Evadata Data Processes Security Terms
1. Data Protection
1.1. Definitions: In this DPST, the following terms have the following meanings:
(a) “Agreement” means the Master Services Agreement in place between Customer and Evadata in connection with the purchase of Evadata Services by Customer.
(b) “Applicable Data Protection Law” means privacy, data security, and data protection laws, guidance, and regulations in any jurisdiction in the United States applicable to Personal Data processed under this Agreement.
(c) “Customer Personal Data” means any data or information of Customer (or its end customers), including any Personal Data therein, that Customer submits, posts, uploads, or otherwise transmits to or through the applicable Evadata Services in accordance with this Agreement and any applicable Services-Specific Schedule, all as further described in Exhibit A of this DPST.
(d) “Data Subject” means an identified or identifiable individual to whom Personal Data relates.
(e) “Documentation” means the product and technical documentation, user guides, and manuals delivered, or made available, by Evadata to Customer for the Evadata Services.
(f) “End User” means an individual the Customer permits or invites to use Evadata Services.
(g) “Personal Data” means any information that identifies an individual or is reasonably capable of being identified with an individual when combined with other information (e.g., name, social security number, account number, address), including any information that constitutes “personal data,” “personal information,” “protected health information,” “nonpublic information,” or an equivalent within the meaning of an Applicable Data Protection Law.
(h) “Security Incident” means any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data processed by Evadata and/or its Sub-processors in connection with the provision of the Service. For the avoidance of doubt, “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
(i) “Services” means the provision of the Evadata Services by Evadata to Customer pursuant to the Agreement.
(j) “Evadata Network Subscriber Data” means, if applicable to the Evadata Services that Customer purchases, any data or information of an Evadata Network Subscriber (or its end customers), including any Personal Data therein, that an Evadata Network Subscriber contributes, submits, posts, uploads, or otherwise transmits to or through such Evadata Services and that Evadata makes available to Customer for such Evadata Services.
(k) “Evadata Network Subscribers” means, as applicable, any other customers of Evadata that have purchased a subscription to the same Evadata Services as Customer pursuant to their agreement(s) with Evadata.
(l) “Sub-processor” means any processor engaged by Evadata to assist in fulfilling Evadata’s obligation to provide the Services pursuant to the Agreement or this DPST where such Sub-processor processes Customer Personal Data. Sub-processors may include Evadata’s affiliates or other third parties.
1.2. Description of Processing: A description of the processing of Personal Data related to the Services, as applicable, is set out in Exhibit A. Evadata may update the description of processing from time to time to reflect new products, features or functionality comprised within the Services. Evadata will update relevant documentation to reflect such changes.
1.3. Customer Processing of Personal Data: Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Law in its processing of Customer Personal Data, Evadata Network Subscriber Data, and any processing instructions it issues to Evadata, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Law for Evadata to process Personal Data and provide the Services pursuant to the Agreement (including this DPST).
1.4. Evadata Processing of Personal Data: When Evadata processes Customer Personal Data in its capacity as a processor on behalf of Customer, Evadata will process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with the documented lawful instructions of Customer (as set forth in the Agreement, in this DPST, or as directed by Customer or Customer’s End Users through the Evadata Services) (the “Permitted Purpose”). Evadata will not retain, use, disclose, or otherwise process the Customer Personal Data for any purpose other than the Permitted Purpose, except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law, and will not “sell” the Customer Personal Data. To the extent that Applicable Data Protection Law precludes Evadata from processing Customer Personal Data, Evadata will, to the extent permitted by law, inform Customer.
1.5. Confidentiality of Processing: Evadata must ensure that any person that it authorizes to process Customer Personal Data (including Evadata’s staff, agents, and Sub-processors) will be subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and must not permit any person to process Customer Personal Data who is not under such a duty of confidentiality.
1.6. Security: Evadata, and, to the extent required under the Agreement, Customer, must implement appropriate technical and organizational measures in accordance with Applicable Data Protection Law to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data. Evadata’s current technical and organizational measures are described in Exhibit B (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Evadata may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.
1.7. Sub-processing: Customer agrees that Evadata may engage Sub-processors to process Customer Personal Data on Customer’s behalf. The Sub-processors currently engaged by Evadata and authorized by Customer are listed at https://www.evadata.com/data-subprocessors. Evadata will enter into a written agreement(s) with each Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by Applicable Data Protection Law (and in substance, to the same standard provided by this DPST).
