These Data Processing Clauses represent each Evoke Group Vendor’s obligations when and to the extent that a Vendor Processes Personal Data as a Data Processor of an Evoke Controller Entity as part of services provided under any Vendor Service Agreement.
These Data Processing Clauses apply to all Vendors acting as Data Processors on behalf of an Evoke Controller Entity.
These Clauses do not apply where a Vendor processes Personal Data as an independent controller entity that, alone or in collaboration with others, determines the purposes and means of Personal Data Processing. Both the Evoke Controller Entity and the Vendor must comply with their respective obligations under relevant Data Protection Laws and Regulations in such cases. Nothing shall be construed as preventing the Parties from taking reasonable steps to comply with the Data Protection Laws and Regulations.
These Data Processing Clauses shall be an inherent element of every Vendor Service Agreement, requiring all parties to the relevant Vendor Service Agreement to comply with them.
In the absence of a Vendor Service Agreement (e.g., where a Vendor only commits to Evoke Group’s supplier code of conduct), these Data Processing Clauses apply.
Data Subject (also referred to as “individual” or “individuals”) means any individual from whom Evoke collects, uses and/or processes Personal Data for their business purpose. Explanation: the list includes employees, clients, client customers, agents and contractors. Under California laws, the term is more fully referred to as “consumer.”
Data Protection Laws and Regulations shall mean all laws and regulations, including but not limited to laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, India, Brazil, South Africa applicable to the Processing of Personal Data under the Data Processing Clauses as amended from time to time.
Data Processor means a Vendor Processing Personal Data on behalf of any Evoke Controller Entity.
EU Model Contractual Clauses means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
EEA means the European Economic Area.
Evoke Controller Entity or Evoke means either Evoke Technologies or its subsidiaries or branch operations depending on (i) which Evoke entity is a party to the commercial agreement with the Vendor and which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and is considered a data controller under applicable Data Protection Laws. Evoke Group means collectively all affiliated Evoke group companies.
Personal Data also includes “Personal Information” and “Covered Business Information” under California laws (includes California Consumer Protection Act, Consumer Privacy Rights Act, and other regulations, including amendment, repeal), which means and includes any information Processed by Supplier on behalf of Evoke and/or its affiliates, that alone, or in combination with other information, relates to an identified or identifiable individual, or otherwise identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual. This includes Sensitive Personal Data.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, structuring, restriction, or otherwise making available, alignment or combination, blocking or erasure, or destruction.
Sensitive Personal Data is a subset of Personal Data which due to its nature is classified by applicable Data Protection Laws or by Evoke policy as deserving additional privacy and security protections and includes, but is not limited to information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Technical and Organizational Security Measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Vendor means any person or company that sells goods or services to the Evoke Group including suppliers and their subcontractors.
Vendor Service Agreement means any commercial agreement including purchase orders and relevant purchase order renewal forms between a Vendor and the Evoke Controller Entity under which the Vendor provides services to the Evoke Controller Entity.
Notwithstanding anything to the contrary mentioned in these Data Processing Clauses, Vendor shall comply with all requirements applicable under Data Protection Laws and Regulations. The terms and conditions agreed further in this document are in addition to, and do not relieve, remove, or replace, a party’s obligations under applicable Data Protection Laws and Regulations.
3. Permitted Processing
- Vendor shall process Personal Data only on the written instructions of the Evoke Controller Entity and in accordance with applicable Data Protection Laws and Regulations, including with regard to transfers of Personal Data to a third country or an international organization, unless otherwise either required or permitted by applicable Data Protection Laws and Regulations. Where the Vendor is relying on such compliance with local laws of the land, before performing such processing it shall notify the Evoke Controller Entity unless those local laws of the land prohibit the Vendor from so notifying the Evoke Controller Entity.
- Vendor shall immediately inform the Evoke Controller Entity if in its opinion an instruction given by Evoke violates any applicable Data Protection Laws and Regulations.
- Vendor shall only process Personal Data in accordance with the instructions of Evoke Controller Entity and only for the specific purpose(s) of the Processing, as set out by the relevant Evoke Controller Entity, unless it receives further instructions from the Evoke Controller Entity.
