Contracts
- Express Product Schedule
- Express Purchase Exhibit
- Express Professional Services Schedule
- Express Gen2 Exhibit
- eXpedite Product Schedule
- eXpedite Professional Services Schedule
- Visual Gun Detection Product Schedule
- Visual Gun Detection Professional Services Schedule
- Data Processing Addendum
- Data Processing Addendum - Saudi
- Service Terms
Express Product Schedule
Effective June 4th 2025
DownloadTable of Contents
Express Products
Effective June 3rd 2025 to June 4th 2025
DownloadTable of Contents
Express Products
Effective June 24th 2024 to June 3rd 2025
DownloadTable of Contents
Express Products
Effective March 11th 2024 to June 24th 2024
DownloadTable of Contents
Express Products
Effective February 5th 2024 to March 11th 2024
DownloadTable of Contents
PRODUCT SCHEDULE
FOR
EVOLV EXPRESS®
This Product Schedule for Evolv Express® (the “Express Product Schedule”) is a part of and incorporated into the Customer General Terms (“General Terms”) and/or the Terms of Use (the “ToU”), to the extent applicable, and apply to your (“Customer”) subscription to and use of Express Products (as defined below). Capitalized terms not defined in this Express Product Schedule are as defined in the General Terms and/or the ToU.
1. Product Description. The “Evolv Express Products” (“Express Products”) available to Customer are described on Exhibit A hereto. Subject to Customer’s compliance with the General Terms and/or the ToU, this Express Product Schedule, and all associated Documentation, during the Express Term (as defined below), the Express Products shall be provided to Customer pursuant to one or more Order Documents entered into by Customer and (i) Evolv, or (ii) an authorized reseller of Evolv Products (“Reseller”).
2. Fees; Shipping.
2.1 Fees. Fees for the Express Products purchased by Customer directly from Evolv will begin accruing on the date that the Express Products are delivered to Customer’s designated location(s) as verified by the shipper (the “Delivery Date”).
3. Term and Effect of Termination.
3.1 Term. For Customers that purchase the Express Products directly from Evolv, and unless noted otherwise on the Order Document, the initial term for the Express Products will commence on the Delivery Date and end upon the four (4) year anniversary of the Delivery Date (the “Express Initial Term”), unless earlier terminated in accordance with the General Terms (to the extent applicable). For Customers that purchase the Express Products from a Reseller, and unless noted otherwise on the Order Document, the initial term for the Express Products will commence on the date that the Express Products are shipped to Customer’s designated location(s) as verified by the shipper (the “Shipping Date”) and end upon the four (4) year anniversary of the Shipping Date (also the “Express Initial Term”). Upon expiration of the Express Initial Term, this Express Product Schedule will automatically renew for additional one (1) year periods (each an “Express Renewal Term,” and together with the Express Initial Term, the “Express Term”), unless either Party provides written notice of non-renewal to the other Party at least thirty (30) days prior to the end of the Express Initial Term or then-current Express Renewal Term, as the case may be. Notwithstanding the foregoing, this Express Product Schedule will remain in effect and applicable to any Express Products under an Order Document that has not yet expired or terminated as of the time of the expiration or termination of the Express Term in accordance with this Section.
3.2 Effect of Termination. Upon the termination of an Order Document, expiration of the Express Term or termination of the General Terms (to the extent applicable): (a) the rights granted to Customer for use of Express Software under the applicable Order Document(s) will end, and Customer will immediately lose access to and lose use of such Express Software, and (b) as applicable, Customer will return the Express Equipment, at its cost and expense, to Evolv in as good condition as when it was delivered to Customer, ordinary wear and tear excepted. Customer will securely pack and ship the Express Equipment to Evolv at its facility and provide Evolv with proof of shipment within thirty (30) business days after the expiration or termination of the Term. If the Customer has not provided Evolv with proof that the Express Equipment has been shipped, or if Evolv has not actually received the Express Equipment within such thirty (30) day period, Evolv will invoice Customer for the value of the retained Express Equipment based on the remaining useful life of the Express Equipment as determined in Evolv’s sole discretion. After receipt of the returned Express Equipment, Evolv will evaluate its condition and invoice Customer for all repairs Evolv deems necessary and attributable to Customer to return the Express Equipment to its original condition excluding normal wear and tear. This Section does not limit the provisions of Section 4(c) of this Express Product Schedule with respect to loss, theft, destruction or damage of or to Express Equipment.
4. Express Equipment.
(a) Customer shall keep the Express Equipment in good working order and will promptly notify Evolv and/or Reseller (to the extent applicable) in the event the Express Equipment requires maintenance or repair.
(b) Customer is responsible for normal daily maintenance of the Express Equipment in connection with its ordinary course use (such as cleaning, proper location, proper environment, and causing the provision of proper utility, electrical and networking requirements) in accordance with the Documentation and will keep sufficient records to demonstrate that Customer has performed such maintenance. Customer shall not permit any third party, except Evolv authorized agents, to maintain or repair the Express Equipment.
(c) Customer is solely responsible for all loss, theft, destruction of or damage to the Express Products (“Equipment Events”) provided to Customer, except to the extent due to repairs and maintenance performed by Evolv. Customer shall promptly notify Evolv and/or Reseller (to the extent applicable) of any Equipment Events and shall at Evolv’s sole option, (i) reimburse for the repair costs to return the Express Equipment to its original condition, or (ii) pay for the value of the Express Equipment based on the remaining useful life of the Express Equipment as determined in Evolv’s sole discretion, as calculated by Evolv in accordance with its standard accounting practices. Loss, theft, destruction of or damage to the Express Products shall not under any circumstances relieve Customer of any other obligation under the Agreement, including but not limited to the obligation to pay Fees.
5. Ownership
5.1 Ownership of Express Software. As between Customer and Evolv, Evolv is the sole owner of the Express Software and any associated Documentation and Evolv retains all right, title and ownership interest therein, including to all enhancements, upgrades, updates, modifications, corrections, derivatives, integrations related thereto and all intellectual property rights in the foregoing. The Agreement imparts no right, title, or ownership interest in the Express Software or associated Documentation to Customer except for the limited right to use the Express Software and associated Documentation. The Express Software is protected by copyright, trade secret and other laws and international treaty provisions, and Evolv reserves all rights. The Express Software and related Documentation are to be accessed and used solely with or as part of the Express Products in accordance with this Express Product Schedule. Customer shall not: (A) decompile, disassemble, reverse engineer, decode, adapt or attempt to reconstruct, identify, gain access or discover any source code, underlying ideas, user interface techniques or algorithms of the Express Software, in whole or in part or disclose any of the foregoing; (B) encumber, transfer, manufacture, distribute, sell, sublicense, assign, provide, lease, lend, use for timesharing or service bureau purposes, or use the Express Software except as expressly provided herein; (C) copy, modify, adapt, translate, incorporate into or with other software or service, or create a derivative work of any part of the Express Software; or (D) attempt to circumvent any user limits, timing or use restrictions that are built into the Express Software.
5.2 Ownership of Express Equipment. Unless otherwise stated in an Order Document, as between Customer and Evolv, Evolv is the sole owner of the Express Equipment and any associated Documentation and Evolv retains all right, title and ownership interest and intellectual property rights therein. The Agreement imparts no right, title, or ownership interest in the Express Equipment or associated Documentation to Customer except for the limited right to use the Express Equipment and associated Documentation. Customer will keep the Express Equipment free and clear of any and all liens, charges, and encumbrances with respect to Customer’s leasing, possession, use, or operation of the Express Equipment and will not sell, assign, sublease, transfer, grant a security interest in, or otherwise make any disposition of any interest in any Express Equipment. Evolv may display notice of its ownership of the Express Equipment by affixing an identifying stencil, legend, plate, sticker, or any other indicia of ownership, which may be updated by Evolv from time to time, and Customer will not alter, obscure, or remove such identification. Express Equipment is protected by patents, copyright, trade secret and other laws and international treaty provisions, and Evolv reserves all rights.
6. Express Professional Services.
6.1 If Customer, pursuant to one or more Order Documents entered into by the Parties, subscribes to Professional Services relating to the Express Products (the “Express Professional Services”), the Express Professional Services Schedule shall apply, and are published at https://legal.evolvtechnology.com/customers, as updated from time to time.
6.2 Limitations. Evolv reserves the right to suspend Customer’s access to the Express Software, refuse to perform Express Professional Services and/or require the immediate return of the Express Equipment, if: (i) Customer has failed to use the Express Products in accordance with Documentation, this Express Product Schedule and/or other procedures that Evolv has made available to Customer or generally makes available; (ii) the Express Products have been altered or repaired, except by Evolv or in accordance with Evolv’s written instructions; (iii) the Express Products have been used in conjunction with another customer’s or vendor’s products resulting in the need for maintenance (except for such Evolv authorized uses, evidenced in writing); (iv) the Express Products have been damaged by improper environment, improper location, an improper power source, lack of reasonable care, lack of use of needed accessories (e.g., external wheel attachment to move an outdoor unit), abuse, misuse, accident or negligence; (v) an indoor Express Product or specific indoor Express Product component, as specified in the Order Document or Documentation, is used in an improper environment including, but not limited to, being used outdoors; (vi) Evolv or its authorized agents are not granted prompt reasonable access to the Express Product location upon arrival to perform any Express Professional Services; or (vii) Customer has not promptly notified Evolv and/or Reseller (to the extent applicable) of any maintenance or repair issues and the need for related Express Professional Services and such maintenance or repair could have been avoided by Customer promptly notifying Evolv and/or Reseller (to the extent applicable).
