Evidence.com Privacy Level Statement
Last Updated: September 12, 2018
This Privacy Level Statement ("PLS") governs the use of the Evidence.com™ Service Offerings (collectively, "Service Offerings") under the terms of the Evidence.com Master Service Purchasing Agreement ("MSPA") between Axon Enterprise, Inc. (hereinafter referred to as Cloud Service Provider, CSP, Data Processor, Axon, us or we) and users of Service Offerings (hereinafter referred to as Customer, Data Controller, or you). This PLS applies separately to each agency account using the Service Offerings. Unless otherwise provided in this PLS, this PLS is subject to the terms of the MSPA and capitalized terms have the meaning specified in the MSPA. In the event of a conflict between the terms of any agreement(s) between you and Axon and this PLS, the terms of those agreement(s) will control.
Axon complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Axon has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
By using the Service Offerings, you acknowledge that you have read and understand this PLS and you agree to be bound by its terms and conditions. We may occasionally update this PLS. When we post changes, we will revise the "last updated" date at the top of this page.
- Cloud Service Provider (CSP): Axon Enterprise, Inc., 17800 N 85th Street, Scottsdale, Arizona 85255,
- Content means software, data, text, audio, video, images or other content Customer or any of Customer’s end users (a) run
on the Evidence.com Services, (b) cause to interface with the Evidence.com Services, or (c) upload to the Evidence.com
Services under Customer’s account or otherwise transfer, process, use or store in connection with Customer’s account.
- CSP EU Representative: Axon Enterprise, B.V., WTC Tower C 17th Floor, Strawinskylaan 1755, 1077 XX,
Amsterdam, the Netherlands.
- Data Controller means the natural or legal person, public authority, or any other body which alone or jointly with others
determines the purposes and means of the processing of personal data.
- Data Processor means a natural or legal person, public authority or any other body which processes personal data on behalf
of the controller.
- Data Exporter means the data controller who transfers the personal data.
- Data Importer means the data processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with the MSPA and who is not subject to a third country’s system ensuring
adequate protection within the meaning of Article 25(1) of Directive 95/46/EC.
- Evidence.com Service means Axon’s web services for Evidence.com, the Evidence.com site, EVIDENCE Sync software,
EVIDENCE Mobile App, Axon® Mobile App, other software, maintenance, storage, and product or service provided by
Axon under the MSPA for use with Evidence.com. This does not include any Third-Party Applications, hardware
warranties, or the my.evidence.com services.
- Products means all Axon equipment, software, cloud based services, Documentation and software maintenance releases
and updates provided by Axon under the MSPA.
- Services means the professional services provided by us pursuant to this Agreement.
- Sub-processor means any processor engaged by the data importer or by any other sub-processor of the data importer who
agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively
intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its
instructions, the terms of the Clauses and the terms of the written subcontract.
CSP is a Data Processor—Customers control and own all right, title, and interest in and to its Content and CSP obtains no rights to the Consumer’s Content. Customer is solely responsible for the uploading, sharing, withdrawal, management and deletion of Customer Content. Customer consent to CSP’s limited access to Customer’s Content solely for the purpose of providing and supporting the Evidence.com Services to the Customer and Customer’s end-users. Customer represents Customer owns its Content and that none of Customer’s Content or Customer’s end-users’ use of Customer’s Content or the Evidence.com Services will violate this PLS or applicable data protection laws and regulations.
CSP is a processor of Customer Data. CSP may also collect and process Account Data and Support Data. CSP collects and processes data to provide the Evidence.com Service and to support the overall delivery of Axon products and services. CSP may analyze and report anonymized and aggregated data to communicate with external and internal stakeholders.
Customer Data (Customer Content, Agency Content)
Customer Data is information uploaded into, ingested by or created in the Evidence.com Service within a Customer’s account. Content will be used only to provide Customer the Evidence.com Service including purposes compatible with providing those services. CSP will not use Customer Content or derive information from it for any advertising or similar commercial purposes.
The Evidence.com Service is upgraded periodically to provide customers with new features and enhancements. Changes to the Evidence.com Service are communicated to customers one week prior to release via Evidence.com Release Notes. Changes to the service may increase the capabilities of the service and ways in which Customer Content will be utilized.
Account Data is information provided to CSP during sign-up, purchase, or administration of the Evidence.com Services. Account Data includes the name, address, phone number, and email address Customer provides, as well as aggregated usage information related to Customer’s account and administrative data associated with the account. CSP uses Account Data to provide the Evidence.com service, manage Customer accounts, and to communicate with Customers.
CSP may use Account Data to contact Customer to provide information about its account, subscriptions, billing, and updates to the Evidence.com service, including information about new features, security or other technical issues. Customer will not be able to unsubscribe from these non-promotional communications.
