Effective 10/1/2023
This Data Processing Addendum with its appendices (together, this “DPA”) is incorporated into the Master Subscription Agreement (or other electronic or mutually executed written agreement) between Evolution Global and Customer that references it (the “Agreement”). This DPA is effective as of the effective date of the Agreement.
Customer is responsible for ensuring that no special categories of Personal Data (under GDPR Article 9), Personal Data relating to criminal convictions and offenses (under GDPR Article 10), or similarly sensitive Personal Data (defined in Data Protection Laws) is submitted to Evolution Global for Processing.
Each Party will comply with all the Data Protection Laws applicable to its performance under this DPA.
This DPA remains in effect until the later of (a) the expiration or termination of the Agreement, and (b) the return or deletion of Customer Personal Data in accordance with Section 6.
Evolution Global will implement and maintain the technical and organizational measures to protect Customer Personal Data and Account Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, as described in Appendix B (the “Technical and Organizational Measures”). Evolution Global will take appropriate steps to ensure compliance with the Technical and Organizational Measures by its employees, agents, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data or Account Data have agreed to appropriate confidentiality obligations.
Customer generally authorizes Evolution Global to engage Subprocessors in accordance with this Section 4 and approves Evolution Global’s use of the Subprocessors listed in the Subprocessors List. Evolution Global will update the Subprocessors List at least 30 days before appointing a new Subprocessor and will provide Customer with a mechanism to receive notifications of updates to the Subprocessors List (a “Change Notice”), which today is available through the Subprocessors List.
Customer may object to the new Subprocessor on reasonable grounds related to the protection of Customer Personal Data by sending an email to privacy@evolution.global describing its legitimate, good-faith objection within 15 days of a Change Notice (an “Objection Notice”), in which case Evolution Global may satisfy the objection by (a) not using the Subprocessor to Process Customer Personal Data; (b) taking corrective steps requested by Customer in its Objection Notice; or (c) ceasing to provide the parts of the Services that involve the Subprocessor Processing Customer Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope. If none of the options outlined above are reasonably available and Customer’s objection has not been resolved to the Parties’ mutual satisfaction within 15 days of Evolution Global’s receipt of the Objection Notice, either Party may terminate the affected Order and Evolution Global will refund to Customer a pro rata share of any unused amounts prepaid by Customer under the applicable Order for the Services on the basis of the remaining portion of the current terms of the Order. If the Customer does not provide a timely Objection Notice with respect to a new Subprocessor, Customer will be deemed to have authorized Evolution Global’s use of the Subprocessor and to have waived its right to object.
Evolution Global will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this DPA. Evolution Global will be liable for the actions and omissions of its Subprocessors undertaken in connection with Evolution Globals performance under this DPA to the same extent Evolution Global would be liable if performing the Services directly.
If Evolution Global receives a Data Subject Request, Evolution Global will (a) advise the Data Subject to submit the request to Customer directly, and (b) promptly notify Customer of the request. Where required by Data Protection Laws, Evolution Global will, on Customer’s request and taking into account the nature of Customer Personal Data Processed, provide reasonable assistance to Customer in fulfilling the Data Subject Request to the extent Customer is unable through its use of the Services to address a particular Data Subject Request on its own. To the extent permitted by Applicable Law, Customer will be responsible for any costs arising from Evolution Global’s assistance.
Commencing 30 days after the effective date of termination of the Agreement, Evolution Global will initiate a process on Customer’s written request that deletes Customer Personal Data retained in production within 90 days and in backups within 180 days. Any Customer Personal Data archived in backups will be isolated and protected from any further Processing, except as otherwise required by Applicable Laws. Notwithstanding the foregoing, to the extent Evolution Global is required by Applicable Laws to retain some or all Customer Personal Data, Evolution Global will not be obligated to delete the retained Customer Personal Data, and this DPA will continue to apply to the retained Customer Personal Data. Customer acknowledges that it is responsible for exporting any Customer Personal Data that Customer wants to retain prior to expiration of the referenced 30-day period pursuant to the Agreement.
