Evidence Watcher Data Processing Agreement
Draft for legal review. Last updated: June 5, 2026.
This Data Processing Agreement ("DPA") supplements the Evidence Watcher Terms of Service, Privacy Policy, Subscription Terms, order form, or other written agreement between Evidence Watcher and the customer that references this DPA (the "Agreement").
This DPA applies only where Evidence Watcher processes Personal Data on behalf of a business, organization, institution, or other customer as a Processor, Service Provider, or equivalent role in connection with the Evidence Watcher service.
"Evidence Watcher," "we," "us," and "our" refer to SOUTHBYTE LABS LTD, registered in England and Wales with registered number 17260462 and registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. "Customer," "you," and "your" refer to the organization that has entered into the Agreement with Evidence Watcher.
1. Definitions
For purposes of this DPA:
- "Applicable Data Protection Laws" means privacy, data protection, and data security laws applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and other applicable U.S. state privacy laws.
- "Business" has the meaning given under applicable U.S. state privacy laws, including the CCPA/CPRA.
- "Controller" means the entity that determines the purposes and means of processing Personal Data.
- "Customer Personal Data" means Personal Data that Customer submits to the Service or otherwise makes available to Evidence Watcher for processing on Customer's behalf under the Agreement.
- "Data Subject" means an identified or identifiable individual to whom Personal Data relates.
- "DPA" means this Data Processing Agreement, including its annexes and schedules.
- "GDPR" means Regulation (EU) 2016/679.
- "Personal Data" means information relating to an identified or identifiable natural person, or any equivalent term under Applicable Data Protection Laws.
- "Process" or "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transmission, deletion, or other handling.
- "Processor" means the entity that processes Personal Data on behalf of a Controller.
- "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Evidence Watcher.
- "Service Provider" has the meaning given under applicable U.S. state privacy laws.
- "Subprocessor" means a third party engaged by Evidence Watcher to process Customer Personal Data on Evidence Watcher's behalf.
- "Supervisory Authority" means an independent public authority established under Applicable Data Protection Laws, including the UK Information Commissioner's Office where the UK GDPR applies.
2. Roles of the Parties
For Customer Personal Data processed under this DPA, Customer is the Controller or Business, and Evidence Watcher is the Processor or Service Provider.
Customer is responsible for determining whether the Service is appropriate for Customer's use case and for ensuring that Customer has a lawful basis, authority, notices, permissions, and consents needed to submit Customer Personal Data to the Service.
Evidence Watcher may act as an independent Controller for certain processing activities outside the scope of this DPA, including account administration, billing, fraud prevention, security, business operations, legal compliance, website analytics if enabled, and direct communications with Customer. Those activities are governed by Evidence Watcher's Privacy Policy and the Agreement, not this DPA.
3. Scope and Purpose of Processing
Evidence Watcher will process Customer Personal Data only as necessary to provide, secure, support, maintain, troubleshoot, and improve the Service as described in the Agreement, this DPA, Customer's documented instructions, or as required by law.
For purposes of this DPA, "improve the Service" means activities reasonably necessary to maintain, debug, test, secure, measure, and improve the reliability, quality, safety, and performance of the Service for Customer and similarly situated customers. Evidence Watcher will not use Customer Personal Data for model training, advertising, resale, or unrelated product development except as expressly permitted in this DPA or separately agreed in writing with appropriate legal basis and notice.
The subject matter, duration, nature, purpose, categories of Data Subjects, and categories of Customer Personal Data are described in Annex 1.
4. Customer Instructions
Customer instructs Evidence Watcher to process Customer Personal Data:
- To provide the Service.
- To create, run, manage, pause, resume, and deliver alerts.
- To authenticate users and manage organization access.
- To send transactional emails and service notices.
- To process billing, subscription, and account administration data.
- To generate AI summaries, synthesis, ranking, relevance signals, and explanations.
- To maintain security, availability, reliability, logging, debugging, and abuse prevention.
- To provide support and respond to Customer requests.
- To comply with applicable legal obligations.
- As otherwise documented in the Agreement or directed by Customer through the Service.
Customer's documented instructions include instructions provided through the Service, account settings, administrator settings, support requests, written communications, the Agreement, this DPA, and any applicable order form.
Evidence Watcher will not process Customer Personal Data for purposes outside Customer's documented instructions unless required by applicable law. If Evidence Watcher believes an instruction violates Applicable Data Protection Laws, Evidence Watcher will promptly notify Customer in writing and may suspend the relevant processing pending Customer's response.
