Data Processing Addendum
Usermuse, Inc., a Delaware public benefit corporation, doing business as Evermuse
Last Updated: June 8, 2026
This Data Processing Addendum (“DPA”) forms part of the Evermuse Terms of Service or other written agreement (the “Agreement”) between Usermuse, Inc., a Delaware public benefit corporation, doing business as Evermuse (“Evermuse” or “Processor”), and the customer that is a party to the Agreement (“Customer” or “Controller”). This DPA reflects the parties’ agreement on the Processing of Personal Data in connection with the Service and is incorporated into the Agreement by reference. Capitalized terms not defined here have the meanings given in the Agreement.
1. Definitions
1.1 “Applicable Data Protection Laws” means all laws applicable to the Processing of Personal Data under the Agreement, including (a) the EU General Data Protection Regulation 2016/679 (“EU GDPR”); (b) the UK GDPR and the UK Data Protection Act 2018; (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the Israeli Protection of Privacy Law, 5741-1981, and the regulations issued under it (including the Protection of Privacy Regulations (Data Security), 5777-2017), each as amended (“Israeli Privacy Law”); and (e) US state privacy laws, including the California Consumer Privacy Act as amended (“CCPA”).
1.2 The terms “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” have the meanings given in the EU GDPR, and the equivalent terms under other Applicable Data Protection Laws (such as “Business,” “Service Provider,” “Consumer,” and “Personal Information” under the CCPA) apply as the context requires.
1.3 “Customer Personal Data” means Personal Data contained within Customer Data that Evermuse Processes on Customer’s behalf under the Agreement.
1.4 “EU SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914.
1.5 “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office (“ICO”).
1.6 “Sub-processor” means a third party engaged by Evermuse to Process Customer Personal Data. “Security Incident” means a Personal Data Breach.
2. Roles and Scope
For Customer Personal Data, the parties agree that Customer is the Controller (or a processor acting on behalf of a third-party controller) and Evermuse is the Processor; and that, under the CCPA, Customer is the Business and Evermuse is a Service Provider. This DPA applies to Evermuse’s Processing of Customer Personal Data on Customer’s behalf in connection with the Service. The subject matter, nature, purpose, and duration of the Processing, and the categories of Personal Data and Data Subjects, are described in Annex I.
3. Processing Instructions
Evermuse will Process Customer Personal Data only on Customer’s documented instructions, including as set out in the Agreement and this DPA and as necessary to provide and support the Service, unless required to do otherwise by applicable law (in which case Evermuse will inform Customer of that legal requirement before Processing, unless the law prohibits such notice). Customer’s instructions will comply with Applicable Data Protection Laws, and Customer is responsible for the accuracy and legality of Customer Personal Data and the means by which it acquired it. Evermuse will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.
4. Confidentiality of Personnel
Evermuse will ensure that personnel authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations and are made aware of the confidential nature of the Customer Personal Data.
5. Security
Evermuse will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex II and in Evermuse’s Data Protection Policy, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to Data Subjects. Evermuse maintains a SOC 2 Type 2 program covering the Security and Confidentiality Trust Services Criteria.
6. CCPA and US State Privacy Laws
To the extent Evermuse Processes Personal Information subject to the CCPA or similar US state laws as a Service Provider or Processor, Evermuse will not: (a) sell or share such Personal Information; (b) retain, use, or disclose it for any purpose other than performing the Service specified in the Agreement, or outside the direct business relationship, except as permitted by applicable law; or (c) combine it with personal information received from other sources, except as permitted by applicable law. Evermuse certifies that it understands and will comply with these restrictions.
7. Sub-processors
7.1 Authorization. Customer provides Evermuse with general written authorization to engage Sub-processors to Process Customer Personal Data. A current list of Sub-processors is maintained at evermuse.com/data-subprocessors.
7.2 Obligations and liability. Evermuse will impose on each Sub-processor data-protection obligations that are substantially similar to those in this DPA and will remain liable for each Sub-processor’s performance of its obligations.
7.3 Notice and objection. Evermuse will provide notice of any new Sub-processor (through its Sub-processor page or an email-subscription mechanism) at least ten (10) days before authorizing the Sub-processor to Process Customer Personal Data. Customer may object on reasonable, documented data-protection grounds within that period, and the parties will work together in good faith to resolve the objection. If they cannot, Customer may terminate the portion of the Service that cannot be provided without the objected-to Sub-processor.
7.4 AI sub-processors. Evermuse maintains contractual agreements with the artificial-intelligence and large-language-model providers it engages as Sub-processors that prohibit those providers from using Customer Personal Data to train their models and that require that no Customer Personal Data is retained by those providers after the relevant processing is complete. Evermuse does not train its own models on Customer Personal Data.