- Vendor shall only disclose the Personal Data to a third party on documented instructions from an Evoke Controller Entity. In addition, the Personal Data may be disclosed to a third party or entity located in another country only if the entity in the destination agrees to be bound by the clauses in these Data Processing Clauses, including any adequacy decisions and/or ensuring appropriate safeguards, in particular for processing for the purpose agreed under one of the below.
- For the purposes where personal data is shared with Vendor acting as an independent data controller, and located outside EU, the following EU Model Contractual Clauses shall additionally apply.
- For the purposes where personal data belonging to the EU, UK and Switzerland is shared with Vendor acting as a Data Processor, located outside in a third country, the following EU Model Contractual Clauses shall additionally apply.
- For the purposes where personal data belongs only to EU residents, and is shared with Vendor acting as a Data Processor, located outside in a third country, the following EU Model Contractual Clauses shall additionally apply.
- Vendor understands and agrees that it will not sell, retain, use, rent, lease, disseminate, disclose, make available, or transfer Personal Data, unless limited to the purposes set forth under written instructions.
- Vendor shall not sell any Personal Data to another business or third party without prior written consent of the Evoke Controller Entity. Vendor’s receipt of Personal Data shall not constitute a sale under any Data Protection Laws or Regulations.
- Vendor shall ensure that any of its affiliates that also is a Data Processor for an Evoke Controller Entity commits to and adheres to these Data Processing Clauses if and to the extent required under applicable Data Protection Laws and Regulations.
- Sub-processing shall be authorized in advance by the Evoke Controller Entity through either a general or a specific written authorization, including any sub-contractors working on behalf of the Vendor.
- Vendor shall remain fully liable to the Evoke Controller Entity for any failure by its employees, consultants and staff, including its suppliers and third parties, in relation to processing of any Personal Data, in accordance with this clause.
- Vendor must ensure that the contract between Vendor and its suppliers ensures the same obligations as set out in these Data Processing Clauses, mandating a legal mechanism to ensure an adequate level of protection of the Personal Data transferred, including, where applicable, execution of EU Model Contractual Clauses prior to any such processing.
- In case the Evoke Controller Entity grants a general authorization to sub-processing Personal Data, the Vendor shall inform the Evoke Controller Entity of any intended change concerning the addition or replacement of sub-Vendors, giving the Evoke Controller Entity the opportunity to object to such change.
Where Personal Data is processed by the Vendor, its agents, sub-contractors or employees, the Vendor shall, and shall procure its agents, sub-contractors, and employees to:
- Take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Personal Data, as strictly necessary to perform the services in the context of that individual’s duties to the Vendor, ensuring that all such individuals:
- Are informed of the confidential nature of the Personal Data.
- Have undertaken appropriate training in relation to the protection of Personal Data.
- Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Are aware of the Vendor’s obligations in relation to data protection under these Data Processing Clauses.
- Vendor, including its employees, agents, sub-contractors shall implement appropriate Technical and Organizational Security Measures, to ensure a level of security commensurate with the risks associated with the processing, such measures to be appropriate in particular to protect against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to the Personal Data as required under applicable Data Protection Laws and Regulations.
- Vendor shall conduct necessary due diligence and provide Evoke Technologies with annual reports of its compliance with the implementation of adequate safeguards, including completing any assessments and supporting audits that Evoke Technologies will conduct as applicable.
7. Data Subjects Rights
- Unless expressly authorized by the Vendor, Vendor shall promptly notify the Evoke Technologies Controller Entity, without any unreasonable delay, upon any request received directly from a Data Subject and assist the Evoke Technologies Controller Entity with requests to exercise Data Subject Rights, including but not limited to the right to access and the right to erasure.
- Vendor shall provide all necessary support the Evoke Technologies Controller Entity requires in case an Evoke Technologies Controller Entity is obliged by virtue of the Data Protection Laws and Regulations to comply, including the scope and extent of such measures, and appropriate safeguards in place related to processing by Vendor as part of the Services.
