Evicta LogoEVICTA
[EV-DPA]

Data Processing Addendum

Effective: April 8, 2026
Parties & ScopeCategories of DataTechnical MeasuresSubprocessingRetention & DeletionAudit Rights
[EV-DPA-301]

1. Parties and Scope

This Data Processing Addendum ("DPA") forms part of the Master Service Agreement between Evicta Infrastructure ("Processor") and the Customer ("Controller").

Evicta acts as a Data Processor on behalf of the Controller. The Controller determines the purposes and means of processing. Evicta processes personal data solely as instructed by the Controller for the purpose of executing data extraction and migration services.

Processor
Evicta Infrastructure
Controller
The Customer
[EV-DPA-302]

2. Categories of Data

Evicta processes the following categories of data during an extraction run:

  • Support ticket metadata (status, assignee, timestamps, tags)
  • User and organization identifiers
  • Custom field definitions and mapping configurations
  • API authentication credentials (encrypted at rest via AES-256-GCM)
  • Ticket communications, comments, and body content

No ticket body content is retained after the Migration Window concludes. All extracted archives are purged via automated lifecycle policies.

[EV-DPA-303]

3. Technical and Organizational Measures (TOMs)

Evicta implements the following technical measures to protect personal data:

Encryption in TransitTLS 1.3 with certificate pinning
Encryption at RestAES-256-GCM for credential and key storage
Execution ModelEphemeral runtimes — destroyed after stream closes
Data PathSource → RAM → Destination (zero disk persistence)
Access ControlRole-based, least-privilege access policies
MonitoringAudit-logged access to production systems
[EV-DPA-304]

4. Subprocessing

Evicta engages subprocessors to provide infrastructure, configuration storage, and payment processing services. A complete list of subprocessors, categorized by function, is maintained at evicta.dev/subprocessors.

The Controller authorizes the use of subprocessors as listed. Evicta will provide thirty (30) calendar days' notice before engaging a new subprocessor or changing an existing subprocessor's role. During this period, the Controller may object to the change by providing written notice.

[EV-DPA-305]

5. Data Retention and Deletion

Extracted archives are stored for the duration of the Migration Window (default 30 days) and are subsequently purged via automated lifecycle policies. Configuration metadata is retained for idempotency and support purposes.

Upon termination of the Agreement, all Customer data (including archives and metadata) will be deleted within fourteen (14) calendar days, unless the Controller requests earlier deletion.

[EV-DPA-306]

6. Audit Rights

The Controller has the right to audit Evicta's compliance with this DPA, subject to reasonable advance written notice of at least thirty (30) calendar days. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Evicta's operations.

Evicta will make available all information reasonably necessary to demonstrate compliance, including access to security documentation and audit reports upon request.