Zealtouch AB · GDPR Article 28

Data Processing Agreement

This DPA governs how Everia, operated by Zealtouch AB (Sweden), processes personal data on behalf of its customers — the Customer as Data Controller, Everia as Data Processor — in accordance with Article 28 of the GDPR (EU) 2016/679.

Article 28 GDPR
SCCs & DPF for transfers
30-day subprocessor notice
Swedish law

Version 1.1 · Effective July 9, 2026

Part of the Everia Terms of Service

This Data Processing Agreement ("DPA") forms part of the Everia Terms of Service and applies whenever Everia processes Personal Data on behalf of a Customer in connection with the Everia platform. It is accepted automatically when you create an account or use the Services — no separate signature is required. Enterprise customers may request a countersigned copy at hello@everia.io.

1. Purpose & Roles

This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). For the purposes of this DPA:

Data Controller

The Customer

Determines the purposes and means of processing the Personal Data stored in its Everia workspace.

Data Processor

Everia (Zealtouch AB)

Processes Personal Data on behalf of the Customer, solely to provide the Everia Services.

2. Scope of Processing

Everia provides cloud-based software for project management, software planning, documentation, collaboration, AI-assisted productivity, and related services (the "Services").

Everia processes Personal Data solely for the purpose of providing the Services in accordance with the Customer's documented instructions and this Agreement.

3. Duration

This DPA remains in effect for as long as Everia processes Personal Data on behalf of the Customer.

4. Categories of Personal Data

Depending on how the Customer uses the Services, Everia may process:

Account Information

Full name, email address, and company name of authorized users.

Workspace Content

The Customer determines what is stored in its workspace: project data, documentation, comments, attachments, and other content submitted by authorized users.

Technical Information

Information necessary for operating the Services: authentication information, audit logs, IP addresses, browser and device information.

AI Requests

If AI-powered features are used, prompts and related workspace content necessary to generate AI responses.

5. Categories of Data Subjects

Personal Data processed under this DPA may relate to:

Customer employees
Administrators
Contractors
Invited collaborators
Other users authorized by the Customer

6. Nature of Processing

Everia performs processing activities including:

CollectionStorageOrganizationRetrievalAuthenticationSynchronizationCollaborationSearchAI-assisted processingBackupRestorationDeletion

7. Processor Obligations

In accordance with Article 28(3) GDPR, Everia shall:

1
Process Personal Data only on documented instructions from the Customer, including with regard to transfers to third countries, unless required to do so by EU or Member State law — in which case Everia informs the Customer of that legal requirement before processing, unless that law prohibits it.
2
Immediately inform the Customer if, in Everia's opinion, an instruction infringes the GDPR or other applicable data protection law.
3
Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations.
4
Implement appropriate technical and organizational measures to protect Personal Data.
5
Notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer data.
6
Assist the Customer, where reasonably possible, in responding to requests from Data Subjects.
7
Assist the Customer in meeting obligations relating to security, breach notifications, and Data Protection Impact Assessments where applicable.
8
Delete or return Personal Data upon termination of the Services, subject to the retention provisions described in this Agreement.
9
Make available to the Customer information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits as described in Section 15.

8. Security Measures

Everia implements appropriate technical and organizational measures designed to protect Personal Data (Article 32 GDPR), including:

Encryption of data in transit using TLS
Encryption at rest via infrastructure providers where applicable
Role-based access controls
Authentication & authorization controls
Secure password storage
Daily database backups
Backup verification procedures
Infrastructure monitoring
Audit logging
Least privilege for administrative access
Secure software development practices
Regular security updates & vulnerability management

9. Data Retention & Deletion

Customer data remains under the Customer's control throughout the subscription. When Customer data is deleted:

Backup retention. Deleted data may be retained in backup systems for up to three (3) months for disaster recovery purposes.

Immediate deletion requests. Upon an explicit Customer request, Everia will make commercially reasonable efforts to permanently delete Customer data without undue delay, except where retention is required by applicable law or where data remains within encrypted backup systems pending scheduled expiration.

After the applicable retention period, backup copies are permanently removed through normal backup rotation processes.

10. Subprocessors

The Customer grants Everia a general written authorization (Article 28(2) GDPR) to engage the subprocessors listed below to provide the Services. Everia requires its subprocessors to maintain appropriate safeguards for Personal Data through written agreements imposing data protection obligations no less protective than those in this DPA, and remains fully liable to the Customer for the performance of each subprocessor's obligations.

