Terms of Use

1. Personal Data Collection

We collect personal data that is necessary to operate our business, provide our EOR services, and improve our website. The types of Personal Data we collect and the sources of that information include:

‍Contact and Identity Information: This includes identifiers such as full name, email address, telephone number, physical address, and other contact details. We collect this information when you fill out forms on our site (e.g. requesting a demo or information), correspond with us, or enter into contracts. For example, if you request a proposal or create an account, we may ask for your name, business email, company name, and job title. We may also collect government-issued identifiers (such as Social Security numbers, tax identification numbers, passport or driver’s license numbers) and date of birth from employees or job candidates as needed for employment, payroll, and compliance purposes. In accordance with our MSA, each placed employee must provide necessary personal details for onboarding and payroll, and they sign any required agreements (e.g. confidentiality and IP assignment) to protect all parties’ interests.

‍Professional and Employment Information: As an EOR, we collect data related to an individual’s work and education history. For placed employees (individuals we hire and assign to work under our client’s direction), we collect information such as job title, resume/CV details, employment history, qualifications, skills, and performance information relevant to their role. We obtain much of this from the individuals themselves during the application and onboarding process, and from our clients who help select and supervise these employees. We also maintain records of the employee’s compensation, benefits enrollment, work hours, and other HR administration details as required to serve as the legal employer. For client contacts (representatives of our client companies), we collect business contact details and organizational information (company name, office address, billing contact info, etc.) to manage the services. If you apply for a job with Evolution Workforce or become a placed employee, you will be asked to provide personal information needed for hiring and compliance (such as references, background check information, bank account for payroll, emergency contact, etc.), which we will use only for those purposes and as permitted by law.

‍Sensitive Personal Information: In the course of our services, we may handle categories of data considered “sensitive.” This can include government ID numbers (e.g. SSN or passport) and financial account info for payroll (collected from employees), demographic or health information (for benefits or equal opportunity compliance), or precise geolocation (if, for example, a work device’s security settings report location). We collect sensitive data only where necessary for business operations or legal obligations – for instance, we may collect nationality or citizenship status to ensure compliance with immigration or export control. Any sensitive personal information is closely protected and used strictly for the purposes disclosed (such as paying salaries, providing benefits, ensuring workplace safety, or complying with law) and not for secondary purposes like marketing, unless expressly permitted by law or with consent.

‍Online Usage Information: When you visit our website or use our online services, we automatically collect certain data about your device and browsing actions through cookies and similar technologies. This usage data may include your IP address, device identifiers, browser type, operating system, referring URL, pages or content viewed, and dates/times of access. For example, like many companies we use cookies to remember your preferences and to understand how you navigate our site. Some cookies are necessary for site functionality, while others support analytics and advertising (see Tracking Tools below). You can set your browser to refuse or alert you about certain cookies; however, note that blocking all cookies may impact site functionality. We also log interactions such as clicks, form submissions, and referral information (e.g. what marketing campaign or external site led you to us) to better understand interest in our services.

‍Sources of Personal Data: We collect personal data directly from you in most cases – for instance, when you provide information through our website forms, sign contracts, communicate with us by email/phone, or during employee onboarding processes. We also receive personal data from third-party sources in certain situations: for example, a client that engages our EOR services may share information about a selected candidate or an existing employee that will be transitioning to Evolution Workforce employment. If we recruit candidates, we might receive resumes from staffing partners or professional networking sites with your consent. Additionally, we may collect data from publicly available sources (like LinkedIn profiles for recruitment, or public corporate registries for client due diligence) and from service providers (such as background check agencies, if applicable). Finally, as noted, we gather some data automatically via our website’s cookies and tracking tools or via our IT systems (for instance, our secure device management software may report device compliance status when a placed employee uses our equipment).We will inform you at the point of collection if certain personal data is mandatory or optional and the purposes for which it is needed. We do not collect personal information that is not relevant to our relationship (for example, we do not seek out personal details about your family, religion, or other unrelated matters). If we ever need to collect additional categories of personal data or use existing data for new purposes, we will provide updated notice and obtain consent if required.

