DATA PROCESSING AGREEMENT
1. DEFINITIONS
All capitalized terms not defined herein shall have the meaning set forth in the Agreement. The following additional definitions apply in this DPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
“Controller” means the Customer or the entity, alone or jointly with others, that determines the purposes and means of the Processing of Personal Data.
“Data Subject” means an identified or identifiable natural person.
“Data Protection Laws” means all applicable laws, regulations and binding regulatory requirements relating to privacy, data protection or the Processing of Personal Data in any jurisdiction in which Personal Data is Processed under the Agreement, including without limitation the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, Switzerland Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the CPRA and other applicable U.S. state privacy laws, Brazil LGPD, Canada PIPEDA, Singapore PDPA, Australia Privacy Act, South Africa POPIA, and any similar or successor legislation.
“Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed.
“Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by Evercam or its Sub-processors.
“Process”, “Processed” or “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means an entity that Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the European Commission Implementing Decision (EU) 2021/914, the UK International Data Transfer Addendum, or any other standard contractual clauses, model clauses, or approved transfer mechanisms adopted or approved by a competent authority for cross-border transfers of Personal Data and shall apply only where required under applicable Data Protection Laws.
“Sub-processor” means any third party processor engaged by Evercam or its Affiliates engaged in the Processing of Personal Data.
2. INTRODUCTION
- In providing the Services under the Agreement, Evercam may be required to process Personal Data on Customer’s behalf. The parties record their intention that Customer and its Affiliates (as applicable) shall be the Controller and Evercam shall be a Processor. The parties shall exercise their rights hereunder acting in good faith and in a reasonable manner.
- Customer (and any Affiliates) shall at all times comply with their respective obligations as Controller and shall be responsible for Processing of all Personal Data processed under or in connection with the Agreement by their Authorised Users in accordance with their obligations under applicable Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquires the Personal Data.
- Customer represents and warrants that it has a valid legal basis under applicable Data Protection Laws for the Processing of Personal Data under the Agreement including, where required, obtaining any necessary consents and shall cause appropriate notices to be provided to, Data Subjects, in each case that are necessary for Evercam to Process (and have Processed by Sub-processors) Personal Data under or in connection with this DPA in accordance with Data Protection Laws. Furthermore, Customer shall not, by act or omission, cause Evercam to violate Data Protection Laws, as a result of Evercam or its Sub-processors Processing the Personal Data in accordance with this DPA.
- Annex 1 to this DPA sets out information as required under Data Protection Laws regarding Evercam and its Sub-processors Processing of the Personal Data.
- Customer hereby instructs Evercam (and consents and authorises Evercam to instruct each Sub-processor) to process Personal Data as reasonably necessary for the provision of the Services.
3. DATA PROTECTION OBLIGATIONS
- To the extent that Evercam Processes Personal Data pursuant to the Agreement, Evercam warrants, represents and undertakes to Customer that it shall:
  - Process Personal Data only on the Customer’s documented instructions including the Agreement. Evercam will immediately inform Customer if, in its opinion, an instruction infringes Data Protection Laws or other data protection provisions;
  - Process any Personal Data only to the extent required to provide the Services and in such a manner and at all times in accordance with all Data Protection Laws, unless required to do otherwise by law, in which case, where legally permitted, Evercam shall inform Customer of such legal requirement before Processing;
  - not Process Personal Data for any purpose other than for the business purposes specified in the Agreement or otherwise retain, use or disclose Personal Data outside of the direct business relationship between Evercam and Customer;
  - taking into account the nature and extent of Processing, implement and maintain technical and organisational measures to ensure a level of security appropriate to the risk presented by Processing the Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data Processed;
  - Process Personal Data in any jurisdiction in which Evercam, its Affiliates, or Sub-processors operate, provided that such Processing complies with applicable Data Protection Laws and that appropriate safeguards are implemented where required for international transfers;
