ins and patrol tracking
• Incident report creation, storage, and retrieval
• Scheduling, timekeeping, and payroll data management
• Photo and evidence documentation
• Client portal access and report sharing
• AI-powered report professionalization and compliance checking
• Communication and notification delivery

The following categories of Personal Data may be processed:

• Guard/Employee Data: Names, email addresses, phone numbers, GPS location data, check-in/check-out timestamps, assigned sites, and work schedules.
• Incident Report Data: Descriptions of events, names of individuals involved, contact information, physical descriptions, injury details, and photographic evidence.
• Account Data: Organization name, administrator names, email addresses, and billing information.
• Technical Data: IP addresses, device information, browser type, and usage logs.

Evidence Pack shall:

• Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
• Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS) and at rest (AES-256).
• Not engage any Sub-processor without prior written authorization of the Controller, except for those listed in Section 8.
• Assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection laws.
• Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.
• Delete or return all Personal Data upon termination of the agreement, at the Controller's election, unless retention is required by law.
• Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits upon reasonable notice.

The Customer (Controller) shall:

• Ensure that Personal Data is collected and provided to the Processor in compliance with applicable data protection laws.
• Provide clear processing instructions and promptly inform the Processor of any changes.
• Ensure that Data Subjects are informed about the processing of their Personal Data through appropriate privacy notices.
• Be responsible for the accuracy and legality of Personal Data submitted to the Service.

Evidence Pack will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including requests to:

• Access their Personal Data
• Rectify inaccurate data
• Erase Personal Data ("right to be forgotten")
• Restrict or object to processing
• Data portability (export in a machine-readable format)

The Controller is responsible for verifying the identity of Data Subjects making requests. Evidence Pack will respond to Controller instructions regarding such requests within 30 days.

Evidence Pack implements the following technical and organizational measures:

• Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest.
• Access Controls: Role-based access control (RBAC) ensuring users can only access data appropriate to their role.
• Authentication: Secure session management with HMAC-SHA256 signed tokens, PIN-based guard authentication.
• Infrastructure: Hosted on reputable cloud providers with SOC 2 compliance; regular backups and disaster recovery procedures.
• Monitoring: Logging of access and processing activities for audit purposes.
• Data Isolation: Multi-tenant architecture with organization-level data isolation.

The Controller authorizes the use of the following Sub-processors. Evidence Pack will notify the Controller at least 30 days before adding or replacing a Sub-processor:

The Controller may object to the appointment of a new Sub-processor within 14 days of notification.

Personal Data is processed and stored in the United States. If the Controller is located in a jurisdiction that restricts international data transfers, Evidence Pack will ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Any additional measures necessary to ensure the protection of Personal Data

Personal Data is retained in accordance with the Customer's subscription plan:

• Starter Plan: 6 Months
• Professional Plan: 1 year
• Business Plan: 3 years

Upon termination, the Controller may request export of their data within 30 days. After this period, all Personal Data will be permanently and securely deleted.

In the event of a Personal Data breach, Evidence Pack will:

• Notify the Controller without undue delay and in any event within 72 hours.
• Provide sufficient information to fulfill any obligation to report the breach.
• Cooperate with the Controller to assist in the investigation, mitigation, and remediation of the breach.

The Controller has the right to audit Evidence Pack's compliance with this DPA. Audits shall be conducted:

• Upon reasonable written notice (at least 30 days)
• During normal business hours
• No more than once per year, unless a data breach has occurred
• At the Controller's expense, unless the audit reveals material non-compliance

Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Terms of Service.

This DPA is effective for the duration of the Customer's use of Evidence Pack and shall automatically terminate upon termination of the Terms of Service. Obligations relating to data deletion, confidentiality, and breach notification shall survive termination.

This DPA shall be governed by the laws of the State of Michigan, without regard to its conflict of law provisions. For Customers located in the EEA, GDPR shall apply to the extent it governs the processing of Personal Data.

For questions or requests related to this Data Processing Agreement, please contact:

Evidence Pack
Data Protection Inquiries
info@getevidencepack.com