7. Representations and Warranties; Disclaimers.
7.1 Customer Representations and Warranties. In addition to and cumulative of the representations and warranties in the General Terms and/or ToU, Customer represents and warrants (i) it will use the Express Products only at the Customer’s location(s) that are controlled by Customer and are agreed upon by the Parties in writing, and (ii) Customer will not remove Express Products from such locations without the prior written consent of Evolv and/or Reseller (to the extent applicable).
7.2 Evolv Representations and Warranties. Evolv represents and warrants that the Express Equipment (the “Express Equipment Warranty”): (a) will be free from material defects in manufacture, and (b) provided they are deployed by Evolv or its authorized representatives in accordance with the associated Documentation, will substantially conform to the current published version of such Documentation for one (1) year from the applicable Express Equipment’s initial Delivery Date (for Customers that purchase Express Products directly from Evolv) or one (1) year from the applicable Express Equipment’s initial Shipping Date (for Customers that purchase Express Products from a Reseller).
Customer’s sole and exclusive remedy, and Evolv’s sole liability, for breach of the Express Equipment Warranty shall be for Evolv and/or Reseller (to the extent applicable) to perform maintenance and repair services as set forth in this Express Product Schedule. The Express Equipment Warranty will not apply to any Express Products which Customer, or Customer’s agents, contractors or other Customer third-parties that interact with the Express Products, has (i) failed to use in accordance with the Documentation; (ii) altered, except in accordance with Evolv’s written instructions; (iii) used in conjunction with another vendor’s products (except for uses authorized by Evolv in writing); (iv) damaged due to improper environment, which includes, but is not limited to, use of an improper power source or use of an indoor Express Product (as specified in the Order Document) in an outdoor environment; or (v) damaged by negligence, accident, abuse or misuse, which includes, but is not limited to, nonuse of a required accessory (e.g., use of an external wheel accessory for Express Product movement) as detailed in the Documentation.
Exhibit A
Express Products
Express Purchase Exhibit
Effective February 5th 2024
DownloadTable of Contents
EQUIPMENT PURCHASE EXHIBIT
FOR
EVOLV EXPRESS®
This Equipment Purchase Exhibit for Evolv Express® (“Express Purchase Exhibit”) is a part of and incorporated into the Customer General Terms (“General Terms”) and apply to your (“Customer”) purchase of the Express Equipment pursuant to one or more Order Documents entered into by the Parties. Capitalized terms not defined in this Express Purchase Exhibit are as defined in the General Terms.
Subject to the terms and conditions of this Express Purchase Exhibit, Evolv agrees to provide the Express Equipment to Customer and Customer agrees to purchase the Express Equipment from Evolv. The Fees Customer will owe to Evolv are set forth in the applicable Order Document. For clarity, the terms of this Exhibit shall not apply to any Express Equipment provided to Customer on a subscription basis.
1. Ownership
Subject to the terms and conditions of the General Terms, the Express Product Schedule and this Express Purchase Exhibit, including the payment of all Fees by Customer to Evolv as and when they become due, Evolv conveys and transfers to Customer all rights, title, and interest in and unto the Express Equipment, excluding all intellectual property rights relating thereto or embodied therein, which shall be retained by Evolv. Such rights, title and interest as well as liability for loss or damages shall transfer to Customer upon the Delivery Date. Evolv retains the right to display its name, logo or trademarks on the Products by affixing an identifying stencil, legend, plate, sticker, or any other indicia, which may be updated from time to time, and Customer will not alter, obscure, or remove such identification.
2. Termination
In the event of termination pursuant to the General Terms and/or Express Product Schedule, Evolv may take one or more of the following actions: (i) declare all unpaid Fees under the Order Document immediately due and payable; (ii) require Customer to immediately return all Express Equipment to Evolv if the Express Equipment purchase fee has not been paid in full, and (iii) exercise any right or remedy which may be available to Evolv under the General Terms, Express Product Schedule, Order Document(s), equity or law, including the right to recover damages for breach of the Agreement. In addition, Customer shall be liable for reasonable attorney's fees, other costs and expenses resulting from any default, or the exercise of such remedies. Each remedy shall be cumulative and in addition to any other remedy otherwise available to Evolv at law or in equity. No express or implied waiver of any default shall constitute a waiver of any of Evolv’s other rights.
Express Professional Services Schedule
Effective March 11th 2024
DownloadTable of Contents
- Beginning on the Delivery Date, access to a progressive tiered customer support model on a 24x7x365 basis (including holidays).
- On-site dispatch of an Evolv employee or Authorized Representative and/or delivery of replacements parts to Customer as necessary to address an Issue.
- A periodic health check to assess the status of the Express Product(s), perform recalibration, preventive maintenance, and implement equipment or software Updates.
- Updates to the Express Software and related software bug fixes.
- Documentation and Documentation updates.
- E-mail: support@evolvtechnology.com
- Telephone Support: +1 (833) 673-8658
- Severity 1 (Critical) – An Express Equipment or Express Software error causing a complete breakdown of the Express Product, resulting in serious disruption/halt to Customer’s security screening process for which no reasonable and satisfactory work-around can promptly be put in place.
- Severity 2 (Medium) – Express Equipment or Express Software error causing disruption to Customer’s security screening process for which a reasonable and satisfactory work-around can be put in place.
- Severity 3 (Low) – General usage questions or cosmetic issues (e.g., programming or configuration related questions, questions relating to functionality, operability, or cosmetic problems).
| Severity Level | Remote Response Times | On-Site Response Times |
| Severity 1 | < 30 Minutes | < 24 Hours |
| Severity 2 | < 1 Hour | < 48 Hours |
| Severity 3 | < 4 Business Hours | < 5 Business Days |
- Upon request, a mutually agreed upon date for one refresher operator training. Such request can be made after the one-year anniversary of the Implementation Date and each year thereafter.
- Documentation and remote (live or on-demand) training on new Express Product features, as part of an Update.
Effective February 5th 2024 to March 11th 2024
DownloadTable of Contents
PROFESSIONAL SERVICES SCHEDULE
FOR
EVOLV EXPRESS®
This Professional Services Schedule for Evolv Express® (the “Express Professional Services Schedule”) is a part of and incorporated into the Customer General Terms (“General Terms”) and/or the Terms of Use (the “ToU”), to the extent applicable, and apply to your (“Customer”) subscription to Express Professional Services (as provided below), pursuant to one or more Order Documents entered into by Customer and (i) Evolv, or (ii) Reseller. Capitalized terms not defined in this Express Professional Services Schedule are as defined in the General Terms and/or the ToU.
Implementation Services. Evolv shall be responsible for providing the implementation services set forth herein (the “Implementation Services”).
Support Services. Evolv shall be responsible for providing support and maintenance of Express Products set forth herein during the Express Term (the “Support Services”) as part of the Fees.
Other Express Professional Services. To the extent set forth in an Order Document or other mutual written agreement, Evolv will provide additional Express Professional Services for Express Products in accordance with this Express Professional Services Schedule and/or an Order Document, including, without limitation, installation, deployment and implementation support, and training.
Severity Level | Remote Response Times | On-Site Response Times |
Severity 1 | < 30 Minutes | < 24 Hours |
Severity 2 | < 1 Hour | < 48 Hours |
Severity 3 | < 4 Business Hours | < 5 Business Days |
Evolv will provide the following training to Customer as part of the Fees:
- Upon request, a mutually agreed upon date for one refresher operator training. Such request can be made after the one-year anniversary of the Implementation Date and each year thereafter.
- Documentation and remote (live or on-demand) training on new Express Product features, as part of an Update.
4. Other Express Professional Services.
(a) Ad-Hoc Training. If Customer desires further training in addition to what is provided in Section 3 above, such training will be subject to additional Fees set forth in an Order Document.
5. Customer Responsibilities.
(a) Customer agrees to receive communications from Evolv via email, telephone, or other similar technical means regarding the Express Products and Express Professional Services (e.g., communications concerning support coverage, availability of new releases of the Express Product and/or Express Professional Services offerings or components, release notes, or training options) and keep the Express Product(s) connected to the cloud and MyEvolv Portal during any operational use of the Express Products for all features to be fully utilized and for remote diagnostics and access to the Express Products to occur.
Express Gen2 Exhibit
Effective September 20th 2024
DownloadTable of Contents
GEN2 EXHIBIT
FOR
Evolv Express®
This Gen2 Exhibit for Evolv Express® (“Gen2 Exhibit”) is a part of and incorporated into the Customer General Terms (“General Terms”) or the Service Terms for Evolv Products (the “Service Terms”), to the extent applicable, and apply to your (“Customer”) subscription to and use of the Express Products (as defined below). Capitalized terms not defined in this Gen2 Exhibit are as defined in the General Terms.
The Express Products available to Customer are described herein. Subject to Customer’s compliance with the General Terms or the Service Terms, the Express Product Schedule, and all associated Documentation, during the Express Term, the Express Products shall be provided to Customer pursuant to one or more Order Documents entered into by Customer and (i) Evolv, or (ii) an authorized reseller of Evolv Products (“Reseller”). For clarity, the terms of this Gen2 Exhibit shall only apply to use of the second generation of Express Products.
Express Products
eXpedite Product Schedule
Effective June 4th 2025
DownloadTable of Contents
eXpedite Products
Effective June 3rd 2025 to June 4th 2025
DownloadTable of Contents
eXpedite Products
Effective December 9th 2024 to June 3rd 2025
DownloadTable of Contents
eXpedite Products
eXpedite Professional Services Schedule
Effective December 9th 2024
DownloadTable of Contents
- Beginning on the Delivery Date, access to customer support on a 24x7x365 basis (including holidays).
