Preferences

Privacy is important to us, which is why you have the option to disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect your experience on the site. Learn more.

Accept all cookies

These elements are required to enable the basic functionality of the website.

Always active

These items are used to deliver advertising that is more relevant to you and your interests.

These elements allow the website to remember choices you make (such as your username, language, or the region you are in) and provide enhanced, more personalized features.

These elements help the website owner understand how their website is functioning, how visitors interact with the site, and whether there might be technical issues.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Cookies Icon

Data Processing Agreement

Last Updated: July 2025

Evolution Workforce Inc., a New York corporation (“Evolution Workforce,” “Company,” “we,” “us,” or “our”), and [Client Name] (“Client”) hereby enter into this Data Processing Agreement (this “DPA”). This DPA is effective as of the date of the last signature below and is incorporated into and forms part of the Master Services Agreement (the “MSA”) and any applicable Statement of Work (“SOW”) between Evolution Workforce and Client. In the event of any conflict between this DPA and the MSA or any applicable SOW, the terms of the MSA shall govern, except to the extent that this DPA expressly states otherwise or is required by applicable law. All other provisions of the MSA remain in full force and effect.

This DPA sets forth the parties’ obligations regarding the processing of personal data in connection with Evolution Workforce’s services under the MSA. For purposes of this DPA, Evolution Workforce will act as a data processor (or “service provider”) on behalf of the Client (the data controller) with respect to personal data that Client provides or that Evolution Workforce processes on Client’s behalf in the course of delivering Employer-of-Record and related services. Evolution Workforce is a U.S.-based company that provides services exclusively to clients in the United States; accordingly, the parties agree to implement data protection measures consistent with high industry standards and best practices to safeguard all personal data. Each party will comply with all applicable data protection and privacy laws with respect to personal data processed under the MSA, including all relevant U.S. federal and state privacy laws.

1. Definitions

For purposes of this DPA, the following terms have the meanings set forth below:

  • Personal Data: Any information relating to an identified or identifiable natural person that is processed by Evolution Workforce on behalf of Client under the MSA. This includes personal data about individuals such as Placed Employees (as defined in the MSA) and Client’s personnel or other data subjects, which may encompass identification details, contact information, employment and payroll details, and other data provided by Client for the Services.

  • Processing: Any operation or set of operations performed on Personal Data, whether by automated means or otherwise, such as collection, recording, organizing, storing, altering, retrieving, using, disclosing, or deleting (and related terms like “Process” or “Processed” shall be construed accordingly).

  • Sub processor: Any third-party service provider engaged by Evolution Workforce to Process Personal Data on its behalf for the purpose of delivering the Services to Client.

Note: Other capitalized terms used but not defined in this DPA (such as “Services,” “Placed Employee,” or “Confidential Information”) have the meanings given to them in the MSA.

2. Data Processing Details

The processing of Personal Data by Evolution Workforce under this DPA shall encompass the following:

  • Subject Matter and Nature: Evolution Workforce will process Personal Data as necessary to provide the Services specified in the MSA and/or SOW, including employer-of-record HR administration, payroll processing, benefits administration, and related support services. This processing may involve operations such as collecting information from Client, storing and organizing it in Evolution Workforce’s systems (including secure cloud platforms), using it to carry out HR and payroll tasks, and transferring it to authorized recipients (e.g. payroll processors, tax authorities, benefits providers) as needed to perform the Services in accordance with Client’s instructions.

  • Categories of Data and Data Subjects: The Personal Data processed under this DPA typically relates to the following categories of individuals and information:

    • Placed Employees: Individuals employed by Evolution Workforce and assigned to work for Client under an SOW. Personal Data about Placed Employees may include identifying information (name, date of birth, government identification numbers), contact details (address, telephone number, email), employment details (job title/role, work location, hours worked, supervisor), work qualifications or background (education, work history, certifications), and payroll/benefits information (bank account details for direct deposit, compensation information, tax withholding data, benefits enrollment data).