Customer's documented instructions include instructions relating to international transfers of Customer Personal Data unless the parties agree otherwise in writing. If Evidence Watcher is required by UK, EU, member-state, or other applicable law to process Customer Personal Data outside Customer's documented instructions, Evidence Watcher will inform Customer of that legal requirement before processing unless the law prohibits that notice on important grounds of public interest.
5. Prohibited Data
The Service is not designed to collect or process protected health information, patient-identifiable information, consumer health data, medical records, special category health data, genetic data, biometric data used for identification, or information about an identifiable individual's health, treatment, diagnosis, symptoms, medications, care, clinical history, or clinical trial eligibility.
Customer must not submit prohibited data to the Service. Customer is responsible for configuring and using the Service in a way that avoids submitting prohibited data.
If Customer believes prohibited data has been submitted, Customer must notify Evidence Watcher promptly at info@evidencewatcher.com.
After receiving notice or otherwise identifying prohibited data, Evidence Watcher may, where lawful and technically practicable:
- Quarantine, restrict, or delete the prohibited data.
- Suspend the affected alert, account, workflow, or processing activity.
- Ask Customer for instructions.
- Take reasonable steps to reduce further processing of the prohibited data.
- Preserve limited records where needed for security, legal, or compliance purposes.
Evidence Watcher does not offer a HIPAA Business Associate Agreement unless expressly agreed in a separate written agreement. Customer must not use the Service in a way that requires Evidence Watcher to act as a HIPAA business associate unless a signed Business Associate Agreement is in place.
6. Confidentiality
Evidence Watcher will ensure that personnel authorized to process Customer Personal Data, including employees, contractors, temporary workers, and agency workers where applicable, are subject to confidentiality obligations or appropriate statutory obligations of confidentiality.
Evidence Watcher will limit access to Customer Personal Data to personnel and Subprocessors who need access to perform the Service, support Customer, maintain security, comply with legal obligations, or otherwise perform obligations under the Agreement and this DPA.
7. Security Measures
Evidence Watcher will implement and maintain appropriate administrative, technical, and organizational measures designed to meet the requirements of Article 32 of the GDPR and UK GDPR where applicable and to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
These measures may include, as appropriate to the Service and the nature of the processing:
- Access controls and authentication.
- Role-based or need-to-know access.
- Transport encryption for data in transit.
- Encryption, hashing, or pseudonymization where appropriate.
- Measures designed to support ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Measures designed to restore availability of and access to Customer Personal Data in a timely manner following a physical or technical incident.
- Processes for testing, assessing, or reviewing the effectiveness of security measures.
- Use of managed hosting, database, and infrastructure providers.
- Logging, monitoring, and error tracking.
- Backup, recovery, and reliability practices.
- Vendor review and contractual protections.
- Security incident response procedures.
Customer is responsible for secure configuration of its own accounts, users, devices, networks, passwords, identity provider settings, and access permissions.
8. Subprocessors
Customer gives Evidence Watcher general written authorization to engage Subprocessors to provide the Service, subject to this Section 8.
Evidence Watcher will carry out appropriate due diligence on Subprocessors before engaging them and will take reasonable steps to monitor their compliance on an ongoing basis.
Evidence Watcher will impose data protection obligations on Subprocessors that are at least equivalent to those imposed on Evidence Watcher under this DPA, including obligations requiring the Subprocessor to provide sufficient guarantees to implement appropriate technical and organizational measures.
Known current or planned Subprocessors include the providers listed in Annex 2. Additional Subprocessor details are available on request.
Evidence Watcher will give Customer at least 30 days' prior written notice before adding or replacing any Subprocessor that processes Customer Personal Data, unless shorter notice is necessary because of urgent security, availability, legal, or business-continuity reasons. Notice may be provided by email to Customer's registered contact, in-app notice, or another written notice method.
Customer may object to the addition or replacement of a Subprocessor by providing written notice within 14 days of Evidence Watcher's notice. Customer's objection must describe the reasonable data protection grounds for the objection. The parties will work in good faith to resolve the objection. If the parties cannot resolve the objection, Customer may terminate the affected Service by giving written notice within 30 days after Evidence Watcher's notice.
Evidence Watcher remains fully liable to Customer for the performance by each Subprocessor of its data protection obligations under this DPA, to the same extent as if Evidence Watcher were performing those obligations directly.
Public data and source services, including PubMed/NCBI, ClinicalTrials.gov, PubChem, MONDO, EBI OLS, publisher websites, registries, and related services, may receive search terms, query metadata, source identifiers, or request metadata as needed to retrieve public records. These public source services are generally independent third-party sources rather than Evidence Watcher Subprocessors unless Evidence Watcher engages them to process Customer Personal Data on Evidence Watcher's behalf. Customer should avoid including Personal Data in search terms or alert fields.