2. Tracking Tools (Google Analytics, Meta Pixel, HubSpot)

Our website utilizes cookies and third-party tracking technologies to improve user experience, analyze traffic, and support our marketing efforts. In particular, we use the following tools and disclose their operation in the interest of transparency:

‍Google Analytics: We use Google Analytics, a web analytics service provided by Google, to understand how visitors use our site. Google Analytics sets cookies on your browser that collect information such as your IP address, device identifiers, browser type, the pages you visit on our site, and the page you came from. This data is transmitted to Google and aggregated to help us analyze site traffic and usage patterns. For example, Google Analytics helps us see which pages are most popular and how users navigate between pages. Google may also use this information for its own analytics and advertising purposes. We have configured Google Analytics to partially mask or anonymize IP addresses where possible. Information generated by these cookies will be used by us for internal analysis, to compile reports on website activity, and to improve the site’s content and performance. Google may transfer analytics information to third parties if required by law or if those third parties process data on Google’s behalf. You can opt out of Google Analytics by using Google’s opt-out browser add-on or by adjusting your browser settings to block cookies (see Tracking Tools below for more on cookie controls).

‍Meta Pixel: We use the Meta Pixel (formerly known as the Facebook Pixel) on our website to help measure the effectiveness of our advertising on Meta’s platforms (Facebook/Instagram). The Meta Pixel is a small snippet of code that, when you visit our site, can collect information about your visit (such as pages viewed, actions taken, your IP address, device identifiers, etc.) and report it to Meta. This allows us to understand which ads or posts lead to desirable actions on our site (like filling out a contact form). Meta may combine this information with data it holds about you to optimize ad delivery or for its own advertising purposes. We do not receive personal data from Meta that identifies you individually; rather, we get aggregated reports (for example, how many users who clicked a certain ad filled out our form). We also use any “Do Not Sell/Share” signals received (such as via the Opt-Out Preference or our cookie banner) to restrict the use of the Meta Pixel for targeted advertising, as required by law.

‍HubSpot: Our site uses HubSpot, which is a customer relationship management (CRM) and marketing automation platform. HubSpot’s tracking code may set cookies on your device to help us identify visits and gather data on usage of our site. If you provide your contact information through a form, HubSpot will associate your subsequent website activity with your profile in our database. We use HubSpot to manage our email newsletters, contact forms, and other marketing activities, so the information collected (e.g. pages visited, form responses, email opens/clicks) helps us tailor our communications and sales follow-ups. HubSpot also provides analytics on the performance of our site and campaigns. Like our other tools, HubSpot’s cookies and tracking are used only for our internal purposes of improving our services and outreach; HubSpot does not sell your personal information. You can opt out of HubSpot tracking by rejecting cookies on our site or by contacting us to object to marketing communications.

We want to be transparent about these tracking tools: they help us understand our web traffic and improve our user experience, but you have choices in how your data is used. See Section 12 (Do Not Sell/Share) below for how you can opt out of advertising cookies and tracking.

3. CCPA/CPRA Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) regarding your personal information. These include:

• Right to Know: You can request that we disclose the categories and specific pieces of personal information we have collected about you in the last 12 months, the categories of sources of that information, the business or commercial purposes for collecting or selling it, and the categories of third parties with whom we share it. Essentially, you may ask for a report outlining the personal data we have on you and how it’s used/shared. (Note: Evolution Workforce does not sell personal data, so while the CCPA includes a right to know about “sales” of data, our response will state that we have not sold your information.)

• Right to Delete: You have the right to request that we delete personal information we have collected from you (and direct our service providers to do the same), with certain exceptions. Once we receive and confirm a verifiable deletion request, we will delete (and instruct our service providers to delete) your personal information from our records, unless an exception applies. For example, we may retain information needed to complete the transaction for which it was collected, to detect security incidents, to comply with legal obligations (such as maintaining payroll records), or other CCPA-recognized exceptions.

