Data Processing Agreement
Last updated: 1 June 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Evaluat Digital Limited (“Evaluat”, “we”, “us”, “our”) and the customer (“Customer”, “you”, “your”) that is bound by our Terms & Conditions (the “Terms”). It governs our processing of personal data contained in your Customer Content when we act as your processor, as described in our Privacy Policy and the Terms.
This DPA applies automatically, without separate signature, whenever the Terms apply to you and we process personal data on your behalf. If you require a signed copy, contact privacy@evaluat.com and we will provide a counterpart for signature. Capitalised terms used but not defined in this DPA have the meaning given in the Terms.
For Customer Personal Data, you act as the controller and we act as your processor. Where you are yourself a processor acting for a third-party controller, references to the controller apply to that third party, and you confirm that you have its authority to engage us as a sub-processor on these terms.
1. Definitions and interpretation
In this DPA:
- “Customer Personal Data” means the personal data contained in Customer Content that we process on your behalf in providing the Service.
- “Customer Content” has the meaning given in the Terms, and includes the test scenarios, Target Systems and any credentials you supply for them, datasets, executions, console and network logs, session recordings, screenshots, and results that you and your Authorised Users upload, configure, or generate using the Service.
- “Data Protection Laws” means all laws relating to data protection and privacy that apply to our processing of Customer Personal Data under this DPA, including the UK GDPR, the Data Protection Act 2018, and, where it applies to you, the EU GDPR, in each case as amended or replaced.
- “UK GDPR” means the General Data Protection Regulation as it forms part of the law of the United Kingdom, and “EU GDPR” means Regulation (EU) 2016/679.
- “Restricted Transfer” means a transfer of Customer Personal Data to a country outside the UK or the EEA that is not covered by an adequacy decision or adequacy regulation.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Decision (EU) 2021/914.
- “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, and “UK IDTA” means the UK International Data Transfer Agreement, as applicable.
- “Sub-processor” means a third party we engage to process Customer Personal Data in providing the Service.
The terms “controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing”, and “supervisory authority” have the meanings given in the UK GDPR. Other capitalised terms (including Service, Authorised User, Order, Team, Target System, Fees, and Documentation) have the meaning given in the Terms. This DPA is to be read consistently with the Data Protection Laws.
2. Roles and scope
- Our roles. For Customer Personal Data, you are the controller and we are your processor. Where you act as a processor for a third-party controller, we act as your sub-processor, and you warrant that you have that controller’s authority to give the instructions and authorisations in this DPA.
- Our own processing. This DPA does not cover personal data for which we are the controller (for example, account, billing, and website-visitor data). That processing is described in our Privacy Policy.
- Scope and details. This DPA applies to our processing of Customer Personal Data in connection with providing the Service under the Terms. The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex 1.
3. Processing on your instructions
- We process Customer Personal Data only on your documented instructions, including in relation to transfers, unless we are required to process it by UK or EU law to which we are subject. In that case, we will inform you of the legal requirement before processing, unless the law prohibits this on important grounds of public interest.
- Your instructions are made up of the Terms, this DPA, your Order, your configuration and use of the Service, and any further written instructions you give us. The Service is designed to be operated by you, and your use of it is an instruction to process Customer Personal Data as needed to provide the Service.
- If we cannot process Customer Personal Data in line with your instructions, we will tell you without undue delay.
4. If an instruction may infringe the law
We will inform you without undue delay if, in our opinion, an instruction infringes the Data Protection Laws. We may suspend the affected processing until the instruction is confirmed, changed, or withdrawn. We are not obliged to give you legal advice or to monitor your instructions for compliance.
5. Your responsibilities as controller
- Lawful basis and notices. You are responsible for having a lawful basis to process Customer Personal Data and to have us process it, and for giving any privacy notices and obtaining any consents that data subjects require.
- Lawful instructions. You warrant that your instructions, and our processing of Customer Personal Data on them, comply with the Data Protection Laws, and that you have the right to transfer Customer Personal Data to us for processing.
