Evosus®, Inc. Data Processing Addendum
This Data Processing Addendum (“DPA”) is governed by and part of the Terms of Service - LOU or Terms of Service – Legacy Product, Terms of Service – LOU Ecommerce or any other written agreement (in each case, such agreement is referred to herein as the “Agreement”) between (“Evosus,” “we,” or “us,”) and you as the Client (“Client” or “you”). Terms not defined herein shall have the meaning as given in the Agreement. This DPA takes effect on the date Client agrees to the Agreement, and governs the collection, processing, or receipt of Personal Data by Evosus on behalf of the Client while providing the Evosus Services (defined in Section 1 herein). As used in this DPA, references to the term “Agreement” include the Agreement, this DPA, all attachments and exhibits to the Agreement, and any and all Order Forms/Pages, addenda, service level agreements, and attachments to the Agreement.
BY EXECUTING THE AGREEMENT, YOU AGREE TO THIS DPA. This DPA shall not replace any comparable or additional rights relating to the Processing of Personal Data contained in the Agreement (including any existing data processing addendum to the Agreement). If and to the extent language in this DPA conflicts with the Agreement, this DPA shall control as to the subject matter herein. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless otherwise required by applicable Data Protection Laws.
If you have questions or would like to receive a signed copy of this DPA, please contact support.evosus.com or email marketing@evosus.com.
-
Definitions
a. “Applicable Laws” means all laws, rules, regulations, and orders applicable to the subject matter herein, including without limitation Data Protection Laws.
b. "Business", "Sell", “Share”, and "Service Provider" shall have the meanings given to them in U.S. Privacy Laws.
c. "CCPA" means California Civil Code Sec. 1798.100 et seq., also known as the California Consumer Privacy Act of 2018, as amended from time to time including, without limitation, the amendments thereto by the California Privacy Rights Act of 2020, California Civil Code Sec. 1798.150 et seq.
d. “Consumer” means the natural person to whom the Personal Data relates.
e. “Controller” means the entity that determines the means and purposes of the Processing of Personal Data.
f. “Client Data” means all Personal Data, including without limitation California Personal Information, Processed by Evosus on behalf of Client pursuant to the Agreement.
g. “Data Protection Laws” means all applicable legislation relating to data protection and privacy that apply to Evosus in its role of Processing Personal Data on behalf of Client under the Agreement, including without limitation United States federal law and consumer privacy laws applicable to U.S. states including without limitation the consumer privacy laws of California, Connecticut, Colorado, Iowa, Nevada, Virginia, and other U.S. states with laws providing similar privacy protections; in each case as amended, superseded, or replaced from time to time.
h. “Evosus Services” means the Legacy Services or the Evosus Services, in each case as defined in the Agreement.
i. “Instructions” means the written, documented instructions issued by Client to Evosus, and directing Evosus to perform a specific or general action with regard to Personal Data for the purpose of providing the Evosus Services to Client. The Parties agree that the Agreement (including this DPA), together with Client's use of the Evosus Services in accordance with the Agreement, constitute Client’s complete and final Instructions to Evosus in relation to the Processing of Client Data, and additional Instructions outside the scope of the Instructions shall require prior written agreement between Evosus and Client.
j. “Personal Data” means any information relating to an identified or identifiable individual where such information is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
k. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data. Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Client Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
l. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
m. “Processor” means the Party which Processes Personal Data on behalf of the Controller, including as applicable any “Service Provider” as that term is defined by the CCPA.
n. “Sub-Processor” means any entity that provides Processing services to Evosus in furtherance of Evosus’s Processing of Client Data pursuant to the Agreement.
-
Nature, Purpose, and Subject Matter
The nature, purpose, and subject matter of Evosus’s Processing activities performed as part of the Evosus Services are set out in the Agreement. The Client Data that may be processed may relate to (a) Client’s customers or (b) Client’s employees, contractors, and agents. Categories of Personal Data Processed may include identifiers, employment information, legally protected information, commercial history, internal and similar information, as well as any other Personal Data that Client may choose to process on the Evosus Services pursuant to the Agreement.