• Right to Correct: You can request that we correct inaccurate personal information that we maintain about you. If you become aware that information we hold about you is incorrect or has changed (for instance, your contact information or a detail in your employment record), you may request an update. We will take steps to verify the accuracy of the new information and correct our records accordingly.

• Right to Opt Out of Sale/Sharing: You have the right to opt out of the “sale” of your personal information or the “sharing” of your personal information for cross-context behavioral advertising. As noted, Evolution Workforce does not sell personal data in the traditional sense. We also do not share personal information for targeted advertising except via certain cookies or third-party tools that could be construed as “sharing” under the CPRA (for example, using the Meta Pixel might be considered sharing data with Meta for advertising purposes). We honor opt-out requests by enabling website visitors to turn off any such cookies (through our cookie banner preferences or via the “Do Not Sell or Share My Personal Information” link on our site). California residents or their authorized agents can also submit an opt-out request to us at any time (see Section 12 for more on opting out).

• Right to Limit Use of Sensitive Personal Information: The CPRA grants California residents the right to limit the use and disclosure of “sensitive personal information” (SPI) if it is used for purposes beyond what is necessary to provide the goods or services. Evolution Workforce only uses SPI (like Social Security numbers or precise geolocation) for necessary business purposes (e.g., HR administration) or legal compliance, not for inferring characteristics about consumers or for unrelated secondary purposes. Therefore, we do not use sensitive information in a manner that would trigger the right to limit under CPRA. If that ever changes, we will provide a clear “Limit Use of My Sensitive Info” mechanism.

• Right of No Retaliation: We will not retaliate or discriminate against you for exercising any of your CCPA/CPRA rights. This means we will not deny you services, charge you a different price, or provide a different level of quality because you exercised your privacy rights. If you are an employee or prospective employee exercising your rights, it will not affect your employment prospects or any benefits to which you are entitled. In some cases, if the exercise of your rights limits our ability to process personal information (for example, if you request deletion of data needed to provide a service), we may not be able to continue the service relationship – but we will inform you of such consequences and alternatives at the time.

How to Submit a Request: To exercise your California privacy rights, you (or an authorized agent acting on your behalf) may contact us by email at info@evolution-workforce.com with the subject line “CCPA Request” and specifying which right you seek to exercise. You may also call us at +1 (212) 400-1650 to submit your request. We will need to verify your identity to a “reasonable degree of certainty” (or a “reasonably high degree” for requests for specific pieces of information) before processing your request, which may involve matching information you provide with information we have on file (such as verifying control of your email or requiring a signed declaration). If you use an authorized agent, we will require proof of the agent’s written permission to act on your behalf and may still ask you to verify your identity directly. We aim to respond to requests within 45 days, or notify you if an extension of up to 45 additional days is needed. For requests to know specific pieces of data, we will provide those via a secure method. For deletion requests, we will either confirm deletion or explain the basis for any denial (e.g. legal exemption). For opt-out requests, we will comply as soon as feasibly possible.

If we decline to take action on a request, you have the right to understand why. In such cases, we will provide an explanation. California law also allows you to contact the California Attorney General if you have concerns about the result of your request or if you believe your rights under CCPA/CPRA have been violated. (See Section 9 for additional state-specific remedies.)

4. Third-Party Data Sharing

We do not disclose or share personal data with third parties except as needed to run our business, fulfill our services, and as otherwise described here or required by law. When we do share data, we ensure appropriate safeguards are in place (such as contractual assurances of confidentiality and data protection from the recipient). The categories of third parties with whom Evolution Workforce may share personal data, and the context for such sharing, include:

‍Client Companies: As an EOR provider, one of our primary functions is to act as the employer of record for individuals who actually work under the direction of our client companies. This means that we will share relevant personal information of a placed employee with the client that is utilizing their services. For example, if we hire an international software developer on behalf of a U.S. tech company, that client will necessarily receive the individual’s work profile, contact information, and may evaluate their resume or background during selection. Throughout the engagement, we may share data such as the employee’s work hours, project reports, or performance feedback with the client, since the client manages the day-to-day work. All such sharing is part of the service contract with the client and is done for “business purposes” (e.g. providing the contracted HR service). The client is typically considered a separate business or controller of the personal data for their operational purposes. We require that clients handle any personal data we share in compliance with applicable privacy laws and with at least the same level of care we do. Our contracts with clients (MSA and SOW) include confidentiality clauses to protect personal information; clients are not permitted to use personal data of placed employees for any purposes outside the scope of the placement. Note: If a placed employee will have access to a client’s own sensitive data (for instance, the client’s customer data), the client is responsible for ensuring proper legal bases or consents are in place for that access. This ensures that all parties uphold data privacy compliance in the service relationship.

