Security, privacy and data package
1. Security Documentation
A. The Evolved Group is certified to ISO27001 for information security management, and is a trusted platform used by local and global brands that demand the highest levels of resilience, robustness and data security.
B. The Evolved Group is audited at least annually to verify that our information security posture remains compliant at both a technical and a procedural level.
C. The Evolved Group manages information security risks through its commitment to developing, implementing and continually improving its Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2013 information security standard. This process is owned by The Evolved Group’s Privacy Officer.
D. The Evolved Group employs an ISO27001-conformant risk and incident management procedure to ensure that incidents are avoided where possible and otherwise mitigated. Data is logically separated and encrypted both at rest and in transit, using AES-256 encryption, in a secure Microsoft Azure instance. Human Listening uses a federated identity system to manage platform access. Access management for the Human Listening platform is configurable by Account Administrators and can be upgraded to also require 2FA and SSO.
E. Human Listening and associated products are hosted in Microsoft Azure – Full details available at https://azure.microsoft.com/en-au/overview/trusted-cloud/compliance/
F. All employees and contractors engaged by The Evolved Group complete information security training annually. During induction, every employee is introduced to their ISO27001 obligations and to our full suite of ISO27001 policies and procedures in a one-on-one session. Third parties engaged by The Evolved Group are reviewed to ensure their compliance with security standards, and are re-reviewed by The Evolved Group at least annually.
G. Our platform is penetration tested at least annually by an external party utilising the Attack Forge platform. In addition, The Evolved Group’s compliance with ISO27001 is audited annually by Best Practice Certification. These external reviews are in addition to regular internal security reviews, which are scheduled according to our internal security calendar.
2. Customer Data
H. Customer Data includes any data input into and hosted by the Evolved SaaS, whether that data was input by or on behalf of the Customer or its survey participants. Customer Data belongs solely to Customer.
I. Customer Data may include Survey Data, contact information (including email address, phone number, name and address details) as well as operational data derived from customer systems.
J. Evolved will:
i. treat Customer Data as confidential;
ii. collect or receive, use, copy, modify, process, transmit, disclose, store and host Customer Data for the purposes of providing the SaaS and performing the Agreement;
iii. otherwise only use Customer Data in accordance with express rights in the Agreement or authorisations from Customer;
iv. not disclose or provide third party access to any Customer Data except in accordance with the Agreement or with the express authorisation of Customer;
v. co-operate with any reasonable requests or inquiries made by Customer in relation to the management of personal information comprised in Customer Data in connection with this Agreement, including as to the arrangements for collection and storage of Customer Data;
vi. provide reasonable information and assistance to Customer, on request, to assist the Customer in responding to or resolving any complaint, investigation or request by an individual or regulator under applicable privacy legislation, where such complaint, investigation or request concerns Customer Data within the possession or control of Evolved;
vii. promptly notify and cooperate with the Customer in the event that Evolved receives any complaint, investigation or request by an individual or regulator under applicable privacy legislation, concerning Customer Data;
viii. if Evolved has agreed to store Customer Data in any specified hosting country or countries in the Agreement, then other than as expressly provided in the Agreement or expressly authorised by Customer, Evolved will not transmit, export or transfer Customer Data to a country or to a third party outside such hosting country or countries;
ix. implement reasonable technological and organisational measures in accordance with good industry practice to protect against unauthorised access to or disclosure of Customer Data, and ensure that any third party hosting provider it utilises to deliver the SaaS agrees to do so; and
x. provide the SaaS according to the Evolved Security Documentation.
K. The Customer is responsible for:
i. the accuracy, quality and legality of the Customer Data (including any personal information) entered into the SaaS, including the means by which the Customer acquired it or authorised its acquisition;
ii. determining whether the Evolved SaaS product is suitable for its Customer Data and sufficient to enable Customer’s compliance with applicable privacy, data protection and other laws, including the information set out in section 3 (Hosting Countries); and
iii. ensuring it has obtained all consents required by law to be obtained from affected individuals to permit (i) Customer to provide Evolved with Customer Data or permit Evolved to collect Customer Data on Customer’s behalf (as applicable); and (ii) Evolved to receive, use, copy, modify, process, transmit, transfer, disclose, store and host Customer Data in accordance with the Agreement.
3. Data Breaches
L. Customer acknowledges that it is impossible to guarantee against security or data breaches, third party unauthorised access, intrusion or attack, the introduction of viruses or harmful code, or similar events (Security Breaches). Accordingly, Evolved is not liable for Security Breaches or for any loss or corruption of data except where Evolved has failed to comply with its express security obligations in this section. Evolved is not responsible for any illegal intrusion, denial of service attack, attacker or hacker, or any other intrusion that was not or could not reasonably have been prevented or avoided using industry standard measures to protect against unauthorised access.
M. A “Data Breach” is unauthorised third party access to Customer Data – being data input into the SaaS by or on behalf of the Customer or its survey respondents – which is in the possession or control of Evolved (or its third party hosting provider). If Evolved becomes aware of a Data Breach, it will:
i. promptly take steps to minimise or stop the Data Breach, and prevent its recurrence, to the extent reasonably practicable;
ii. promptly notify Customer about the Data Breach and provide all reasonable information available, including (if known) the details of the affected data, the timing of the Data Breach and the details of Evolved’s remediation efforts;
iii. make any applicable notifications to a regulator in accordance with applicable laws; and
iv. take appropriate steps to determine and remediate the root cause(s) of the Data Breach, and provide a summary to Customer detailing the results of the investigation and remediation efforts.