-
Duration
The term of this DPA shall follow the term of the Agreement. Evosus will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
-
Processing of Client Data
Client hereby appoints Evosus to process Client Data on Client’s behalf as necessary for Evosus to provide the Evosus Services under the Agreement. Evosus shall Process Client Data only for the purposes described in the Agreement (including this DPA) or as otherwise agreed within the scope of Client’s lawful Instructions, except where and to the extent otherwise required by Applicable Law. If Evosus is collecting Personal Data from Client’s Clients or other end users on behalf of Client, Evosus shall follow Client’s Instructions regarding such Personal Data collection. Evosus shall inform Client without delay if, in Evosus’s opinion, an Instruction violates applicable Data Protection Laws and, where necessary, cease all Processing until Client issues new Instructions with which Evosus can comply. If this provision is invoked, Evosus will not be liable to Client under the Agreement for any failure to perform the Evosus Services until such time as Client issues new lawful Instructions.
-
Instructions
Evosus shall Process, retain, use, store, and disclose Personal Data only according to written, documented instructions issued by Client to Evosus to perform a specific or general action with regard to Personal Data for the purpose of providing the Services to Client pursuant to the Agreement (Client’s “Instructions”). The parties agree that the Agreement, together with Client’s selections on and use of the Services in accordance with the Agreement, and other written Instructions from Client to Evosus shall constitute Client’s complete and final Instructions to Evosus in relation to the Processing of Client Data. Client may modify, amend, add, or replace individual Instructions in writing (“Additional Instructions”) to Evosus at support.evosus.com. Any Additional Instructions must be consistent with this DPA and the Agreement. If Evosus determines that Additional Instructions are outside the scope of the Agreement, Evosus may charge additional fees and/or require a written agreement between Evosus and Client to perform such Additional Instructions. Evosus shall inform Client without delay if, in Evosus’s opinion, an Instruction violates applicable Data Protection Laws and Regulations or Evosus is unable to follow an Instruction and, where necessary, cease all Processing until Client issues new Instructions with which Evosus is able to comply. Notwithstanding any provision to the contrary, Client is solely responsible for the legality, outcome, and results of any and all Instructions and Evosus shall have no liability whatsoever related to its performance of the Agreement according to any Client Instructions.
-
Confidentiality
Evosus shall ensure that any Evosus personnel who Processes Client Data is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Client Data. Additionally, Evosus shall take reasonable steps to ensure that persons employed by Evosus, and other persons engaged to perform on Evosus’s behalf comply with the terms of the Agreement.
-
Client Responsibilities
Within the scope of the Agreement (including this DPA) and in Client’s use of the Evosus Services, Client shall comply with all Applicable Laws, including without limitation, all requirements that apply to Client under Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Evosus. In particular, and without limiting the generality of the foregoing, Client shall take sole responsibility for: (a) the accuracy, quality, and legality of Client Data and the means by which Client acquired such data; (b) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of Personal Data, including obtaining any necessary consents and authorizations; (c) ensuring Client has the right to transfer or provide access to, the Client Data to Evosus for Processing in accordance with the terms of the Agreement (including this DPA); (d) ensuring that Client’s Instructions to Evosus regarding the Processing of Client Data comply with Applicable Laws; (e) ensuring that the Personal Data Processed by Evosus is not subject to protections of Data Protection Laws of any jurisdiction(s) other than United States, Australia, New Zealand, the Cayman Islands, or Canada; and (f) complying with all Applicable Laws (including Data Protection Laws) applicable to Client’s use of the Evosus Services, including without limitation those relating to providing notice and obtaining consents. Client shall inform Evosus without undue delay if it is not able to comply with this section or applicable Data Protection Laws. For the avoidance of doubt, Evosus is not responsible for compliance with any Data Protection Laws applicable to Client or Client's industry that are not generally applicable to Evosus.
-
Role and Restrictions
The Parties agree that Evosus will Process California Personal Information as a Processor or Service Provider strictly for the business purpose of performing the Evosus Services under the Agreement and as set forth in the Privacy Policy. The Parties agree that Evosus shall not: (i) Sell or Share Personal Data; (ii) retain, use, or disclose Personal Data for a commercial purpose other than for such business purpose or as otherwise permitted by Data Protection Laws; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Client and Evosus. Evosus hereby certifies that it understands and will comply with the restrictions of the foregoing sentence. The Parties agree that Client does not Sell or Share Personal Data to Evosus because, as a Service Provider or Processor, Evosus may only use Personal Data for the purposes of providing the Evosus Services to Client.
-
Sub-Processors
Client agrees that Evosus may engage Sub-Processors to Process Client Data. Where Evosus engages Sub-Processors, Evosus shall impose data protection terms on the Sub-Processors that provide at least the same level of protection for Client Data as those in this DPA, to the extent applicable to the nature of the Evosus Services provided by such Sub-Processors. Evosus will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Evosus to breach any of its obligations under this DPA. Client may request a list of current Sub-Processors via email at support@evosus.com.