8. Personal Data Breach
Vendor shall notify the Evoke Technologies Controller Entity without undue delay and in any case not later than 48 hours upon becoming aware of a Personal Data Breach affecting Personal Data belonging to Evoke Technologies Controller Entity and provide the Evoke Technologies Controller Entity with sufficient information to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Vendor shall co-operate with the Evoke Technologies Controller Entity or its affiliates, subsidiaries and take such reasonable steps as are directed by the Evoke Technologies Controller Entity to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
Any Personal Data Breaches shall be reported to DPO@dev2.evoketechnologies.com, describing the Personal Data Breach in terms of who and how many Data Subjects are affected, where, and when and how it occurred, and which measures have already been taken to stop the breach and mitigate its effects.
9. Assistance under Data Protection Laws and Regulations
Considering the nature of processing and information available to Vendor, Vendor shall assist the Evoke Technologies Controller Entity when a data protection impact assessment shall be carried out, wherever applicable.
Where applicable, Vendor is required to cooperate, upon Evoke Technologies Controller Entity’s request, with appropriate data protection authorities (Art. 36, GDPR or other applicable Data Protection Laws and Regulations) in the performance of Evoke Technologies Controller Entity’s tasks at its own costs.
10. Availability of Information
Upon written request of the Evoke Technologies Controller Entity, the Vendor will undertake its commercially reasonable efforts to make available to Evoke Technologies Controller Entity all information necessary to demonstrate compliance with its obligations regarding data protection as explicitly set out in this Agreement or by applicable Data Protection Laws and Regulations and allow for and contribute to audits, including inspections, conducted by the Evoke Technologies Controller Entity or another auditor mandated by the Evoke Technologies Controller Entity.
Vendor agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority, where the Personal Data originated from Evoke Technologies Controller Entity, in any procedures or enquiries, and agrees to support compliance adopted, including remedial and compensatory measures.
Vendor shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject relating to any processing carried out on behalf of Evoke Technologies Controller Entity, and will notify within reasonable time.
Vendor agrees to notify Evoke Technologies Controller Entity without unreasonable delay when it receives a legally binding request from a government or public authority, including judicial authorities, under the laws of the land in the destination country for the disclosure of personal data transferred, including the reasonable basis of such legal request and response, unless Vendor is prohibited from notifying under the local laws, in which case Vendor agrees to use its best efforts to obtain a waiver of prohibition, including minimization of information to be disclosed to the extent possible, and document the same for availability to Evoke Technologies Controller Entity when requested.
11. Deletion of Existing Personal Data
- Where Personal Data is processed by the Vendor, its agents, sub-contractors or employees, the Vendor shall, and shall procure its agents, subcontractors, and employees to, immediately delete the processed Personal Data either once the purpose of processing is complete or upon termination of the main agreement, whichever is earlier, unless permitted by law.
- Personal data that has been transferred prior to any termination of the Data Processing Clauses shall at the choice of Evoke Technologies Controller Entity immediately be returned to Evoke Technologies Controller Entity or deleted in its entirety. The same shall apply to any copies of the data. Vendor shall certify the deletion of the data to Evoke Technologies Controller Entity. Until the data is deleted or returned, Vendor shall continue to ensure compliance with these Clauses. In case of local laws applicable to Vendor that prohibit the return or deletion of the transferred personal data, Vendor warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. Such deletion shall include measures ensuring that any IT systems used in the context of performance of the main agreement or these Data Processing Clauses, including any backup systems, allow for the erasure or deletion of specific Personal Data, and Vendor shall put in place measures to fully implement any erasure or deletion request within the timeframe required by Evoke Technologies Controller Entity.
12. How to contact Evoke Technologies Data Privacy Office?
If you need to reach out to Evoke Technologies, you may write to the mailing address:
The V-Ascendas, Capella Block,
4th & 8th Floor, Plot No. 17,
Software Units Layout,
Madhapur, Hyderabad – 500081
Mail ID: DPO@dev2.evoketechnologies.com
Mobile No: +91 7032814899
13. Descriptions of Data Subjects and Categories of Personal Data
13.1 Data subjects
The Evoke Technologies entity may elect to include in the personal data personal data from any of the following types of data subjects, including but not limited to:
- Employees, (former and current and future).
- Dependents of employees.
- Contractors and freelancers (current, former, prospective) of Evoke Technologies.