SubprocessorPurposeLocation / HostingTransfer Mechanism
SupabaseDatabase hosting, authentication, object storage, realtime servicesEU (AWS, EU region)Processing within the EEA; SCCs where applicable
Amazon Web Services (S3)Storage of customer-uploaded files, media, and backupsEU regionSCCs / EU-U.S. Data Privacy Framework
ResendTransactional email deliveryUSAStandard Contractual Clauses (SCCs)
InngestBackground jobs and email schedulingUSAStandard Contractual Clauses (SCCs)
OpenAIAI-powered features requested by CustomersUSAStandard Contractual Clauses (SCCs)
StripePayment processing and billingUSASCCs / EU-U.S. Data Privacy Framework
Note: Google Analytics is used by Everia for its own website and product analytics in an independent controller capacity and does not process Customer workspace content on the Customer's behalf; it is therefore not a subprocessor under this DPA. Details are provided in the Privacy Policy.

Changes to subprocessors — notice & objection

Everia will provide at least ten (10) days' advance notice of the addition or replacement of any subprocessor, by updating the list published on this page and, where the Customer has subscribed to such notifications, by email. The Customer may object on reasonable, documented data protection grounds within the notice period; the parties will then work in good faith to find a mutually acceptable solution. If no solution can be found, the Customer may terminate the affected Services and will receive a pro-rata refund of any prepaid fees for the remaining subscription period.

11. International Data Transfers

Where Personal Data is transferred outside the European Economic Area, Everia shall ensure that appropriate safeguards are implemented, including Standard Contractual Clauses, adequacy decisions (including the EU-U.S. Data Privacy Framework where applicable), or other lawful transfer mechanisms as required under applicable data protection laws.

12. Confidentiality

Everia ensures that individuals authorized to process Personal Data are bound by appropriate confidentiality obligations.

13. Assistance with Data Subject Rights

Taking into account the nature of the processing, Everia shall provide reasonable assistance to enable the Customer to respond to requests concerning:

Access
Rectification
Erasure
Restriction of processing
Data portability
Objection to processing

14. Personal Data Breaches

If Everia becomes aware of a Personal Data Breach affecting Customer Personal Data, Everia will notify the Customer without undue delay and provide available information necessary for the Customer to comply with applicable legal obligations (including Articles 33 and 34 GDPR).

15. Audits

Upon reasonable written request, Everia will provide information reasonably necessary to demonstrate compliance with this DPA. Where legally required, Customers may request a reasonable audit of Everia's compliance, provided that:

Reasonable prior notice is given
The audit does not unreasonably interfere with Everia's operations
Confidentiality obligations are respected
The audit does not expose confidential information belonging to other Customers

16. Return or Deletion of Data

Upon termination of the Services, the Customer can request to export its data prior to account closure.

Following termination, Everia will delete Customer Personal Data in accordance with the retention provisions described in this DPA unless applicable law requires continued retention.

17. Execution, Precedence & Governing Law

This DPA is incorporated into and forms part of the Everia Terms of Service. It is entered into and accepted by the Customer upon account creation or use of the Services — no separate signature is required for it to be legally binding.

In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA prevails. This DPA is governed by the laws of Sweden, and any dispute arising out of or in connection with it is subject to the exclusive jurisdiction of the Stockholm District Court (Stockholms tingsrätt), unless mandatory law provides otherwise.

Need a countersigned copy? Customers that require an executed copy of this DPA for vendor management or compliance records can request one at hello@everia.io. Download the current version as a PDF using the button above.

A. Annex A – Processing Summary

Purpose of Processing

Provision of cloud-based project management, documentation, collaboration, AI-assisted productivity, billing, authentication, and customer support services.

Categories of Personal Data

Name · Email address · Company name · Workspace content submitted by Customers · Technical and authentication information · AI prompts submitted by Customers

Categories of Data Subjects

Employees · Contractors · Administrators · Authorized users

Processing Activities

Collection, storage, retrieval, synchronization, collaboration, AI processing, backup, deletion, and restoration.

B. Annex B – Technical & Organizational Measures

Everia maintains security measures including:

HTTPS/TLS encryption for all communications
Secure cloud-hosted infrastructure
Daily automated database backups
File and media backups stored separately
Access controls based on user roles
Authentication mechanisms
Logging and monitoring
Disaster recovery procedures
Secure deployment practices
Limited administrative access based on least privilege
Vendor management for subprocessors
Periodic review of security practices

§. Legal Entity & Contact

Data Processor

Zealtouch AB (Everia)

Registered Address

Baldergatan 10, 195 51 Märsta, Stockholm, Sweden

Version 1.1 · Effective July 9, 2026. See also our Privacy Policy and Terms of Service.

GDPR-ready from day one

Ready to get started with Everia?

Built in Sweden. Article 28 DPA included with every plan. Free to start — no credit card required.

Free plan forever. No credit card. Cancel anytime.