- On-site dispatch of an Evolv employee or Authorized Representative and/or delivery of replacements parts to Customer as necessary to address an Issue.
- A periodic health check to assess the status of the eXpedite Product(s), perform recalibration, preventive maintenance, implement equipment or software Updates, and conduct an annual radiation survey.
- Updates to the eXpedite Software and related software bug fixes.
- Documentation and Documentation updates.
- E-mail: support@evolvtechnology.com
- Telephone Support: +1 (833) 673-8658
- Severity 1 (Critical) – An eXpedite Equipment or eXpedite Software error causing a complete breakdown of the eXpedite Product, resulting in serious disruption/halt to Customer’s security screening process for which no reasonable and satisfactory work-around can promptly be put in place.
- Severity 2 (Medium) – eXpedite Equipment or eXpedite Software error causing disruption to Customer’s security screening process for which a reasonable and satisfactory work-around can be put in place.
- Severity 3 (Low) – General usage questions or cosmetic issues (e.g., programming or configuration related questions, questions relating to functionality, operability, or cosmetic problems).
| Severity Level | Remote Response Times | On-Site Response Times |
| Severity 1 | < 30 Minutes | < 24 Hours |
| Severity 2 | < 1 Hour | < 48 Hours |
| Severity 3 | < 4 Business Hours | < 5 Business Days |
- Upon request, a mutually agreed upon date for one refresher operator training. Such request can be made after the one-year anniversary of the Implementation Date and each year thereafter.
- Documentation and remote (live or on-demand) training on new eXpedite Product features, as part of an Update.
Visual Gun Detection Product Schedule
Effective September 11th 2024
DownloadTable of Contents
Visual Gun Detection Products
Effective June 24th 2024 to September 11th 2024
DownloadTable of Contents
Visual Gun Detection Products
Effective March 11th 2024 to June 24th 2024
DownloadTable of Contents
Visual Gun Detection Products
Effective February 5th 2024 to March 11th 2024
DownloadTable of Contents
PRODUCT SCHEDULE
FOR
EVOLV VISUAL GUN DETECTION™
This Product Schedule for Evolv Visual Gun Detection™ (the “Visual Gun Detection Product Schedule”) is a part of and incorporated into the Customer General Terms (“General Terms”) and/or the Terms of Use (the “ToU”), to the extent applicable, and apply to your (“Customer”) subscription to and use of Visual Gun Detection Software (as defined below). Capitalized terms not defined in this Visual Gun Detection Product Schedule are as defined in the General Terms and/or the ToU.
1. Product Description. The “Evolv Visual Gun Detection Products” (“Visual Gun Detection Products”) available to Customer are described on Exhibit A hereto. Subject to Customer’s compliance with the General Terms and/or the ToU, this Visual Gun Detection Product Schedule, and all associated Documentation, during the Visual Gun Detection Term (as defined below), the Visual Gun Detection Software shall be provided to Customer as identified in the applicable Order Document between Customer and Evolv or an authorized reseller of Evolv Products (“Reseller”).
2. Fees; Shipping.
2.1 Fees. Fees for the Visual Gun Detection Software purchased by Customer directly from Evolv will begin accruing on the date that Customer receives an email activation from the Visual Gun Detection Software licensor (“Omnilert”) for the Visual Gun Detection Software (the “Commencement Date”).
3. Term and Effect of Termination.
3.1 Term.
(a) Evolv Visual Gun Detection - Standard. Unless provided otherwise in an Order Document, in the event that Customer purchases the Visual Gun Detection Software for stand-alone use with Existing Equipment (as defined below), the initial term for the Visual Gun Detection Software will commence on the Commencement Date and end upon the two (2) year anniversary of the Commencement Date (the “Visual Gun Detection Initial Term”), unless earlier terminated in accordance with the General Terms (to the extent applicable). Upon expiration of the Visual Gun Detection Initial Term, this Visual Gun Detection Product Schedule will automatically renew for additional one (1) year periods (each a “Visual Gun Detection Renewal Term,” and together with the Visual Gun Detection Initial Term, the “Visual Gun Detection Term”), unless either Party provides written notice of non-renewal to the other Party at least thirty (30) days prior to the end of the Visual Gun Detection Initial Term or then-current Visual Gun Detection Renewal Term, as the case may be. Notwithstanding the foregoing, this Visual Gun Detection Product Schedule will remain in effect and applicable to any Visual Gun Detection Software under an Order Document that has not yet expired or terminated as of the time of the expiration or termination of the Visual Gun Detection Term in accordance with this Section.
(b) Evolv Visual Gun Detection - Upgrade. Unless provided otherwise in an Order Document, in the event that Customer (i) purchases the Visual Gun Detection Software and Express Products simultaneously; or (ii) is already under an Express Term, the Visual Gun Detection Initial Term shall be concurrent with such Express Term applicable to the Express Products, as defined in the Express Product Terms located at https://legal.evolvtechnology.com/customers.
3.2 Effect of Termination. Upon the termination of an Order Document, expiration of the Visual Gun Detection Term or termination of the General Terms (to the extent applicable), the rights granted to Customer for use of Visual Gun Detection Software under the applicable Order Document(s) will end, and Customer will immediately lose access to and lose use of such Visual Gun Detection Software.
4. Required Equipment.
Customer shall utilize its existing stand-alone video camera and surveillance systems (“Existing Equipment”) or purchase designated equipment from third parties as set forth in Exhibit A, attached hereto, to be used in conjunction with the Visual Gun Detection Software (collectively, “Required Equipment”). Such Required Equipment must meet the specifications defined in the Documentation. Customer acknowledges and agrees that Required Equipment that fails to meet such specifications may result in the Visual Gun Detection Software not operating as intended.
Customer is responsible for the operation and normal daily maintenance of the Required Equipment in connection with its ordinary course use (such as cleaning, proper location, proper environment, and causing the provision of proper utility, electrical and networking requirements). Evolv is not responsible and/or liable for any loss, theft, destruction of or damage to the Required Equipment.
Evolv, its authorized representatives, and/or Reseller (to the extent applicable) shall work with Customer to ensure that the Visual Gun Detection Software is installed on the Required Equipment.
5. Ownership
5.1 Ownership of Visual Gun Detection Software. As between Customer and Evolv, Evolv is the sole owner of the Visual Gun Detection Software and any associated Documentation and Evolv retains all right, title and ownership interest therein, including to all enhancements, upgrades, updates, modifications, corrections, derivatives, integrations related thereto and all intellectual property rights in the foregoing. The Agreement imparts no right, title, or ownership interest in the Visual Gun Detection Software or associated Documentation to Customer except for the limited right to use the Visual Gun Detection Software and associated Documentation. The Visual Gun Detection Software is protected by copyright, trade secret and other laws and international treaty provisions, and Evolv reserves all rights. The Visual Gun Detection Software and related Documentation are to be accessed and used solely with or as part of the Visual Gun Detection Products in accordance with this Visual Gun Detection Product Schedule. Customer shall not: (A) decompile, disassemble, reverse engineer, decode, adapt or attempt to reconstruct, identify, gain access or discover any source code, underlying ideas, user interface techniques or algorithms of the Visual Gun Detection Software, in whole or in part, or disclose any of the foregoing; (B) encumber, transfer, manufacture, distribute, sell, sublicense, assign, provide, lease, lend, use for timesharing or service bureau purposes, or use the Visual Gun Detection Software except as expressly provided herein; (C) copy, modify, adapt, translate, incorporate into or with other software or service, or create a derivative work of any part of the Visual Gun Detection Software; or (D) attempt to circumvent any user limits, timing or use restrictions that are built into the Visual Gun Detection Software.
5.2 Ownership of Required Equipment. Unless otherwise stated in an Order Document, as between Customer and Evolv, Customer is the sole owner of the Required Equipment and Customer retains all right, title and ownership interest and intellectual property rights therein. The Agreement imparts no right, title, or ownership interest in the Required Equipment to Evolv except for the limited right to access the Required Equipment as set forth herein.
6. Visual Gun Detection Professional Services.
6.1 If Customer, pursuant to one or more Order Documents entered into by the Parties, subscribes to Professional Services relating to the Visual Gun Detection Software (the “Visual Gun Detection Professional Services”), the Visual Gun Detection Professional Services Schedule shall apply, and are published at https://legal.evolvtechnology.com/customers, as updated from time to time.
6.2 Limitations. Evolv reserves the right to suspend Customer’s access to the Visual Gun Detection Software and/or refuse to perform Visual Gun Detection Professional Services, if: (i) Customer has failed to use the Visual Gun Detection Software in accordance with Documentation, this Visual Gun Detection Product Schedule and/or other procedures that Evolv has made available to Customer or generally makes available; (ii) the Visual Gun Detection Software has been used in conjunction with another customer’s or vendor’s products resulting in the need for maintenance (except for such Evolv authorized uses, evidenced in writing); (iii) Evolv or its authorized agents are not granted prompt reasonable access to the Visual Gun Detection Product location upon arrival to perform any Visual Gun Detection Professional Services; or (iv) Customer has not promptly notified Evolv and/or Reseller (to the extent applicable) of any maintenance or repair issues and the need for related Visual Gun Detection Professional Services and such maintenance or repair could have been avoided by Customer promptly notifying Evolv and/or Reseller (to the extent applicable).