- Users, including online guest users, visitors, clients, including current and prospective.
- Client employees, customers, their agents, suppliers.
- Partners, stakeholders, or individuals who actively collaborate, communicate with Evoke Technologies.
14. Categories of data
The personal data is that which is included in e-mail, documents, and other data in an electronic form in the context of the services agreed under written instructions with Vendor by Evoke Technologies. Vendor acknowledges that, depending on Evoke Technologies’s use of the Services, Evoke Technologies may elect to include personal data from any of the following categories in the personal data:
- Basic personal data of data subject, including basic personal data about family members and children
- Contact information (for example addresses, email, phone numbers, social media identifiers, emergency contact details)
- Recruitment Data, including profiles shared with education and previous work experiences and compensation offered
- Certification and skill development training
- Background checks to include employment history, education history, personal data details
- HR data including status of employment, date of joining, Unit details, salary details, including worked hours, leave, assessments and salary, work permit details, terms of employment, payment details, insurance, tax contributions, locations, including any corporate travel.
- Photos, videos, and audio
- Authentication data, Active Directory details
- National Identification, Passport, and visa related information (e.g., date of application, dates of validity, emigration check requirement, address, place of issue, Social Security Number or equivalent etc.)
- ID card number, IP addresses, employee number, unique identifier in tracking cookies or similar technology
- Financial and insurance information, including Bank Account numbers, Social Security Benefit accounts
- Grievance handling and disciplinary processes
- Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities)
- Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit)
- Stock Options
- Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority
- Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offences); or
- Any other personal data identified as per applicable Data Protection Laws and Regulations.
15. Nature & Purpose of Processing
Personal Data that is included in e-mail, documents, and other data in an electronic form in the context of the services, which shall include but not be limited to the following:
- Recruitment and Onboarding to Evoke Technologies
- Client onboarding
- Internal compliances, secretarial, and audits
- Background checks and screening
- Processing Payroll
- Immigration, Visa and Travel support
- Mergers & Acquisition
- Managing rewards and benefits, including stock options management
- IT Infrastructure and support
- Performance Evaluations
- Social Security and Welfare benefits
- Legal consultation matters (including consultation for tax, and actuarial support), including litigation support
- Trainings and skill development
- Storage of data on On-Prem servers and cloud servers
- To provide services to the Clients as part of the written instructions agreed between the Client, Evoke Technologies and the Vendor offering services, including reselling arrangements.
- Obligations under applicable local laws and regulations.
16. Technical and Organizational Security Measures
Where Personal Data are processed or used automatically, Vendor is obligated, where applicable and depending on the nature, subject and scope of the Personal Data, to arrange its policies and practices in such a way that they meet the specific requirements of compliance with Data Protection Laws and Regulations. In particular, measures suited to the type of Personal Data or data categories to be protected shall be taken, to include but not be limited to the controls below:
- To prevent unauthorized persons from gaining access to data processing systems with which Personal Data are processed or used (admission control),
- To prevent data processing systems from being used without authorization (entry control),
- To ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage (access control),
- To prevent the unauthorized use of automated processing systems by means of data transmission (user control),
- To prevent unauthorized reading, copying, modification or removal of data media (data media control),
- To ensure that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control),
- To ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems, modified or removed (input control),
- To prevent unauthorized persons from entering Personal Data, as well as unauthorized inspection, modification or deletion of stored Personal Data (storage control),
- To ensure that, in the case of commissioned processing of Personal Data, the data are processed strictly in accordance with the instructions of the principal (order control),
- To ensure that personal data are protected against accidental destruction or loss and therefore are always available for the Controller (availability control),
- To ensure that data collected for different purposes can be processed separately (separation control),
- To ensure that the Controller is able to review the documentation of all essential processing steps of the data processing systems, and trace whether Personal Data provided by the Controller have only been processed in compliance with the instructions of the Controller (documentation control),
- To ensure that data processing systems used can be recovered in case of trouble (recovery control),
- To ensure that all functions of the data processing system are available and occurring malfunctions are notified (reliability),
- To ensure that stored Personal Data cannot get damaged by malfunctions of the system (data integrity),
- To ensure appropriate Pseudonymization and Encryption,
- To ensure a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.