EverWellAI – Data Processing Addendum (UK)
Effective Date: 26th October 2025
Parties:
Customer: The entity identified in the Order (“Controller”, “Customer”).
EverWellAI Ltd (Company No. 16701230), 33 Kinghorne Road, Barnard Castle, DL12 8GZ, UK (“Processor”, “EverWellAI”).
This DPA forms part of the Agreement (e.g., Terms of Service/Order). It applies where EverWellAI processes Personal Data on behalf of Customer under the UK GDPR and Data Protection Act 2018 (and, as applicable, the EU GDPR).
1. Roles & Scope
1.1 Roles. Customer is Controller; EverWellAI is Processor for supervision audio, transcripts and generated outputs (“Customer Content”). EverWellAI may act as Controller for its own account admin, security logs and support data; that controller activity is governed by EverWellAI’s Privacy Policy.
1.2 Scope. The subject-matter, duration, nature and purposes, types of data and categories of data subjects are set out in Annex I.
2. Documented Instructions
2.1 EverWellAI shall process Personal Data only on Customer’s documented instructions, including as set out in this DPA, the Agreement, and Customer’s in-product settings.
2.2 EverWellAI shall promptly notify Customer if it believes an instruction infringes data protection law (without giving legal advice).
3. Confidentiality & Personnel
3.1 EverWellAI shall ensure personnel authorised to process Personal Data are subject to confidentiality obligations and receive role-appropriate data protection and safeguarding training.
3.2 For privileged roles, EverWellAI maintains baseline background screening and will meet BPSS (and DBS where reasonably required by Customer policy) for public sector deployments.
4. Security of Processing
4.1 EverWellAI implements appropriate technical and organisational measures (TOMs) considering the state of the art, costs, nature, scope, context and risks, including those listed in Annex II.
4.2 EverWellAI maintains: encryption in transit/at rest, access control (RBAC, MFA/SSO), secure key management, logging/monitoring, secure SDLC, vulnerability management, incident response, business continuity and disaster recovery.
5. Sub-processors
5.1 Customer authorises the Sub-processors in Annex III. EverWellAI shall impose data protection obligations no less protective than this DPA and remains responsible for Sub-processors’ acts/omissions.
5.2 Changes. EverWellAI will provide advance notice (≥10 business days; ≥30 days for UK public sector accounts) of material Sub-processor changes via admin email or website. Customer may object on reasonable data protection grounds; the parties will work in good faith to resolve. If unresolved, Customer may terminate the affected Service for a pro-rata refund of prepaid unused fees.
6. International Transfers
6.1 EverWellAI prioritises UK/EU data residency (AssemblyAI EU endpoint, Mistral EU, Supabase Frankfurt, Railway EU, n8n EU, Google Workspace EU data regions where available).
6.2 Where a transfer to a third country or international organisation occurs (including remote access for support), EverWellAI shall implement valid transfer tools: EU SCCs (Controller-to-Processor, Module 2) plus the UK Addendum or UK IDTA as applicable, and supplementary measures (encryption, access controls, strict purpose limits).
6.3 EverWellAI will maintain Transfer Impact Assessments (TIAs) for relevant vendors and provide a summary on request. See the Transfer Summary after Annex III.
7. Personal Data Breach
7.1 EverWellAI shall notify Customer without undue delay (initial alert within 24 hours of awareness) of a Personal Data Breach affecting Customer’s Personal Data, detailing the nature of the breach, likely consequences, and measures taken/to be taken.
7.2 EverWellAI will cooperate with Customer to investigate, mitigate and notify supervisory authorities/data subjects (Customer decides notifications). Status updates will be provided at agreed intervals.
8. Assistance to Controller
8.1 Data Subject Requests (DSRs). Taking into account the nature of processing, EverWellAI shall assist Customer by appropriate technical and organisational measures to respond to DSRs (access, rectification, erasure, restriction, portability, objection). EverWellAI will promptly notify Customer of any DSR received directly and will not respond except on documented instructions.
8.2 DPIA & Prior Consultation. EverWellAI shall provide available information to assist Customer with DPIAs, LIAs, APDs (Appropriate Policy Documents under DPA 2018 Sch.1), and prior consultations with the ICO, proportionate to risk.
8.3 Children & special category data. EverWellAI supports Customer’s higher safeguards by offering shorter retention defaults, access restriction flags, and redaction/minimisation features where feasible.
9. Data Protection by Design & Default (AI-specific)
9.1 EverWellAI will apply data minimisation, purpose limitation and access restriction by default, including prompt minimisation and context redaction where practicable.
9.2 Model training prohibition. EverWellAI shall not use Customer Content to train foundation models or EverWellAI’s general models. Sub-processors are configured in no-training / zero-data-retention (ZDR) modes where available (e.g., AssemblyAI ZDR, Mistral no-training enterprise settings).
9.3 Content logging controls. Where an AI/ASR provider offers optional content logging for abuse monitoring or quality, EverWellAI will disable such logging by default for Customer Content unless Customer explicitly opts in.
10. Records & Audits
10.1 EverWellAI shall maintain records of processing and make them available to Customer upon request.
10.2 Independent assurance. EverWellAI will provide security/privacy documentation (e.g., ISO/SOC2 reports for Sub-processors, penetration test summaries, policies) under NDA.
10.3 Audit right. Once per 12 months (or following a material incident or supervisory request), and on 10 business days’ notice, Customer may audit EverWellAI’s compliance (including via questionnaire, remote review of documentation, or on-site). On-site audits will: (i) occur in business hours, (ii) minimise disruption, (iii) respect confidentiality/safety, and (iv) avoid accessing other customers’ data. For UK public sector customers, NAO/Cabinet Office rights in the Public Sector Supplement also apply.
