Evoro Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer") and EVORO INT LTD trading as Evoro, a company registered in England and Wales (no. 13376248), registered office 167-169 Great Portland Street, 5th Floor, London W1W 5PF ("Evoro") under which Evoro provides the Evoro service (the "Agreement").
It governs the Processing of Customer Personal Data by Evoro on behalf of the Customer. In the event of conflict, this DPA prevails over the Agreement on matters of data protection.
1. Definitions
Capitalised terms not defined here have the meaning in the Agreement.
- "Data Protection Laws" — all laws applicable to the Processing of Personal Data under the Agreement, including the UK GDPR, the Data Protection Act 2018, the EU GDPR (Regulation 2016/679) where applicable, and any successor or implementing legislation.
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", "Special Category Data", "Supervisory Authority" — as defined in the Data Protection Laws.
- "Customer Personal Data" — Personal Data contained within Customer Data that Evoro Processes on the Customer's behalf in providing the Services.
- "Customer Data" — data the Customer (or its users, or its connected systems) provides, connects or makes available to the Services, including call recordings, transcripts and connected CRM and telephony data, and outputs derived from it.
- "Sub-processor" — any third party engaged by Evoro (or an Evoro Affiliate) to Process Customer Personal Data in connection with the Services.
- "Restricted Transfer" — a transfer of Customer Personal Data to a country not subject to an adequacy decision under the applicable Data Protection Laws.
- "SCCs" — the EU Standard Contractual Clauses (Commission Decision 2021/914); "UK IDTA" — the UK International Data Transfer Agreement; "UK Addendum" — the UK Addendum to the SCCs, each as applicable.
- "TOMs" — the technical and organisational measures in Annex 2.
2. Roles, scope and instructions
2.1 As between the parties, the Customer is the Controller (or, where the Customer Processes Customer Personal Data on behalf of its own customers, a Processor) and Evoro is the Processor (or sub-processor). Each party complies with its obligations under the Data Protection Laws.
2.2 Evoro Processes Customer Personal Data only to provide and support the Services and on the Customer's documented instructions, including as set out in this DPA, the Agreement, the Order Form, the Documentation, and the Customer's use and configuration of the Services. Annex 1 sets out the subject-matter, duration, nature, purpose, data types and categories of Data Subjects.
2.3 Evoro will inform the Customer if, in its opinion, an instruction infringes the Data Protection Laws (without obligation to provide legal advice). Where Evoro is required by law to Process otherwise than on instruction, it will (unless legally prohibited) inform the Customer first.
2.4 Where Evoro Processes Personal Data for its own business purposes (e.g. website enquiries, sales, billing, account administration), Evoro acts as Controller, and that Processing is governed by the Evoro Privacy Policy, not this DPA.
3. Customer obligations and lawful basis
3.1 The Customer is responsible for the lawfulness of the Customer Data it provides and instructs Evoro to Process, including establishing a lawful basis, and for providing all required notices and obtaining any required consents — including call-recording notices, workplace-monitoring notices, and privacy notices to its staff, agents, callers, customers, prospects and other Data Subjects.
3.2 The Customer warrants it has the right to transfer, connect or make available the Customer Data to Evoro for Processing as contemplated by the Agreement.
4. Confidentiality
Evoro ensures that personnel authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations and access it only on a need-to-know basis to provide the Services.
5. Security
Evoro implements and maintains the technical and organisational measures in Annex 2, appropriate to the risk under Article 32, to protect Customer Personal Data against unauthorised or unlawful Processing, loss, destruction or damage. Evoro may update the TOMs provided the level of protection is not materially reduced.
6. Sub-processors
6.1 The Customer provides general authorisation for Evoro to engage the Sub-processors listed in Annex 3 to Process Customer Personal Data.
6.2 Evoro imposes on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, and remains liable for each Sub-processor's performance.
6.3 Evoro will give the Customer prior notice of any intended addition or replacement of a Sub-processor (by the means stated in the Order Form or Documentation). The Customer may object on reasonable data-protection grounds within the notice period; the parties will work in good faith to resolve it, failing which the Customer may terminate the affected Services.
6.4 AI Processing. Evoro does not permit third-party AI model providers (including Anthropic) to use Customer Data to train their general-purpose foundation models.
7. Data Subject rights
Taking into account the nature of the Processing, Evoro assists the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection). Evoro forwards to the Customer any request it receives directly relating to the Customer's Customer Personal Data and does not respond except on the Customer's instruction or as legally required.
8. Assistance
Taking into account the nature of Processing and the information available to it, Evoro assists the Customer in ensuring compliance with its obligations under Articles 32–36 (security, breach notification, data protection impact assessments and prior consultation).
9. Personal Data Breach
Evoro notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides the information reasonably available to enable the Customer to meet its own notification obligations (including under Articles 33–34).
10. Deletion and return
10.1 On expiry or termination of the Agreement, Evoro will, at the Customer's choice, delete or return the Customer Personal Data and delete existing copies, save where retention is required by law.
10.2 Default retention is as set out in the Privacy Policy retention schedule (see Annex 1), including: call recordings — 30 days from capture (unless an extended period is agreed in an Order Form); transcripts and derived data — for the subscription term plus a 30-day post-termination export window; system backups — a rolling 35-day cycle.