    • Client Personnel: Contact persons or staff of Client who interact with Evolution Workforce or the Placed Employee (for example, managers or HR contacts at Client’s organization). For such individuals, Personal Data may include business contact information (name, work email, phone number, job title) and any other information Client provides to facilitate the Services (for example, project details or system access credentials needed for a Placed Employee’s work).

    • Other Individuals (if applicable): Any other data subjects whose Personal Data Client may provide or direct Evolution Workforce to process as part of the Services. (At present, Evolution Workforce’s role generally does not involve processing personal data of Client’s customers or end-users. If in the course of a Placed Employee’s assignment such data is accessed or used, Client is responsible for ensuring any necessary consent or legal basis for that access, and such data should be handled in accordance with Client’s own policies. Evolution Workforce will treat any such data that comes into its possession as Confidential Information and will process it only as instructed by Client.)

  • Purpose of Processing: The purpose of the processing is strictly limited to enabling Evolution Workforce to perform the Services on behalf of Client. This includes using Personal Data to onboard and pay Placed Employees, to administer employment benefits and ensure compliance with employment requirements, to coordinate work assignments, and to otherwise fulfill Evolution Workforce’s obligations and Client’s instructions under the MSA. Evolution Workforce shall not use Personal Data for any other purpose except as required by law or expressly authorized by Client.

  • Duration: This DPA (and the processing obligations herein) shall remain in effect for as long as Evolution Workforce retains or processes Personal Data in connection with the Services. In general, processing will continue for the duration of the underlying MSA and any SOWs. Upon termination or expiration of the Services, Evolution Workforce will cease processing and will return or securely delete Personal Data as described in Section 9 below. Residual copies of Personal Data may be retained in backups or as required by law, in which case protection of the data will continue for as long as it is retained in any form.

3. Processing on Instructions

Evolution Workforce will process Personal Data only on documented instructions from Client and for the purposes described in the MSA, SOW, and this DPA. Evolution Workforce shall not access, use, or disclose Personal Data except as necessary to provide the Services and in accordance with Client’s instructions. By default, the provisions of the MSA and any applicable SOW (together with any direct written or verbal instructions from Client in the course of service delivery) shall constitute Client’s instructions to Evolution Workforce. If Evolution Workforce believes any instruction from Client violates applicable law or this DPA, it will promptly inform Client and may delay or refuse to follow such instruction until confirmed or modified by the parties. Evolution Workforce will not “sell” or “share” Personal Data for monetary or other valuable consideration, nor use Personal Data for its own marketing or other purposes outside the scope of the agreed Services (consistent with Evolution Workforce’s role as a “service provider” under U.S. privacy laws). Evolution Workforce may Process Personal Data as required by law or legal order, but if it is obligated to do so, it will inform Client in advance (and provide a copy of the legal demand) unless legally prohibited from doing so.

4. Confidentiality and Personnel

Personal Data handled under this DPA is deemed Confidential Information of Client. Evolution Workforce shall ensure that any persons it authorizes to process Personal Data (including its employees and agents, and any Placed Employees to the extent they have access to Client data during their assignment) are subject to appropriate confidentiality obligations. Evolution Workforce will restrict Personal Data access to personnel who need such access to fulfill Evolution Workforce’s duties, and will impose confidentiality duties or agreements on those individuals that are at least as protective as the confidentiality obligations in the MSA. Evolution Workforce confirms that all employees engaged in processing Personal Data are trained in data protection and understand their obligations to protect Personal Data. In addition, any Placed Employees will sign confidentiality and non-disclosure agreements for the benefit of Client before being given access to Client’s Confidential Information (including any personal data of Client or its customers). Evolution Workforce will instruct and require Placed Employees to safeguard Client data and use it only for authorized purposes while performing their work for Client. These confidentiality commitments shall survive termination of the DPA.