‍Service Providers (“Processors”): We share personal data with third-party service providers and vendors who perform functions on our behalf to support our operations. These providers are bound by contract to use personal data only as necessary to provide services to us and not for their own purposes, consistent with the concept of “service providers” under CCPA. Examples include:

• Payroll and Benefits Administrators: We may use third-party payroll processors, benefits providers, insurance companies, and HR software platforms to administer salaries, health insurance, retirement plans, and other benefits for placed employees. These providers will receive personal data such as identification details, salary information, and benefits selections necessary to perform their duties. They are obligated to keep such information confidential and secure.

• Cloud Hosting and IT Infrastructure: We utilize reputable cloud service providers (for example, for data storage, database hosting, or application hosting) to store and process data. Personal data may be stored on cloud servers operated by companies like Microsoft or Amazon Web Services, subject to strict access controls and encryption. Similarly, we may use IT management services – for instance, we deploy Microsoft Intune for device management and CrowdStrike Falcon for endpoint security on devices used by our employees. These tools, while software on our behalf, may send certain diagnostic or usage data to the tool providers (e.g., device compliance status to Microsoft Intune cloud) solely to enable the security functions. Such providers are not permitted to use personal info except to provide the contracted service.

• Analytics and Marketing Partners: As described in Section 2, we use third-party analytics (Google) and CRM (HubSpot) tools that process personal data about website visitors. These partners act on our behalf to provide insights and marketing automation. Data shared with them (like cookie identifiers or lead info) is covered by our agreements with those companies. In the case of advertising partners (such as Meta for our Meta Pixel), those companies may be considered independent “third parties” who collect data for their own uses as well; we treat such situations as data “sharing” that you can opt out of (see Sections 2 and 12). We do not sell personal data to these partners, but we want you to be aware that when you interact with our site, these third parties might collect information under their own privacy policies as well. We contractually require any marketing or advertising vendors to comply with privacy laws and honor opt-outs (for example, if you opt out of cookies, we instruct analytics tools accordingly).

• Background Check and Compliance Services: If, as part of hiring or onboarding, a background screening, identity verification, or sanctions check is required, we will share the necessary personal details with trusted agencies that provide these services. For instance, to perform a criminal background check or education verification (where lawful and agreed), we would provide the candidate’s name, ID number, or other needed data to the screening provider. Those providers are prohibited from using the data for anything beyond the requested screening and must comply with applicable consumer reporting laws.

• Legal, Accounting, and Other Professional Advisors: We may disclose personal information to our external auditors, attorneys, insurers, bankers, or other professional advisors as necessary for securing their services or defending our legal rights. For example, if we undergo an audit, the auditor might have access to employee payroll records to verify our compliance with tax and labor laws. If we seek legal advice regarding an employment matter, we might share relevant personal data with our attorneys, who are bound to confidentiality.

Affiliates and Corporate Transactions: Evolution Workforce may share personal information with our corporate affiliates (entities under common ownership or control) for aligned business purposes, such as centralized management or consistent service delivery. Currently, Evolution Workforce is a part of Double M Merchandise Inc.; we ensure any affiliate receiving data will handle it under the same privacy and security standards described in this policy. In the event of a business transaction, such as a merger, acquisition, reorganization, or sale of all or part of our business or assets, personal data may be disclosed to potential or actual purchasers (and their professional advisors) as part of due diligence or the transfer of business assets. If ownership or control of Evolution Workforce changes, we will require the successor entity to honor the commitments we have made in this Privacy Policy regarding your personal information, or we will notify you and seek consent if required by law.