9. AI Processing and Model Training
Evidence Watcher may process Customer Personal Data through AI systems to provide AI summaries, synthesis, ranking, relevance signals, and explanations.
Evidence Watcher currently uses Anthropic as an AI service provider for AI synthesis and related alert summarization features. Evidence Watcher will list AI service providers that process Customer Personal Data in Annex 2 or make additional details available on request.
Evidence Watcher will not use Customer Personal Data or Customer Content to train third-party foundation models or Evidence Watcher-owned AI models. Anthropic states that, by default, it does not use inputs or outputs from its commercial products, including the Anthropic API, to train its models, except where customers explicitly provide feedback, report bugs, or otherwise choose to allow such use. Evidence Watcher does not submit Customer Personal Data or Customer Content to Anthropic for feedback, bug-reporting, or model-training purposes.
Evidence Watcher will maintain contractual commitments with AI service providers designed to support this Section 9, including commitments restricting model training on Customer Personal Data where available and applicable.
AI-generated outputs are provided as part of the Service and may be incomplete, inaccurate, outdated, or unsuitable for Customer's use case. Customer remains responsible for verifying source materials and determining whether AI outputs are appropriate for its intended use.
10. Assistance with Data Subject Requests
Taking into account the nature of the processing and the information available to Evidence Watcher, Evidence Watcher will provide reasonable assistance to Customer in responding to Data Subject requests to access, correct, delete, restrict, object to, or port Customer Personal Data.
If Evidence Watcher receives a Data Subject request relating to Customer Personal Data, Evidence Watcher will direct the requester to Customer unless Applicable Data Protection Laws require otherwise.
Evidence Watcher will not independently respond to a Data Subject request relating to Customer Personal Data unless instructed by Customer or required by Applicable Data Protection Laws.
11. Assistance with Compliance
Taking into account the nature of the processing and the information available to Evidence Watcher, Evidence Watcher will provide reasonable assistance to Customer with Customer's obligations relating to:
- Keeping Customer Personal Data secure.
- Notifying personal data breaches to regulators, including the ICO where applicable.
- Notifying personal data breaches to Data Subjects where required.
- Carrying out data protection impact assessments where required.
- Consulting the ICO or another Supervisory Authority where a data protection impact assessment indicates a high risk that cannot be mitigated.
Evidence Watcher will provide the assistance required by Article 28(3)(f) of the GDPR and UK GDPR, where applicable, including security, breach notification, DPIA, and prior consultation assistance, without additional charge as part of the Service.
Evidence Watcher may charge reasonable fees only for assistance requests that go materially beyond what is required by Applicable Data Protection Laws, are outside the scope of this DPA, and are expressly requested by Customer.
12. Security Incident Notice
Evidence Watcher will notify Customer without undue delay, and in any event within 48 hours, after becoming aware that a Security Incident has occurred or is reasonably suspected.
Initial notice may be preliminary and may be followed by additional information as it becomes available. The notice will include information reasonably available to Evidence Watcher, which may include:
- The nature of the Security Incident.
- Affected categories of Customer Personal Data.
- Affected categories of Data Subjects.
- Likely consequences, where known.
- Measures taken or proposed to address the Security Incident.
- Measures recommended to Customer to mitigate potential harm.
- A contact point for follow-up.
Evidence Watcher will take reasonable steps to investigate, contain, mitigate, and remediate Security Incidents affecting Customer Personal Data.
Customer is responsible for determining whether notification to Data Subjects, regulators, customers, or other parties is required.
13. Return and Deletion
Upon termination or expiration of the Agreement, Evidence Watcher will, at Customer's choice, delete or return Customer Personal Data in accordance with the Agreement, the Service's functionality, and applicable law.
Unless a different timeframe is specified in the Agreement or required by law, Evidence Watcher will delete Customer Personal Data from active production systems within 30 days after termination, expiration, or Customer's written deletion request, where technically practicable.
Evidence Watcher may retain Customer Personal Data where required or permitted by law, including backup copies, logs, billing records, security records, fraud prevention records, legal records, or information needed to enforce the Agreement, provided that retained data remains protected in accordance with this DPA and is not processed for other purposes.
Where immediate deletion from backups or archives is not reasonably practicable, Evidence Watcher will put retained Customer Personal Data beyond active use and delete it according to its ordinary deletion or destruction cycle, not to exceed 180 days, unless continued retention is required or permitted by law.
14. Audits, Information, and Records
Evidence Watcher will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR and UK GDPR where applicable.
Evidence Watcher will maintain records of processing activities carried out on behalf of Customer where required by Article 30(2) of the GDPR or UK GDPR or equivalent Applicable Data Protection Laws.
