Evolver LLC EU-U.S. Data Privacy Framework

Evolver LLC EU-U.S. Data Privacy Framework

Introduction

Evolver LLC (“Evolver,” “we,” “us,” or “our”) receives and processes information (in paper and electronic format) following its clients’ instructions for the purpose of providing legal data support services, including legal review, repository holding, data management, and forensics.  Evolver provides services from forensic collection to managed hosting and document review. Examples of personal data that may be collected include: full name, address, telephone or mobile number, business and home contact details including e-mail addresses and telephone numbers, health information, medication adherence information, video information including images of a user’s face, audio information, and demographic information. Personal data may further include any information that identifies an individual, but does not include information that has been encoded, encrypted, or otherwise anonymized. This data is shared only with the clients’ outside counsel and the client for their review and preparation in response to U.S. litigation.  At Evolver, we recognize the importance of privacy to our clients, and we strive to safeguard all personal information we may receive and may need to use to support our clients. 

Evolver adheres to the set of data privacy and data protection principles developed in consultation by the United States Department of Commerce (DOC), in collaboration with the European Commission, producing the EU-U.S. Data Privacy Framework Documents.                    

Evolver LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Evolver has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Evolver has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in these data privacy and data protection policies and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission has jurisdiction and enforcement authority over Evolver’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

SCOPE

This Policy applies to all personal information received by Evolver from the EU, the UK, Gibraltar, and Switzerland. In most cases, the data we receive will be in electronic format and relate to our clients and their business activities. It may include personal information about our clients’ employees, business contacts, customers, and any other individuals our clients deal with. When we receive and process personal information provided to us by our clients, we do so as a “data processor” acting on the instructions of our clients and/or the court systems.  Evolver does not actively collect personal information from individuals in the EU or Switzerland. Evolver’s possession and use of personal information is incidental to our primary task of providing electronic discovery services to our clients.

DEFINITIONS

  1. “Personal Information” means any information that is transferred from the European Union, United Kingdom, Gibraltar, or Switzerland to the United States; is recorded in any form; relates to an identified or identifiable natural person; and can be used, alone or in combination with other data, to directly or indirectly identify that individual. Examples include, but are not limited to: full name, physical address, telephone or mobile number, business and home contact details including email addresses and fax numbers, demographic information, video data including images of a user’s face, audio information, and health-related information such as medication adherence. Personal Data does not include data that has been encoded, encrypted, anonymized, or otherwise rendered unidentifiable.
  2. “Sensitive Information” means a category of Personal Data that includes information revealing or concerning an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where processed to uniquely identify an individual), sexual orientation, or health-related information, including mental or physical conditions and medical treatment. Sensitive Data is subject to heightened protection under the EU-U.S. Data Privacy Framework and typically requires affirmative (opt-in) consent before collection or processing, unless otherwise permitted by applicable law.
  3. “Agent” means any third party such as a service provider, contractor, document review company, hosting vendor, software vendor, or subprocessor who collects, processes, stores, or transmits Personal Information on behalf of and under the instruction of Evolver in connection with the delivery of services. This includes agents located within or outside of the United States. All Agents must enter into binding agreements with Evolver, including data protection, confidentiality, and non-disclosure terms that meet or exceed the safeguards required by the Data Privacy Framework Principles. Evolver remains responsible and liable under the DPF Principles if an Agent processes Personal Data in a manner inconsistent with those Principles, unless Evolver proves it is not responsible for the event giving rise to the damage.
  4.  

DATA PRIVACY FRAMEWORK PRINCIPLES

Evolver affirms its participation in the EU-US and Swiss-US Data Privacy Frameworks as well as the UK extension. The practices to which Evolver is committed are based on the DPF Principles negotiated between their respective government agencies and the United States Department of Commerce. Evolver’s adherence provides the legal basis for the transfer of personal information from the EU, UK, Gibraltar, and Switzerland to the U.S. in accordance with DPF requirements and Framework Principles. Evolver’s execution of these principles may be limited in certain circumstances, in particular:

(a) where there is a conflicting or overriding legal obligation;

(b) to the extent expressly permitted by any applicable law, rule, or regulation; or

(c) where Evolver receives personal information as a “data processor” acting on the instructions of a client.