  - cooperate as reasonably requested by Customer to enable Customer to comply with any exercise of rights by a Data Subject under the Data Protection Laws in respect of Personal Data processed by Evercam under this DPA and shall implement and maintain appropriate technical and organisational measures to assist Customer in responding to such requests from Data Subjects and shall notify Customer promptly upon receipt of any such request from a Data Subject, to the extent legally required. Evercam will not respond to any request from a Data Subject except on the documented instructions of Customer or as required by law, in which case Evercam shall to the extent permitted by law inform Customer of that legal requirement before Evercam responds to the request;
  - upon Customer’s request, Evercam shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligations under Data Protection Laws, including with regards to data privacy impact assessments and consultations with supervisory authorities, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Evercam. Cooperation may include the provision of appropriate technical and organisational measures, where possible, through the Evercam Services and/or as outlined in the User Documentation. Any such reasonable assistance shall be at the cost of Customer;
  - maintain proper up to date records of any Personal Data Processed by or on behalf of Evercam pursuant to this DPA;
  - ensure that any person authorised to process the Customer’s Personal Data: (i) have committed themselves to appropriate contractual confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (ii) Processes the Personal Data solely on behalf and in accordance with the instructions from Customer; and (iii) are appropriately reliable, qualified, and trained in relation to their Processing of Personal Data;
  - appoint and identify to Customer a named individual within Evercam to act as a point of contact for any enquiries from Customer relating to Personal Data and cooperate in good faith with Customer concerning all such enquiries within a reasonable time period; and
  - at Customer's option within forty five (45) days of a request in writing to Evercam, either: (i) return to Customer (by way of Customer retrieving a final export via Evercam APIs); or (ii) Delete from its systems and records all Personal Data and any copies, records, analysis, memoranda or other notes to the extent containing or effecting any Personal Data, subject to any mandatory retention requirements under applicable law and standard backup retention cycles, provided such Personal Data remains subject to this DPA until securely deleted. Evercam shall provide a certificate of confirmation from a senior authorised representative of Evercam that this paragraph 3.1.11 has been complied with in full in accordance with Evercam procedures.
4. PERSONAL DATA BREACH
- Without prejudice to the other provisions of this DPA, Evercam shall promptly upon becoming aware and in any event within twenty four (24) hours of becoming aware of a confirmed Personal Data Breach affecting Personal Data Processed under this DPA, notify Customer of the Personal Data Breach where the Personal Data Breach directly affects Personal Data Processed under this DPA or the Services being offered to Customer.
- Evercam shall, at no additional cost to Customer (save that Customer shall reimburse Evercam's reasonable costs where Evercam has complied fully with its obligations under this DPA and such Personal Data Breach is not due to Evercam default or neglect), provide sufficient information and assistance to Customer in ensuring compliance with its obligations in relation to notification of Personal Data Breaches, and communication of Personal Data Breaches to Data Subjects where the breach is likely to result in a high risk to the rights of such Data Subjects, and take such reasonable commercial steps, taking into account the nature of the breach and the information available to Evercam, as are directed by Customer to assist in the investigation, mitigation and remediation of such Personal Data Breach.
- Evercam shall assess and document Personal Data Breaches and maintain records sufficient to demonstrate compliance with applicable Data Protection Laws.
5. UNITED STATES STATE PRIVACY LAWS
- To the extent Evercam Processes Personal Data subject to applicable United States state privacy laws (including without limitation the CCPA/CPRA and similar laws in other states), the following provisions apply:
- Roles of the Parties. To the extent required by applicable U.S. state privacy laws, Evercam shall act as a “Processor” or “Service Provider” (as applicable) and Customer shall act as a “Controller” or “Business”.
- Responsibilities. The parties agree that Evercam will Process Personal Data as a Service Provider strictly for the purpose of performing the processing activities ("Business Purpose") or as otherwise permitted by the CCPA.
