GDPR Compliance
Evolve is fully committed to complying with the General Data Protection Regulation (GDPR). This article explains how we handle personal data and what tools are available to help your organization meet its own GDPR obligations.
Evolve's Role Under GDPR
When your organization uses Evolve, you are the data controller — you decide what personal data is collected and why. Evolve acts as the data processor, handling that data on your behalf according to your instructions and our Data Processing Agreement (DPA).
Data We Process
Evolve processes the following categories of personal data:
Account information — name, email address, role, department
Learning activity — course enrollments, progress, quiz scores, completion timestamps
Platform usage — login times, device type, IP address (for security logging)
We do not process sensitive personal data (e.g., health, biometric, or political data) unless explicitly configured by your organization.
Your Rights and Controls
Evolve provides built-in tools to support GDPR data subject rights:
Right of access — Export a learner's full data profile from Settings > Privacy > Data Export.
Right to erasure — Delete a user and all associated data from Settings > Privacy > Data Deletion. This action is irreversible.
Right to portability — Data exports are provided in standard JSON and CSV formats.
Right to rectification — Users can update their own profile information at any time. Admins can also edit user records.
Data Processing Agreement
All Evolve customers on paid plans are covered by our standard DPA, which is aligned with GDPR Article 28. You can download a signed copy from Settings > Legal > Data Processing Agreement, or request a custom DPA by contacting legal@evolveplatform.ai.
Data Residency
Evolve stores all customer data in the European Union (AWS eu-west-1) by default. Organizations that require a different region can request data residency configuration during onboarding.
Breach Notification
In the event of a personal data breach, Evolve will notify your designated security contact within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
For further questions, contact privacy@evolveplatform.ai.
Frequently Asked Questions
Q: What data residency options are available?
A: By default, all customer data is stored in the European Union (AWS eu-west-1). If your organization requires a different region, such as the United States or Asia-Pacific, you can request a specific data residency configuration during onboarding. Contact your account manager or email privacy@evolveplatform.ai for details.
Q: How long does it take to process a right-to-be-forgotten request?
A: Evolve processes erasure requests within 30 days of receiving a verified request, in line with GDPR Article 17. Once executed, all personal data associated with the user is permanently deleted from production systems. Backup copies are purged within 90 days.
Q: Is a Data Processing Agreement available for free plans?
A: The standard DPA is included with all paid plans. Organizations on free or trial plans can request a DPA by contacting legal@evolveplatform.ai. The team will work with you to put an appropriate agreement in place before any personal data is processed.
Q: Where can I find Evolve's cookie policy?
A: Evolve's cookie policy is linked in the footer of every page on the platform and on the marketing website. It describes the types of cookies used, their purposes, and how users can manage their cookie preferences.
You can also access it directly from Settings > Legal > Cookie Policy.