11. Audit
11.1 Evoro makes available to the Customer the information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates.
11.2 The Customer must give reasonable prior notice, conduct audits during business hours, no more than once per twelve months (unless required by a Supervisory Authority or following a Personal Data Breach), subject to confidentiality, without unreasonable disruption, and at the Customer's cost. Evoro may satisfy an audit request by providing third-party audit reports, certifications or a security summary where these reasonably address the request.
12. International transfers
12.1 Evoro may transfer and Process Customer Personal Data outside the UK/EEA as described in Annex 1 and the Privacy Policy. In particular, transcript content may be transferred to Anthropic in the United States to generate analysis.
12.2 For any Restricted Transfer, the parties enter into and comply with the applicable transfer mechanism — the SCCs, the UK IDTA, and/or the UK Addendum — which are incorporated by reference and completed as set out in Annex 4, together with any required transfer risk assessment. Where the SCCs apply, the relevant modules and the Annexes thereto are populated using Annex 1 (details of processing), Annex 2 (security measures) and Annex 3 (sub-processors) of this DPA.
13. Liability and precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. This DPA prevails over the Agreement to the extent of any conflict on data-protection matters; the SCCs/UK IDTA prevail over this DPA to the extent of any conflict.
14. General
14.1 Term. This DPA is coterminous with the Agreement and survives to the extent of any continuing Processing or retention obligation.
14.2 Governing law and jurisdiction. England and Wales (without prejudice to the governing law of any incorporated transfer mechanism).
14.3 Changes. Evoro may update this DPA to reflect changes in Data Protection Laws, guidance, Sub-processors or the Services, provided the level of protection is not materially reduced.
Annex 1 — Details of Processing
- Subject-matter: Evoro's provision of the Services under the Agreement.
- Duration: the term of the Agreement plus applicable retention periods (Clause 10 / the retention schedule below).
- Nature and purpose: capture, transcription, AI analysis, scoring, coaching support, follow-up support, reporting and decision-support across the Customer's service, sales and retention operations, and integration with the Customer's telephony and CRM systems.
- Types of Personal Data: call recordings; call transcripts; call metadata (phone numbers, times, durations, direction, agent identity); connected CRM data (accounts, contacts, opportunities/deals, cases, notes, follow-up activity); telephony/communications data from connected systems; user account data (name, work email, role, organisation, permissions, login details); derived data (summaries, topics, sentiment, scores, coaching signals, commitments, customer-risk indicators, decisions, reports); Customer corrections/feedback/outcomes; usage data and audit logs.
- Categories of Data Subjects: the Customer's staff, agents and users; the Customer's customers, callers and prospects; contacts within connected CRM systems.
- Special Category Data: not intended; the Service is not designed to Process Special Category Data, and the Customer instructs Evoro only to the extent the Customer has a lawful basis (Clause 3).
- Retention schedule (default): call recordings — 30 days from capture (extendable by Order Form); transcripts and derived data — subscription term + 30-day post-termination export window; system backups — rolling 35-day cycle; anonymised/aggregated insights — indefinitely (do not identify any individual); billing/tax records — 7 years.
Annex 2 — Technical and Organisational Measures
Evoro maintains measures including:
- Encryption of Customer Personal Data in transit and at rest;
- Role-based access controls and least-privilege access;
- Tenant-isolation controls enforcing separation of one Customer's data from another's, verified by structural controls;
- Audit logging of access and key actions;
- Backup and recovery processes with tested restoration;
- Monitoring and alerting (including application error and performance monitoring);
- Secure development practices and change control;
- Sub-processor due diligence and controls;
- Authentication and single sign-on via a managed identity provider;
- Key management for sensitive artefacts such as recordings.
Evoro may provide a security summary for customer due diligence on request.
Annex 3 — Approved Sub-processors
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Amazon Web Services (AWS) | Primary hosting, databases, storage, backups | United Kingdom |
| Fly.io | Application servers and edge | United Kingdom |
| Anthropic | AI inference for analysis of transcripts | United States |
| Speechmatics | Speech-to-text transcription, where used | United Kingdom |
| WorkOS | Authentication and single sign-on | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Application error and performance monitoring | United States |
This list mirrors the live sub-processor list in the Privacy Policy. Customers are notified of material changes per Clause 6.3.
The Customer's own telephony and CRM platforms — for example RingCentral, Microsoft, Salesforce or HubSpot — are the Customer's systems, not Evoro Sub-processors.
Annex 4 — Cross-border transfer mechanisms
For Restricted Transfers (notably transcript content to Anthropic, United States), the parties rely on:
- any applicable adequacy decision; and/or
- the EU SCCs as supplemented by the UK Addendum, and/or the UK IDTA, completed using Annexes 1–3 of this DPA;
together with a transfer risk assessment where required. Where this DPA is incorporated into an Order Form or other written agreement, the executed transfer-mechanism forms (with module selection, data-importer and data-exporter details, and docking and termination clauses completed) are appended to that agreement.
Regulated and UK-only option
Customers requiring that Personal Data never leave the UK — for example for AI inference — should contact Evoro to discuss available or planned regulated options. Any such arrangement must be agreed in an Order Form or written agreement. Unless expressly agreed, the standard Service may involve AI inference outside the UK as described above.
Contact
For questions about this DPA, contact privacy@evoro.io.
EVORO INT LTD trading as Evoro
167-169 Great Portland Street
5th Floor
London
England
W1W 5PF
ICO registration number: ZC175182