5. Security Measures

Evolution Workforce will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, alteration, or damage. Such measures shall be commercially reasonable and in line with industry standards, taking into account the sensitivity of the Personal Data and the nature of the Services. At a minimum, Evolution Workforce’s data security program will include: access controls to restrict access to Personal Data on a need-to-know basis; authentication and authorization mechanisms for its systems; encryption of Personal Data in transit and at rest (where feasible); network security protections (such as firewalls, intrusion detection systems, secure VPNs for remote access); endpoint protection for devices (e.g. up-to-date antivirus/anti-malware software and device management enforcement); and regular monitoring and testing of security controls. Evolution Workforce utilizes enterprise-grade security tools and infrastructure as described in the MSA – for example, mobile device/application management (e.g. Microsoft Intune) to ensure secure, compliant devices; advanced endpoint threat detection and response software (e.g. CrowdStrike Falcon) on Placed Employee devices; encrypted VPN connectivity (e.g. NordLayer) for remote access to Client systems; and user activity monitoring tools (e.g. Teramind) for work oversight. Evolution Workforce will periodically review and update its security measures to adapt to new threats or follow evolving best practices.

Security Compliance: Each party agrees to implement and maintain appropriate technical and organizational measures to protect the Personal Data in its possession. Client is responsible for the security of Personal Data within its own IT environments and for any accounts or credentials it provides to Placed Employees. (Client should limit Placed Employees’ access permissions to only what is necessary and is responsible for maintaining the security of its systems.) Evolution Workforce will not be liable for unauthorized access to or loss of data caused by Client’s failure to secure its own systems, or by a Placed Employee’s actions outside of Evolution Workforce’s reasonable control (except to the extent such incident is directly caused by Evolution Workforce’s breach of its own security obligations). If Evolution Workforce detects any security vulnerability or incident that could imminently jeopardize Client’s data, it will inform Client and take appropriate remedial actions.

6. Use of Subprocessors

Client acknowledges and authorizes that Evolution Workforce may engage Subprocessors (subcontractors) to assist in delivering the Services, such as providers of cloud hosting, data storage, payroll processing, analytics, or customer relationship management platforms. (For example, Evolution Workforce uses HubSpot as its CRM, which may involve processing of Client contact information to support Evolution Workforce’s business operations on behalf of Client.) When engaging any Subprocessor, Evolution Workforce will impose data protection obligations on the Subprocessor that are at least as protective of Personal Data as those in this DPA. Evolution Workforce remains fully liable to Client for any acts, omissions, or breaches by its Subprocessors in the performance of services that involve Client’s Personal Data. A current list of Subprocessors (by category or name) can be made available to Client upon request. Evolution Workforce will notify Client of any intended addition or replacement of Subprocessors that will handle Client’s Personal Data, giving Client the opportunity to object on reasonable, lawful grounds. If Client has a legitimate objection to a new Subprocessor that cannot be resolved, Client may have the right to terminate the portion of the Services affected by that Subprocessor, in accordance with the termination provisions of the MSA.

7. Data Breach Notification

In the event Evolution Workforce becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Evolution Workforce (a “Personal Data Breach”), Evolution Workforce will notify Client without undue delay. Such notification will be made promptly after discovery of the incident, and no later than 72 hours after confirming that a Personal Data Breach involving Client’s data has occurred, to the extent feasible. The notice to Client will include, to the extent known at the time, relevant information about the nature of the incident. Specifically, the breach notification will describe:

  • What happened: A description of the breach, including the likely causes, what occurred, and when the incident was discovered (and, if known, when it began).

  • Data affected: The categories of Personal Data and approximate number of data records or individuals affected (to the extent determinable).

  • Impact: The known or potential consequences of the breach, particularly any risks to the rights or privacy of individuals.

  • Remediation: The measures taken or proposed by Evolution Workforce to address the breach, including steps to mitigate any harm and prevent a recurrence of such an incident.

Evolution Workforce will promptly take appropriate steps to contain, investigate, and remediate any Personal Data Breach. It will cooperate with Client’s reasonable requests in connection with the breach, including providing information or assisting with any notifications that Client may be legally required to make (for example, to regulators or affected individuals). The parties agree to coordinate in good faith on breach response; Evolution Workforce will not communicate with any third party about a confirmed breach involving Client’s data (other than engaging a security forensics team, law enforcement, or its own legal counsel/insurers) without prior consent from Client, unless such communication is legally mandated. If disclosure to a third party (e.g. law enforcement or a regulator) is required by law, Evolution Workforce will inform Client beforehand, if permitted. Both parties shall keep each other informed of significant developments during the investigation and resolution of a breach incident.

