This Privacy Policy explains how Evolution Risk Assurance Ltd collects, uses, shares and protects personal data in connection with the EROMS (Evolution) platform and the Nexus application, and how individuals can exercise their rights under UK data protection law.

1. Purpose

This Privacy Policy explains how Evolution Risk Assurance Ltd (“Evolution Risk Assurance”, “we”, “us”) collects, uses, shares, and protects personal data in connection with the EROMS risk assessment, emergency-response and management platform (also referred to as “Evolution”) and the Nexus visualisation application (together, the “Services”).

It sets out our commitments under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and how individuals can exercise their rights.

2. Scope

2.1 Our role — controller vs processor

Evolution Risk Assurance operates the Services on a business-to-business basis. Our data-protection role depends on the data:

DataOur roleTypical controller
Personal data your organisation enters or generates in the Services (worker records, permits, incidents, casualty/injury records, location data)Processor — processed on documented instructions from the customerThe customer organisation
Account administration, billing, support, and the contact details of account administratorsControllerEvolution Risk Assurance
Marketing and website enquiry dataControllerEvolution Risk Assurance

Where Evolution Risk Assurance is a processor, the terms of processing are set out in the Data Processing Agreement (DPA) between Evolution Risk Assurance and the customer, and the customer’s own privacy notice governs how data subjects are informed. This policy describes our practices in both roles for transparency.

3. Definitions

TermMeaning
Personal dataInformation relating to an identified or identifiable living individual.
Special category dataSensitive data under Article 9 UK GDPR — here, primarily health/injury data recorded about casualties during incidents.
ControllerThe party that determines the purposes and means of processing.
ProcessorA party that processes personal data on behalf of a controller.
Sub-processorA third party engaged by Evolution Risk Assurance to process personal data as part of delivering the Services.
Data subjectThe individual to whom personal data relates.

4. How we handle personal data

4.1 Personal data we process

Depending on which modules a customer enables, the Services may process:

Nexus additionally processes the identity and authentication data needed to sign in and download/run the application, and standard technical/usage data.

4.2 Why we process it and our lawful bases

PurposeTypical lawful basis (UK GDPR Art. 6)
Providing and operating the Services under contractContract (6(1)(b)); or legitimate interests where Evolution Risk Assurance is processor acting on the customer’s basis
Authentication, security, and fraud/abuse preventionLegitimate interests (6(1)(f))
Health, safety and incident/emergency responseLegal obligation (6(1)(c)) / vital interests (6(1)(d)) as directed by the customer controller
Service improvement, diagnostics and supportLegitimate interests (6(1)(f))
Account administration and billingContract (6(1)(b)) / legal obligation (6(1)(c))
Marketing to business contactsConsent (6(1)(a)) or legitimate interests (6(1)(f)), with an opt-out

Special category (health/injury) data is processed under an Article 9 condition — typically substantial public interest or health and safety at work (Art. 9(2)(b)/(g), with a DPA 2018 Schedule 1 condition) — as determined by the customer controller. Evolution Risk Assurance processes it only on the controller’s instructions.

4.3 How we collect personal data

4.4 Sharing and sub-processors

We do not sell personal data. We share it only with the customer organisation and its authorised users, and with sub-processors engaged to deliver the Services under written contracts requiring UK GDPR-compliant safeguards. Current categories include:

Sub-processor / servicePurposeNotes
Auth0 by Okta (Okta, Inc.)Authentication & identity managementKeycloak is customer-hosted for on-premise deployments
Microsoft Azure (Microsoft Corporation)Application hosting & storageRegion: UK South
MongoDB Atlas (MongoDB, Inc.)Data storageSaaS only
Twilio SendGrid (Twilio Inc.)Transactional & workflow email notifications
Google Maps PlatformMapping and geospatial display
what3wordsLocation geocoding
Azure OpenAI Service (Microsoft)Mika AI generative featuresDisabled by default for on-premise deployments

A current, itemised sub-processor list is available to customers on request and is maintained in the applicable DPA. We may also disclose data to authorities and advisers where required by law or to establish or defend legal claims.

4.5 On-premise deployments

Where a customer deploys EROMS on its own infrastructure, personal data remains within the customer’s environment. In that model Evolution Risk Assurance typically has no access to the customer’s operational data, authentication runs on the customer’s own Keycloak, external data feeds and generative-AI (Mika) features are off by default, and the customer is the sole controller and operator.

4.6 International transfers

Where personal data is transferred outside the UK (for example to a sub-processor), we rely on an adequacy decision or on appropriate safeguards such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment. Hosting region is configurable per deployment; the applicable region is confirmed in the customer contract.

4.7 Retention

We retain personal data for as long as needed to provide the Services and to meet legal, safety and contractual obligations, then delete or anonymise it. Retention periods for operational data (permits, incidents, casualty records, audit logs) are set by the customer controller and defined in the DPA. Account and billing data is retained for the duration of the contract plus the period required by law. On termination, customer data is returned or deleted in line with the DPA.

4.8 Data subject rights

Subject to their controller relationship, individuals have the right to: access their data; rectify inaccurate data; erase data; restrict or object to processing; data portability; and to withdraw consent where processing relies on it. Individuals also have the right to complain to the Information Commissioner’s Office (ICO)ico.org.uk.

Where Evolution Risk Assurance acts as processor, requests should be directed to the relevant customer organisation, and Evolution Risk Assurance will assist that customer in responding. Where Evolution Risk Assurance is the controller, contact us using the details below.

4.9 Security

We protect personal data with technical and organisational measures including encryption in transit, role-based access control and multi-tenant isolation, authentication through a dedicated identity provider, audit logging, and least-privilege access for staff. Measures are reviewed periodically and detailed further in our Information Security Policy.

4.10 Personal data breaches

We maintain procedures to detect, investigate and respond to personal data breaches. Where Evolution Risk Assurance is a processor, we notify the affected customer controller without undue delay. Where we are the controller, we notify the ICO within 72 hours where the breach is reportable, and affected individuals where required.

4.11 Contact and complaints

Data Protection Officer / privacy contactKevin Boffy — kevin.boffy@evolutionriskassurance.com
Registered address71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Company registrationRegistered in England & Wales, company number 10539713

If you are not satisfied with our response you may contact the ICO.

5. Roles and responsibilities

RoleResponsibility
Data Protection OfficerOwns this policy, oversees compliance, handles rights requests and breach notifications where Evolution Risk Assurance is controller.
Engineering / Platform teamImplements and maintains security, retention and access controls in the Services.
Customer Success / Account managementMaintains DPAs and the sub-processor list, and routes processor-role requests to customers.
All staff and contractorsHandle personal data only as authorised and report suspected breaches promptly.

6. Compliance and enforcement

Compliance is reviewed at least annually and whenever the Services, sub-processors or applicable law change materially. Breaches of this policy by staff are handled under Evolution Risk Assurance’s disciplinary process. Exceptions require written approval from the Data Protection Officer.

8. Revision history

VersionDateAuthorSummary of change
1.01 July 2026Kevin BoffyInitial version covering EROMS platform and Nexus.