7. Representations and Warranties; Disclaimers.
7.1 Customer Representations and Warranties. In addition to and cumulative of the representations and warranties in the General Terms and/or ToU, Customer represents and warrants (i) it will use the Visual Gun Detection Software only at the Customer’s location(s) that are controlled by Customer and are agreed upon by the Parties in writing.
7.2 Evolv Representations and Warranties. Evolv represents and warrants that the Visual Gun Detection Software, provided it is deployed by Evolv, its authorized representatives or Omnilert, in accordance with the associated Documentation, will substantially conform to the current published version of such Documentation for one (1) year from the applicable Commencement Date (the “Visual Gun Detection Warranty”).
Customer’s sole and exclusive remedy, and Evolv’s sole liability, for breach of the Visual Gun Detection Warranty shall be for Evolv and/or Reseller (to the extent applicable) to perform maintenance and repair services as set forth in this Visual Gun Detection Product Schedule. The Visual Gun Detection Warranty will not apply to any Visual Gun Detection Software which Customer, or Customer’s agents, contractors or other Customer third-parties that interact with the Visual Gun Detection Software, has (i) failed to use in accordance with the Documentation; (ii) altered, except in accordance with Evolv’s written instructions; (iii) used in conjunction with another vendor’s products (except for uses authorized by Evolv in writing); or (iv) damaged by negligence, accident, abuse or misuse, which includes, but is not limited to, nonuse of a required accessory as detailed in the Documentation. Evolv shall not be responsible or liable in connection with the Visual Gun Detection Warranty or for any non-performance of maintenance and repair services by Omnilert.
Exhibit A
Visual Gun Detection Products
Visual Gun Detection Professional Services Schedule
Effective September 11th 2024
DownloadTable of Contents
- Beginning on the Delivery Date, access to a progressive tiered customer support model on a 24x7x365 basis (including holidays).
- On-site dispatch of an Evolv employee or Authorized Representative and/or delivery of replacements parts to Customer as necessary to address an Issue.
- Updates to the Visual Gun Detection Software and related software bug fixes.
- Documentation and Documentation updates.
- E-mail: support@evolvtechnology.com
- Telephone Support: +1 (833) 673-8658
- Severity 1 (Critical) –Visual Gun Detection Product error causing a complete breakdown of the Visual Gun Detection Product, resulting in serious disruption/halt to Customer’s security screening process for which no reasonable and satisfactory work-around can promptly be put in place.
- Severity 2 (Medium) –Visual Gun Detection Product error causing disruption to Customer’s security screening process for which a reasonable and satisfactory work-around can be put in place.
- Severity 3 (Low) – General usage questions or cosmetic issues (e.g., programming or configuration related questions, questions relating to functionality, operability, or cosmetic problems).
| Severity Level | Responsible Party | Remote Response Times | On-Site Response Times |
| Severity 1 | Evolv | < 60 Minutes | < 24 Hours |
| Severity 2 | Evolv | < 24 Hours | < 48 Hours |
| Severity 3 | Omnilert | < 2 Business Days | < 5 Business Days |
- Training of Visual Gun Detection Software operators on the Implementation Date. This training shall be scheduled in parallel with the Implementation Date.
- Documentation and remote (live or on-demand) training on new Visual Gun Detection Software features, as part of an Update.
Effective March 11th 2024 to September 11th 2024
DownloadTable of Contents
- Beginning on the Delivery Date, access to a progressive tiered customer support model on a 24x7x365 basis (including holidays).
- On-site dispatch of an Evolv employee or Authorized Representative and/or delivery of replacements parts to Customer as necessary to address an Issue.
- Updates to the Visual Gun Detection Software and related software bug fixes.
- Documentation and Documentation updates.
- E-mail: support@evolvtechnology.com
- Telephone Support: +1 (833) 673-8658
- Severity 1 (Critical) –Visual Gun Detection Product error causing a complete breakdown of the Visual Gun Detection Product, resulting in serious disruption/halt to Customer’s security screening process for which no reasonable and satisfactory work-around can promptly be put in place.
- Severity 2 (Medium) –Visual Gun Detection Product error causing disruption to Customer’s security screening process for which a reasonable and satisfactory work-around can be put in place.
- Severity 3 (Low) – General usage questions or cosmetic issues (e.g., programming or configuration related questions, questions relating to functionality, operability, or cosmetic problems).
| Severity Level | Responsible Party | Remote Response Times | On-Site Response Times |
| Severity 1 | Evolv | < 60 Minutes | < 24 Hours |
| Severity 2 | Evolv | < 24 Hours | < 48 Hours |
| Severity 3 | Omnilert | < 2 Business Days | < 5 Business Days |
- Training of Visual Gun Detection Software operators on the Implementation Date. This training shall be scheduled in parallel with the Implementation Date.
- Documentation and remote (live or on-demand) training on new Visual Gun Detection Software features, as part of an Update.
Effective February 5th 2024 to March 11th 2024
DownloadTable of Contents
PROFESSIONAL SERVICES SCHEDULE
FOR
EVOLV VISUAL GUN DETECTION™
This Professional Services Schedule for Evolv Visual Gun Detection™ (the “Visual Gun Detection Professional Services Schedule”) is a part of and incorporated into the Customer General Terms (“General Terms”) and/or the Terms of Use (the “ToU”), to the extent applicable, and apply to your (“Customer”) subscription to Visual Gun Detection Professional Services (as provided below), pursuant to one or more Order Documents entered into by Customer and (i) Evolv, or (ii) Reseller. Capitalized terms not defined in this Visual Gun Detection Professional Services Schedule are as defined in the General Terms and/or the ToU.
Implementation Services. Evolv shall be responsible for providing the implementation services set forth herein (the “Implementation Services”).
Support Services. Evolv shall be responsible for providing support and maintenance of the Visual Gun Detection Software set forth herein during the Visual Gun Detection Term (the “Support Services”) as part of the Fees.
Other Visual Gun Detection Professional Services. To the extent set forth in an Order Document or other mutual written agreement, Evolv will provide additional Visual Gun Detection Professional Services for Visual Gun Detection Software in accordance with this Visual Gun Detection Professional Services Schedule and/or an Order Document, including, without limitation, installation, deployment and implementation support, and training.
1. Implementation Services
(a) Evolv will provide the following Implementation Services on a date or dates mutually agreed by the Parties (each, an “Implementation Date”). Evolv or its authorized representatives and contractors will implement the Visual Gun Detection Software pursuant to Evolv’s standard procedures, which may include, but are not limited to, the implementation procedures set forth below:
(i) Implementation includes an Evolv employee or authorized representative (i) confirming that the Visual Gun Detection Software is installed and configured, (ii) confirming that the Required Equipment are added into the Visual Gun Detection Software, and (iii) to the extent applicable, installing an app on the Required Equipment.
(ii) Evolv will provide Customer with advance notice of any items needed for implementation and Customer shall be responsible for installation of the Required Equipment prior to the Implementation Date.
(iii) If Customer cancels or requests a change to the Implementation Date within the 72 hours preceding the Implementation Date, Customer will be assessed a cancellation/change fee of $2,500.
(iv) At least two (2) weeks prior to the Implementation Date, Customer will identify to Evolv or its authorized representative, any special access or security requirements for performance of on-site Visual Gun Detection Professional Services.
(v) Customer will (a) provide a safe and adequate work environment, including sufficient space for the delivery of on-site Visual Gun Detection Professional Services, (b) ensure that the Required Equipment and all items necessary for implementation are available and located in the immediate area where implementation is planned, (c) ensure the Required Equipment is easily accessible without the need to move furniture and supplying hand carts, if needed, and (d) be responsible for removal of any trash and packing material associated with the Visual Gun Detection Product(s).
2. Support Services and Service Levels
(a) Definitions
(i) Authorized Representative means the third-party representative that Evolv has contracted to perform Support Services subject to the terms of this Agreement.
(ii) Issue(s) means any confirmed failure of the Visual Gun Detection Software which results in the Visual Gun Detection Software not performing in accordance with the applicable Documentation.
(iii) Named Contact means the administrator and backup administrator that serve as Evolv’s primary contact for Support Services. Customer is required to appoint at least one main administrator.
(iv) Response Time means the maximum period which may elapse between the time Evolv is notified and opens a case of an Issue and the time at which Evolv or Omnilert starts to address the Issue.
(v) Severity Level means the classification system for all Issues as defined in Section 5 below.
(vi) Updates means all subsequent general public releases of the Visual Gun Detection Software, excluding any value-added Visual Gun Detection Product features, functionalities, or capabilities that Evolv develops or creates and offers to existing and potential customers as additional subscription or purchasable add-ons to the Visual Gun Detection Software or Visual Gun Detection Professional Services.
(b) Support Services
(i) During the Term, Evolv will provide the following Support Services as part of the Fees, as applicable:
- Beginning on the Delivery Date, access to a progressive tiered customer support model on a 24x7x365 basis (including holidays).
- On-site dispatch of an Evolv employee or Authorized Representative and/or delivery of replacements parts to Customer as necessary to address an Issue.
- Updates to the Visual Gun Detection Software and related software bug fixes.
- Documentation and Documentation updates.
(ii) Evolv provides 24x7x365 access to its support service organization by phone, e-mail or the MyEvolv Portal:
- E-mail: support@evolvtechnology.com
- Telephone Support: +1 (833) 673-8658
(iii) Customer shall promptly notify Evolv following the discovery of an Issue. Customer shall assist Evolv in troubleshooting the reported Issue by (a) appointing and training the Named Contact(s), (b) unless an Issue prevents otherwise, have the system on and operational, and (c) providing all information reasonably requested by Evolv that may be necessary to deliver remote Visual Gun Detection Professional Services.