- Evercam will process Personal Data on behalf of the Customer and not retain, use, or disclose that data for any purpose other than the Business Purpose, as otherwise set out in the Agreement or as permitted under the CCPA;
- In no event will Evercam sell, retain, use, or disclose any Personal Data made available by Customer other than for the Business Purpose, as otherwise set out in the Agreement or as permitted under the CCPA;
- Evercam certifies that it understands all its contractual restrictions and will comply with them;
- Evercam shall not “sell” or “share” Personal Data as those terms are defined under applicable U.S. privacy laws, except as instructed by Customer; and
- the parties understand that the CCPA remains subject to amendment and regulations that have not yet been promulgated and agrees to comply with such amendments and regulations when they become effective, subject to Evercam’s right to terminate the Agreement if the CCPA materially impacts the processing activities or Evercam’s rights and obligations under the Agreement.
6. SUB-PROCESSORS
- Customer confirms its prior general consent to sub-processing of the Personal Data by Evercam’s current Sub-processors, an up to date list of which is maintained by Evercam and set out in Annex 1 and which may be updated in accordance with Clause 6.2. The Sub-processor list shall include the identities of the Sub-processors, their country of location as well as a description of the processing they perform. Evercam may engage Sub-processors located in any jurisdiction, provided that appropriate safeguards are implemented where required under applicable Data Protection Laws and Evercam complies with the requirements of clause 6.2.
- Evercam shall provide Customer with written notice with sufficient detail of any proposed additional or replacement Sub-processors prior to the introduction of any such addition or replacement. Customer may, acting reasonably, object to any particular proposed Sub-processor. If no written objections have been received within thirty (30) calendar days of the date of notice, the proposed Sub-processor shall be deemed accepted.
- Evercam shall ensure that: (i) it shall enter into an agreement with the Sub-processor and the terms governing the engagement between Evercam and any Sub-processor are not less protective with respect to Processing of Personal Data compared to the provisions of this DPA and any other relevant provisions of the Agreement to the extent those requirements are applicable to the nature of the services provided by the Sub-processor; and (ii) Evercam will remain responsible and liable for the Sub-processor’s compliance with its obligations and for any acts or omissions of such Sub-processor.
7. DATA TRANSFERS
- Where the Processing of Personal Data involves a transfer to a jurisdiction that does not provide an adequate level of protection under applicable Data Protection Laws, Evercam shall implement appropriate safeguards as required by such laws. Such safeguards may include:
  - EU Standard Contractual Clauses (2021/914);
  - UK International Data Transfer Addendum;
  - other approved contractual clauses;
  - binding corporate rules;
  - certification mechanisms; or
  - any other legally recognized transfer mechanism.
- The applicable transfer mechanism shall depend on the origin of the Personal Data and the relevant Data Protection Laws. Where required under applicable Data Protection Laws, Evercam shall conduct and document an assessment of the laws and practices of the destination jurisdiction and implement supplementary measures where necessary to ensure an essentially equivalent level of protection.
- Without limiting the generality of the foregoing, Evercam will enter into (and will cause its Sub-processors to enter into) any additional agreements or adhere to any additional contractual terms and conditions related to the Processing, including cross border data transfer of Personal Data as necessary to comply with Data Protection Laws.
8. AUDIT
- Subject to Clause 8.2 and to the extent required by applicable Data Protection Laws, Customer shall have the right to audit Evercam systems, processes, and procedures relevant to the protection of Personal Data.
- An audit under this Clause 8 shall be: (i) carried out no more than once in any twelve (12) month period during the Term (unless it needs to be carried out more than once a year to comply with a request from an authority or a legal or regulatory obligation on the part of the Controller); (ii) conducted during Business Hours over the course of one Business Day; (iii) subject to a minimum thirty (30) days’ prior written notice; and (iv) in relation to the Customer’s Personal Data only. Evercam shall grant to Customer (or representatives of Customer that are not competitors of Evercam) a right of access to Evercam’s premises and/or systems during Business Hours for the purpose of such audit, and Evercam shall give such necessary assistance to the conduct of such audits.
- Customer shall bear any and all expenses incurred by Evercam in respect of any such audit and any such audit shall not interfere with the normal and efficient operation of Evercam’s business. Evercam may require, as a condition of granting such access, that Customer (and representatives of Customer) enter into reasonable confidentiality undertakings with Evercam. The parties will work cooperatively to agree an audit plan, scope and timing in advance of any audit.