Where required by Applicable Data Protection Laws, Customer may request an audit of Evidence Watcher's compliance with this DPA. Evidence Watcher will allow for and contribute to audits and inspections carried out by Customer or an auditor appointed by Customer, subject to reasonable scope, timing, duration, confidentiality, security, and non-disruption requirements.
As a first step, Evidence Watcher may provide security documentation, policies, summaries, certifications, third-party reports, written responses, or other reasonable evidence of compliance. If that documentation is not reasonably sufficient to demonstrate compliance with this DPA, Customer may request a more detailed audit or inspection, subject to reasonable safeguards designed to protect Evidence Watcher, other customers, and the security of the Service.
Audits may not require Evidence Watcher to disclose confidential information of other customers, information that would compromise security, trade secrets, privileged materials, or information unrelated to Customer Personal Data.
15. International Transfers
Customer acknowledges that Evidence Watcher's primary application database is hosted in the UK. Customer Personal Data may also be processed in other jurisdictions where Evidence Watcher, its personnel, or its service providers operate, depending on the provider and service used.
Where Customer Personal Data is transferred from the European Economic Area to a country not subject to an EU adequacy decision, the parties agree to the applicable EU Standard Contractual Clauses, incorporated into this DPA as Schedule 1.
Where Customer Personal Data is transferred from the United Kingdom to a country not subject to UK adequacy regulations, the parties agree to the terms of the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, incorporated into this DPA as Schedule 2.
Where Customer Personal Data is transferred from Switzerland to a country not recognized as providing adequate protection, the parties will use the EU Standard Contractual Clauses with appropriate Swiss amendments or another lawful transfer mechanism.
The applicable modules, annex details, supplementary measures, and transfer risk assessment details must be completed before this DPA is executed or relied upon for restricted transfers.
Nothing in this DPA may be interpreted to modify, limit, or conflict with the Standard Contractual Clauses, UK International Data Transfer Agreement, UK Addendum, or any other mandatory transfer mechanism incorporated into this DPA.
16. U.S. State Privacy Laws
Where U.S. state privacy laws apply and Evidence Watcher processes Customer Personal Data as a Service Provider or Processor, Evidence Watcher will:
- Process Customer Personal Data only for the business purposes described in the Agreement and this DPA.
- Not sell Customer Personal Data.
- Not share Customer Personal Data for cross-context behavioral advertising.
- Not retain, use, or disclose Customer Personal Data outside the direct business relationship except as permitted by applicable law.
- Not combine Customer Personal Data with personal information from other sources except as permitted by applicable law.
- Assist Customer with applicable consumer rights requests as required by applicable law.
- Notify Customer if Evidence Watcher determines it can no longer meet its obligations under applicable U.S. state privacy laws.
Customer may take reasonable and appropriate steps to ensure that Evidence Watcher uses Customer Personal Data in a manner consistent with Customer's obligations under applicable U.S. state privacy laws.
17. Limitation of Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, unless prohibited by Applicable Data Protection Laws.
Nothing in the Agreement or this DPA limits or excludes liability to the extent such limitation or exclusion is prohibited by Applicable Data Protection Laws or an incorporated transfer mechanism.
The parties should ensure that the Agreement's liability cap is appropriate for the nature, volume, and sensitivity of Customer Personal Data processed under the Service.
18. Conflict
If there is a conflict between this DPA and the Agreement, this DPA controls only with respect to the processing of Customer Personal Data as a Processor or Service Provider.
If there is a conflict between this DPA and Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum, or another mandatory transfer mechanism, that mandatory transfer mechanism controls to the extent of the conflict.
19. Changes to This DPA
Evidence Watcher may update this DPA from time to time to reflect non-material changes in the Service, Applicable Data Protection Laws, Subprocessors, security measures, or Evidence Watcher's data practices, provided that such changes do not materially reduce protections for Customer Personal Data.
Evidence Watcher will provide notice of material changes to this DPA. Changes that materially reduce protections for Customer Personal Data or materially alter the parties' rights or obligations under this DPA will not apply to Customer without Customer's written agreement, unless the change is required by Applicable Data Protection Laws.
Changes to incorporated Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum, or other mandatory transfer mechanisms will only be made as permitted by those instruments and Applicable Data Protection Laws.
20. Governing Law and Jurisdiction
This DPA is governed by the governing law specified in the Agreement unless otherwise required by Applicable Data Protection Laws or an incorporated transfer mechanism.
If the Agreement does not specify governing law, this DPA is governed by the laws of [England and Wales / other jurisdiction selected by counsel].