8. Data Subject Requests
Taking into account the nature of the Processing, Evermuse will assist Customer by appropriate technical and organizational measures, insofar as practicable, to enable Customer to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws. If Evermuse receives such a request directly, it will, unless legally required to respond, advise the Data Subject to submit the request to Customer.
9. Security Incidents
Evermuse will notify Customer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a Security Incident affecting Customer Personal Data, and will provide information reasonably available to Evermuse to assist Customer in meeting its obligations under Applicable Data Protection Laws. Evermuse’s notification is not an acknowledgment of fault or liability.
10. Data Protection Impact Assessments
Evermuse will provide Customer with reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to Evermuse.
11. International Data Transfers
11.1 EU SCCs. To the extent Evermuse Processes Customer Personal Data protected by the EU GDPR and transfers it to a country that has not received an adequacy decision, the EU SCCs are incorporated into this DPA by reference and apply, with Module Two (Controller to Processor) where Customer is a controller, and Module Three (Processor to Processor) where Customer acts as a processor.
11.2 SCC elections. For purposes of the EU SCCs: the optional docking clause (Clause 7) applies; the general written authorization option for sub-processors (Clause 9, Option 2) applies, with the notice period in Section 7.3; the optional redress language in Clause 11(a) does not apply; the governing law (Clause 17) and the forum (Clause 18) are those of Ireland; and Annexes I and II of the EU SCCs are populated by Annexes I and II of this DPA.
11.3 UK and Swiss transfers. For transfers subject to the UK GDPR, the UK Addendum applies and is completed using the information in Annexes I and II of this DPA (with Evermuse as the importer in Table 4). For transfers subject to the FADP, references in the EU SCCs to the GDPR are understood as references to the FADP, and the competent authority is the Swiss Federal Data Protection and Information Commissioner.
11.4 Israeli transfers. For transfers of Customer Personal Data subject to the Israeli Privacy Law, Evermuse will maintain appropriate safeguards consistent with the requirements of the Protection of Privacy Regulations (Transfer of Data to Databases Abroad), 5761-2001, including the contractual protections in this DPA, and will reasonably assist Customer in meeting its transfer obligations under Israeli law.
11.5 Alternative mechanisms. Where Evermuse adopts an alternative lawful transfer mechanism, that mechanism applies instead of the clauses above to the relevant transfer.
12. Return and Deletion of Customer Personal Data
Upon termination or expiration of the Agreement, and upon Customer’s request, Evermuse will delete or return Customer Personal Data and delete existing copies, except to the extent retention is required by applicable law. Consistent with the Agreement and Evermuse’s Data Protection Policy, Evermuse will make Customer Data available for export for thirty (30) days after termination, then delete it from active systems within sixty (60) days and from backups in the ordinary course of its backup and retention cycle. Where deletion is technically infeasible (for example, within backups), Evermuse will isolate and protect the Customer Personal Data and de-identify it where appropriate until deletion is possible.
13. Audits and Compliance
Evermuse will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, including its SOC 2 Type 2 report (covering the Security and Confidentiality Trust Services Criteria) and security documentation, on reasonable request and subject to the report’s restricted-use and confidentiality terms (for example, under a non-disclosure agreement). Where Applicable Data Protection Laws require a more extensive audit right, Customer (or a mutually agreed independent auditor bound by confidentiality) may, no more than once per calendar year (unless required by a supervisory authority or following a Security Incident), upon reasonable prior notice and during normal business hours, conduct an audit that does not unreasonably interfere with Evermuse’s operations. Customer bears its own costs for any such audit.
14. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
15. General
This DPA forms part of, and is subject to, the Agreement. In the event of a conflict regarding the Processing of Personal Data, this DPA controls over the remainder of the Agreement, and the EU SCCs control over this DPA with respect to international data transfers. This DPA continues in effect for as long as Evermuse Processes Customer Personal Data. Except as required by the EU SCCs, the governing law and jurisdiction of the Agreement apply to this DPA.
Annex I — Details of Processing
A. List of Parties
Data Exporter: Customer, the entity that is a party to the Agreement, acting as Controller (or as a processor on behalf of a third-party controller). Contact: the administrative contact associated with Customer’s account. Activities relevant to the transfer: use of the Service as described in the Agreement.
Data Importer: Usermuse, Inc. d/b/a Evermuse, acting as Processor. Contact: legal@evermuse.com. Activities relevant to the transfer: provision of the Service, including recording, ingestion, transcription, storage, AI analysis, and generation of Outputs.
B. Description of Transfer
Categories of Data Subjects: Customer’s customers, prospects, end users, and the participants in calls, meetings, and conversations captured or submitted by Customer; and Customer’s employees and contractors who are Authorized Users.
Categories of Personal Data: identifiers (such as name, email address, and phone number); professional and role information; the contents of communications, including call and meeting recordings, transcripts, chat and support messages, and documents; audio and voice data; associated metadata (such as timestamps and participant lists); and any other Personal Data that Customer chooses to submit to the Service.
