Data Processing Agreement (DPA)
Last updated: 6/27/2026
1. Roles & Processing Details
Evnao (“Processor”) will process “Customer Data” on behalf of Customer (“Controller”). Each party will comply with applicable data protection laws (e.g. Jordan PDPL, GDPR, CCPA). The Processor will process Customer Data solely to perform the Services described in the TOS. Categories of data include Customer account data and end-user support content; categories of data subjects include the Customer’s employees and customers.
2. Customer Instructions
The Controller authorizes the Processor to process data as necessary to provide the Service. The Processor will follow written instructions from the Controller (e.g. configurations set in the admin panel). If a law requires the Processor to use data beyond these instructions, the Processor will notify the Controller unless legally barred.
3. Processor Obligations
- Confidentiality: Processor personnel are bound by confidentiality.
- Security: Processor will implement appropriate technical and organizational measures (e.g. encryption, access logs, intrusion detection).
- Data Subject Requests: If a data subject requests access or deletion of data, Processor will notify Controller and assist (but will not respond without instruction).
- Subprocessors: Controller authorizes existing subprocessors. Processor will contractually bind subprocessors to similar protections. Notice of changes to the Subprocessor List will be given 10 days in advance.
- Breaches: Processor will report any data security breach to Controller without undue delay. Processor will provide details and assistance for notifying regulators and data subjects as required by law (e.g. GDPR Article 33, Jordan PDPL Article 20).
4. Data Return/Deletion
Upon termination or expiration, Processor will delete or return all Customer Data as instructed by Controller, within 30 days. If law requires retention (e.g. accounting regulations), Processor will isolate such data until that law’s requirements are satisfied.
5. International Transfers
Controller instructs Processor to transfer data as needed for the Services. For EU data, Processor uses SCCs; for UK data, UK-addendum SCCs are used. Jordanian data will not be exported by Processor unless Controller consents in writing, as Jordan PDPL prohibits transfers to lower-protection jurisdictions.
6. CCPA/CPRA Provisions
If Controller’s Customer Data includes California personal information, the parties agree that Processor is a “service provider” under CCPA. Processor will not sell or share Personal Information, will use it only for Business Purposes, and will comply with Model Clauses for handling Consumer requests.
7. Audit Rights & Liability
Controller may audit Processor’s compliance once per year, subject to confidentiality, by providing reasonable notice. Alternatively, Processor may provide a third-party audit report (e.g. SOC2) to demonstrate compliance. Each party’s liability is governed by the TOS.
By using Evnao, Controller acknowledges this DPA and authorizes Evnao to engage subprocessors under these terms.