11. Retention, Return & Deletion
11.1 Retention defaults. Raw audio is retained only until transcription is verified (typically ≤14 days, configurable); transcripts/outputs are retained per Customer policy.
11.2 End of processing. At termination or upon written instruction, EverWellAI shall delete or return Personal Data and delete existing copies, unless retention is required by law. Backups age out on a fixed schedule (see Annex II); deletion certificates provided on request.
12. Liability & Conflict
12.1 This DPA forms part of the Agreement. Liability is as set out in the Agreement; nothing in this DPA increases total liability beyond that agreed, except to the extent required by law.
12.2 In the event of conflict, this DPA prevails over the Agreement solely with respect to data protection obligations.
13. Notices
Security incidents: security@everwellai.co.uk
Data protection: privacy@everwellai.co.uk (or the contacts in the Order)
Annex I — Description of Processing
A. Subject-matter & duration
Processing of Customer Content in connection with recording staff supervision sessions, automatic speech recognition (ASR), LLM-assisted structuring/summarisation, export/delivery, and support. Duration: for the term of the Agreement and until deletion/return per Section 11.
B. Nature & purpose
Audio capture & upload, temporary storage for transcription
ASR transcription (AssemblyAI EU endpoints, ZDR mode where available)
LLM structuring/summarisation (Mistral EU; no-training/zero-retention modes)
Export/delivery to Customer systems; support & troubleshooting
Security (logging/monitoring) and billing/usage metadata
C. Categories of data subjects
Employees (supervisees/supervisors), contractors, managers; third parties referenced during supervision (which may include children and vulnerable individuals).
D. Categories of personal data
Identifiers (names, role, contact), voice recordings, transcripts, supervision notes, scheduling/case metadata, device/IP logs, user account data. May include special category data (e.g., health, trade union membership) and criminal offence data if introduced by Customer.
E. Sensitive data safeguards
Short retention defaults for raw audio, access restriction flags, minimisation/redaction options, no training/ZDR configuration for ASR/LLM, encryption, strict RBAC and auditing.
F. Retention
Raw audio: ≤14–30 days (configurable). Transcripts/outputs: ≤7 days (configurable). Evergreen logs/metrics: per Annex II.
G. Processing location
Primarily UK/EU regions; see Annex III and Section 6 for transfer mechanisms and safeguards.
Annex II — Technical & Organisational Measures (TOMs)
Governance & policies: Information Security Policy; Data Protection Policy; Acceptable Use; Access Control; Incident Response; Secure Development; Vendor Risk; BCDR. Assigned security lead; regular training incl. safeguarding awareness.
Access control & identity: Role-based access (RBAC) with least privilege; MFA/SSO for all admins and privileged roles; session management with timeout; quarterly access reviews and joiner/mover/leaver controls. Customer tenancy isolation; environment segregation (prod/test/dev).
Encryption & key management: TLS 1.2+ in transit; AES-256 at rest (or provider equivalent). Managed KMS/CMK where supported; key rotation per policy; secrets stored in secure vaults.
Logging, monitoring & detection: Centralised logging of authentication, privileged actions, data access, API usage; immutable log retention (e.g., ≥90 days hot, ≥12 months cold). Alerting for anomalous activity; regular review of audit trails.
Application & infrastructure security: Secure SDLC with threat modelling for AI features; code review; dependency scanning (SCA); SAST/DAST; container image scanning; IaC scanning; supply chain controls. Regular penetration testing (at least annually) with remediation tracking. Least-privileged runtime; network segmentation; WAF/rate-limiting for APIs.
Data minimisation & lifecycle: Prompt minimisation/redaction where feasible; configurable retention; defensible deletion including backup purge schedule (e.g., rolling ≤35 days); deletion certificates available. Export tooling to support DSRs; redaction support for third-party data.
Sub-processor assurance: Contractual DPAs with SCCs/UK Addendum; review of SOC 2/ISO 27001/27701 or equivalent; region selection (EU/UK). Change management and notification for Sub-processors (Section 5).
Incident response & BCDR: 24×7 on-call for critical incidents; IR playbooks (breach, ransomware, availability, vendor compromise); post-incident reports with root cause and corrective actions. Documented BCDR with tested recovery objectives; multi-AZ/region options where supported by provider.
Public sector (where applicable): Cyber Essentials Plus (or plan to obtain within 6 months); classification as OFFICIAL; BPSS/DBS for privileged staff when required; WCAG 2.2 AA accessibility roadmap.
Annex III — Authorised Sub-processors (EU-first configuration)
Provider | Purpose | Data location | Key privacy controls
AssemblyAI | ASR transcription of uploaded audio | EU endpoint (api.eu.assemblyai.com) | Contractual DPA; ZDR/no-training mode where available; TLS; at-rest encryption
Mistral AI | LLM structuring/summarisation (prompts/outputs) | EU | Enterprise terms; no model training on customer prompts/outputs; encryption; access controls
Supabase | Database/auth/storage for app data | Frankfurt (DE) | DPA with SCCs/UK Addendum; SOC2/ISO documentation; encryption; RBAC
Railway | PaaS hosting/runtime | EU region | DPA; SOC/ISO attestations; region pinning; secret management
n8n | Workflow automation/orchestration | EU (e.g., Germany West Central/Azure) or EverWellAI EU self-host | DPA; sub-processor list; encryption; logging
Google Workspace | Email/docs, limited support artefacts | EU data regions (where configured) | CDPA; SCCs; admin-enforced EU data regions; restricted support access
(Customer may request the current Sub-processor list URL or receive email notices of changes.)