Data Processing Agreement
1. Background
In the course of providing the Devolar platform services (IoT, VoIP, ALPR, CCTV), Devolar may process personal data on behalf of the Customer. In such circumstances, the Customer acts as the data controller and Devolar acts as the data processor. This DPA sets out the terms on which Devolar will process that personal data.
By accepting the Terms of Service, Customer also accepts the terms of this DPA. Where a signed DPA is required by Customer's data protection authority or internal policy, Customer may request a countersigned copy from privacy@devolar.net.
2. Definitions
Terms used but not defined in this DPA have the meanings given in the GDPR or in the Terms of Service. In this DPA:
- "Controller" — the Customer entity that determines the purposes and means of processing personal data.
- "Processor" — Devolar, processing personal data on behalf of the Controller.
- "Sub-processor" — any third party engaged by Devolar to assist in processing personal data.
- "Personal Data" — any information relating to an identified or identifiable natural person as defined in GDPR Art. 4(1).
- "Processing" — any operation performed on personal data as defined in GDPR Art. 4(2).
- "Data Subject" — the identified or identifiable individual to whom personal data relates.
- "Supervisory Authority" — the competent data protection authority, primarily the State Data Protection Inspectorate of Lithuania.
3. Scope, Nature & Details of Processing
3.1 Subject matter
Processing of personal data necessary to provide the Devolar platform services as described in the Terms of Service.
3.2 Duration
Processing continues for the duration of the Subscription Term and for such additional period as necessary to comply with legal obligations, after which personal data will be deleted or returned in accordance with Section 10.
3.3 Nature and purpose
Processing is carried out to provide, maintain, secure and improve the Services as instructed by the Controller, and for no other purpose without documented controller instructions.
4. Processor Obligations
Devolar (as Processor) shall:
- Process personal data only on documented instructions from the Controller (which include these Terms), unless required to do so by EU or Member State law; in such case, inform the Controller before processing unless prohibited on important grounds of public interest
- Ensure that persons authorised to process personal data are bound by confidentiality or are under a statutory obligation of confidentiality
- Implement appropriate technical and organisational security measures (see Section 6)
- Respect the conditions for engaging sub-processors (see Section 5)
- Assist the Controller with data subject rights requests, security obligations, breach notifications, DPIAs, and prior consultations to the extent reasonably possible given the nature of processing
- Delete or return all personal data at the end of the services relationship (see Section 10)
- Make available to the Controller all information necessary to demonstrate compliance and allow for audits (see Section 11)
- Immediately inform the Controller if, in Devolar's opinion, an instruction infringes GDPR or applicable data protection law
5. Sub-processors
The Controller provides general authorisation for Devolar to engage sub-processors. The current list of sub-processors is set out in the Annex to this DPA. Devolar will:
- Maintain an up-to-date list of sub-processors accessible at devolar.net/dpa or on request
- Provide at least 30 days' prior notice of any intended change to the sub-processor list (addition or replacement)
- Give the Controller the opportunity to object to changes; if no agreement is reached within 30 days of notice, either party may terminate the relevant Services
- Impose the same data protection obligations on all sub-processors as those in this DPA
- Remain fully liable to the Controller for the acts and omissions of sub-processors
6. Security Measures
Taking into account the state of the art, costs, and the nature, scope, context and purposes of processing, as well as the risks for individuals, Devolar implements and maintains the following technical and organisational measures:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest. End-to-end encryption for VoIP (SRTP) where configured.
- Access control: Role-based access control (RBAC), principle of least privilege, mandatory MFA for administrative accounts, access logs retained for 12 months.
- Physical security: Data hosted in ISO 27001-certified data centres with 24/7 physical security, biometric access, and CCTV monitoring.
- Network security: Firewalls, DDoS protection, network segmentation, intrusion detection and prevention systems (IDS/IPS).
- Testing and monitoring: Annual penetration testing by independent third parties; quarterly vulnerability scans; continuous automated security monitoring.
- Incident response: Documented incident response plan; trained security team; post-incident review and reporting.
- Data retention: Configuration options enabling customers to apply retention limits. Default anonymisation/deletion schedules applied where no customer configuration is set.
- Personnel: Data protection training for all staff; background checks for roles with elevated access; confidentiality agreements.
7. Personal Data Breach Notification
In the event of a personal data breach affecting Customer personal data, Devolar shall:
- Notify the Controller without undue delay and, where feasible, within 24 hours of becoming aware
- Provide, at minimum: (a) a description of the nature of the breach; (b) categories and approximate number of individuals and records concerned; (c) likely consequences; (d) measures taken or proposed to address the breach
- Cooperate fully with the Controller's investigation and response
- Assist the Controller in notifying the Supervisory Authority (within the GDPR 72-hour window) and affected individuals where required
- Document all breaches, even those not requiring notification
Breach notifications should be sent to the Controller's designated contact. The Controller is responsible for any onward notifications to supervisory authorities and data subjects.
8. Data Protection Impact Assessment Assistance
Where a processing activity is likely to result in a high risk to individuals' rights and freedoms (particularly relevant for ALPR, CCTV with AI analytics, and large-scale IoT deployments), the Controller may be required to conduct a Data Protection Impact Assessment (DPIA) under GDPR Art. 35.
Devolar will provide reasonable assistance to the Controller in conducting DPIAs, including providing:
- Technical and organisational information about the relevant processing activities
- Information about sub-processors and data flows
- Details of security measures implemented
- Identification of relevant risks and mitigations
Requests for DPIA assistance should be submitted to privacy@devolar.net.
9. International Transfers
Devolar's primary infrastructure is located within the EEA. Where personal data is transferred to a country outside the EEA, Devolar ensures an appropriate safeguard is in place, such as:
- An adequacy decision by the European Commission (GDPR Art. 45)
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (GDPR Art. 46(2)(c))
- Binding Corporate Rules (GDPR Art. 47)
Details of any third-country transfers and applicable safeguards are available upon request. By accepting this DPA, the Controller authorises Devolar to transfer personal data in accordance with these safeguards.
10. Deletion and Return of Data
Upon expiry or termination of the Services, and upon the Controller's written request, Devolar shall:
- Provide the Controller with an export of Customer Data in a standard machine-readable format within 30 days of request
- Securely delete all Customer personal data (including copies held by sub-processors) within 60 days of the end of the Subscription Term, unless EU or Lithuanian law requires continued storage
- Upon request, provide written certification of deletion
Data exports must be requested before the 30-day window expires. Devolar is not liable for data that cannot be recovered after deletion is completed.
11. Audit Rights
Devolar shall make available all information necessary to demonstrate compliance with this DPA and GDPR Art. 28. The Controller may exercise audit rights as follows:
- Documentation: Devolar will provide relevant security documentation, certifications (e.g., ISO 27001 certificates) and compliance reports upon written request
- On-site audit: The Controller (or an appointed auditor bound by confidentiality) may conduct an on-site audit no more than once per year with at least 30 days' written notice, at the Controller's cost, during normal business hours and without unduly disrupting operations
- Third-party audit: Where the Controller appoints a third-party auditor, Devolar may object to the appointment on reasonable grounds (e.g., a competitor); both parties will negotiate in good faith to agree an alternative
Audit requests should be directed to privacy@devolar.net.
Annex — Approved Sub-processors
The following sub-processors are approved as of the effective date of this DPA. Devolar will update this list and provide notice of changes per Section 5.
All sub-processors are bound by Data Processing Agreements with Devolar that impose obligations equivalent to or stricter than those in this DPA. All listed sub-processors are located within the EEA or operate under an adequate safeguard for international transfers.