1.8. Cooperation obligations and Data Subjects’ rights:
(a) Taking into account the nature of the processing, Evadata must provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, to rectification, to erasure, to restriction, to objection, and to data portability, as applicable); and (ii) any other correspondence, inquiry, or complaint received from a Data Subject, regulator, or other third party, in each case in respect of Customer Personal Data that Evadata processes on Customer’s behalf;
(b) In the event that any request, correspondence, inquiry, or complaint (referred to under paragraph (a) above) is made directly to Evadata, Evadata acting as a processor will not respond to such communication directly without Customer’s prior authorization, unless legally required to do so, and instead, after being notified by Evadata, Customer may respond. If Evadata is legally required to respond to such a request, Evadata will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so; and
(c) To the extent Evadata is required under Applicable Data Protection Law, Evadata will (at Customer’s request and expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities, taking into account the nature of processing and the information available to Evadata.
1.9. Security Incidents: Upon becoming aware of a Security Incident, Evadata will inform Customer without undue delay and provide timely information (taking into account the nature of processing and the information available to Evadata) relating to the Security Incident as it becomes known or as is reasonably requested by Customer, to allow Customer to fulfill its data breach reporting obligations under Applicable Data Protection Law. Evadata will further take reasonable steps to contain, investigate, and mitigate the effects of the Security Incident. Evadata’s notification of or response to a Security Incident in accordance with this Section 1.9 will not be construed as an acknowledgment by Evadata of any fault or liability with respect to the Security Incident.
1.10. Deletion or return of Data: Upon receipt of a written request from Customer, Evadata will delete or return to Customer all Customer Personal Data (including copies) processed on behalf of Customer in compliance with the procedures and retention periods outlined in the DPST. Notwithstanding the foregoing, this requirement does not apply to the extent Evadata is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Customer Personal Data Evadata will securely isolate and protect from any further processing, as further detailed in Exhibit A. Evadata will have no obligation to destroy, remove or archive Customer Personal Data that has been transmitted or submitted to Evadata Network Subscribers prior to Evadata’s receipt of Customer’s written request, and Evadata Network Subscribers may continue to use such Customer Personal Data.
1.11. Audit: Customer acknowledges that Evadata is regularly audited by independent third-party auditors and/or internal auditors. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with Evadata, Evadata must:
(a) supply (on a confidential basis) a summary copy of its audit report(s) (“Report”) to Customer, so Customer can verify Evadata’s compliance with the audit standards against which it has been assessed, and with this DPST; and
(b) provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires, that are necessary to confirm Evadata’s compliance with this DPST, provided that Customer cannot exercise this right more than once per calendar year.
1.12. Law enforcement: If a law enforcement agency sends Evadata a demand for Customer Personal Data (e.g., a subpoena or court order), Evadata will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Evadata may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then Evadata will give Customer reasonable notice of the demand, to the extent Evadata is legally permitted to do so, to allow Customer to seek a protective order or other appropriate remedy.
1.13. Third party integrations: Through use of the Evadata Services and certain features thereof, Customer or Customer’s End Users, as applicable, may elect to grant third parties visibility to data or content (which may include Customer Personal Data). Evadata may make Customer’s data or content (which may include Personal Data) visible to third parties consistent with this paragraph, as instructed by Customer or Customer’s End Users through the Evadata Services and relevant functionalities.
2. Relationship with the Agreement
2.1. The parties agree that this DPST, effective as of the date last updated herein, replaces and supersedes any existing DPST the parties may have previously entered into in connection with the Services. Notwithstanding any contrary term in the Agreement or this DPST, Evadata may update the DPST from time to time in its reasonable discretion; provided that the updates do not (a) result in a material degradation of the overall security of the Evadata Services or the Customer Personal Data, (b) expand the scope of or remove any restrictions on Evadata’s processing of Customer Personal Data as described in the Agreement, or (c) have a material adverse impact on Customer’s rights under the DPST. Evadata will promptly notify Customer of any material updates to the DPST.
2.2. Except for the changes made by this DPST, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPST and the Agreement, this DPST will prevail to the extent of that conflict in connection with the processing of Customer Personal Data. If there is any conflict between the Standard Contractual Clauses and the Agreement (including this DPST), the Standard Contractual Clauses will prevail to the extent of that conflict in connection with the processing of Customer Personal Data governed under the Standard Contractual Clauses.
2.3. Notwithstanding anything to the contrary in the Agreement or this DPST, the liability of each party and each party’s affiliates under this DPST is subject to the exclusions and limitations of liability set out in the Agreement. Customer acknowledges that Evadata is reliant on Customer for direction as to the extent to which Evadata is entitled to Process Customer Personal Data on behalf of Customer in performance of the applicable Evadata Services. Consequently, Evadata will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Evadata in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under any applicable law.
