Part of the Everia Terms of Service
This Data Processing Agreement ("DPA") forms part of the Everia Terms of Service and applies whenever Everia processes Personal Data on behalf of a Customer in connection with the Everia platform. It is accepted automatically when you create an account or use the Services — no separate signature is required. Enterprise customers may request a countersigned copy at hello@everia.io.
1. Purpose & Roles
This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). For the purposes of this DPA:
Data Controller
The Customer
Determines the purposes and means of processing the Personal Data stored in its Everia workspace.
Data Processor
Everia (Zealtouch AB)
Processes Personal Data on behalf of the Customer, solely to provide the Everia Services.
2. Scope of Processing
Everia provides cloud-based software for project management, software planning, documentation, collaboration, AI-assisted productivity, and related services (the "Services").
Everia processes Personal Data solely for the purpose of providing the Services in accordance with the Customer's documented instructions and this Agreement.
3. Duration
This DPA remains in effect for as long as Everia processes Personal Data on behalf of the Customer.
4. Categories of Personal Data
Depending on how the Customer uses the Services, Everia may process:
Account Information
Full name, email address, and company name of authorized users.
Workspace Content
The Customer determines what is stored in its workspace: project data, documentation, comments, attachments, and other content submitted by authorized users.
Technical Information
Information necessary for operating the Services: authentication information, audit logs, IP addresses, browser and device information.
AI Requests
If AI-powered features are used, prompts and related workspace content necessary to generate AI responses.
5. Categories of Data Subjects
Personal Data processed under this DPA may relate to:
6. Nature of Processing
Everia performs processing activities including:
7. Processor Obligations
In accordance with Article 28(3) GDPR, Everia shall:
8. Security Measures
Everia implements appropriate technical and organizational measures designed to protect Personal Data (Article 32 GDPR), including:
9. Data Retention & Deletion
Customer data remains under the Customer's control throughout the subscription. When Customer data is deleted:
Backup retention. Deleted data may be retained in backup systems for up to three (3) months for disaster recovery purposes.
Immediate deletion requests. Upon an explicit Customer request, Everia will make commercially reasonable efforts to permanently delete Customer data without undue delay, except where retention is required by applicable law or where data remains within encrypted backup systems pending scheduled expiration.
After the applicable retention period, backup copies are permanently removed through normal backup rotation processes.
10. Subprocessors
The Customer grants Everia a general written authorization (Article 28(2) GDPR) to engage the subprocessors listed below to provide the Services. Everia requires its subprocessors to maintain appropriate safeguards for Personal Data through written agreements imposing data protection obligations no less protective than those in this DPA, and remains fully liable to the Customer for the performance of each subprocessor's obligations.
| Subprocessor | Purpose | Location / Hosting | Transfer Mechanism |
|---|---|---|---|
| Supabase | Database hosting, authentication, object storage, realtime services | EU (AWS, EU region) | Processing within the EEA; SCCs where applicable |
| Amazon Web Services (S3) | Storage of customer-uploaded files, media, and backups | EU region | SCCs / EU-U.S. Data Privacy Framework |
| Resend | Transactional email delivery | USA | Standard Contractual Clauses (SCCs) |
| Inngest | Background jobs and email scheduling | USA | Standard Contractual Clauses (SCCs) |
| OpenAI | AI-powered features requested by Customers | USA | Standard Contractual Clauses (SCCs) |
| Stripe | Payment processing and billing | USA | SCCs / EU-U.S. Data Privacy Framework |
Changes to subprocessors — notice & objection
Everia will provide at least ten (10) days' advance notice of the addition or replacement of any subprocessor, by updating the list published on this page and, where the Customer has subscribed to such notifications, by email. The Customer may object on reasonable, documented data protection grounds within the notice period; the parties will then work in good faith to find a mutually acceptable solution. If no solution can be found, the Customer may terminate the affected Services and will receive a pro-rata refund of any prepaid fees for the remaining subscription period.
11. International Data Transfers
Where Personal Data is transferred outside the European Economic Area, Everia shall ensure that appropriate safeguards are implemented, including Standard Contractual Clauses, adequacy decisions (including the EU-U.S. Data Privacy Framework where applicable), or other lawful transfer mechanisms as required under applicable data protection laws.
12. Confidentiality
Everia ensures that individuals authorized to process Personal Data are bound by appropriate confidentiality obligations.
13. Assistance with Data Subject Rights
Taking into account the nature of the processing, Everia shall provide reasonable assistance to enable the Customer to respond to requests concerning:
14. Personal Data Breaches
If Everia becomes aware of a Personal Data Breach affecting Customer Personal Data, Everia will notify the Customer without undue delay and provide available information necessary for the Customer to comply with applicable legal obligations (including Articles 33 and 34 GDPR).
15. Audits
Upon reasonable written request, Everia will provide information reasonably necessary to demonstrate compliance with this DPA. Where legally required, Customers may request a reasonable audit of Everia's compliance, provided that:
16. Return or Deletion of Data
Upon termination of the Services, the Customer can request to export its data prior to account closure.
Following termination, Everia will delete Customer Personal Data in accordance with the retention provisions described in this DPA unless applicable law requires continued retention.
17. Execution, Precedence & Governing Law
This DPA is incorporated into and forms part of the Everia Terms of Service. It is entered into and accepted by the Customer upon account creation or use of the Services — no separate signature is required for it to be legally binding.
In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA prevails. This DPA is governed by the laws of Sweden, and any dispute arising out of or in connection with it is subject to the exclusive jurisdiction of the Stockholm District Court (Stockholms tingsrätt), unless mandatory law provides otherwise.
Need a countersigned copy? Customers that require an executed copy of this DPA for vendor management or compliance records can request one at hello@everia.io. Download the current version as a PDF using the button above.
A. Annex A – Processing Summary
Purpose of Processing
Provision of cloud-based project management, documentation, collaboration, AI-assisted productivity, billing, authentication, and customer support services.
Categories of Personal Data
Name · Email address · Company name · Workspace content submitted by Customers · Technical and authentication information · AI prompts submitted by Customers
Categories of Data Subjects
Employees · Contractors · Administrators · Authorized users
Processing Activities
Collection, storage, retrieval, synchronization, collaboration, AI processing, backup, deletion, and restoration.
B. Annex B – Technical & Organizational Measures
Everia maintains security measures including:
§. Legal Entity & Contact
Data Processor
Zealtouch AB (Everia)
Registered Address
Baldergatan 10, 195 51 Märsta, Stockholm, Sweden
Version 1.1 · Effective July 9, 2026. See also our Privacy Policy and Terms of Service.