Evolution Global will notify Customer without undue delay after becoming aware of a Personal Data Breach. Evolution Global’s notification to Customer will describe (a) the nature of the Personal Data Breach, including, if known, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the measures Evolution Global has taken, or plans to take, to respond to and mitigate the Personal Data Breach; (c) any measures Evolution Global recommends that Customer take to address the Personal Data Breach; and (d) information related to Evolution Global’s point of contact with respect to the Personal Data Breach. If Evolution Global cannot provide all the information above in the initial notification, Evolution Global will provide the information to Customer as soon as it is available.
Evolution Global will promptly take all actions relating to its Technical and Organizational Measures that it deems necessary and advisable to identify and remediate the cause of a Personal Data Breach.
Evolution Global’s notification of or response to a Personal Data Breach will not constitute an acknowledgment of fault or liability with respect to the Personal Data Breach. The obligations in this Section 7 do not apply to Personal Data Breaches that are caused by Customer, Authorized Users, or providers of Customer Components. Except as may otherwise be required by Applicable Law (including any mandated deadlines under Data Protection Laws), if Customer decides to notify a Supervisory Authority, Data Subjects, or the public of a Personal Data Breach, Customer will make reasonable efforts to provide Evolution Global with advance copies of the notice(s) and allow Evolution Global an opportunity to provide any clarifications or corrections to them.
On Customer’s request, and subject to the confidentiality provisions of the Agreement, Evolution Global will make available to Customer copies of, or extracts from, Evolution Global’s audit reports related to the security of the Services, including, for example, its ISO 27001 certification, SOC 2 Type 2 report, and Consensus Assessments Initiative Questionnaire (CAIQ).
Customer may request (directly or through a third-party auditor subject to written confidentiality obligations) an audit of Evolution Global to verify Evolution Global’s compliance with the terms of this DPA if such an audit is required by Data Protection Laws and Evolution Global’s compliance cannot be demonstrated by means that are less burdensome on Evolution Global (including under Section 8.1). Any audit under this section must meet the following requirements: (a) Customer must provide Evolution Global at least 30 days’ prior written notice of a proposed audit unless otherwise required by a competent supervisory authority or Data Protection Laws; (b) Customer may not perform more than one audit in any 12-month period, except where required by a competent supervisory authority; (c) Customer and Evolution Global must mutually agree on the time, scope, and duration of the audit in advance; (d) Customer must reimburse Evolution Global for its time expended in connection with an audit at Evolution Global’s reasonable professional service rates, which will be made available to Customer on request; (e) Customer must ensure that its representatives performing an audit protect the confidentiality of all information obtained through the audit in accordance with the Agreement, execute an enhanced mutually agreeable nondisclosure agreement if requested by Evolution Global, and abide by Evolution Global’s security policies while on Evolution Global’s premises; and (f) Customer must promptly disclose to Evolution Global any written audit report created, and any findings of noncompliance discovered, as a result of the audit.
Taking into account the nature of the Processing and the information available to Evolution Global, Evolution Global will, when required by Data Protection Laws, assist Customer with its obligations related to data protection impact assessments (where related to the Services, and only to the extent that Customer does not otherwise have access to the relevant information) and prior consultation with supervisory authorities, including by providing the information outlined in Section 8.1 above.
Each Party’s liability taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.
In the event of a conflict or inconsistency between the Agreement, this DPA, and the SCCs, the terms of the following documents will prevail (in order of precedence): the SCCs; then this DPA; and then the Agreement.
Evolution Global may make changes to this DPA where (a) the change is required to comply with an Applicable Law; or (b) the change is commercially reasonable, does not materially reduce the security of the Services, does not change the scope of Evolution Global’s processing of Customer Personal Data, and does not have a material adverse impact on Customer’s rights under this DPA.
Capitalized terms not otherwise defined in this DPA or the Agreement have the meanings assigned to them below.
“Account Data” means information about Customer that Customer provides to Evolution Global in connection with the creation or administration of its Evolution Global accounts, such as first and last name, username, and email address of an Authorized User or Customer’s billing contact.