‍Legal Compliance and Protection: We may disclose personal information to third parties (such as courts, law enforcement, government authorities, or opposing counsel) if we believe disclosure is necessary to: (a) comply with any applicable law, regulation, legal process, or governmental request; (b) enforce or apply our contracts, including investigating potential violations (for example, suspected fraud or misuse of our services); (c) detect, prevent, or otherwise address illegal or harmful activities, security incidents, or technical issues; or (d) protect the rights, property, or safety of Evolution Workforce, our employees, our clients, or others. For instance, if a regulatory agency requests information about employees for compliance reasons, or if a subpoena or court order demands records, we may be legally obligated to provide the data. We will limit any such disclosure to the relevant requirements and will object to overly broad requests when appropriate. Additionally, if a placed employee were to raise a legal claim or there’s a dispute (e.g., a workers’ compensation claim or a lawsuit involving a placed employee’s conduct), we might share necessary information with insurers or legal representatives to handle the matter.Other than the situations above, Evolution Workforce will not share your personal data with third parties. In particular, we do not sell your personal information to data brokers or unrelated parties, and we do not disclose personal data to third parties for their own direct marketing purposes without your consent. We also do not allow unauthorized third-party advertising networks to gather your info from our site beyond what is described in Section 2 (and you can opt out of those). If our practices regarding data sharing change in the future, we will update this Privacy Policy and provide any required notices or opt-in/opt-out choices.

5. Contact Methods and Policy Updates

Contacting Us: If you have any questions, concerns, or requests regarding this Privacy Policy or how Evolution Workforce handles your personal data, please contact us by any of the following methods:

‍Email: info@evolution-workforce.com – This is our dedicated email for privacy inquiries (e.g. questions about this Policy, requests to exercise your rights, or reports of a potential data incident). Please include your name and contact information and describe your question or request with sufficient detail.

‍Phone: +1 (212) 400-1650. You may call our offices during normal business hours and request to speak to the Privacy Officer or a member of the legal/compliance team.

‍Mail: Attn: Privacy Officer, Evolution Workforce, 260 West 54th Street, New York, NY 10019, USA. You may send us a written letter with any inquiries or requests. If you are exercising legal rights, please indicate that in your letter and provide a way to contact you (email or postal address) for response.We will endeavor to respond to any privacy-related inquiry within a reasonable timeframe. If you are an Evolution Workforce placed employee or job applicant with questions about your personal data, you may also reach out to your Evolution Workforce HR contact or account manager, who can coordinate with our privacy team.

‍Effective Date: This Privacy Policy is effective as of July 2025. It reflects our data practices and commitments at that date. We chose this effective date to ensure the Policy encompasses the latest legal requirements (including CPRA and new state laws effective in 2023) and our current business practices in 2025.

‍Updates to this Policy: We may update or revise this Privacy Policy from time to time to reflect changes in our practices, to keep up with new legal requirements, or for other operational, legal, or regulatory reasons. If we make material changes, we will notify users in a manner appropriate to the significance of the changes:

• For minor or routine updates (e.g., clarifying language, updating contact info), we may simply update the “Last Updated” date above and post the revised Policy on our website. Please check this page periodically to stay informed of any changes.

• For significant changes that affect your rights or how we use personal data (e.g., if we begin collecting new categories of personal information or start using data for new purposes not previously disclosed), we will provide a more prominent notice. This may include posting a notice on our website’s homepage or login portal, or contacting you directly via email or other contact information you have provided. In certain cases, if required by law, we will seek your consent for the new processing.