8. Assistance with Data Subject Rights and Compliance

Evolution Workforce will provide reasonable assistance to Client to fulfill Client’s obligations to individuals (data subjects) and to regulators, as may be required under applicable privacy laws. This includes cooperating with Client in responding to any inquiries, complaints, or requests from individuals to exercise their rights under such laws (for example, requests to access, correct, or delete Personal Data held by Evolution Workforce on Client’s behalf). If Evolution Workforce receives any request or communication directly from an individual concerning Personal Data that Evolution Workforce processes on Client’s behalf, it will promptly forward the request to Client and refrain from responding directly unless authorized by Client or required by law.

Additionally, Evolution Workforce will assist Client with broader compliance obligations, such as:

  • Privacy Impact Assessments: Providing relevant information about Evolution Workforce’s processing activities to enable Client to conduct any data protection or privacy impact assessments required by law.

  • Regulatory Inquiries: Supporting Client in consultations with, or in responding to investigations or inquiries initiated by, any governmental or regulatory authority concerning the Personal Data processing under the MSA.

For any such support, each party is responsible for its own costs or fees incurred in fulfilling data subject requests or regulatory obligations. Evolution Workforce’s routine assistance as described above shall be provided at no additional charge to Client to the extent such cooperation remains reasonable and limited in scope. If Client’s requests for assistance become excessively burdensome or beyond what is required under applicable law, the parties will discuss in good faith any necessary adjustments or cost-sharing for such assistance. Both parties acknowledge that the cooperation obligations outlined in this section are an important component of this DPA, and Evolution Workforce will maintain adequate measures and internal processes to enable it to assist Client as needed.

9. Return or Deletion of Data

Upon expiration or termination of the MSA and the related Services, Client has the right to decide whether Personal Data in Evolution Workforce’s possession should be returned or deleted. Upon Client’s written request, Evolution Workforce will either return all relevant Personal Data to Client (in a commonly readable electronic format) or securely delete and render unrecoverable all Personal Data that Evolution Workforce has processed on Client’s behalf. Such deletion will include removing Personal Data from active systems and directories within a reasonable timeframe. If Client does not request return or deletion, then within a reasonable period following termination, Evolution Workforce will proceed to securely delete the Personal Data in its systems as a matter of course. In all cases, Evolution Workforce may retain one archival copy of Personal Data if required for legal, tax, or compliance purposes, or if automatically stored in routine IT backups, provided that any retained data remains subject to the confidentiality and security obligations of this DPA. Evolution Workforce will not retain Personal Data longer than necessary for such permitted purposes. Upon Client’s request, Evolution Workforce will certify in writing that it has complied with the obligations of this section regarding the return or deletion of Personal Data.

10. Audit Rights

Client, as the data controller, has the right to verify Evolution Workforce’s compliance with the data protection obligations set forth in this DPA. Evolution Workforce will make available to Client all information reasonably necessary to demonstrate such compliance and will allow for and contribute to audits or inspections as described below:

  • Documentation and Reports: Upon request, Evolution Workforce can provide Client with relevant documentation or summary audit reports that demonstrate the effectiveness of Evolution Workforce’s security measures and its compliance with this DPA. For example, if Evolution Workforce undergoes regular third-party security audits or maintains certifications (such as SOC 2, ISO 27001, or similar), it may share pertinent reports or executive summaries under appropriate confidentiality protections to satisfy Client’s audit requirements.