“Controller” means the entity that determines the purposes and means of Processing Personal Data.
“Customer Data” means data from Customer’s Environment that are submitted for Processing by the Services. Through Customer’s configuration and use of the Services, Customer has control over the types and amounts of Customer Data.
“Customer Personal Data” means Customer Data comprising Personal Data.
“Data Protection Laws” means data protection or privacy laws and regulations directly applicable to a Party’s Processing of Personal Data under the Agreement, including European Data Protection Laws.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“Data Subject Request” means a request from a Data Subject exercising his or her rights under Data Protection Laws that relates to Customer Personal Data and identifies Customer.
“EEA” means the European Economic Area.
“European Data Protection Laws” means the GDPR; the UK GDPR; and any national data protection laws, implementing regulations, or binding decisions made under the GDPR or the UK GDPR.
“GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Personal Data Breach” means a breach of Evolution Global’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
“Process” and “Processing” mean any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means the entity that Processes Personal Data on behalf of a Controller.
“Restricted Transfer” means (i) where the GDPR applies, a transfer of Customer Personal Data or Account Data from the EEA to a country outside of the EEA that is not subject to an adequacy determination by the European Commission; (ii) where the Swiss Federal Act on Data Protection applies, a transfer of Customer Personal Data or Account Data from Switzerland to a country that is not subject to an adequacy determination by the Swiss Federal Data Protection and Information Commissioner; and (iii) where the UK GDPR applies, a transfer of Customer Personal Data or Account Data from the UK to a country that is not the subject of adequacy regulations under section 17A of the United Kingdom Data Protection Act of 2018.
“SCCs” means the standard contractual clauses for international transfers annexed to the European Commission’s commission implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable.
“Subprocessor” means any Processor engaged by Evolution Global or a Evolution Global Affiliate to Process Customer Personal Data on Evolution Global’s or its Affiliate’s behalf while providing the Services.
“Subprocessors List” means the list of Subprocessors available at https://evolution.global/subprocessors/.
“UK” means the United Kingdom.
“UK GDPR” means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
“UK Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner’s Office on March 21, 2022.
A. LIST OF PARTIES
Data Exporter(s):
Name: Customer.
Address: The address for Customer associated with its Evolution Global account or as otherwise stated in the Agreement.
Contact person’s name, position, and contact details: The contact details for Customer associated with its Evolution Global account or as otherwise stated in the Agreement.
Activities relevant to the data transferred under these Clauses: Processing Customer Personal Data and Account Data for the purpose of providing, supporting, and improving the Services. Signature and date: The parties agree that execution of the Agreement constitutes execution of this Appendix A by both parties.
Role (controller/processor): Processor or Controller with respect to Customer Personal Data; Controller with respect to Account Data.
Data importer(s):
Name: Evolution Global, Inc.
Address: 6713 Old Jacksonville Highway, Suite 103, Tyler, TX 75703 USA
Contact person’s name, position, and contact details: The contact details for Evolution Global as stated in the Agreement. Evolution Global’s privacy team can be contacted at privacy@evolution.global.
Activities relevant to the data transferred under these Clauses: Processing Customer Personal Data and Account Data for the purpose of providing, supporting, and improving the Services. Signature and date: The parties agree that execution of the Agreement constitutes execution of this Appendix A by both parties.
Role (controller/processor): Processor with respect to Customer Personal Data; Controller with respect to Account Data.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
With respect to Account Data: the data subjects may include Customer’s employees. With respect to Customer Personal Data, the data subjects may include Customer’s employees, customers, vendors, and end-users.
Categories of personal data transferred
With respect to Account Data: the Personal Data that is sent to Evolution Global by Customer for the purpose of using the Services. With respect to Customer Personal Data: the Personal Data that is sent to Evolution Global by Customer for the purpose of using the Services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The Personal Data is transferred on a continuous basis.