Any revised Privacy Policy will be accessible on our website (likely at the same URL). The “Effective Date” at the top will indicate when the changes become effective. We encourage you to review our Privacy Policy whenever you access our services to stay informed about our information practices. If you continue to use our website or services after an updated Privacy Policy takes effect, it will signify your acceptance of the changes. However, we will not, without your consent, use your personal information in a manner materially different than what was stated at the time it was collected from you.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required or permitted by law. Because the appropriate retention period can vary depending on the context and the nature of the data, we maintain internal retention guidelines and take into account various factors when determining how long to keep information:

• Operational Necessity: We keep personal information as long as needed to provide our services and run our business. For example, while you are an active client or user, we will retain your account information and contact details. If you are a placed employee, we retain your HR records for the duration of your employment with Evolution Workforce and for a period after termination as required for legal compliance or our business records. We aim to retain data for the shortest duration that serves the intended purpose. In practice, this means that if data is no longer actively used or needed, we will either delete it or anonymize it (unless an exception applies).

• Legal and Contractual Requirements: Certain laws mandate retention of records for specific periods. For instance, payroll and tax records for employees must often be kept for a number of years (e.g., IRS regulations typically require keeping employee tax forms for at least 4 years). Similarly, basic company records of contracts or services provided may be kept to comply with statutes of limitations (for example, to defend against possible legal claims, we might retain a copy of the contract and related communications for a number of years after the contract ends). We comply with applicable laws in different jurisdictions concerning data retention. Where laws differ, we may apply the longest applicable retention period if that data might be relevant to multiple jurisdictions.

• Archival and Auditing Needs: We retain certain data for our legitimate interests in maintaining business continuity, financial records, and audit trails. For example, even after a placed employee leaves, we may retain a record of their employment dates, position, and salary for accounting and audit purposes. We may also keep security logs or backup tapes for a certain period to ensure we can investigate security incidents or restore services in a disaster recovery scenario. These archives are protected and have strictly controlled access.

• Deletion and Anonymization: When personal data reaches the end of its retention period, we will either delete it securely or convert it into an anonymized form that no longer identifies individuals. Secure deletion may involve shredding physical documents and using technical wiping for electronic data. In some cases, rather than deleting entirely, we may anonymize data (for example, aggregate business analytics might be derived from historical data but without personal identifiers). Once anonymized, data is no longer subject to this Privacy Policy because it is not personally identifiable.

• Exceptions: If you exercise your right to deletion under applicable law, we will delete your data unless a specific exception applies (see Section 3 on CCPA deletion exceptions, which are aligned with our general practice). Also, if there is ongoing litigation, audit, or an open investigation, we may preserve relevant data until it is resolved, even if that extends beyond normal retention periods – this is to comply with legal hold obligations.

In summary, Evolution Workforce strives to keep personal information for no longer than necessary. We periodically review the data we hold and erase or anonymize information that is no longer needed. If you have specific questions about how long certain data is kept, you can contact us (Section 5), and we will try to provide guidance. For example, a California resident might request information on the retention period for their category of data under Cal. Civ. Code § 1798.100. We will happily provide available details to the extent required by law.

7. COPPA/Children

Our services and website are not directed to children under the age of 13, and we do not knowingly collect or solicit personal information from children under 13 years old. In fact, due to the nature of our business (employment services for companies), we generally do not have any users or employees in that age group. The Children’s Online Privacy Protection Act (COPPA) imposes requirements on websites that collect data from children under 13, and Evolution Workforce’s policy is to avoid any such collection.

If you are under 13, please do not use or provide any information on this website or through our services. We do not intend to collect information from minors, and any information provided to us about a child should come only through a parent or legal guardian (for instance, if an employee provides dependent information for benefits, that is done by the adult parent, and we handle that data in compliance with applicable law).

In the unlikely event that we learn we have collected personal information directly from a child under 13 without verified parental consent, we will delete that information as quickly as possible. If you believe we might have any information from or about a child under 13, please contact us immediately at info@evolution-workforce.com so that we can investigate and take appropriate action.

For minors aged 13 to 16: While our website is not intended for this audience either, if you are a California resident between 13 and 16 years old, you have the right to opt-in to any sales of your personal information (as that term is defined under CCPA/CPRA). As noted, we do not sell personal information, so this generally does not apply. Nonetheless, if we were ever to consider practices that fall under “selling” data, we would not sell the personal information of consumers less than 16 years old without legally required affirmative authorization.