- Special category and sensitive data. The Service is general performance-testing infrastructure and is not designed to handle special categories of personal data (Article 9 of the UK GDPR) or criminal-offence data. You must not enter such data, or other particularly sensitive data, into the Service unless you have first put in place any additional safeguards the law requires. Session recordings, screenshots, console and network logs, datasets, and Target System credentials can capture whatever your test journeys touch, so you are responsible for what your tests expose to the Service.
- Data minimisation. You are responsible for not sending us more personal data than your testing needs, and for using synthetic or de-identified data where practical.
6. Confidentiality
We ensure that the people we authorise to process Customer Personal Data are subject to a duty of confidentiality, whether a contractual duty or a statutory one, and that access is limited to those who need it to provide, support, or secure the Service.
7. Security
We implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to data subjects. Our current measures are described in Annex 2. We may update them from time to time, provided the level of protection is not materially reduced.
8. Sub-processors
- Your authorisation. You give us general authorisation to engage Sub-processors to process Customer Personal Data. The Sub-processors we currently use for this are identified in Annex 3 and on our Sub-processors list.
- Changes. Before we add or replace a Sub-processor that processes Customer Personal Data, we will give you at least 30 days’ notice by updating our Sub-processors list and, where you have asked to be notified, by email to your Account contact.
- Objection. You may object to a new Sub-processor on reasonable data-protection grounds within 30 days of our notice. We will work with you in good faith to resolve your concern. If we cannot, you may, as your sole remedy, terminate the part of the Service that requires that Sub-processor by giving us written notice.
- Terms and liability. We impose on each Sub-processor data-protection obligations that are substantially the same as those in this DPA, in particular as to security, and we remain fully liable to you for each Sub-processor’s performance of its obligations.
9. Assisting with data subject requests
- The Service gives you and your Authorised Users access to Customer Content through your Team, so that, taking into account the nature of the processing, you can locate, correct, or delete much of it yourself.
- Where you cannot do so through the Service, we will, taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from data subjects exercising their rights.
- If we receive a request from a data subject that relates to your Customer Personal Data, we will not respond to it directly, except to confirm that it should be directed to you, and we will tell you about it without undue delay.
- We may charge a reasonable fee, agreed with you in advance, for assistance that goes beyond the functionality of the Service or is unreasonably repetitive.
10. Assisting with your wider obligations
Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to help you comply with your obligations relating to: the security of processing (Article 32 of the UK GDPR); notifying personal data breaches to a supervisory authority and to data subjects (Articles 33 and 34); carrying out data protection impact assessments (Article 35); and prior consultation with a supervisory authority (Article 36). The information we make available under this DPA and in Annex 2 forms part of that assistance.
11. Personal data breaches
- We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
- Our notification will describe, to the extent known and as more information becomes available, the nature of the breach, its likely consequences, the measures we have taken or propose to take, and a contact point for more information.
- We will take reasonable steps to contain and remediate the breach and will cooperate with you so that you can meet your own notification obligations. A notification or assistance is not an admission of fault or liability.
12. Return and deletion
- On termination or expiry of the Service, or earlier on your written request, we will, at your choice, delete or return the Customer Personal Data we process for you, and delete existing copies, unless UK or EU law requires us to keep it.
- Unless you ask us to return it, we will delete Customer Personal Data within 30 days of the end of the applicable retention period described in our Privacy Policy and the Terms, using reasonable measures. Where you ask for a copy first, we will provide one on the best-efforts basis described in the Terms.
- Customer Personal Data held in routine backups is isolated from active processing and is deleted in line with our normal backup cycle.
- Any obligation under the law to retain certain records (such as our own accounting and tax records) survives this DPA to the extent the law requires.
13. Records and audits
- Information. We will make available to you the information reasonably necessary to demonstrate our compliance with this DPA and with Article 28 of the UK GDPR, primarily by providing, on written request and no more than once in any 12-month period, our then-current security documentation, summaries of the relevant controls, and responses to a reasonable security questionnaire.