2.4. Any claims against Evadata or its affiliates under this DPST can only be brought by the Customer entity that is a party to the Agreement against the Evadata entity that is a party to the Agreement. In no event will this DPST or any party restrict or limit the rights of any Data Subject or of any competent supervisory authority.
2.5. This DPST will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.
2.6. This DPST and the Standard Contractual Clauses will terminate simultaneously and automatically upon deletion by Evadata of the Customer Personal Data processed on behalf of Customer, in accordance with Section 1.10 of this DPST.
Description of the Processing and Transfer Activities
The parties acknowledge that Evadata’s processing of Personal Data will include all Personal Data submitted or uploaded to the Services by Customer from time to time for the purposes of, or otherwise in connection with, Evadata providing the Services to Customer.
Set out below are descriptions of the processing and transfers of Personal Data as contemplated as of the date of this DPST. Such descriptions are subject to change or may be supplemented pursuant to Section 1.2 of the DPST.
Part A: Description of processing and transfer.
Evadata LENS – Death Notifications
Categories of Data Subjects
Customer Data, as well as all relevant End Users of Services on behalf of Customer.
Categories of data transferred by Customer to Evadata
Customer File, for example:
- Date of Birth
- Any other data Customer sends
Verified Death File, for example:
- Date of Birth
- Social Security Number
- Date of Death
- Any other data Customer sends
End User Account Information, for example:
- Evadata identifier associated with user account
- Avatar Image and URL
- Employment Information, for example:
  - Job title / role
Categories of data transferred by Evadata to Customer
Matches from Customer File, for example:
- Date of Birth
- Social Security Number
- Any other data Customer sends
Death data from Death Sources, for example:
- Date of Birth
- Social Security Number
- Date of Death
Categories of data transferred by Evadata to Evadata Network Subscribers
Matches from Verified Death File, for example:
- Date of Birth
- Social Security Number
- Date of Death
Sensitive data transferred?
Frequency of the transfer
Nature of the processing
Purpose of the data transfer
Duration of processing
Technical and Organizational Security Measures
1. Purpose. This Exhibit describes Evadata’s security program, security certifications, and physical, technical, organizational, and administrative controls and measures to protect Customer Data from unauthorized access, destruction, use, modification or disclosure (the “Security Measures”). The Security Measures are intended to be consistent with the commonly accepted standards of similarly situated software-as-a-service providers (“industry standard”). Unless otherwise specified in the applicable Product-Specific Terms, the Security Measures apply to all Evadata Products that are available under the Agreement.
2. Updates and Modifications. The Security Measures are subject to technical progress and development, and Evadata may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially degrade or diminish the overall security of the Products, as described in this document.
3. Definitions. Any capitalized terms used but not defined in this document have the meanings set out in the Agreement. The term “Customer Data” means any data, content or materials provided to Evadata by or at the direction of Customer or its End Users, including from Third-Party Products.
4. Security Measures. The security measures are described in the following table:
Measures of encryption of Personal Data
Evadata has and will maintain:
(i) an established method to encrypt Customer Data in transit and at rest;
(ii) an established method to securely store passwords following industry-standard practices; and
(iii) established encryption key management methods.
Any Customer Data is encrypted in transit over public networks using TLS 1.2 or greater to protect it from unauthorized disclosure or modification.
Customer Data is encrypted at rest using industry-standard AES-256 encryption.
Evadata will maintain a security management program that includes but is not limited to:
a) executive review, support, and accountability for all security related policies and practices;
b) a written information security policy that meets or exceeds industry standards and that includes defined information security roles and responsibilities;
c) periodic risk assessments of all Evadata-owned or leased systems processing Customer Data;
d) prompt review of security incidents affecting the security of Evadata systems processing Customer Data, including determination of root cause and corrective action;
e) a formal controls framework based on, among other things, formal audit standards such as the AICPA SOC 2 Type II report (or any successor standard);
f) processes to document non-compliance with the security measures; and
g) processes to identify and quantify security risks, and to develop and implement mitigation plans.
Evadata will periodically (and, in any event, no less frequently than annually) review, test, and, where applicable, update such a security management program.
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Security Incident Notification
Evadata will notify Customer without undue delay of any Information Security Incident of which Evadata becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Evadata recommends Customer take to address the Information Security Incident. Evadata’s notification of or response to an Information Security Incident will not be construed as Evadata’s acknowledgment of any fault or liability with respect to the Information Security Incident.