8. Security Measures

Evolution Workforce takes the security of personal data very seriously. We have implemented a comprehensive information security program with administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, and misuse. Some of the key security measures we maintain include:

• Access Controls: We restrict access to personal data to authorized personnel who need it for their job duties (principle of least privilege). For example, employee records can only be accessed by our HR and compliance team, and client data by the account managers and service team working with that client. Systems and databases require authentication, and each user has unique credentials. We also employ multi-factor authentication for sensitive systems to add an extra layer of security.

• Encryption: We use encryption to protect personal information in transit and at rest. Our public-facing website is encrypted via HTTPS for secure data transmission. Sensitive personal data (like government ID numbers or financial information) is stored in encrypted form within our systems or databases. Portable devices used by our staff (such as laptops) are encrypted to prevent data exposure if lost or stolen.

• Network and System Security: Our IT infrastructure is protected by firewalls, intrusion detection systems, and anti-malware defenses. We regularly update software and apply security patches to address vulnerabilities. We use endpoint protection on employee devices and actively monitor for suspicious activity or unauthorized access attempts. Our email system has spam filtering and phishing detection measures, and we train employees to recognize and report potential phishing attacks.

• Vendor Security Assurance: When we engage third-party service providers (as discussed in Section 4), we assess their security practices and require them to implement appropriate security measures. We enter into data protection agreements or addenda with vendors to ensure they protect personal data to a standard commensurate with our own practices. For cloud or software providers, we review their security certifications or audits (such as SOC 2 reports) to validate their controls.

• Physical Security: The offices and data centers where personal information is stored are secured with badge access, alarms, and monitoring. Paper records (when they exist) are kept in locked cabinets. We have policies for the secure disposal of documents and devices (shredding paper, wiping or destroying hard drives) to prevent unintended data leaks.

• Training and Policies: All Evolution Workforce employees undergo privacy and security training. We maintain clear internal policies on data handling, confidentiality, and acceptable use of systems. Employees are required to adhere to these policies and are reminded of their obligations to safeguard personal data. We conduct periodic security awareness programs to keep security top-of-mind (such as simulated phishing exercises and refreshers on proper data handling).

• Incident Response Plan: Despite preventative measures, no method of transmission or storage is 100% secure, so we have an incident response plan in place for addressing potential data breaches or security incidents. This plan outlines the steps to take in identifying, containing, eradicating, and recovering from an incident. It also includes notification procedures to make sure we can promptly inform affected individuals and authorities when required.

We continually evaluate and upgrade our security measures in light of current risks and best practices in the industry. This includes staying aware of emerging threats and adapting our safeguards (for example, if new guidance suggests higher encryption standards or if we expand into new regions with specific security requirements). We also regularly review our vendors and tools to ensure they meet our security expectations.

In the unfortunate event of a data breach or security incident that affects personal data, Evolution Workforce will promptly take steps to contain and investigate the incident. We have procedures to notify affected parties and regulators as required by law. For example, if a data breach involves personal information of individuals in certain jurisdictions, we will comply with breach notification laws such as California’s data breach notification statute. Our MSA also commits us to notify our clients of breaches related to the services: if either party (us or the client) becomes aware of a breach involving personal data, they must promptly notify the other. We will provide as much information as we can about what happened, what data is involved, and what we are doing in response. We will also take appropriate remedial actions, such as changing access credentials, patching vulnerabilities, and offering identity theft protection services if applicable. Our goal is transparency and partnership with our clients and data subjects in security matters.

If you have further questions about our security measures, you can contact us or visit any security resources we publish (e.g., our Security or Trust Center on our website, if available).