- Inspections. We expect the information described above to satisfy your audit rights. Where it does not, you, or an independent auditor you appoint who is not our competitor and who is bound by confidentiality, may inspect our compliance, but only where (a) a supervisory authority requires it, or (b) you have reasonable grounds, following a personal data breach or a demonstrable inadequacy in the information we have provided, to believe an inspection is necessary.
- Conduct of inspections. Any inspection takes place on reasonable prior written notice, no more than once in any 12-month period (except where a supervisory authority requires otherwise), during our normal business hours, in a way that does not disrupt our operations, subject to confidentiality, and at your cost. It must not give access to any other customer’s data, to personal data of third parties, or to any part of our systems where access would compromise the security or isolation of other customers.
14. International transfers
- We process Customer Personal Data primarily within the UK and the EEA (see Annex 1 and Annex 3).
- Where providing the Service involves a Restricted Transfer of Customer Personal Data (for example, to or by a Sub-processor outside the UK and EEA), that transfer is subject to an appropriate safeguard under the Data Protection Laws. Unless an adequacy decision or regulation applies, the parties enter into:
  - for transfers subject to the EU GDPR, the Standard Contractual Clauses, incorporated into this DPA by reference, with Module Two applying where you are a controller and Module Three where you are a processor; and
  - for transfers subject to the UK GDPR, the UK Addendum (or the UK IDTA where applicable), incorporated into this DPA by reference.
- For the purposes of the SCCs and the UK Addendum: you are the data exporter and we are the data importer; the Annexes to the SCCs are populated by Annexes 1 to 3 of this DPA; the optional docking clause applies; and, where the UK Addendum applies, the governing law and forum are those of England and Wales.
- Where there is any conflict between the SCCs or the UK Addendum and the rest of this DPA, the SCCs or the UK Addendum prevail in respect of the transfer they govern.
- We flow equivalent transfer protections down to any Sub-processor involved in a Restricted Transfer.
15. Liability
- Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Terms, including the cap on our total liability. The Terms and this DPA are a single agreement for that purpose, and the cap is neither increased nor duplicated by this DPA.
- Nothing in this DPA or the Terms limits any liability that cannot be limited under the Data Protection Laws, including, as between a party and a data subject, liability under Article 82 of the UK GDPR.
- As between you and us, you are responsible for your instructions and for your compliance with your obligations as controller, and we are responsible for processing that breaches this DPA or our obligations as processor. Each party’s responsibility for a claim is reduced to the extent the other party caused or contributed to it.
16. Term, precedence, and general
- Term. This DPA takes effect when the Terms first apply to you and continues for as long as we process Customer Personal Data for you.
- Precedence. This DPA forms part of the Terms. If there is a conflict between this DPA and the rest of the Terms in relation to the processing of personal data, this DPA prevails. The SCCs and the UK Addendum prevail over this DPA to the extent of any conflict about a transfer they govern.
- Changes. We may update this DPA from time to time to reflect changes in the Data Protection Laws, our Sub-processors, or our processing, provided the update does not materially reduce the protection of Customer Personal Data. We will tell you about material changes as described in the Terms.
- Survival. Provisions that by their nature should survive termination (including those on confidentiality, return and deletion, records, liability, and transfers) survive.
- Governing law. This DPA is governed by the law of England and Wales, and the courts of England and Wales have jurisdiction, as set out in the Terms, except where the SCCs or the UK Addendum require otherwise for a transfer they govern.
- Notices. Notices under this DPA may be given as set out in the Terms. For data-protection matters, contact privacy@evaluat.com.
17. United States state privacy laws
This section applies where you are subject to US state privacy laws (such as the California Consumer Privacy Act, as amended) in respect of personal information in your Customer Content. We process that personal information only as a “service provider” (or equivalent role), solely to provide the Service to you and as your instructions permit. We do not “sell” or “share” it, we do not retain, use, or disclose it for any purpose other than providing the Service or as the law permits, and we do not combine it with personal information from other sources except as a service provider is permitted to. We will tell you if we determine that we can no longer meet our obligations under those laws. This section is consistent with our Privacy Policy.
Annex 1: Details of processing
- Controller: you (the Customer identified in the account and Order) or, where you act as a processor, the third-party controller on whose behalf you act.
