Data Processing Agreement
Last updated: 15 April 2026
This Data Processing Agreement (“DPA”) supplements the Terms of Service between Everlong s.r.o. (“Innociti”, “Processor”) and the customer using the Service (“Controller”). It sets out the terms under which Innociti processes personal data on behalf of the Controller pursuant to Article 28 of the EU General Data Protection Regulation (“GDPR”).
1. Subject Matter and Duration
The Processor processes personal data solely to provide the Service to the Controller, for the duration of the Controller's subscription plus any retention period specified in the Privacy Policy.
2. Nature and Purpose of Processing
The Processor provides SaaS matchmaking, brief generation, city outreach, and related advisory features. Processing activities include storage, retrieval, structuring, transmission via email, and AI-assisted analysis of Controller-provided input.
3. Categories of Data Subjects
End users authorised by the Controller, including innovation officers, procurement staff, city representatives, and other professionals interacting with the Service.
4. Types of Personal Data
- Contact data: name, work email, organisation, role.
- Authentication data: hashed credentials, session tokens.
- Usage metadata: timestamps, queries submitted, pages viewed.
- Free-text content submitted in matchmaking queries.
The Controller shall not submit special categories of personal data (Art. 9 GDPR) or data relating to criminal convictions (Art. 10 GDPR) to the Service.
5. Processor's Obligations
- Process personal data only on documented instructions from the Controller, including transfers to third countries, unless required by EU or Member State law.
- Ensure persons authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Section 7).
- Assist the Controller with responding to data subject requests.
- Assist with data protection impact assessments and prior consultations where required.
- Notify the Controller of any personal data breach without undue delay, and in any case within 72 hours of becoming aware.
- Delete or return personal data at the end of the engagement, at the Controller's choice, subject to legal retention obligations.
6. Sub-Processors
The Controller grants the Processor general authorisation to engage the following sub-processors:
- Vercel Inc. (USA) — web hosting and content delivery.
- Supabase Inc. (EU/Ireland, data stored in eu-west-1) — managed database and authentication.
- Anthropic PBC (USA) — AI inference for matchmaking and briefs.
- OpenAI Ireland Ltd. (Ireland) — semantic search embeddings.
- Stripe Payments Europe Ltd. (Ireland) — payment processing.
- Resend, Inc. (USA) — transactional email delivery.
- Google LLC (USA) — OAuth sign-in (optional).
The Processor will notify the Controller of any intended addition or replacement of sub-processors with at least 30 days' notice. The Controller may object on reasonable data protection grounds within that period.
7. Security Measures
- TLS 1.2+ for all data in transit.
- AES-256 at-rest encryption for database and object storage.
- Role-based access control and the principle of least privilege.
- Multi-factor authentication for administrative access.
- Logging and monitoring of access to personal data.
- Regular backups with defined recovery objectives.
- Vendor security reviews of sub-processors.
8. International Transfers
Where personal data is transferred outside the European Economic Area, the Processor relies on Standard Contractual Clauses (2021/914) or, where applicable, the EU-US Data Privacy Framework. Supplementary measures include encryption in transit and at rest, and contractual confidentiality obligations on sub-processors.
9. Audit
The Processor will make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR. The Controller may request an audit once per year, on 30 days' notice, during business hours, and subject to confidentiality obligations. Audit costs are borne by the Controller unless material non-compliance is found.
10. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service, without prejudice to any rights of data subjects or regulatory authorities under GDPR.
11. Contact
For data protection matters, contact privacy@innociti.eu.