EcoVeraZ Data Processing Addendum — preliminary draft pending counsel review.

Data Processing Addendum

How EcoVeraZ processes Customer Personal Data on your behalf when you become a customer.

Preliminary draft — counsel review pending

This page is a starting draft prepared by EcoVeraZ ahead of qualified legal review. It is not a binding agreement and should not be relied on as legal advice. The counsel-reviewed version will be published at this URL with a confirmed effective date. For the current full draft or to discuss commercial terms, contact contact@ecoveraz.com.

Effective date: [pending counsel review] · Last updated: 2026-06-29 (draft) · Documents: Terms of Service · Privacy Policy · Data Processing Addendum

1. Scope and roles

This Data Processing Addendum ("DPA") forms part of the agreement between EcoVeraZ, Inc. ("EcoVeraZ", "Processor") and the customer ("Customer", "Controller") for use of the EcoVeraZ platform. It applies where EcoVeraZ processes Customer Personal Data on the Customer's behalf. For data where EcoVeraZ is the controller, the Privacy Policy applies.

2. Processing details

EcoVeraZ processes Customer Personal Data only to provide and support the platform, in accordance with the Customer's documented instructions and the agreement. The subject matter is the operation of the EcoVeraZ platform; the duration is the term of the agreement plus the retention periods below. Categories of data subjects and data are determined by the Customer and typically include the Customer's authorised platform users (name, email, role, tenant binding) and the operational and evidence data the Customer chooses to upload or connect.

3. Subprocessors

The Customer authorises EcoVeraZ to engage subprocessors to provide parts of the platform (for example hosting, monitoring, and email delivery). EcoVeraZ maintains a current subprocessor list available on request, imposes data-protection obligations on each subprocessor no less protective than this DPA, and remains responsible for their performance. EcoVeraZ will give notice of intended changes to subprocessors and a reasonable opportunity to object.

4. Security measures

EcoVeraZ applies technical and organisational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, audit logging, tenant isolation, and malware scanning of uploads. A summary of the security posture and supporting documentation is available to prospects and customers under NDA. See the Security page.

5. Data subject rights and assistance

Taking into account the nature of processing, EcoVeraZ will assist the Customer with appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligations to respond to data-subject requests and to meet the Customer's security, breach-notification, impact-assessment and consultation obligations under applicable data-protection law.

6. Personal data breach

EcoVeraZ will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to help the Customer meet its notification obligations.

7. International transfers

The platform is hosted in EcoVeraZ's primary region; a Customer may select a different primary region at onboarding where available. Where personal data is transferred across borders, transfers are governed by Standard Contractual Clauses (SCCs) or another lawful transfer mechanism, as applicable.

8. Audit

EcoVeraZ will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable confidentiality, scheduling and security conditions.

9. Return and deletion

On termination, EcoVeraZ will, at the Customer's choice, return or delete Customer Personal Data in accordance with the agreement, except where retention is required by law. Audit logs may be retained for a defined period to support security and compliance obligations.

10. Contact

For DPA questions or to request the current full draft, contact contact@ecoveraz.com.