- Processor: Evaluat Digital Limited, 128 City Road, London, EC1V 2NX, United Kingdom.
- Subject matter: our processing of Customer Personal Data to provide the Evaluat performance and load testing Service under the Terms.
- Duration: the term of your subscription and account, plus the wind-down and retention periods described in our Privacy Policy and the Terms, after which the data is deleted or returned under section 12.
- Nature and purpose: hosting, storing, transmitting, running tests on, analysing, and displaying Customer Content so that you can configure and run performance and load tests and review the results. Processing operations include collection, recording, organisation, storage, retrieval, use, transmission, and erasure.
- Types of personal data: as determined by you through your configuration and use of the Service. Because you decide what your tests contain, this can include, for example: identifiers and contact details (such as names, usernames, and email addresses); authentication data and credentials (including HTTP authentication credentials you set for a Target System, and any tokens or headers captured in network logs); data in your datasets; and anything captured in session recordings, screenshots, HTML snapshots, and console and network logs while your tests run.
- Categories of data subjects: as determined by you, which may include your own users, customers, employees, or testers, synthetic or test identities you create, and individuals whose data appears in the systems you test.
- Special category data: not intended (see section 5).
Annex 2: Technical and organisational measures
We maintain technical and organisational measures appropriate to the risk, including those below. We keep them under review and may change them, provided protection is not materially reduced.
- Encryption in transit. Connections to the Service use TLS. Cookies are encrypted and set with the HTTP-only and secure attributes.
- Encryption at rest. Customer Content is held on infrastructure provided by our hosting and storage Sub-processors in EU regions, with encryption at rest provided by those providers.
- Authentication. Sign-in is passwordless: we issue single-use, time-limited one-time codes by email rather than storing passwords.
- Access control. Access to the Service is role-based (with distinct roles such as owner, administrator, member, and guest) and scoped to each Team, so customers are isolated from one another. Internal access to Customer Content is limited to authorised personnel who need it to provide, support, or secure the Service.
- Logging and monitoring. We keep an audit log of significant actions (recording the action, the actor, the time, the IP address, and the user agent, with sensitive fields masked), retained for a limited period. We use error and performance monitoring to detect and investigate issues.
- Network and abuse protection. We use a reputable content-delivery and security provider, rate limiting on authentication, and automated-abuse protection on our forms.
- Tenant isolation. Customer data is logically separated by Team, and access is enforced in the application.
- Payment data. Card payments are handled by our payment Sub-processor; we do not store full card numbers.
- Secrets and change management. Application secrets are held in managed configuration, not in source code, and changes are deployed through a controlled pipeline.
- Personnel. Personnel with access to Customer Personal Data are bound by confidentiality.
Annex 3: Sub-processors
The Sub-processors that currently process Customer Personal Data are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Application hosting, compute, and object storage (S3) for Customer Content | EU (London and Frankfurt) |
| ClickHouse | Performance and test analytics warehouse | EU |
| Sentry | Error and performance monitoring (may incidentally process Customer Personal Data contained in diagnostic data) | EU |
Our other providers (such as our CRM, payment processor, website-analytics, geolocation, and map providers) process personal data for which we are the controller, not Customer Personal Data. The current, authoritative list of all our providers is on our Sub-processors list, and changes to Sub-processors that process Customer Personal Data are handled under section 8.
Annex 4: International transfer mechanisms
- Our processing of Customer Content, including application hosting, the data warehouse, and error monitoring, takes place in the UK and the EEA (see Annex 1 and Annex 3).
- Where providing the Service involves a Restricted Transfer of Customer Content (for example, a Sub-processor outside the UK and EEA, or support access from outside the UK and EEA), that transfer relies on a lawful transfer mechanism under section 14: an adequacy decision or regulation where one applies, or otherwise the Standard Contractual Clauses (for EU GDPR transfers) and the UK Addendum or UK IDTA (for UK GDPR transfers), incorporated into this DPA by reference, together with any additional safeguards needed.
- The SCC module selections and the population of the SCC Annexes are as set out in section 14 and Annexes 1 to 3.