Log inGet started
Elicivo is a trading name. Legal entity details will be updated prior to first paying subscriber.

Data Processing Agreement

Last updated: 25 May 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Elicivo ("Processor") and the customer organisation that creates or administers a workspace on the Elicivo platform ("Controller" or "Customer"). By using the Service, the Customer accepts this DPA.

1. Parties and roles

Processor: Elicivo (trading name; legal entity details to be updated prior to first paying subscriber).

Controller: The organisation identified by the workspace registered on app.elicivo.com, acting through its authorised workspace administrators.

The Controller determines the purposes and means of processing personal data relating to its employees, reviewers, and reviewees. Elicivo processes that data solely on documented instructions from the Controller.

2. Subject matter and duration

Subject matter: Processing of personal data in connection with AI-assisted performance review workflows configured by the Controller.

Duration: For the term of the Customer's subscription to the Service, plus applicable retention periods described in the Privacy Policy.

3. Nature and purpose of processing

Processing includes:

  • Storing employee and reviewer records provided by the Controller.
  • Conducting AI-assisted review interviews and mapping conversations to scoring criteria.
  • Generating scores, justifications, and aggregated reports.
  • Maintaining audit logs of processing activities.
  • Delivering notifications and participant links as configured by the Controller.

4. Types of personal data

  • Employee records: name, email, department, review cadence.
  • Reviewer data: name, optional email, conversation transcripts, scores, adjustments, and justifications.
  • Reviewee data: scores, narratives, discrepancy flags, and aggregated reports.
  • Audit events relating to the above processing.

5. Categories of data subjects

  • Workspace members (Controller's staff using the platform).
  • Employees subject to review cycles.
  • Reviewers and participants (peers, managers, self-reviewers).

6. Processor obligations

Elicivo shall:

  • Process personal data only on documented instructions from the Controller, including instructions transmitted through the Service configuration, unless required by law.
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures, as described in the Privacy Policy.
  • Not engage another processor (sub-processor) without informing the Controller, subject to Section 7 below.
  • Assist the Controller, where reasonably possible, with data protection impact assessments and prior consultations with supervisory authorities relating to the Service.
  • Notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data.
  • At the Controller's choice, delete or return personal data after the end of the provision of services, subject to applicable retention requirements.
  • Make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an appointed auditor, subject to reasonable notice and confidentiality restrictions.

7. Sub-processors

The Controller authorises Elicivo to use the sub-processors listed in Section 6 of the Privacy Policy.

Elicivo will notify the Controller of intended changes to sub-processors at least 30 days before the change takes effect. The Controller may object on reasonable grounds relating to data protection. If the parties cannot resolve the objection, the Controller may terminate the affected part of the Service.

Elicivo remains responsible for sub-processor performance of data protection obligations.

8. International transfers

Personal data processed through the Service is stored and processed in AWS eu-west-1 (Ireland), within the European Economic Area. Elicivo does not intentionally transfer Controller data outside the EEA for processing.

9. Controller obligations

The Controller shall:

  • Ensure it has a lawful basis to collect and process personal data submitted to the Service.
  • Inform data subjects, including reviewers and reviewees, as required by applicable law.
  • Configure the Service responsibly, including alignment and disclosure settings.
  • Ensure human oversight of AI-generated outputs before using them in employment decisions.

10. Governing law

This DPA is governed by the laws of England and Wales, consistent with the Terms of Service.

11. Contact

Data protection enquiries: privacy@elicivo.com