-
Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Evosus shall, in relation to the Client Data, maintain appropriate technical and organizational security measures designed to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Client Data. In assessing the appropriate level of security, Evosus shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach. Upon request, Evosus shall provide Client with a summary of Evosus’s security policies applicable to the Evosus Services.
-
Data Transfers
Client acknowledges and agrees that Client Data will be transferred to and Processed by Evosus in the United States and to other jurisdictions where Evosus’s Sub-Processors have operations.
-
Personal Data Breaches
Evosus will notify Client without undue delay after Evosus becomes aware of a known or suspected likely Personal Data Breach involving Client Data and will provide timely information relating to such Personal Data Breach as it becomes known or as reasonably requested by Client. At Client’s request, Evosus will promptly provide Client with commercially reasonable assistance as necessary to enable Client to notify authorities and/or affected Consumers, if Client is required to do so under Data Protection Laws.
-
Privacy Requests
As part of the Evosus Services, Evosus provides Client and its end users with certain controls that Client or end users may use to access, correct, delete, or restrict Personal Data, which Client or its end users may use to assist in connection with Client’s obligations under Data Protection Laws, including its obligations relating to responding to requests from Consumers to exercise their rights under applicable Data Protection Laws ("Privacy Requests"). To the extent that Client is unable to independently address a Privacy Request through the Evosus Services, upon Client’s written request, Evosus shall provide reasonable assistance to Client to respond to any Privacy Requests or requests from data protection authorities relating to the Processing of Client Data under the Agreement. Client shall reimburse Evosus for the actual costs incurred by Evosus as the result of providing such assistance. Evosus will promptly inform Client if a Privacy Request or other communication regarding the Processing of Client Data under the Agreement is made directly to Evosus. Client shall be solely responsible for facilitating any such Privacy Requests or communications involving Personal Data.
-
Data Protection Impact Assessment and Prior Consultation
To the extent Evosus is required under Data Protection Law, Evosus shall (at Client's expense) provide reasonably requested information regarding Evosus’s Processing of Client Data under the Agreement to enable Client to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
-
Deletion or Return of Personal Data
At the expiry or termination of the Agreement, Evosus will, at Client's option and request, delete or return to Client all Client Data Processed pursuant to this DPA in accordance with Client’s reasonable Instructions. The requirements of this section shall not apply to the extent that Evosus is required by Applicable Law to retain some or all of the Client Data, or to Client Data Evosus has archived on back-up systems, which data Evosus shall securely isolate and protect from any further Processing and delete in accordance with Evosus’s deletion practices.
-
Demonstration of Compliance
Upon Client's written request and with at least 45 days’ notice (or a shorter period if permitted by Applicable Law), Evosus shall make available to Client (on a confidential basis) all information reasonably necessary and allow for and contribute to audits (collectively, “Audits”) to demonstrate Evosus’s compliance with this DPA, provided that Client shall not exercise this right more than once per year. Such Audits shall be solely in the form of information relating to the Processing under this DPA as provided by documents and interviews with Evosus information technology employees and subcontractors or applicable third parties. No access to any part of Evosus’s information system, data hosting sites or centers, or infrastructure will be permitted. Client or its designated and professionally qualified agent may carry out such Audit. Client must conduct all Audits (a) during normal business hours; (b) according to security and confidentiality terms and guidelines; and (c) taking reasonable measures necessary to prevent unnecessary disruption to Evosus’s operations. Client shall be responsible for all costs and expenses arising from Audits, including the actual costs and expenses of Evosus in complying with an Audit request. Client shall take all reasonable measures to limit any impact on Evosus by combining several information or Audit requests in one single request.
-
General Terms
Client represents that it is authorized to, and hereby agrees to, enter into and be bound by this DPA for and on behalf of itself and each of its affiliates and subsidiaries, thereby establishing a separate DPA between Evosus and Client and each of Client’s affiliates and subsidiaries subject to the Agreement, as applicable. To the fullest extent permitted by applicable law, the limitations of liability set forth in the Agreement shall apply to Evosus’s liability arising out of or relating to this DPA, taken in the aggregate along with the Agreement and any other agreement between the Parties. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected. Evosus periodically updates this Agreement. If you are a current Client, you will be informed of any update or amendment by email, alert on the Evosus Services or by other means. In case of any conflict or inconsistency with the terms of the Agreement, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
Evosus, Inc.
Dan McManus
President and CEO