This Privacy Policy explains how Evolution Risk Assurance Ltd collects, uses, shares and protects personal data in connection with the EROMS (Evolution) platform and the Nexus application, and how individuals can exercise their rights under UK data protection law.
1. Purpose
This Privacy Policy explains how Evolution Risk Assurance Ltd (“Evolution Risk Assurance”, “we”, “us”) collects, uses, shares, and protects personal data in connection with the EROMS risk assessment, emergency-response and management platform (also referred to as “Evolution”) and the Nexus visualisation application (together, the “Services”).
It sets out our commitments under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and how individuals can exercise their rights.
2. Scope
- In scope: All personal data processed through the EROMS platform (including its Permit-to-Work, Incident Response, Competence, Asset Management, Pre-Incident Planning and Mika AI features) and the Nexus application, whether delivered as hosted SaaS or deployed on-premise for a customer.
- Out of scope: Personal data a customer organisation processes on systems outside the Services, and the internal HR/employment data Evolution Risk Assurance processes about its own staff (covered by a separate internal privacy notice).
2.1 Our role — controller vs processor
Evolution Risk Assurance operates the Services on a business-to-business basis. Our data-protection role depends on the data:
| Data | Our role | Typical controller |
|---|---|---|
| Personal data your organisation enters or generates in the Services (worker records, permits, incidents, casualty/injury records, location data) | Processor — processed on documented instructions from the customer | The customer organisation |
| Account administration, billing, support, and the contact details of account administrators | Controller | Evolution Risk Assurance |
| Marketing and website enquiry data | Controller | Evolution Risk Assurance |
Where Evolution Risk Assurance is a processor, the terms of processing are set out in the Data Processing Agreement (DPA) between Evolution Risk Assurance and the customer, and the customer’s own privacy notice governs how data subjects are informed. This policy describes our practices in both roles for transparency.
3. Definitions
| Term | Meaning |
|---|---|
| Personal data | Information relating to an identified or identifiable living individual. |
| Special category data | Sensitive data under Article 9 UK GDPR — here, primarily health/injury data recorded about casualties during incidents. |
| Controller | The party that determines the purposes and means of processing. |
| Processor | A party that processes personal data on behalf of a controller. |
| Sub-processor | A third party engaged by Evolution Risk Assurance to process personal data as part of delivering the Services. |
| Data subject | The individual to whom personal data relates. |
4. How we handle personal data
4.1 Personal data we process
Depending on which modules a customer enables, the Services may process:
- Account & user identity — name, work email address, telephone number(s), team, competency level and role, training paths, and authentication identifiers issued by our identity provider.
- Usage & technical data — sign-in events, feature/app-usage records, QR-code scan events, audit-trail entries, device/browser information, IP address, and diagnostic/debug logs.
- Operational content — permits to work, risk assessments, hazards, checklists, assets, pre-incident plans and related documents, which may name individuals.
- Location data — worker check-in geo-location and time-on-site, including lone-worker monitoring where enabled by the customer.
- Special category (health) data — casualty and injury records captured during incident response, including the person’s name, company, location and injury type.
- Communications — support requests, and content submitted to the Mika AI assistant where that feature is enabled.
Nexus additionally processes the identity and authentication data needed to sign in and download/run the application, and standard technical/usage data.
4.2 Why we process it and our lawful bases
| Purpose | Typical lawful basis (UK GDPR Art. 6) |
|---|---|
| Providing and operating the Services under contract | Contract (6(1)(b)); or legitimate interests where Evolution Risk Assurance is processor acting on the customer’s basis |
| Authentication, security, and fraud/abuse prevention | Legitimate interests (6(1)(f)) |
| Health, safety and incident/emergency response | Legal obligation (6(1)(c)) / vital interests (6(1)(d)) as directed by the customer controller |
| Service improvement, diagnostics and support | Legitimate interests (6(1)(f)) |
| Account administration and billing | Contract (6(1)(b)) / legal obligation (6(1)(c)) |
| Marketing to business contacts | Consent (6(1)(a)) or legitimate interests (6(1)(f)), with an opt-out |
Special category (health/injury) data is processed under an Article 9 condition — typically substantial public interest or health and safety at work (Art. 9(2)(b)/(g), with a DPA 2018 Schedule 1 condition) — as determined by the customer controller. Evolution Risk Assurance processes it only on the controller’s instructions.
4.3 How we collect personal data
- Directly from customer administrators and users who enter data into the Services.
- Generated automatically as individuals use the Services (usage, audit, location and diagnostic data).
