
Privacy Policy

Legal

Last updated / April 15 / 2025

Introduction

Evervault is committed to protecting the privacy of users’ personal data while delivering secure, encrypted processing services. This policy outlines how we collect, use, share, and secure personal data in compliance with GDPR, CCPA, HIPAA (where applicable), UK GDPR, and POPIA.

Purpose

This policy aims to ensure transparency in how Evervault manages personal data, outlines customer rights, and details our use of third-party service providers. It forms part of our contractual commitment and regulatory obligations.

Policy Statements

Data Collection

We collect and process the following categories of data:

  • Identity & Contact Data (e.g. name, email, phone, role-specific professional information)
  • Financial & Transaction Data
  • Usage, Profile, and Device Data
  • Marketing Preferences and Feedback

Data is obtained directly, through interactions with our services, from cookies and tracking tools, and occasionally from third parties.

Data Usage

We process personal data to:

  • Provide and improve our services
  • Personalize user experiences
  • Deliver support and security
  • Comply with legal obligations
  • Conduct research, training, and quality control
  • Perform marketing within appropriate legal mechanisms
  • Facilitate service updates and communications

We do not sell personal data.

Data Sharing

We share personal data only when necessary:

  • Internally within Evervault
  • With vetted third-party service providers (see table below)
  • As authorized by users or required by law
  • During mergers, acquisitions, or corporate changes

We provide relevant customers 60 days’ notice before onboarding new sub-processors in our production stack. Customers may object in that window. We will offer alternatives if needed, as per GDPR requirements, or may terminate the contract.

International Transfers

Evervault may transfer personal data internationally. Such transfers will comply with applicable data protection regulations and rely on adequate safeguards, including Standard Contractual Clauses or adequacy decisions.

Data Security & Retention

We apply technical and organizational safeguards, including:

  • PCI DSS Level 1 compliance
  • External SOC 2 assessments
  • Security, privacy and resilience by design

Data is retained as long as required for service delivery, legal compliance, or legitimate interests in alignment with relevant regulatory requirements.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or delete personal data
  • Restrict or object to processing
  • Withdraw consent
  • Port your data
  • Lodge a complaint with your regulator

Contact: privacy@evervault.com to exercise any of the above.

Roles and Responsibilities

Role | Responsibility
Evervault (Data Processor & Controller) | Manages data in accordance with applicable law and contractual obligations where Evervault are the direct Controller
Customers (Data Controllers for End Users) | Inform and manage rights of their own users where Evervault acts as processor
Compliance | Oversees compliance, handles rights requests, and engages with supervisory authorities
Service Providers | Process data under Evervault instructions, bound by contracts and data protection standards
Users | Maintain updated contact details and exercise rights as required

Service Provider Table

Provider | Purpose | Data Shared
Google | Analytics, collaboration | User data
Mixpanel, HubSpot | Analytics, CRM | User data, contact data
Swan, Customer.io, Plausible, Segment | Monitoring, analytics, tag management | Usage, traffic data
Twilio, SendGrid | Messaging | Email, contact data
Vercel | Hosting, Analytics | User and usage data
Zoom, Slack | Communication | Conversational, internal data
Stripe | Payments | Financial data
Cloudflare | Bot Prevention | Web traffic
Alguna | Invoicing | Transaction Data

Changes to sub-processors are subject to 60-day notice to customers. Customers may opt out of such changes per their contracts and regulatory rights.

Jurisdiction and Regulation Specific addendums

HIPAA

Where Evervault processes Protected Health Information (PHI), we adhere to HIPAA regulations by implementing appropriate safeguards, policies, and training to ensure the confidentiality, integrity, and availability of PHI. It should be noted that Evervault only ever processes HIPAA data. HIPAA-related data is never stored persistently by Evervault.

CCPA

Under the CCPA, you have the right to request disclosure about the personal information we collect, request deletion of your data, and opt-out of sharing your personal information for targeted advertising. You can exercise these rights by contacting privacy@evervault.com.

Version History

Version | Date | Summary
1.0 | 15 April 2025 | Consolidated version for multi-jurisdiction compliance (GDPR, UK GDPR, CCPA, HIPAA, POPIA). Includes roles, pro