Special Categories of Data: Special categories of Personal Data are not intentionally collected. Customer is responsible for not submitting special-category data; to the extent any is present within conversations or documents, it is handled as Restricted data under the measures in Annex II.
Frequency of Transfer: Continuous, for the duration of Customer’s use of the Service.
Nature and Purpose of Processing: Recording, ingestion, transcription, storage, AI-based analysis and clustering, generation of Outputs, evaluating the performance, accuracy, and quality of the Service, delivery of Customer Data and Outputs to Customer-directed integrations, and provision of support.
Duration of Processing: For the term of the Agreement plus the export and deletion periods described in Section 12.
Sub-processor Processing: As described in the Sub-processor list at evermuse.com/data-subprocessors; subject matter and duration as set out above.
C. Competent Supervisory Authority
The competent supervisory authority is determined in accordance with the EU SCCs, based on Customer’s place of establishment in the EEA or the location of its EU representative; for transfers subject to the UK GDPR, the competent authority is the ICO.
Annex II — Technical and Organizational Measures
Evermuse maintains the following measures, as further described in its Data Protection Policy, Encryption Policy, Backup Policy, and related security policies:
- Hosting and redundancy: production systems are hosted in Google Cloud Platform (GCP); data is replicated and backed up in accordance with Evermuse’s Backup Policy and Disaster Recovery Plan.
- Tenant separation: the Service is multi-tenant and customer data is logically separated at the application and database layers through tenant identifiers and tenant-scoped queries, or through dedicated resources where required; this separation is enforced throughout all processing pipelines, including AI and large-language-model operations, so that one customer’s data is not accessible to or commingled with another customer’s data.
- Access control: access is role-based and follows least privilege; administrative access to production data is disabled by default; temporary break-glass access is time-bound and logged; production access requires approval by the Security Officer, is time-boxed and revoked promptly after use, and is reviewed at least quarterly.
- Encryption: Restricted and Internal data in production stores is encrypted at rest, with keys protected and managed in approved key-management tooling; all external transmission of Evermuse and customer data is encrypted in transit using TLS 1.2 or higher; internal connections are encrypted where practical and where required for Restricted data.
- Authentication: access to the corporate network, production machines, network devices, and support tools requires a unique ID; multi-factor authentication is required for access to sensitive systems; workstations apply hard-disk encryption and run anti-malware software.
- Network and perimeter security: network access restrictions limit communications to approved channels and protocols; a content-delivery and security layer provides DNS, load balancing, DDoS protection, web application firewall, and TLS encryption; an intrusion detection system provides continuous monitoring for potential security events.
- Vulnerability and penetration testing: vulnerability scans are performed on a recurring basis, at least quarterly and upon significant change or after a confirmed security incident, with remediation based on risk and impact; an independent third-party penetration test of the production environment is performed at least annually, with remediation tracked to defined timelines.
- Logging and monitoring: access to production systems and sensitive data is logged and retained; infrastructure logging monitors web traffic and suspicious activity, with automated alerts raised for anomalous activity and escalated under the Incident Response Plan.
- Resilience and recovery: daily backups are performed and monitored; critical infrastructure is replicated across multiple availability zones to support failover; documented Disaster Recovery and Business Continuity Plans are maintained and tested at least annually.
- Secure configuration and change management: production systems disable non-required services and follow secure configuration and change standards.
- Data leakage prevention: leakage risk is reduced through least privilege, approved tools, encryption, monitoring, and training; suspected leakage is handled through Incident Response procedures.
- Deletion and secure disposal: deletion occurs through authenticated workflows or approved administrative tools and is logged; data is removed from active systems and backups in accordance with retention policies; where deletion is infeasible, data may be de-identified; and devices and media are wiped or destroyed in accordance with the Asset Management Policy.
- Secure information exchange: data is exchanged only under approved agreements (customer contracts, DPAs, and vendor agreements) that define scope, obligations, classification, and incident notice.
- Compliance program: Evermuse maintains a SOC 2 Type 2 program (audited by Sensiba) and continuous control monitoring (via Drata), and reviews its security policies at least annually and upon material change.
Annex III — Authorized Sub-processors
Evermuse maintains a current list of authorized Sub-processors, including the entity name, the Processing activity, and the location, at evermuse.com/data-subprocessors. Sub-processor categories include cloud infrastructure and hosting (Google Cloud Platform); AI and large-language-model providers used for signal collection, analysis, and chat responses (which, as of the date of this DPA, include Anthropic, OpenAI, Google, and Groq); and operational vendors that support the delivery of the Service. As described in Section 7.4, the AI and large-language-model providers are contractually prohibited from training their models on Customer Personal Data and do not retain Customer Personal Data after processing is complete. The online list is the controlling, up-to-date record for purposes of Section 7.