(iv) The Named Contact(s) will be trained by Evolv to provide first-line support to its internal users. Such training will include how to gather relevant system information including serial number and data logs to enable troubleshooting to commence; review of administrator features on the tablet; how to access the MyEvolv Portal; how to outreach to Evolv for technical support; and any other items to enable the Named Contact to run an initial troubleshooting of the Issue prior to reaching out to Evolv per section 4(a), if they have not already done so.
(v) Evolv will acknowledge a request for Support Services by logging a case, communicating the case ID to the Customer, and assigning a Severity Level commencement of remedial action.
(c) Service Levels
(i) Evolv will assign each Issue a severity level, based on the following criteria:
- Severity 1 (Critical) –Visual Gun Detection Product error causing a complete breakdown of the Visual Gun Detection Product, resulting in serious disruption/halt to Customer’s security screening process for which no reasonable and satisfactory work-around can promptly be put in place.
- Severity 2 (Medium) –Visual Gun Detection Product error causing disruption to Customer’s security screening process for which a reasonable and satisfactory work-around can be put in place.
- Severity 3 (Low) – General usage questions or cosmetic issues (e.g., programming or configuration related questions, questions relating to functionality, operability, or cosmetic problems).
(ii) Once Evolv has acknowledged the receipt of a service call and assigned a Severity Level, Evolv will (i) work to isolate, remotely troubleshoot, remedy, and work to resolve Severity Level 2 or Severity Level 3 Issues; and (ii) if a Severity Level 1 Issue, promptly notify Omnilert (to the extent required) and with Omnilert, as applicable, work to resolve the Issue. If Evolv and/or Omnilert is unable to perform remote diagnostics within the remote response times below, an Evolv representative, or Authorized Representative, may be deployed to perform onsite technical support per the on-site response times below.
(iii) Evolv and/or Omnilert (as applicable) will respond to the reported Issue(s) within the following response periods:
Severity Level | Responsible Party | Remote Response Times | On-Site Response Times |
Severity 1 | Evolv | < 60 Minutes | < 24 Hours |
Severity 2 | Evolv | < 24 Hours | < 48 Hours |
Severity 3 | Omnilert | < 2 Business Days | < 5 Business Days |
Evolv will provide the following training to Customer as part of the Fees:
- Training of Visual Gun Detection Software operators on the Implementation Date. This training shall be scheduled in parallel with the Implementation Date.
- Documentation and remote (live or on-demand) training on new Visual Gun Detection Software features, as part of an Update.
4. Other Visual Gun Detection Professional Services.
(a) Ad-Hoc Training. If Customer desires further training in addition to what is provided in Section 3 above, such training will be subject to additional Fees set forth in an Order Document.
5. Customer Responsibilities.
(a) Customer agrees to receive communications from Evolv via email, telephone, or other similar technical means regarding the Visual Gun Detection Software and Visual Gun Detection Professional Services (e.g., communications concerning support coverage, availability of new releases of the Visual Gun Detection Software and/or Visual Gun Detection Professional Services offerings or components, release notes, or training options).
Data Processing Addendum
Effective March 11th 2024
DownloadTable of Contents
| Name: | The data exporter is the entity identified as “Customer” in the DPA |
| Address: | As set forth in the Agreement |
| Contact person: | As set forth in the Notices provision in the Agreement or Order Document |
| Activities relevant to the data transferred under these Clauses: | As set forth in the Agreement |
| Signature and date: | Refer to DPA or Agreement, as applicable |
| Role: | Controller, except when processing data on behalf of another entity, in which case data exporter is a Processor |
| Name: | The data importer is the entity identified as “Evolv” in the DPA |
| Address: | As set forth in the Agreement |
| Contact person: | privacy@evolvtechnology.com |
| Activities relevant to the data transferred under these Clauses: | As set forth in the Agreement |
| Signature and date: | Refer to DPA or Agreement, as applicable |
| Role: | Processor, or Subprocessor if data exporter is a Processor |
| Categories of data subjects whose personal data is transferred: | Data exporter’s contacts including its employees, contractors, suppliers and subcontractors and other personnel, and its customers, patrons, and other visitors. Data exporter will prevent the sharing or transfer to data importer of Personal Data of patients unless data importer has agreed in writing. |
| Categories of personal data transferred: | Depending on data exporter’s configuration of the data importer’s Services categories of personal data may include contact information, images, location information, and application/website usage information. |
| Sensitive categories of data (if appropriate): | N/A |
| The frequency of the transfer: | As set forth in the Agreement |
| Nature of the processing: | The subject-matter and nature of the processing of data exporter Personal Data by data importer is for the provision of the Services to the data exporter under the Agreement. |
| Purposes of the data transfer and further processing: | Refer to DPA. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Personal Data will be processed for the duration of the Agreement, subject to Section 10 of the DPA |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | Refer to DPA and the Agreement |
- Establish and maintain an information security program designed to (i) protect the security and confidentiality of data exporter’s Personal Data; (ii) protect against any anticipated threats or hazards to the security or integrity of data exporter’s Personal Data; (iii) protect against unauthorized access to or use of data exporter’s Personal Data; and (iv) ensure the proper disposal of data exporter’s Personal Data.
- Provide security awareness and training programs delivered not less than annually, for all Evolv personnel who access data exporter’s Personal Data.
- Maintain controls that provide reasonable assurance that access to data importer’s physical servers at its production data center (“Systems”) is limited to properly authorized individuals and that environmental controls are established to detect, prevent, and control destruction due to environmental extremes. Logging and monitoring of unauthorized access attempts made to the Systems by the data center security personnel, and camera surveillance systems at critical internal and external entry points to the data center.
- Maintain policies and procedures designed to protect the confidentiality, integrity, and availability of Personal Data and protect it from unauthorized disclosure, alteration, or destruction. For clarity, data importer does not control data exporter’s user-facing configuration of any data importer software and is not responsible for any of the foregoing obligations and protections to the extent they are controlled by data exporter’s configuration of the software. Data importer will provide guidance on the recommended configuration of user-facing software.
- Maintain a security incident response plan that includes procedures to be followed in the event of any incident that results in a Personal Data Breach. The procedures include:
- Roles and responsibilities: formation of an internal incident response team with a response leader
- Investigation: assessing the risk the Personal Data Breach poses and determining which customers may be affected
- Communication: internal reporting as well as a notification process to data importer customers and other applicable third parties.
- Implement storage and transmission security measures designed to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network. Such measures include requiring NIST acceptable encryption of any Personal Data stored on desktops, laptops or other mobile computer devices. Data importer will encrypt sensitive data when transmitted over public networks.
Effective January 23rd 2024 to March 11th 2024
DownloadTable of Contents
DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “DPA”) forms part of the Customer General Terms and/or the Terms of Use (the “ToU”), to the extent applicable, between you (“Customer”) and Evolv Technologies, Inc. (“Evolv”).
This DPA is incorporated into the Agreement between Evolv and Customer and applies to Evolv’s Processing of Personal Data in connection with Evolv’s provision of the Products and related Professional Services (to the extent applicable) to Customer. In the event of any inconsistency between the DPA and the Agreement as to Evolv’s Processing of Personal Data, the DPA shall control.
For purposes of this DPA, the following terms and those defined within the body of this DPA apply.
SCHEDULE 1
APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES
A. LIST OF PARTIES
Data exporter
Name: | The data exporter is the entity identified as “Customer” in the DPA |
Address: | As set forth in the Agreement |
Contact person: | As set forth in the Notices provision in the Agreement or Order Document |
Activities relevant to the data transferred under these Clauses: | As set forth in the Agreement |
Signature and date: | Refer to DPA or Agreement, as applicable |
Role: | Controller, except when processing data on behalf of another entity, in which case data exporter is a Processor |
Data importer
Name: | The data importer is the entity identified as “Evolv” in the DPA |
Address: | As set forth in the Agreement |
Contact person: | |
Activities relevant to the data transferred under these Clauses: | As set forth in the Agreement |
Signature and date: | Refer to DPA or Agreement, as applicable |
Role: | Processor, or Subprocessor if data exporter is a Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: | Data exporter’s contacts including its employees, contractors, suppliers and subcontractors and other personnel, and its customers, patrons, and other visitors. Data exporter will prevent the sharing or transfer to data importer of Personal Data of patients unless data importer has agreed in writing. |
Categories of personal data transferred: | Depending on data exporter’s configuration of the data importer’s Services categories of personal data may include contact information, images, location information, and application/website usage information. |
Sensitive categories of data (if appropriate): | N/A |
The frequency of the transfer: | As set forth in the Agreement |
Nature of the processing: | The subject-matter and nature of the processing of data exporter Personal Data by data importer is for the provision of the Services to the data exporter under the Agreement. |
Purposes of the data transfer | Refer to DPA. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Personal Data will be processed for the duration of the Agreement, subject to Section 10 of the DPA |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | Refer to DPA and the Agreement |
C. COMPETENT SUPERVISORY AUTHORITY
The competent Supervisory Authority shall be the Netherlands, or the UK ICO for matters related to data subjects in the UK.