Any disputes arising from this DPA are subject to the jurisdiction specified in the Agreement, unless otherwise required by Applicable Data Protection Laws or an incorporated transfer mechanism.
21. Contact
Questions about this DPA, privacy matters, prohibited data, Security Incidents, or data protection requests can be sent to:
Data Protection Officer information: available on request.
Annex 1: Details of Processing
Subject Matter
Evidence Watcher's provision of research monitoring, alerting, AI synthesis, account management, organization management, billing, and related services to Customer.
Duration
For the duration of the Agreement and any additional period required or permitted by the Agreement, this DPA, or applicable law.
Nature and Purpose
Processing Customer Personal Data to provide, secure, support, maintain, troubleshoot, and improve the Service, including account authentication, alert creation, alert execution, alert delivery, AI-generated synthesis, billing, support, logging, abuse prevention, and compliance.
Categories of Data Subjects
- Customer's authorized users.
- Customer's administrators.
- Customer's billing contacts.
- Customer's support contacts.
- Other individuals whose information Customer submits to the Service, subject to the prohibited-data restrictions in the Agreement and this DPA.
Categories of Customer Personal Data
- Name.
- Email address.
- Authentication identifiers.
- Organization membership and role.
- Account status.
- Alert names and descriptions.
- Search queries.
- Monitored trial identifiers.
- Alert frequency, schedule, timezone, and delivery preferences.
- Alert run history and delivery history.
- Profile and personalization information.
- Support communications.
- Billing contact information and billing metadata.
- IP address.
- Device and browser information.
- Referring page information.
- Session identifiers.
- Authentication logs.
- Request metadata.
- Error logs.
- Security logs.
- Approximate location inferred from IP address.
- Timestamps and usage events.
Customer Obligations and Rights
Customer is responsible for complying with its obligations as Controller or Business, including providing lawful instructions, giving required notices, establishing a lawful basis for processing, responding to Data Subject requests, and determining whether the Service is appropriate for Customer's intended use.
Customer has the rights described in this DPA and the Agreement, including rights to issue documented instructions, receive reasonable assistance, receive Security Incident notices, object to Subprocessor changes, request return or deletion of Customer Personal Data at the end of the Agreement, and request information, audits, or inspections as required by Applicable Data Protection Laws.
Sensitive Data
The Service is not intended to collect or process protected health information, patient-identifiable information, consumer health data, medical records, special category health data, genetic data, biometric data used for identification, or individual health details. Customer must not submit that information to the Service.
Processing Operations
Collection, recording, organization, structuring, storage, retrieval, consultation, use, transmission, disclosure to service providers, alignment or combination, restriction, deletion, and destruction as necessary to provide the Service.
Annex 2: Subprocessors
Additional Subprocessor details are available on request. The following known current or planned Subprocessors are disclosed:
| Provider | Service | Location / transfer notes |
|---|---|---|
| Vercel | Application hosting, serverless functions, cron jobs, deployment infrastructure, logs, and related platform services. | [Complete before publication] |
| Neon / managed Postgres | Database hosting and storage. | Primary application database hosted in the UK. |
| Google OAuth | Sign-in and identity provider services. | [Complete before publication] |
| Postmark | Transactional email delivery. | [Complete before publication] |
| Stripe | Checkout, subscriptions, payment processing, invoices, billing portal, fraud prevention, and tax-related payment services if billing is enabled. | [Complete before publication] |
| Anthropic | AI synthesis, summarization, ranking, relevance signals, and related AI processing. Anthropic states that commercial-product inputs and outputs are not used for model training by default, subject to feedback, bug-reporting, or opt-in exceptions. | [Complete before publication] |
Schedule 1: EU Standard Contractual Clauses
To be completed by counsel before use where Customer Personal Data is transferred from the European Economic Area to a country without an EU adequacy decision.
The parties should complete and incorporate the applicable 2021 EU Standard Contractual Clauses, including:
- Applicable module.
- Parties and contact details.
- Description of processing.
- Categories of Personal Data.
- Categories of Data Subjects.
- Sensitive data, if any.
- Frequency of transfer.
- Nature and purpose of processing.
- Retention period.
- Subprocessors.
- Technical and organizational measures.
- Competent supervisory authority.
- Supplementary measures and transfer risk assessment where required.
Schedule 2: UK Transfer Mechanism
To be completed by counsel before use where Customer Personal Data is transferred from the United Kingdom to a country not subject to UK adequacy regulations.
The parties should select, complete, and incorporate either:
- The UK International Data Transfer Agreement; or
- The UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
The selected mechanism should include all required tables, annexes, transfer details, security measures, and any required transfer risk assessment or supplementary measures.