Nature of the processing
With respect to Account Data: general account management and other activities as outlined in Evolution Global’s public Privacy Policy, available at www.evolution.global/legal/privacy-policy. With respect to Customer Personal Data: analysis, storage, and other Services as described in the Agreement, Order(s), DPA, and Documentation.
Purpose(s) of the data transfer and further processing
With respect to Account Data: for Evolution Global to (a) manage Customer’s account, including to calculate Fees; (b) provide and improve the Services and Support, including to address Support Requests and troubleshoot other issues; and (c) provide Customer and Authorized Users with insights, service and feature announcements, and other reporting. With respect to Customer Personal Data: for Evolution Global to provide, support, and improve the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
With respect to Account Data: Personal Data is retained to manage Customer’s accounts in accordance with Evolution Global’s Privacy Policy. With respect to Customer Personal Data: Personal Data is retained in accordance with either Customer’s configuration of the Services or the retention schedules outlined in the Documentation.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing
With respect to Account Data: the subject matter of Personal Data transferred to Subprocessors is Account Data, which is transferred to Subprocessors to manage Customer’s accounts with Evolution Global, in accordance with Evolution Global’s Privacy Policy. With respect to Customer Personal Data: the subject matter of Personal Data transferred to Subprocessors is Customer Personal Data, which is transferred to Subprocessors to provide, support, and improve the Services, as outlined in the agreements between Customer and Evolution Global.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority determined in accordance with Data Protection Laws.
As of the date of this DPA, Evolution Global’s technical and organizational measures include the following:
1. Access Control
- Evolution Global restricts access to Customer Personal Data to employees with a defined need-to-know or a role requiring such access.
- Evolution Global maintains user access controls that address timely provisioning and de-provisioning of user accounts.
2. Audit
- Evolution Global will maintain SSAE 18 SOC 2 certification, or comparable certification, for the term of the Agreement. This certification will be renewed on an annual basis. Upon Customer’s request, Evolution Global will provide a summary of its most recent SOC 2 report once every 12 months of the term of the Agreement.
- Evolution Global follows guidelines from ISO 27001, NIST and other industry-standard practices.
3. Business Continuity
- Evolution Global maintains business continuity, backup, and disaster recovery plans (“BC/DR Plans”) in order to minimize the loss of service and comply with Applicable Laws.
- The BC/DR Plans address threats to the Services and any dependencies, and have an established procedure for resuming access to, and use of, the Services.
- The BC/DR Plans are tested at regular intervals.
4. Change Control
- Evolution Global maintains policies and procedures for applying changes to the Services, including underlying infrastructure and system components, to ensure quality standards are being met.
- Evolution Global undergoes a penetration test of its network and Services on an annual basis. Any vulnerabilities found during this testing will be remediated in accordance with Evolution Global’s Vulnerability Management Policies and Procedures, and will be assessed on the basis of Evolution Global’s Risk Management Framework.
- Evolution Global regularly performs vulnerability scans of its network and any vulnerabilities found will be addressed in accordance with Evolution Global’s Vulnerability Management Policies and Procedures, and will be assessed on the basis of Evolution Global’s Risk Management Framework.
- Security patches are applied in accordance with Evolution Global’s patching schedule.
- Evolution Global maintains an environment for testing and development separate from the production environment.
5. Data Security
- Evolution Global maintains technical safeguards and other security measures to ensure the security and confidentiality of Customer Personal Data.
- Evolution Global logically segregates Customer Personal Data in the production environment.
6. Encryption and Key Management
- Evolution Global maintains policies and procedures for the management of encryption mechanisms and cryptographic keys in Evolution Global’s cryptosystem.
- Evolution Global enlists encryption at rest and in transit between public networks, as applicable, according to industry-standard practice.
7. Governance and Risk Management
- Evolution Global maintains an information security program that is reviewed at least annually.
- Evolution Global maintains a risk management program, with risk assessments conducted at least annually.
8. Administrative Controls
- Evolution Global uses a third-party to conduct employee background verifications for all Evolution Global personnel with access to Customer Personal Data.
- Evolution Global employees are required to complete initial (at-hire) and annual security awareness training.