ANNEX II
Evolv agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by applicable data protection law(s). Such measures will include:
ANNEX III
The data exporter has authorized the use of the following subprocessors:
Please see https://learn.evolvtechnology.com/express-subprocesser-list
Data Processing Addendum - Saudi
Effective October 31st 2025
DownloadTable of Contents
Saudi Data Processing Addendum
This Saudi Data Processing Addendum (the “DPA”) forms part of the Service Terms for Evolv Products (the “Service Terms”), to the extent applicable, between you (“Customer”) and Evolv Technologies, Inc. (“Evolv”).
This DPA is incorporated into the Agreement between Evolv and Customer and applies to Evolv’s Processing of Personal Data in connection with Evolv’s provision of the Products and related Professional Services (to the extent applicable) to Customer. In the event of any inconsistency between the DPA and the Agreement as to Evolv’s Processing of Personal Data, the DPA shall control.
For purposes of this DPA, the following terms and those defined within the body of this DPA apply.
1. DEFINITONS
1.1 In this DPA, the terms "Personal Data", "Controller", "Processor", "Data Subject", "Process" and " Competent Authority" shall have the same meaning as set out in applicable Data Protection Laws with the same or equivalent terms, and the following words and expressions shall have the following meanings unless the context otherwise requires.
1.2 "Customer Personal Data" means the Personal Data described in Annex 1 of Schedule 1, and any other Personal Data that Evolv Processes on behalf of Customer in connection with Evolv's provision of the Services.
1.3 "Data Protection Laws" means all applicable laws, rules and regulations relating to the Processing of Personal Data including the PDPL as amended, repealed, consolidated or replaced from time to time.
1.4 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data by Evolv that compromises the security, confidentiality or integrity of such Customer Personal Data.
1.5 "Standard Contractual Clauses" are the Saudi Contractual Clauses issued by SDAIA.
1.6 "Subprocessor" means any Processor engaged by Evolv to Process Customer Personal Data on Evolv’s behalf.
1.7 "Third Country" means any country outside of a country in which the Data Protection Laws restrict transfers of Personal Data to destinations outside of that country, except where the Data Protection Laws and applicable regulatory authorities of the originating country adopted an adequacy decision regarding the Data Protection Laws of the destination country such that transfers of Personal Data to that destination country are not restricted.
1.8 “PDPL” means the Saudi Personal Data Protection Law, issued by Royal Decree No. M/19 dated 09/02/1443 AH and amended by Royal Decree No. M/148 dated 05/09/1444 AH, together with its Implementing Regulations.
1.9 “SDAIA” means the Saudi Data and Artificial Intelligence Authority.
1.10 “KSA” means kingdom of Saudi Arabia.
Capitalized terms used in this DPA and not defined above shall have the meaning set forth in the Agreement.
2. DATA PROCESSING
2.1 Evolv will only Process Customer Personal Data in accordance with the Agreement and any Order Document, to the extent necessary to provide the Professional Services and/or Software (collectively, “Services”) to Customer, and Customer's written instructions, including with respect to transfers of Customer Personal Data, unless Processing is required by applicable Data Protection Laws, in which case Evolv shall, to the extent permitted by applicable law, inform Customer of that legal requirement before so Processing that Customer Personal Data. Evolv shall not Process Customer Personal Data outside of the direct business relationship between Customer and Evolv. Evolv shall not ‘sell’ or ‘share’ (as such terms may be specifically defined in applicable Data Protection Laws) Customer Personal Data. To the extent required by applicable Data Protection Laws, Evolv certifies that it understands the foregoing restrictions and will comply with them. The Agreement, DPA, and any Order Document (subject to any changes to the Services) shall be Customer's complete and final instructions to Evolv in relation to the Processing of Customer Personal Data. Processing outside the scope of the foregoing will require prior written agreement between Customer and Evolv on additional instructions for Processing and may be subject to additional fees. As part of the Services, and in compliance with Data Protection Law, Evolv may Process certain Customer Personal Data of select customers to optimize and improve the Service.
2.2 Customer shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Data by Evolv in accordance with the Agreement, including notices for capturing images of Data Subjects. Customer shall obtain and maintain throughout the term of the Agreement any required consents and/or authorizations related to its provision of, and Evolv’s processing of, Customer Personal Data as part of the Services, including for capturing images of Data Subjects. If Customer is not required by Data Protection Laws to obtain and maintain valid consent from Data Subjects, Customer will otherwise obtain and maintain a valid legal basis in accordance with Data Protection Laws to Process Customer Personal Data and for providing such data to Evolv for Processing under the Agreement.
2.3 For the avoidance of doubt, Customer’s instructions for the processing of Customer Personal Data shall comply with all applicable Data Protection Laws in the operating jursidictions. Customer acknowledges that Evolv is reliant on Customer for direction as to the extent to which Evolv is entitled to use and Process Customer Personal Data. Consequently, Evolv will not be liable for any claim brought against Customer by a Data Subject arising from any act or omission by Evolv to the extent that such act or omission resulted from Customer's instructions or Customer's use of the Services.
2.4 Unless set forth in an Order Document, Customer Data may not include any sensitive or special data that imposes specific data security or data protection obligations on Evolv in addition to or different from those specified in the Documentation or which are not provided as part of the Services.
2.5 If applicable Data Protection Laws recognize the roles of Controller and Processor as applied to Customer Personal Data then, as between Customer and Evolv, Customer acts as Controller and Evolv acts as a Processor (or subprocessor, as the case may be) of Customer Personal Data.
2.6 As required by applicable Data Protection Laws, if Evolv believes any Customer instructions to Process Customer Personal Data will violate applicable Data Protection Laws, or if applicable Data Protection Laws require Evolv to process Customer Personal Data relating to data subjects in a way that does not comply with Customer’s documented instructions, Evolv shall notify Customer in writing, unless applicable Data Protection Laws prohibit such notification, provided Evolv is not responsible for performing legal research or providing legal advice to Customer.
2.7 Evolv shall Process Customer Personal Data for the duration of the provision of Services in accordance with the Agreement and thereafter only as set forth in the Agreement and this DPA.
2.8 Each Party will comply with Data Protection Laws applicable to such Party in connection with the Agreement and this DPA.
3. SUBPROCESSORS
3.1 Consent to Subprocessor Engagement. Customer generally authorizes the engagement of third parties as Subprocessors. For the avoidance of doubt, this authorization constitutes Customer’s prior written consent to the subprocessing of Customer Personal Data for purposes of Clause 9, Option 2 of the Standard Contractual Clauses and any similar requirements of other data transfer mechanisms.
3.2 Information about Subprocessors. A current list of Subprocessors is available at https://learn.evolvtechnology.com/express-subprocesser-list ("Subprocessor List"), and may be updated by Evolv from time to time in accordance with this DPA. Customer may sign up to receive notices of additions to the Subprocessor List by completing the email sign-up process on the Subprocessor List web page referenced above.
3.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Evolv will:
(a) execute with Subprocessors a written agreement providing:
(i) the Subprocessor only Processes Customer Personal Data to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement and this DPA; and
(ii) the Subprocessor utilize the same level of data protection and security with regard to its Processing of Customer Personal Data as are described in this DPA.
(b) be responsible for the Subprocessor’s violations of this DPA or Data Protection Laws in relation to the services such Subprocessor provides to Evolv to the extent Evolv would be liable for the same violations under the terms of the Agreement.
3.4 Opportunity to Object to Subprocessor Changes. Customer may, on reasonable and objective grounds, object to Evolv's use of a new Subprocessor by providing Evolv with written notice within fifteen (15) days after Evolv has provided notice to Customer as described herein with documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA or Data Protection Laws ("Objection"). In the event of an Objection, Customer and Evolv will work together in good faith to find a mutually acceptable resolution to address such Objection, including but not limited to reviewing additional documentation and or remediation efforts of the subprocessor supporting the Subprocessor’s compliance with the DPA or Data Protection Laws. To the extent Customer and Evolv do not reach a mutually acceptable resolution within a reasonable timeframe, Evolv will use reasonable endeavors to make available to Customer a change in the Services or will recommend a commercially reasonable change to the Services to prevent the applicable Subprocessor from Processing Customer Personal Data. If Evolv is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, Evolv and Customer shall escalate to their applicable executive or senior leadership to discuss the matter in good faith and determine an appropriate resolution and next steps.
4. INTERNATIONAL TRANSFERS
4.1 In accordance with Customer’s instructions under Section 2, Evolv may Process Customer Personal Data on a global basis as necessary to provide the Services, including for IT security purposes, maintenance and provision of the Services and related infrastructure, technical support, and change management.
4.2 To the extent that the Processing of Customer Personal Data by Evolv involves the transfer of such Customer Personal Data from a country whose Data Protection Laws restrict the transfer of Personal Data to Third Countries, then such transfers shall be subject to the protections and provisions of the Standard Contractual Clauses (for which the SCC Appendix is attached to this DPA in Schedule 1), DPA for transfers from KSA to Third Countries, or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Laws.
4.3 Customer shall be deemed to have signed the SCC in Schedule 1, Annex I in its capacity of “data exporter” and Evolv in its capacity as “data importer.” Template Two of the SCC issued by SDAIA shall apply to the transfer.
4.4 The SCC, or DPA , as applicable, will cease to apply if Evolv has implemented an alternative recognized compliance mechanism for the lawful transfer of personal data in accordance with applicable Data Protection Laws.
4.5 In the event of any conflict between any terms in the SCC or DPA, as applicable, and the DPA, the SCC, as applicable, shall prevail to the extent of the conflict.
5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
5.1 Evolv Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Evolv shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of the Processing, including the measures set out in Schedule 1. Evolv may update its security practices from time to time but will not materially decrease the overall security of the Services during the term of the Agreement. Such measures shall include process for regularly testing, assessing, and evaluating the effectiveness of the measures.
