Data Processing Addendum

This DPA applies to the processing of personal data by Ergova Technologies, Inc. ("Processor") on behalf of the customer ("Controller") in connection with the services provided under the Terms of Service. The duration of processing is the term of the agreement between the parties, plus any post-termination period required for deletion or return of data.

Processing is carried out for the purpose of providing the Ergova platform and related services (e.g., scheduling, dispatch, invoicing, analytics, support) as described in the agreement and in accordance with the Controller's documented instructions.

Personal data processed may include: account and contact information; billing information; usage and device data; content and communications submitted by users; and other categories necessary to provide the services as specified in the order or configuration. The Controller is responsible for ensuring it has a lawful basis for providing such data to the Processor.

Data subjects may include the Controller's employees, contractors, customers, and other individuals about whom data is submitted to the services through the Controller's use of Ergova.

The Controller determines the purposes and means of processing. The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers, unless required by law. The Processor will inform the Controller if it believes an instruction infringes applicable data protection law.

The Processor will ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations (contractual or statutory).

The Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as described in our Privacy Policy and security documentation. Measures include encryption (in transit and at rest where applicable), access controls, and regular review of our security practices.

The Controller generally authorizes the Processor to engage subprocessors. A list of subprocessors is maintained at /subprocessors. The Processor will inform the Controller of any intended changes (e.g., new subprocessors or material changes) and give the Controller an opportunity to object where required by law.

The Processor will assist the Controller in responding to data subject requests (e.g., access, rectification, erasure, restriction, portability) and in ensuring compliance with the Controller's obligations regarding security, breach notification, and data protection impact assessments, to the extent required by applicable law and within the scope of the Processor's capabilities.

Upon termination or at the Controller's request, the Processor will delete or return all personal data in accordance with the agreement and applicable law, unless the Processor is required to retain data by law. The Controller may request a certification of deletion where feasible.