This Data Processing Addendum ("DPA") governs Developum AI Inc.'s processing of Personal Data on behalf of Customer in connection with the EVOLUM platform and other Developum services. It is incorporated into and forms part of our Terms of Service. If Customer requires a signed DPA for internal records, the version at this URL is available on request as an executable document via security@developumaiengine.com.
This DPA is provided as a plain-language reference. It reflects our operational reality. Customers with specific regulatory obligations (large-enterprise GDPR obligations, healthcare data, government contracts) should engage us via email to negotiate a bespoke DPA where required.
Terms used in this DPA have the meanings given in the GDPR unless otherwise defined. For clarity:
Under this DPA, Customer is the data controller and Developum is the data processor for Personal Data submitted to the platform. Each party shall comply with its respective obligations under applicable data-protection law.
Developum processes Personal Data solely to provide the EVOLUM service Customer has subscribed to. This includes:
Developum does not use Personal Data for advertising, does not train external AI models on it, and does not sell it.
Customer authorizes Developum to engage the sub-processors listed at /subprocessors to help deliver the service. That list is kept current. Developum will:
Developum implements the technical and organizational measures documented in our Security Overview and Trust Center. In summary:
Where Customer receives a request from a data subject to exercise their rights (access, rectification, erasure, portability, restriction, objection), Developum will assist Customer to the extent reasonably possible. Customer is responsible for verifying the requestor's identity and responding within regulatory deadlines.
Developum-facilitated requests can be initiated at privacy@developumaiengine.com.
Developum will notify Customer without undue delay — and in any event within 72 hours of becoming aware — of any Personal Data Breach affecting Customer's data. The notification will describe the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed to address it.
Where Personal Data is transferred outside the EEA, UK, or Switzerland, Developum relies on the Standard Contractual Clauses ("SCCs") published by the European Commission and, for UK transfers, the UK International Data Transfer Addendum, in each case as incorporated by reference into this DPA. Copies available on request.
Upon termination of the underlying service, Developum will, at Customer's choice, delete or return all Personal Data within 30 days of termination, subject to any legal obligation to retain certain records. Backups containing Customer data are overwritten in the normal rotation cycle (documented in the DR/BCP).
Customer may audit Developum's compliance with this DPA once per calendar year with 30 days' written notice. Developum will provide reasonable access to relevant records, personnel, and facilities, subject to confidentiality. Where Developum has undergone or engages a third-party audit (including future SOC-2 Type II attestation), the resulting report may satisfy this obligation.
For all DPA-related matters, contact privacy@developumaiengine.com.