5.2 Security Audits.
(a) Evolv will, upon Customer’s written request, verify its compliance with its obligations in this DPA by first providing to Customer for its review documentation regarding the same and, if such documentation is not reasonably sufficient to address Customer’s inquiries, participate in and contribute to audits as set forth below.
(b) Customer may, upon at least 30 days’ advance written notice and per a timeline mutually agreeable to Evolv and the Customer, audit (either by itself or using independent third-party auditors) Evolv's compliance with the security measures set out in this DPA solely for the purpose of confirming Evolv's compliance with its obligations under this DP, provided that such an audit will not place an inordinate resource burden on Evolv Evolv shall reasonably assist with any audits conducted in accordance with this Section 5.2. Such audits may be carried out once per year, or more often if required by Data Protection Law or Customer’s applicable Supervisory Authority. The timeline and schedule commits for such an audit must be negotiated at each instance of such a request.
(c) Any third party engaged by Customer to conduct an audit must be pre-approved by Evolv (such approval not to be unreasonably withheld) and sign Evolv’s confidentiality agreement. Customer must provide Evolv with a proposed audit plan at least two weeks in advance of the audit, after which Customer and Evolv shall discuss in good faith and finalize the audit plan prior to commencement of audit activities.
(d) Audits may be conducted only during regular business hours, in accordance with the finalized audit plan and Evolv’s security and other policies, and may not unreasonably interfere with Evolv’s regular business activities. Evolv is not required to grant access to its premises or systems for the purposes of such an audit to any individual unless they produce reasonable evidence of identity and authority. Customer shall reimburse Evolv for any costs or expenses incurred by Evolv in granting access to its data processing facilities.
(e) Information obtained or results produced in connection with an audit are Evolv confidential information and may only be used by Customer to confirm compliance with this DPA and for complying with its requirements under Data Protection Laws.
(f) Customer may request that Evolv audit a Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Customer in obtaining a third-party audit report concerning the Subprocessor’s operations) to verify compliance with the Subprocessor’s obligations. The subprocessor may, in lieu of the audit, submit existing compliance audit reports and certifications whose security standards (e.g., ISO27001, SOC2 etc.) conform to the objectives of the DPA. Customer shall have the discretion to accept or reject such reports and insist on a new audit of the subprocessor.
(g) Without prejudice to the rights granted in Section (b) above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI DSS, HIPAA or similar audit report or attestation letter issued by a qualified third party auditor within the prior twelve months and Evolv provides such report or attestation letter to Customer confirming there are no known material changes in the controls audited, Customer agree to accept the findings presented in the third party audit report or attestation letter in lieu of requesting an audit of the same controls covered by the report.
(h) In the absence of a recent audit report based on SOC, ISO, NIST, PCI DSS standards, Evolv might, in good faith, request a compliance plan deadline to initiate/conduct a fresh audit to the effect of this request. In such event, Evolv must commission an audit submit a report thereof no later than 12 months from the data of request.
5.3 Upon Customer's written request, Evolv shall make available all information reasonably necessary to demonstrate compliance with this DPA as required by Data Protection Laws.
5.4 Personal Data Breach Notification.
(a) If Evolv becomes aware of and determines a Personal Data Breach has occurred, Evolv will:
(i) notify Customer of the Personal Data Breach without undue delay and, in any case, as soon as practicable after such determination, at the contact information on file, where such notification shall describe (1) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (2) the reasonably anticipated consequence of the Personal Data Breach; (3) measures taken to mitigate any possible adverse effects; and (4) other information concerning the Personal Data Breach reasonably known or available to Evolv that Customer is required to disclose to a Supervisory Authority or Data Subjects under Data Protection Laws; and
(ii) investigate the Personal Data Breach and provide such reasonable assistance to the Client (and any law enforcement or regulatory official) as required to investigate the Personal Data Breach.
5.5 Except as required by applicable Data Protection Laws, the obligations set out in Section 5.4 shall not apply to Personal Data Breaches caused by Customer.
5.6 Evolv’s contact point for additional details regarding a Personal Data Breach is privacy@evolvtechnology.com Evolv’s provision of any notification of a Personal Data Breach shall not constitute an admission of fault.
5.7 Customer is solely responsible for fulfilling any Personal Data Breach notification obligations applicable to Customer. Customer and Evolv shall work together in good faith within the timeframes for Customer to provide Personal Data Breach notifications in accordance with Data Protection Laws to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Laws. Evolv’s prior written approval shall be required for any statements regarding, or references to, Evolv made by Customer in any such notifications.
5.8 Evolv Employees and Personnel. Evolv shall treat Customer Personal Data as the Confidential Information of Customer, and shall put procedures in place to ensure that:
(a) access to Customer Personal Data is limited to those employees or other personnel who have a business need to have access to such Customer
Personal Data; and
(b) any employees or other personnel with access to Customer Personal Data have committed themselves to confidentiality of Customer Personal Data or are under an appropriate statutory obligation of confidentiality and do not Process such Customer Personal Data other than in accordance with this DPA.
6. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
6.1 Save as required (or where prohibited) under applicable law, Evolv shall promptly notify Customer of any request received by Evolv or any Subprocessor from a Data Subject in respect of their Personal Data included in Customer Personal Data (“Data Subject Request”) and shall not respond to the Data Subject Request where the Data Subject identifies Customer as its Controller. If a Data Subject does not identify a Controller, Evolv will instruct the Data Subject to identify and contact the relevant Controller.
6.2 Where applicable, and taking into account the nature of the Processing, Evolv shall use reasonable endeavors to assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to Data Subject Requests as required by Data Protection Laws. In order to receive such assistance, Customer shall submit a support request to correct, delete, block, access or copy the Personal Data of a Data Subject.
7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
7.1 To the extent required under applicable Data Protection Laws, Evolv shall provide reasonable assistance to Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Evolv.
7.2 Such cooperation and assistance are provided to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Evolv and the extent that the effort required by Evolv to fulfil such requests could be negotiated with mutual cooperation. Evolv may fulfil its above obligations by providing Customer with documentation regarding its Processing operations.
8. RETENTION AND DELETION OF PERSONAL DATA
8.1 During the Term, the Services retain Personal Data for a period of time based on Customer’s configuration of the Services. The configuration settings may prescribe, for example, that certain Personal Data are only retained in the Equipment system memory and erased on reboot, or that that certain Personal Data are retained for so long as the applicable Services component has sufficient disk space, or that certain Personal Data are stored in the Services for upto seven, fourteen or thirty days depending on the specific storage artefact in the Express solution and its components. If, during the course of product evolution, Evolv changes these retention policies which could be deemed as a weaker security posture by the Customer, Evolv will make available all the foregoing options for retaining security posture which is compatible with the terms in the DPA. Depending on Customer’s configuration of the Services and Equipment, Customer shall have access to Personal Data for a period of time after termination or expiration of the Agreement.
8.2 Subject to Section 8.3 below, where deletion of Personal Data is not possible, Evolv will sufficiently de-identify Customer Personal Data that is reasonably capable of deidentification such that it is no longer Personal Data, except for compliance, audit, security, or Equipment configuration or Service optimization purposes.
8.3 Evolv and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and the PDPL
9. GENERAL
9.1 With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including but not limited to the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations for Customer Personal Data of a Data Subject. Notwithstanding the foregoing, and solely to the extent applicable to any protected health information (as defined under and regulated by the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA”)) (“HIPAA Data”), if there is any inconsistency or conflict between this DPA and a Business Associate Agreement between Evolv and Customer (the “BAA”), then the BAA shall prevail to extent the inconsistency or conflict relates to such HIPAA Data.
9.2 Evolv may share and disclose Customer Personal Data and other data of Customer in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of Evolv’s business by or to another company, including the transfer of contact information and data of customers, partners and end users.
9.3 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
SCHEDULE 1
APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES
Protection of Transferred Personal Data
Standard Contractual Clauses
Clause (1) Purpose and Scope
- The purpose of these Clauses is to ensure that an appropriate level of Personal Data protection equivalent to the level of protection applicable under the Personal Data Protection Law and its Implementing Regulations is applied in the absence of an appropriate level of Personal Data protection outside the Kingdom by specifying the obligations of the parties involved in the transfer of Personal Data to a country or international organization that does not have an appropriate level of Personal Data protection. Appendix (1) shows the data for both Data Exporters and Data Importers.
- These Clauses apply to the transfer of Personal Data as specified in Appendix (2) ("Personal Data to be Transferred or Disclosed").
Clause (2) Modification and Impact
- These Clauses set out appropriate safeguards, including rights of complaint by Personal Data Subjects, and cannot be amended except to select the appropriate template or to add or update information in the appendix.
- The parties may incorporate these Clauses into a comprehensive agreement or add other clauses or additional guarantees, provided they do not directly or indirectly conflict with these Clauses or infringe on the fundamental rights of Personal Data Subjects.
- These Clauses do not relieve any party from its obligations under the Law and Regulations, nor do they prejudice the provisions of the Laws and Regulations in force in the Kingdom or agreements to which the Kingdom is a party.
Clause (3) Rights of Personal Data Subjects
- These Standard Contractual Clauses are without prejudice to the rights of Personal Data Subjects under the Law and Regulations.
- Personal Data Subjects whose Personal Data is transferred from the parties based on these Standard Contractual Clauses may notify the Competent Authority ("Saudi Data & AI Authority") if they become aware of any violation of these Standard Contractual Clauses.