- If the scope of the audit is addressed in an ISO 27001 or similar audit report performed by a qualified third party auditor within the previous twelve (12) months, and Evercam data protection or other relevant officer certifies in writing there are no known material changes in the controls audited, Customer shall agree to accept those reports in lieu of requesting an audit of the controls covered by the report. Evercam will reasonably cooperate with and assist Customer where a Regulator requires an audit of Evercam’s Processing of Personal Data in order to ascertain or monitor Customer’s compliance with Data Protection Laws.
9. INDEMNITY
Each party shall indemnify the other party (“Indemnified Party”) from and against any and all third party claims, suits, demands and actions and for resulting damages, awards of damages, losses, costs, and expenses (including but not limited to reasonable legal and professional fees but excluding administrative fines or penalties imposed directly on the Indemnified Party unless and to the extent caused by the indemnifying party’s breach of this DPA) incurred by a party that result or arise from any breach by a party of the terms and conditions of this DPA and/or Data Protection Laws. Such breaching party shall be liable on a comparative basis for the portion of those damages directly attributable to its breach of its obligations and the indemnity shall be subject to the limitations of liability in the Agreement. If any third party makes a claim against the Indemnified Party, or notifies an intention to make a claim against the Indemnified Party, the Indemnified Party shall: (i) give written notice of the claim against the Indemnified Party to the indemnifying party as soon as reasonably practicable; (ii) not make any admission of liability in relation to the claim against Indemnified Party without the prior written consent of the indemnifying party; (iii) at the indemnifying party’s request and expense, allow the indemnifying party to conduct the defence of the claim against the Indemnified Party including settlement; and (iv) at the indemnifying party’s expense, co-operate and assist to a reasonable extent with the indemnifying party’s defence of the claim against the Indemnified Party.
10. CHANGES IN DATA PROTECTION LAWS
Evercam may propose variations to this DPA which Evercam reasonably considers to be necessary to address the requirements of any Data Protection Laws. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified as soon as is reasonably practicable. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Evercam to comply with Data Protection Laws.
11. TERM AND TERMINATION
- This DPA will remain in full force and effect so long as:
  - the Agreement remains in effect; or
  - the Processor retains any of the Personal Data related to the Agreement in its possession or control.
- Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect the Personal Data will remain in full force and effect.
12. GOVERNING LAW
- Except where required by applicable Standard Contractual Clauses or mandatory law, this DPA shall be governed by the governing law and jurisdiction specified in the Agreement.
Annex 1
Details of Processing of Personal Data
- Subject matter and duration of the Processing of Personal Data
The subject-matter of the Processing is the Processing of Personal Data by Evercam on behalf of Customer for the purpose of providing the Services under the Agreement. The duration of the Processing of Personal Data is set out in the Agreement.
- The nature and purpose of the Processing of Personal Data
Evercam will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by the Customer in its use of the Services.
- The types of Personal Data to be Processed
Personal Data relating to the following types of data categories. The types of Personal Data may change from time to time, according to any additional or amended Services to be provided by Evercam.
- Name;
- Email address;
- Job title;
- License Plate (in case Gate Report is in use);
- Logfiles (including IP address for log-in and out);
- Accidental capture of individuals operating within the boundaries of construction site;
- Facial images (in case PPE detection tool is in use) solely for safety compliance detection purposes and not for biometric identification unless expressly agreed in writing.
- The categories of Data Subject to whom Personal Data relates
Personal Data relating to the following type of Data Subjects:
- Authorised Users (as defined in the Agreement)
- Customer’s customers
- Incidental capture of individuals within recorded construction site areas via reality capture tools
- The obligations and rights of Customer
These are as set out in the Agreement and this DPA.
Evercam may provide notice of change to these provisions where an update is required due to changes to services or changes required due to applicable Data Protection Laws, including the interpretation thereof.
List of current Sub-processors
Hetzner
Location: Am Datacenter-Park 1, 08223 Falkenstein/Vogtland, Germany
Reason: data storage
Categories of personal data: site images captured by cameras including personal data thereon.
