Introduction
Evervault is committed to protecting the privacy of users’ personal data while delivering secure, encrypted processing services. This policy outlines how we collect, use, share, and secure personal data in compliance with GDPR, CCPA, HIPAA (where applicable), UK GDPR, and POPIA.
Purpose
This policy aims to ensure transparency in how Evervault manages personal data, outlines customer rights, and details our use of third-party service providers. It forms part of our contractual commitment and regulatory obligations.
Policy Statements
Data Collection
We collect and process the following categories of data:
- Identity & Contact Data (e.g. name, email, phone, roles specific professional information)
- Financial & Transaction Data
- Usage, Profile, and Device Data
- Marketing Preferences and Feedback
Data is obtained directly, through interactions with our services, from cookies and tracking tools, and occasionally from third parties.
Data Usage
We process personal data to:
- Provide and improve our services
- Personalize user experiences
- Deliver support and security
- Comply with legal obligations
- Conduct research, training, and quality control
- Perform marketing within appropriate legal mechanism
- Facilitate service updates and communications
We do not sell personal data.
Data Sharing
We share personal data only when necessary:
- Internally within Evervault
- With vetted third-party service providers (see table below)
- As authorized by users or required by law
- During mergers, acquisitions, or corporate changes
We provide relevant customers 60 days’ notice before onboarding new sub-processors in our production stack. Customers may object in that window. We will offer alternatives if needed, as per GDPR requirements, or may terminate the contract.
International Transfers
Evervault may transfer personal data internationally. Such transfers will comply with applicable data protection regulations and rely on adequate safeguards, including Standard Contractual Clauses or adequacy decisions.
Data Security & Retention
We apply technical and organizational safeguards, including:
- PCI DSS Level 1 compliance
- External SOC 2 assessments
- Security, privacy and resilience by design
Data is retained as long as required for service delivery, legal compliance, or legitimate interests in alignment with relevant regulatory requirements.
Your Rights
Depending on your jurisdiction, you may have the right to:
- Access, correct, or delete personal data
- Restrict or object to processing
- Withdraw consent
- Port your data
- Lodge a complaint with your regulator
Contact: privacy@evervault.com to exercise any of the above.
Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Evervault (Data Processor & Controller) | Manages data in accordance with applicable law and contractual obligations where Evervault are the direct Controller |
| Customers (Data Controllers for End Users) | Inform and manage rights of their own users where Evervault acts as processor |
| Compliance | Oversees compliance, handles rights requests, and engages with supervisory authorities |
| Service Providers | Process data under Evervault instructions, bound by contracts and data protection standards |
| Users | Maintain updated contact details and exercise rights as required |
Service Provider Table
| Provider | Purpose | Data Shared |
|---|---|---|
| Analytics, collaboration | User data | |
| Mixpanel, HubSpot | Analytics, CRM | User data, contact data |
| Swan, Customer.io, Plausible, Segment | Monitoring, analytics, tag management | Usage, traffic data |
| Twilio, SendGrid | Messaging | Email, contact data |
| Vercel | Hosting, Analytics | User and usage data |
| Zoom, Slack | Communication | Conversational, internal data |
| Stripe | Payments | Financial data |
| Cloudflare | Bot Prevention | Web traffic |
| Alguna | Invoicing | Transaction Data |
Changes to sub-processors are subject to 60-day notice to customers. Customers may opt out of such changes per their contracts and regulatory rights.
Jurisdiction and Regulation Specific addendums
HIPAA
Where Evervault processes Protected Health Information (PHI), we adhere to HIPAA regulations by implementing appropriate safeguards, policies, and training to ensure the confidentiality, integrity, and availability of PHI. It must be noted of course that Evervault only ever processes HIPAA data. HIPAA related data is never stored persistently by Evervault.
CCPA
Under the CCPA, you have the right to request disclosure about the personal information we collect, request deletion of your data, and opt-out of sharing your personal information for targeted advertising. You can exercise these rights by contacting privacy@evervault.com.
Version History
| Version | Date | Summary |
|---|---|---|
| 1.0 | 15 April 2025 | Consolidated version for multi-jurisdiction compliance (GDPR, UK GDPR, CCPA, HIPAA, POPIA). Includes roles, pro |