Clause (4) Interpretation
- Unless the context requires otherwise, the words and phrases used in these Clauses shall have the meanings assigned to them in Article (1) of the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH and amended by Royal Decree No. (M/148) dated 5/9/1444 AH, Article (1) of the Implementing Regulation of the PDPL and Article (1) of the Regulation on the Transfer of Personal Data Outside the Kingdom.
- These Clauses must be read and interpreted in light of and in accordance with the provisions of the Law and Regulations referred to in paragraph (a) of this Article, and may not be interpreted in any other way that is inconsistent with the provisions of the Law and Regulations.
Clause (5) Conflict
- In the event of a conflict between these Clauses and any provision in any other agreement between the parties, these Clauses shall prevail.
Clause (6) Details of Transfers
- The transfer(s), as well as the categories of Personal Data and the purposes of the transfers, are described in the Appendix.
Clause (7) Addition of New Parties
- Any Personal Data Importer or Personal Data Exporter who is not a party to these Standard Clauses may join these Standard Contractual Clauses by completing and signing Appendix (1), with the consent of the existing parties. The Joining Entity shall be either the Personal Data Importer or the Personal Data Exporter.
- Once Appendix (1) has been completed and signed, the Joining Entity shall be a party to these Clauses, and the newly Joined Entity shall, as of the date of joining, and assume the responsibilities depending on the nature of the Personal Data processing and transfer operations that occurred on or after the date of joining, and shall be entitled to exercise the rights and obligations corresponding to its role as defined in these Clauses.
Clause (8) Governing Law and Jurisdiction
- These Standard Contractual Clauses shall be governed by the applicable laws of the Kingdom of Saudi Arabia. Any dispute arising from the application of the provisions of these Clauses shall fall under the jurisdiction of the Kingdom and be vested in its courts. The Personal Data Importer, under these Standard Contractual Clauses, agrees to submit to the jurisdiction of the Kingdom of Saudi Arabia.
Clause (9) Compliance with the Requests of the Competent Authority
- Each party agrees to comply with any requests from the Competent Authority in relation to these Standard Contractual Clauses or the processing of transferred Personal Data.
- The Personal Data Importer agrees and commits to cooperate with the Competent Authority and comply with all its requests and inquiries and provide the necessary documents and information to ensure compliance with the Standard Contractual Clauses.
- The Personal Data Importer agrees to abide by the measures adopted by the Competent Authority, including corrective measures and compensation.
Clause (10) Compensation
- If any dispute arises between the Personal Data Subject and a party regarding compliance with the Standard Contractual Clauses, that party shall use all necessary means to settle the dispute amicably with the Personal Data Subject, and all parties shall inform each other of the existence of such dispute to ensure that it is resolved in cooperation with each other.
- The Personal Data Subject may submit to the Competent Authority any complaint arising from the application of the provisions of these Standard Contractual Clauses, in accordance with the procedures for submitting complaints specified by the Law and Regulations.
- The Personal Data Subject has the right to claim before the competent court for compensation for material or moral damage in proportion to the magnitude of the damage arising from the application of these Standard Contractual Clauses.
Clause (11) Personal Data Security
- All parties shall take the necessary organizational, administrative, and technical measures that ensure to maintain the privacy of personal Data against any breach at all stages of processing, including personal data security during the transfer process. In assessing the appropriate level of security, the Parties shall take into account the current state of technology, implementation costs, and the nature of the Personal Data transferred, as well as the nature, scope, context, purposes, the risks involved in the processing of the Personal Data, and specifically consider the application of encryption or de-identification, including during Personal Data transfer, where the purpose of the data processing can be achieved in this way.
- The Personal Data Exporter shall assist the Personal Data Importer in fulfilling the necessary data security requirements, and in the event of any Personal Data breach in relation to the transferred Personal Data processed by The Personal Data Exporter under these Standard Contractual Clauses, The Personal Data Exporter shall notify the Personal Data Importer without delay after becoming aware of such breach and shall assist the Personal Data Importer in containing such breach.
- The Data Exporter ensures that persons authorized to process the transferred Personal Data are bound by confidentiality and non-disclosure under an appropriate legal obligation of confidentiality and non-disclosure.
Clause (12) Duration and Termination
- If, for any reason, the personal Data Importer is unable to fulfill its obligations under these Standard Contractual Clauses, it must inform The Personal Data Exporter within forty-eight (48) hours from the time it becomes aware of this.
- In the event that the personal Data Importer violates these Standard Contractual Clauses or is unable to comply with them, the personal Data Exporter shall immediately cease the transfer of Personal Data to the Personal Data Importer until the Personal Data Importer ensures its return to compliance again, provided that the Personal Data Importer shall be given a period of (30) days, extendable for a similar maximum period, to prove its ability to comply with these Clauses, and if the period expires without achieving this, the two parties shall agree to terminate the contract, without any liability for the Personal Data Exporter or Controller, as the case may be.
- The Personal Data Exporter or Controller, as the case may be, shall ensure that all Personal Data previously transferred to the Personal Data Importer is fully destroyed before terminating the Standard Contractual Clauses under paragraph (b) above. It shall also ensure that any copies it has of such personal data are destroyed.
- The Personal Data Importer must document the destruction of the data, and this documentation must be provided to the Personal Data Exporter or controller upon request.
- The Personal Data Importer must continue to ensure - until the data is destroyed - that it complies with these Standard Contractual Clauses.
Clause (13) Protection of Transferred Personal Data
- The Personal Data Exporter and the Personal Data Importer shall process the transferred Personal Data according to the nature and purposes of the transfer as follows:
Template: Controller to Processor
The Personal Data Importer shall only process the transferred Personal Data based on written instructions from the Personal Data Exporter. Accordingly, if the Personal Data Importer is unable to follow the instructions, it shall inform the Personal Data Exporter in writing without undue delay.
The Personal Data Importer shall process the transferred Personal Data in accordance with the purposes specified in Appendix (2), unless otherwise directed in writing by the Personal Data Exporter, provided that the Personal Data shall be processed in accordance with the provisions of the Law and its Implementing Regulations in all cases.
If The Personal Data Importer realizes that any Personal Data transferred is inaccurate or not up-to-date, it shall inform the Personal Data Exporter in writing without undue delay, in which case the Personal Data Importer shall destroy the Personal Data and notify the Personal Data Exporter accordingly, unless the Personal Data Exporter is instructed not to destroy the data because it wishes to correct the transferred Personal Data.
Without prejudice to any restrictions related to sensitive data stipulated in the Law and the Implementing Regulations of the Law, the Personal Data Exporter shall ensure that the Personal Data Importer adopts additional means of protection commensurate with the nature of the sensitive data and guarantees its protection from any risks when processing it, while ensuring that the restrictions and additional guarantees described in Appendix (2) are applied.
- COMPETENT SUPERVISORY AUTHORITY
If you have any concerns, or if we do not comply with the Personal Data Protection Law, you can file a complaint to Evolv Privacy at privacy@evolvtechnology.com.
If you are not satisfied with how we process your complaint, or if we fail to respond within 30 days, you can file a complaint to the Competent Authority, the Saudi Data and Artificial Intelligence Authority at:
•Website: sdaia.gov.sa.
•National Data Governance Platform (DGP) (dgp.sdaia.gov.sa).
You can exercise any of these rights by contacting us using the Contact Us page or at privacy@evolvtechnology.com.
ANNEX II
Evolv agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by applicable data protection law(s). Such measures will include:
1. Establish and maintain an information security program designed to (i) protect the security and confidentiality of data exporter’s Personal Data; (ii) protect against any anticipated threats or hazards to the security or integrity of data exporter’s Personal Data; (iii) protect against unauthorized access to or use of data exporter’s Personal Data; and (iv) ensure the proper disposal of data exporter’s Personal Data.
2. Provide security awareness and training programs delivered not less than annually, for all Evolv personnel who access data exporter’s Personal Data.
3. Maintain controls that provide reasonable assurance that access to data importer’s physical servers at its production data center (“Systems”) is limited to properly authorized individuals and that environmental controls are established to detect, prevent, and control destruction due to environmental extremes. Logging and monitoring of unauthorized access attempts made to the Systems by the data center security personnel, and camera surveillance systems at critical internal and external entry points to the data center.
4. Maintain policies and procedures designed to protect the confidentiality, integrity, and availability of Personal Data and protect it from unauthorized disclosure, alteration, or destruction. For clarity, data importer does not control data exporter’s user-facing configuration of any data importer software and is not responsible for any of the foregoing obligations and protections to the extent they are controlled by data exporter’s configuration of the software. Data importer will provide guidance on the recommended configuration of user-facing software.
5. Maintain a security incident response plan that includes procedures to be followed in the event of any incident that results in a Personal Data Breach. The procedures include:
a. Roles and responsibilities: formation of an internal incident response team with a response leader
b. Investigation: assessing the risk the Personal Data Breach poses and determining which customers may be affected
c. Communication: internal reporting as well as a notification process to data importer customers and other applicable third parties.
6. Implement storage and transmission security measures designed to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network.
Such measures include requiring NIST acceptable encryption of any Personal Data stored on desktops, laptops or other mobile computer devices. Data importer will encrypt sensitive data when transmitted over public networks.
ANNEX III
The data exporter has authorized the use of the following subprocessors:
Please see https://learn.evolvtechnology.com/express-subprocesser-list
Service Terms
Effective March 11th 2024
DownloadTable of Contents
with the same or equivalent terms, and the following words and expressions shall have the following meanings unless the context otherwise requires.