Employee Screening, Training, Access, and Controls
Evadata will maintain policies and practices that include the following controls and safeguards applied to Evadata staff who have access to Customer Data and/or provide Support and Services to Customer:
a) pre-hire background checks (including criminal record inquiries) on Evadata job candidates, which are conducted by a third-party background check provider and in accordance with applicable laws and generally accepted industry standards;
b) periodic security awareness training and anti-trust awareness training;
c) a disciplinary policy and process to be used when Evadata staff violate Evadata’s security policies;
d) access to Evadata IT systems with appropriate technical security controls including two-factor authentication;
e) controls designed to limit access to Customer Data to only those Evadata staff with an actual need-to-know such Customer Data. Such controls include the use of a formal access management process for the request, review, approval, and provisioning for all Evadata staff with access to Customer Data.
Measures for ensuring the ability to restore the availability and access to Evadata Services in a timely manner in the event of a physical or technical incident
Evadata’s Business Continuity and Disaster Recovery Plans (collectively, the “BCDR Plans”) will address at least the following topics:
a) the availability of human resources with appropriate skill sets;
b) the availability of all IT infrastructure, and any other technology used or relied upon by Evadata in the provision of the Products;
c) Evadata’s plans for storage and continuity of use of data and software;
d) clear Recovery Time Objectives (RTOs);
e) mechanisms for the geographic diversity or back-up of business operations;
f) the potential impact of cyber events and Evadata’s ability to maintain business continuity in light of such events, as well as a framework and procedure to respond to and remediate such events;
g) procedures and frequency of testing of the BCDR Plans; and
h) continuous and open communication with clients, partners, employees, and suppliers during a service disruption.
Evadata will periodically (and, in any event, no less frequently than annually) review, test and, where applicable, update the BCDR Plans.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Evadata will maintain a compliance program that includes independent third-party audits and certifications. Evadata will make available upon request to Customer copies of the most up-to-date version of the SOC 2 report.
Evadata will maintain the following vulnerability management processes:
Identifying Malicious Threats.
Evadata employs processes and tools consistent with industry standards to identify malicious actors and prevent them from accessing Customer Data or Evadata systems that process Customer Data. These include, but are not limited to, maintaining software that attempts to identify and detect attempted intrusions, behaviors consistent with Internet-based attacks, and indicators of potential compromise. Evadata will maintain a security incident and event management system and supporting processes to notify appropriate personnel in response to threats.
Vulnerability Scanning and Infrastructure Security Testing
The scanning and identification of Evadata’s system vulnerabilities is performed by an industry-accepted anti-virus solution. Additionally, periodic security scans of Evadata systems are done using a combination of external open-source and commercial vulnerability testing tools, including:
- Static Application Security Testing (SAST) tools
- Cloud vulnerability scanning tools
- Additional tools as they come to market and are needed by an ever-changing security landscape
Evadata assesses the risk of identified or reported vulnerabilities and mitigates vulnerabilities in a timely manner. Mitigations for vulnerabilities deemed highest severity are addressed within twenty-four (24) hours of validation.
Measures for the protection of data during storage
Evadata will, no less frequently than annually, request assurances (e.g., in the form of an independent third-party audit report and vendor security evaluations) from its data hosting providers that store or process Customer Data that:
a) such data hosting provider’s facilities are secured in an access-controlled location and protected from unauthorized access, damage, and interference;
b) such data hosting provider’s facilities employ physical security appropriate to the classification of the assets and information being managed; and
c) such data hosting provider’s facilities limit and screen all entrants employing measures such as on-site security guard(s), badge reader(s), electronic lock(s), or monitored closed-circuit television (CCTV).
Evadata will use established measures to ensure that Customer Data is kept logically segregated from other customers’ data when at rest.
Measures for ensuring limited data retention
Data Retention and Destruction Standard
Evadata maintains a Data Retention and Destruction Standard, which designates how long Evadata needs to maintain data of different types.
The Data Retention and Destruction Standard is guided by the following principles:
- Records should be maintained as long as they serve a business purpose.
- Records that serve a business purpose, or which Evadata has a legal, regulatory, contractual, or other duty to retain, will be retained.
- Records that no longer serve a business purpose, and for which Evadata has no duty to retain, should be securely destroyed and deleted. Copies or duplicates of such data should also be securely destroyed and deleted. To the extent Evadata has a duty to retain a specified number of copies of a Record, such number of copies should be retained.
- Evadata’s practices implementing this Standard may vary across departments, systems, and media, and will, of necessity, evolve over time. These practices will be reviewed under our company-wide policy review practices.
Measures for allowing data portability and ensuring erasure
Secure Deletion
Evadata will maintain a process reasonably designed to ensure secure destruction and deletion of all Customer Data as provided in the Agreement. Such Customer Data will be securely destroyed and deleted by Evadata so that:
(a) Customer Data cannot be practicably read or reconstructed; and
(b) the Evadata systems that store Customer Data are securely erased and/or decommissioned disks are destroyed.