As a processor, Evolver’s primary responsibilities are limited to onward transfer, security, access, and enforcement. Evolver’s client remains responsible for providing data subjects with notice, choice, and maintaining data integrity.

Evolver also affirms its participation in the EU-US and Swiss-US Data Privacy Frameworks, as well as the UK extension. Adherence by Evolver to these Principles provides the necessary level of protection required by the EU, the UK, and Swiss Directives for the transfer of personal information outside the EU, the UK, Gibraltar, and Switzerland.  Evolver’s execution of these principles may be limited in certain circumstances, in particular:

(a) where there is a conflicting or overriding legal obligation;

(b) to the extent expressly permitted by any applicable law, rule, or regulation; or

(c) where Evolver receives personal information as a “data processor” acting on the instructions of a client.

As Evolver will receive personal information from the EU, UK, Gibraltar, and/or Switzerland for processing, its principal obligations are limited to onward transfer, security, access, and enforcement. Evolver’s client remains responsible for notice, choice, and data integrity.

NOTICE: Evolver receives data to be processed and/or stored, the contents of which may or may not be identifiable Personal Information or Sensitive Information.  Should Evolver be engaged to collect Information from individuals in the EU, the UK, Gibraltar and/or Switzerland, it will inform individuals of the purposes for which it collects and uses their Personal Information or Sensitive Information, the types of third parties (if any) to which Evolver may disclose that Information, and the choices and means, if any, that Evolver offers individuals for limiting the use and disclosure of their Information. Notice will be provided in clear language when individuals are first asked to provide Information to Evolver, or as soon as practicable thereafter, and in any event before Evolver uses such Information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

CHOICE: Given that Evolver’s services are directed by our clients and frequently by legal proceedings, choice may be limited. Where Evolver is the collector of Personal Information or Sensitive Information and Choice is permissible, it will offer individuals the opportunity to choose (opt-out or opt-in) whether their Information is:

(a) to be disclosed to a third party (unless that disclosure is allowed or required by contract), or

(b) to be used for a purpose that is not consistent with the purpose for which that

 Personal Information or Sensitive Information was originally collected or subsequently authorized by the individual.

We will provide an individual opt-out choice, or opt-in for Sensitive Information, before we share your data with third parties other than our agents, or before we use it for a purpose other than for which it was originally collected or subsequently authorized.  To request to limit the use and disclosure of your personal information, please submit a written request to Evolver-ethics@evolverinc.com

ONWARD TRANSFERS: In the event Evolver must transfer Personal Information or Sensitive Information to a document review company, Evolver will obtain assurances from its Agents, prior to such transfer, that they will safeguard the Personal Information or Sensitive Information in a manner consistent with this Policy. The client, not Evolver, engages with the document review company.  The client shall give written approval to Evolver to allow the document review company selective access based on litigation review requirements. Every Agent utilized enters into a contractual relationship with Evolver, which includes confidentiality and non-disclosure clauses, and provides the same level of commitment to and protections as required by the DPF Principles.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Evolver’s accountability for personal data that it receives in the United States under the DPF and subsequently transfers to a third party acting as its agent is described in the DPF Principles. Evolver remains responsible and liable under the DPF Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the principles, unless Evolver proves that it is not responsible for the event giving rise to the damage.

SECURITY: Evolver takes reasonable precautions to protect Personal Information or Sensitive Information in its possession from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Evolver utilizes a Tier III, ISO 27001:2013 (updated 2022) certified data facility that employs an array of security equipment, techniques, and procedures to control, monitor, and record access to the facility, including individual cages.

DATA INTEGRITY: Evolver will use Personal Information or Sensitive Information only in ways that are relevant and compatible with the purpose for which that information was collected or provided to Evolver. Evolver will take reasonable steps to ensure that all data collected, processed, and/or stored is protected from destruction, corruption, or use in a manner inconsistent with the purpose for which it received the information was collected.

