This page summarizes the Data Processing Agreement (DPA) that governs how Evercontact processes personal data on your behalf, and the compliance program behind it. It applies to all paid plans and forms part of our terms of service.
Data Processing Agreement
When you use Evercontact, you are the data controller and Evercontact acts as your data processor. We process personal data only on your documented instructions and only to provide the service.
01 Roles & scope
This DPA covers the processing of personal data contained in email signatures that Evercontact reads to extract, enrich, and syndicate contact records. It applies for as long as we process data on your behalf.
- Controller — you, the customer, who determines the purpose of processing.
- Processor — Evercontact (One More Company Inc.), acting on your instructions.
- Subject matter — extraction of professional contact details from inbound email signatures.
02 Data we process
We deliberately keep the scope narrow. Evercontact reads inbound email signatures only — never the message body, never outbound mail, never private conversation content.
| Category | Examples |
|---|---|
| Identifiers | Name, email address, phone number |
| Professional | Job title, company, office location |
| Derived | Seniority, company size, deduplicated identity |
We do not intentionally process special categories of data. Contact details originate from signature blocks that individuals publish themselves.
03 Sub-processors
We use a short, vetted list of sub-processors to deliver the service. Each is bound by data-protection terms at least as protective as this DPA. We publish the current list and notify customers in advance of any material change, giving you the opportunity to object.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting & storage | United States |
| Qoddi App Platform | Cloud hosting & storage | United States |
| Google / Microsoft | Mailbox API access (OAuth) | Global |
| SparkPost (MessageBird) | Transactional & contact-form email | United States |
04 Security measures
We maintain technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Per-tenant logical isolation and least-privilege internal access.
- Immutable, exportable audit logging with configurable retention.
- OAuth-based access that you can revoke at any time.
- No use of customer data to train any model.
For the full picture, see our Security & Privacy page.
05 International transfers
Evercontact processes data on hardened AWS infrastructure in the United States. Where personal data originates in the EEA, UK, or Switzerland, transfers are covered by the EU Standard Contractual Clauses (and the UK Addendum), together with supplementary technical measures. EU data residency is available on Enterprise plans.
06 Data-subject rights
We assist you in responding to requests from individuals to exercise their rights. Through the product and our support team you can:
- Access and export the contact data we hold.
- Correct or delete specific records.
- Erase all data associated with your account.
We action verified requests within statutory windows and confirm completion in writing.
07 Term & deletion
This DPA remains in effect for the duration of your subscription. On termination, we delete or return personal data within 30 days, except where retention is required by law. For one-time ContactRescue jobs, source mail is discarded once extraction completes — you keep the contacts.
Compliance program
Our controls are independently assessed and mapped to the frameworks our customers rely on. We treat compliance as continuous, not a once-a-year exercise.
08 Frameworks
| Framework | Status | Covers |
|---|---|---|
| SOC 2 Type II | Audited annually | Security, availability, confidentiality |
| GDPR | Aligned | Lawful basis, DPA, data-subject rights, transfers |
| Google CASA | Tier 2 assessed | App & API security for Workspace data and OAuth scopes |
We do not claim certifications we don't hold. Where a framework is described as "aligned," it means our practices map to its requirements without a formal certificate.
09 Documentation requests
Reviewing Evercontact for your organization? Our security team can provide our SOC 2 report, Google CASA assessment summary, a signed DPA, and standard contractual clauses under NDA.