- From our identity provider during authentication.
4.4 Sharing and sub-processors
We do not sell personal data. We share it only with the customer organisation and its authorised users, and with sub-processors engaged to deliver the Services under written contracts requiring UK GDPR-compliant safeguards. Current categories include:
| Sub-processor / service | Purpose | Notes |
|---|---|---|
| Auth0 by Okta (Okta, Inc.) | Authentication & identity management | Keycloak is customer-hosted for on-premise deployments |
| Microsoft Azure (Microsoft Corporation) | Application hosting & storage | Region: UK South |
| MongoDB Atlas (MongoDB, Inc.) | Data storage | SaaS only |
| Twilio SendGrid (Twilio Inc.) | Transactional & workflow email notifications | |
| Google Maps Platform | Mapping and geospatial display | |
| what3words | Location geocoding | |
| Azure OpenAI Service (Microsoft) | Mika AI generative features | Disabled by default for on-premise deployments |
A current, itemised sub-processor list is available to customers on request and is maintained in the applicable DPA. We may also disclose data to authorities and advisers where required by law or to establish or defend legal claims.
4.5 On-premise deployments
Where a customer deploys EROMS on its own infrastructure, personal data remains within the customer’s environment. In that model Evolution Risk Assurance typically has no access to the customer’s operational data, authentication runs on the customer’s own Keycloak, external data feeds and generative-AI (Mika) features are off by default, and the customer is the sole controller and operator.
4.6 International transfers
Where personal data is transferred outside the UK (for example to a sub-processor), we rely on an adequacy decision or on appropriate safeguards such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment. Hosting region is configurable per deployment; the applicable region is confirmed in the customer contract.
4.7 Retention
We retain personal data for as long as needed to provide the Services and to meet legal, safety and contractual obligations, then delete or anonymise it. Retention periods for operational data (permits, incidents, casualty records, audit logs) are set by the customer controller and defined in the DPA. Account and billing data is retained for the duration of the contract plus the period required by law. On termination, customer data is returned or deleted in line with the DPA.
4.8 Data subject rights
Subject to their controller relationship, individuals have the right to: access their data; rectify inaccurate data; erase data; restrict or object to processing; data portability; and to withdraw consent where processing relies on it. Individuals also have the right to complain to the Information Commissioner’s Office (ICO) — ico.org.uk.
Where Evolution Risk Assurance acts as processor, requests should be directed to the relevant customer organisation, and Evolution Risk Assurance will assist that customer in responding. Where Evolution Risk Assurance is the controller, contact us using the details below.
4.9 Security
We protect personal data with technical and organisational measures including encryption in transit, role-based access control and multi-tenant isolation, authentication through a dedicated identity provider, audit logging, and least-privilege access for staff. Measures are reviewed periodically and detailed further in our Information Security Policy.
4.10 Personal data breaches
We maintain procedures to detect, investigate and respond to personal data breaches. Where Evolution Risk Assurance is a processor, we notify the affected customer controller without undue delay. Where we are the controller, we notify the ICO within 72 hours where the breach is reportable, and affected individuals where required.
4.11 Contact and complaints
| Data Protection Officer / privacy contact | Kevin Boffy — kevin.boffy@evolutionriskassurance.com |
| Registered address | 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ |
| Company registration | Registered in England & Wales, company number 10539713 |
If you are not satisfied with our response you may contact the ICO.
5. Roles and responsibilities
| Role | Responsibility |
|---|---|
| Data Protection Officer | Owns this policy, oversees compliance, handles rights requests and breach notifications where Evolution Risk Assurance is controller. |
| Engineering / Platform team | Implements and maintains security, retention and access controls in the Services. |
| Customer Success / Account management | Maintains DPAs and the sub-processor list, and routes processor-role requests to customers. |
| All staff and contractors | Handle personal data only as authorised and report suspected breaches promptly. |
6. Compliance and enforcement
Compliance is reviewed at least annually and whenever the Services, sub-processors or applicable law change materially. Breaches of this policy by staff are handled under Evolution Risk Assurance’s disciplinary process. Exceptions require written approval from the Data Protection Officer.
7. Related documents
- Data Processing Agreement (DPA) — provided to customers as part of the services contract; governs Evolution Risk Assurance’s processing of customer data and lists the current sub-processors.
8. Revision history
| Version | Date | Author | Summary of change |
|---|---|---|---|
| 1.0 | 1 July 2026 | Kevin Boffy | Initial version covering EROMS platform and Nexus. |