ACCESS:  Pursuant to the DPF Principles, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States.  We will provide you access to the Personal Information or Sensitive Information we hold about you upon request.  You may also correct or amend the personal information we hold about you.  You may also demand the erasure of data that has been handled in violation of the DPF Principles. An individual who seeks access to correct, amend, or delete inaccurate data transferred to the United States under DPF should direct their query to Evolver-ethics@evolverinc.com.  If requested to remove data, we will respond within a reasonable timeframe.

DATA SUBJECT RIGHTS: In accordance with DPF, individuals also have the right to object to processing, restrict processing, and request data portability. Evolver will honor such requests where applicable. Individuals may also request processing confirmation, obtain a copy of their personal data in a commonly used electronic format, and seek clarification about how their data is used. Evolver will act on valid data subject requests without undue delay and within the timelines established under DPF Principles.

DSAR HANDLING: Evolver has a documented internal DSAR workflow that governs the intake, verification, fulfillment, and closure of Data Subject Access Requests (DSARs). Once a request is received, the request is logged, verified, and assigned to a designated resource. Relevant data is collected, filtered for relevance, and redacted for sensitive content (such as PII and PHI). All steps are tracked to ensure timely compliance and transparency.

ENFORCEMENT: Evolver will conduct compliance audits at least annually of its relevant data privacy and data protection practices to verify adherence to this Policy and will self-certify with the U.S. Department of Commerce. Further, Evolver will conduct follow-up investigations to verify that attestations and assertions regarding practices are true. Evolver maintains an Ethics hotline (Evolver-ethics@evolverinc.com) to which violations and/or complaints may be made, and Evolver engages in training to support implementation and compliance. Any employee who Evolver determines is in violation of this Policy will be subject to disciplinary action.

DISPUTE RESOLUTION AND RECOURSE FOR PRIVACY COMPLAINTS: In compliance with the DPF Principles, Evolver commits to resolving complaints about your privacy and our collection or use of your Personal Information or Sensitive Information transferred to the United States pursuant to the DPF Principles. European Union and Swiss individuals with DPF inquiries or complaints should first contact Evolver by email at Evolver-ethics@evolverinc.comor via post at:

Evolver LLC
Ethics and Compliance Officer
11800 Sunrise Valley, Suite 900
Reston, VA  20191

Evolver has further committed to refer unresolved privacy complaints under the EU-US Data Privacy Framework Principles (DPF) to an independent dispute resolution mechanism, the BBB NP Data Privacy Framework Services. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you. 

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction

CONTACT INFORMATION

Please refer all questions or comments regarding this Policy to:

Evolver LLC
Ethics and Compliance Officer
11800 Sunrise Valley Drive, Suite 900
Reston, VA  20191
(703) 742-4090
(888) 742-4090
(703) 889-9255 – Hotline
mailto:privacy@evolverinc.com

This EU-US Data Privacy Framework policy is available at www.evolverinc.com/data-privacy-framework

CHANGES TO THIS EU-US DATA PRIVACY FRAMEWORK

This Policy may be amended from time to time to remain consistent with the requirements of the EU-US Data Privacy Framework Principles.

The effective date of this EU-US Data Privacy Framework is: July 2025

Linkedin

Helpful Links

Company
Privacy Notice
Careers
Contact

Evolver LLC EU-U.S.
Data Privacy Framework

Strategic teams

Evolver Federal
Evolver Commercial
Evolver Legal Services

Capabilities

Cybersecurity
Enterprise Infrastructure
App Dev & Cloud Servicess
eDiscovery & Legal Technology

Headquarters

11800 Sunrise Valley Dr, Suite 900
Reston, VA 20191
888 742 4090

Detroit Location

30700 Telegraph Road
Suite 1651
Bingham Farms, MI 48025

Copyright © Evolver 2024. All Rights Reserved