  • On-Site Audit: If further verification is required, Client may conduct an on-site audit of Evolution Workforce’s relevant processes and systems no more than once annually, with at least thirty (30) days’ prior written notice to Evolution Workforce. Such audit will be conducted during normal business hours and in a manner that minimizes disruption to Evolution Workforce’s operations. Client may elect to have a qualified independent auditor perform the inspection on its behalf, provided that the auditor is bound by appropriate confidentiality obligations. Evolution Workforce will reasonably cooperate with the audit process, including providing access to knowledgeable personnel and relevant records, so long as such access does not compromise the confidentiality of other clients’ data or Evolution Workforce’s other obligations.

  • Costs and Confidentiality: Each party shall bear its own costs in relation to any audit. If an audit request from Client is unduly burdensome, beyond the scope of what is required under applicable law or this DPA, or could jeopardize Evolution Workforce’s other clients or obligations, the parties agree to negotiate in good faith to set appropriate parameters for the audit (for example, adjusting the scope or timing, or relying on a recent third-party audit report acceptable to both parties). All information obtained or observed by Client (or its designated auditor) during an audit shall be deemed Evolution Workforce’s Confidential Information and shall be handled in accordance with the confidentiality provisions of the MSA.

These audit rights are intended to satisfy requirements under applicable data protection laws and industry standards by providing Client a mechanism to verify Evolution Workforce’s data protection compliance. If a government or regulatory authority with jurisdiction over Client’s business requires an audit or inspection beyond the scope of this section, Evolution Workforce will permit such audit, provided that reasonable notice is given and appropriate confidentiality measures are in place.

11. Liability and Indemnity

Each party’s liability arising under or in connection with this DPA shall be subject to the limitations and exclusions of liability (such as caps on damages) set forth in the MSA. This includes any aggregate liability caps and the types of recoverable damages agreed to in the MSA, except that no limitation of liability shall apply to any liability which cannot be limited under applicable law. The parties acknowledge that Evolution Workforce’s fees under the MSA reflect the allocation of risk and the limitations of liability agreed herein.

Client remains responsible for its own compliance with data protection laws as the data controller, including the lawfulness of the personal data that it instructs Evolution Workforce to process. Client shall indemnify and hold harmless Evolution Workforce from any third-party claims, damages, or fines arising from Client’s breach of its obligations under this DPA or applicable data protection laws (for example, if Client provides Evolution Workforce with Personal Data that was collected without a necessary legal basis or consent, or if Client’s instructions violate applicable law). Likewise, Evolution Workforce shall indemnify and hold harmless Client from any third-party claims, damages, or regulatory fines arising from Evolution Workforce’s breach of its obligations under this DPA or applicable data protection laws, to the extent not caused by an act or omission of Client or by Client’s instructions. Any indemnification under this section is subject to the notice, procedure, and liability cap provisions set forth in the MSA’s indemnification and limitation of liability sections.

12. Miscellaneous

This DPA is governed by the same governing law and jurisdiction (and dispute resolution process) as the MSA. No modification of this DPA is effective unless in writing and signed by both parties (or otherwise executed in accordance with the amendment procedures of the MSA). This DPA (together with the MSA and any SOW) constitutes the entire agreement between the parties with respect to its subject matter and supersedes any prior discussions or understandings specifically regarding data processing. If any provision of this DPA is found to be invalid or unenforceable, the remainder of the DPA shall remain in full force and effect, and the parties will negotiate in good faith to modify the invalid provision so that it reflects the parties’ intention as closely as possible. This DPA may be executed in counterparts and via electronic signature or electronic consent, with the same effect as an original signed document.

13. Availability of DPA on Website

For transparency, Evolution Workforce will publicly reference the availability of this DPA on its website. Clients and prospective clients can find a reference or link to the Data Processing Agreement on Evolution Workforce’s “Trust” or “Security” page (and/or in the website footer), and may download a copy for review. This public notice is provided to inform all clients that a robust Data Processing Agreement is in place as part of Evolution Workforce’s commitment to data protection. If this DPA is updated, the website will be updated to reflect the latest version, and material changes will be communicated to Clients as appropriate.

Let’s Build Your Global Team

Hiring doesn’t have to be complicated. Evolution Workforce gives you access to top global talent without the stress of international employment.

Schedule Your Free Consultation
Globe