Contact: support@hetzner.com
AWS
Location: 4033 Citywest Avenue, Cooldown Commons, County Dublin, Ireland
Reason: data storage
Categories of personal data: names and email addresses used during registration on Evercam platform; Evercam log files.
- Name
- Company
- License Plate
- Position
- Visual recording
- Logfiles (including log-in and out)
Contact: support@aws.com
Heroku
Location: managed within AWS servers in Ireland
Reason: data storage
Categories of personal data: our main database is hosted there including names (project and users) and email addresses used during registration on Evercam platform.
- Name
- Company
- License Plate
- Position
- Visual recording
- Logfiles (including log-in and out)
Contact: support@heroku.com
IDrive E2
IDrive is used only when a client specifically requests local storage from a location outside the European Union (USA, UK).
Locations:
United States: Chicago
United Kingdom: London
Reason: data storage
Categories of personal data: site images captured by cameras including personal data thereon
Contact: support@idrive.com
Annex 2
Information for International Transfers
This Annex applies only where the EU Standard Contractual Clauses or UK Addendum are required under applicable Data Protection Laws.
Categories of data subjects whose personal data is transferred
As described in Annex 1.
Categories of personal data transferred
As described in Annex 1.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
As described in Annex 1.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Data is transferred on a continuous basis during the term of the Agreement, unless otherwise specifically agreed elsewhere between Customer and Evercam.
Nature of the processing
Evercam will Process Personal Data as necessary to perform the Services pursuant to the Agreement as further instructed by Customer and/or its Affiliates by virtue of using the Services, including storage, organisation, structuring, disclosure by transmission, dissemination or making available, and other forms of processing.
Purpose(s) of the data transfer and further processing
The Purpose of the data transfer and processing by Evercam is to provide the Services to Customer and, as applicable, its Affiliates, as further specified in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As a Processor, Evercam retains Personal Data it collects or receives from the Customer for the duration of the Agreement and consistent with its obligations under applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Evercam uses Sub-processors and will engage Sub-processors solely as necessary to provide the Services to Customer and, as applicable, its Customer Affiliates, and Sub-processors will carry out any processing of personal data only as necessary for such purposes and as further instructed by Customer and/or its Customer Affiliates by virtue of using the Services, including hosting, storage and other forms of processing. Such processing will be no longer than for the duration of the Agreement, unless otherwise agreed upon in writing.
For the purposes of the Standard Contractual Clauses:
- Clause 9(a) (Module 2 and 3, as applicable): The parties select Option 2. The time period is 30 days.
- Clause 11(a): The parties do not select the independent dispute resolution option.
- Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Ireland.
- Clause 18: The parties agree that the forum is Ireland.
- Annex I(A): The data exporter is Customer (defined above) and the data importer is Evercam (defined above).
- Annex I(B): The parties agree that Annex 1 describes the transfer.
- Annex I(C): The competent supervisory authority is the Irish Data Protection Commission.
For the purpose of localizing the Standard Contractual Clauses:
- United Kingdom
- For the purposes of transfers of personal data from the UK, the Parties agree to comply with the terms of Part 2: Mandatory Clauses of the Addendum, being the template UK International Data Transfer Addendum B.1.0 issued by the UK Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses. The Parties also agree that the information included in Part 1 of the Addendum shall be as set out above. The parties also agree that the Exporter and Importer may end the Addendum as set out in Section 19 of the Addendum.
- The parties agree that the Standard Contractual Clauses are deemed amended to the extent necessary that they operate for transfers from the United Kingdom to a Third Country and provide appropriate safeguards for transfers according to Article 46 of the United Kingdom General Data Protection Regulation (“UK GDPR”). Such amendments include changing references to the GDPR to the UK GDPR and changing references to EU Member States to the United Kingdom.
- Clause 17: The parties agree that the governing jurisdiction is the United Kingdom.
- Clause 18: The parties agree that the forum is the courts of England and Wales. The parties agree that Data Subjects may bring legal proceedings against either party in the courts of any country in the United Kingdom.