9. State-Specific Disclosures (CA, VA, CO, CT, etc.)

In addition to the California-specific rights discussed in Section 3, several U.S. states have enacted their own privacy laws granting residents certain rights over their personal data. These laws — such as the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA) — share many similarities with the CCPA/CPRA, though there are some differences in scope and terminology. Evolution Workforce’s policy is to respect all applicable state privacy laws. This section provides an overview of additional rights and disclosures for residents of these states:

• Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) and Other States: Residents of Virginia, Colorado, Connecticut, Utah, and any other U.S. state with comprehensive privacy laws have rights similar to those of California residents, although there are some differences in scope and terminology. If you are a resident of these states, you generally have the right to confirm whether we process your personal data and to access that data; to correct inaccuracies in your personal data; to delete personal data provided by or obtained about you; to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format (where required by law); and to opt out of certain types of data processing. Specifically, you may opt out of: (a) targeted advertising based on your personal data, (b) the sale of personal data (as defined by each law), and (c) profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in profiling to make decisions with legal or significant effects on individuals, nor do we sell personal data as defined by these state laws. We do utilize cookies and third-party advertising tools (as described in Section 2), so if you are in one of these states, you can opt out of the use of your data for targeted advertising via our cookie settings or by sending us an opt-out request as described below.

• Sensitive Data (VA, CO, CT): These state laws have concepts of “sensitive data” (e.g., data about health, race, precise location, etc., similar to CPRA’s sensitive PI). In general, if we process sensitive data about you, we will obtain your consent if required (for instance, Colorado and Connecticut require opt-in consent for sensitive data processing in many cases). Most of Evolution Workforce’s processing of sensitive data is either (a) done with consent (e.g., an employee providing medical info for leave requests) or (b) falls under necessary exemptions (e.g., compliance with employment law). We will honor any state-specific rules on sensitive data — for example, not processing sensitive data of a Virginia consumer for anything other than a necessary purpose unless they have consented.

• Authorized Agents: Some state laws (like California’s CCPA) allow you to use an authorized agent to submit requests on your behalf. If you choose to do so, we will take steps to verify the agent’s authority (e.g., requiring a signed permission from you) and also verify your identity directly with us, depending on the type of request. This is to prevent fraud or unauthorized access to your data.

• State Contact Information:
  – California residents can visit the California Attorney General’s CCPA page or call the designated hotline (see oag.ca.gov/privacy/ccpa).
  – Virginia residents can contact the Virginia Attorney General’s Consumer Protection section (for example, via consumer@oag.state.va.us or the phone number on the Virginia AG’s site).
  – Colorado residents can reach out to the Colorado Attorney General’s Office (see coag.gov for contact information).
  – Connecticut residents can contact the Connecticut Attorney General’s Privacy Unit (see the Connecticut AG’s official website for current contact details).
  – Utah residents can contact the Utah Division of Consumer Protection.

We provide these contacts as a resource if you feel we have not addressed your requests adequately, but of course we encourage you to work with us first so we can resolve any issue.

• No Fee Charged: We will not charge you for exercising your rights under these state laws, with a possible exception if a request is manifestly unfounded or excessive/repetitive, in which case the law allows a reasonable fee or permitting us to decline. To date, we have not needed to charge any fees for fulfilling privacy requests.

Appeal Process (for VA, CO, CT, etc.): If we deny your request under Virginia, Colorado, or Connecticut law, you have the right to appeal our decision. We will include instructions in our response if we refuse to act on a request. Typically, to appeal, you may reply to our denial or email us at info@evolution-workforce.com with the subject “Appeal” within a reasonable time (e.g., within 30–60 days of our response). A different reviewer (usually a more senior member of our compliance team or legal counsel) will re-evaluate the request and respond to you with the outcome of the appeal within the time required by law (Virginia requires a response within 60 days of an appeal). If the appeal is denied, Virginia, Colorado, and Connecticut residents additionally have the right to contact their state Attorney General to submit a complaint. We will provide you with the relevant contact information for your state’s Attorney General in our appeal denial response, as required by law.

‍Nebraska, Iowa, etc.: As privacy legislation evolves, we intend to extend fundamentally similar rights to all individuals, even beyond those required by law, as part of our commitment to privacy. So even if you are in a state without a specific privacy law, you can still contact us to inquire about your data. We will handle such requests in good faith.

In summary, Evolution Workforce’s policy is to treat personal data consistently with the strongest applicable rights and to provide clear notice as required by each jurisdiction. If you have any questions about state-specific rights or how to exercise them, please reach out to us.