Support Data is the information CSP collects when Customer contacts or engages CSP for support. It includes information a Customer submits in a support request or communication to CSP. It may also include information about hardware, software, and other details gathered related to the support incident, such as contact or authentication information, chat session personalization, information about the condition of the machine and the application when the fault occurred and during diagnostics, system and registry data about software installations and hardware configurations, and error-tracking files. In addition to using Support Data to resolve your support incident, CSP uses Support Data to operate, improve and personalize the Products and Services offered.
Support may be provided through phone, email, or online chat. With Customer’s permission, CSP may use Guest Access (“GA") to temporarily navigate Customer’s Evidence.com account to view diagnostic data in order to resolve a support incident. Phone conversations, online chat sessions, or GA sessions with support professionals may be recorded and/or monitored.
Usage and Installation of the Evidence.com Service
Customer access to the Evidence.com Service is through a web interface accessed via standard web browsers. CSP offers local software for desktop and mobile devices to interface with the Evidence.com Service, including the EVIDENCE Sync software, EVIDENCE Mobile App, Axon® Mobile App. These systems are used to capture and transfer data from devices into Evidence.com or may be used to enhance the Evidence.com Services. At Customer’s discretion, the Evidence.com Service and the local software may transmit (i) data, which may include Customer Content, from a device or appliance to or from the online services; or (ii) logs or errors reports to CSP or Sub-processors for troubleshooting purposes. The Evidence.com Service and the local software may also collect Support Data including information about the use and performance of the local software or the Evidence.com Service that may be transmitted to CSP and analyzed to improve the quality, security, and integrity of the Products and Services offered. Customers can opt-out of tracking on Evidence.com by disabling cookies or preventing your browser from accepting new cookies.
SERVER & DATA LOCATION
Evidence.com is offered in numerous geographic regions. Customer determines which regional deployment of Evidence.com it wishes to utilize prior to agency creation in Evidence.com. Customer’s selection determines where its Content will be stored.
|Region Code||Economic Area||3rd Party Infrastructure Sub-processors||Data Center Location(s)|
Microsoft Azure and Amazon Web Services
Sydney, Victoria & New South Wales, Australia
Amazon Web Services
Sao Paulo, Brazil
Microsoft Azure and Amazon Web Services
Toronto, Quebec City and Montreal
Amazon Web Services
Microsoft Azure and Amazon Web Services
London & Durham, England & Cardiff, Wales
Microsoft Azure and Amazon Web Services
Texas & Virginia, United States
United States (Federal Region)
Texas & Virginia, United States
CSP ensures that all Customer Content in Evidence.com remains within the selected economic area, including any backup data, replication sites, and disaster recovery sites. Customer selected regions can be determined through review of an agency's Evidence.com URL. Agency URLs conform to the <youragency>.<regioncode>.evidence.com scheme with the exception of US customers where the scheme may exclude the region code and is <youragency>.evidence.com. US Federal customers conform to the scheme <youragency>.us.evidence.com
Account Data and Support Data
Account and Support data is housed in the United States.
Customer Data will remain within the selected region for all backup, replication and disaster recovery. Customer Data will be transferred outside the designated region only in circumstances required by law, such as a valid subpoena, or court order. Account and Support Data is transferred to and retained in the United States.
CSP may transfer data with its subsidiaries and Sub-processors including service providers and other partners to support the overall delivery of Axon products and services as described in “Data Processing” section of this PLS.
CSP uses commercially reasonable practices in conjunction with contractual obligations to ensure its Sub-processors are compliant with all applicable data protection laws and regulations surrounding the Sub-processors access and scope of work in connection with Customer’s Content.
Customer consents to the transfer of its Content to CSP's Sub-processors for the purpose of storing Customer’s Content. The Sub-processors responsible for storing Customer Content are contracted by CSP for data storage services. Ownership of Customer Content remains with Customer.
CSP may hire Sub-processors to provide or enhance Services on its behalf. Any such Sub-processors will only be permitted to obtain data from the Evidence.com Service to deliver the retained and will be prohibited from using data for any other purpose.
Prior to onboarding Sub-processors, CSP conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to its access to data and scope of services. CSP performs periodic due diligence of Sub-processors to ensure security and privacy expectations are being met.
Under Privacy Shield's Onward Transfer Principle, CSP remains responsible for personal information that is shared with CSP's Sub-processors.
Customers and users can transfer data from Evidence.com to third parties. Those third parties are solely responsible for that data.
We will not disclose Customer Content or any information about you except as compelled by a court or administrative body or required by any law or regulation. We will give you notice if any disclosure request is received for Customer Content so you may file an objection with the court or administrative body.
Customer's Access and Choice
Customers have access to manage Customer Data.
Account Data and Support Data
Within the scope of our authorization to do so, and in accordance with our commitment under the Privacy Shield, Axon will work with Customers to provide access to personal data about them that CSP or Sub-processors holds. Axon also will take reasonable steps to enable Customers to correct, amend, or delete personal data that is demonstrated to be inaccurate.
Data Security Measures
CSP is committed to help protect the security of Customer’s Data. CSP will implement commercially reasonable and appropriate measures designed to secure Customer, Account and Support Data against accidental or unlawful loss, access or disclosure. CSP will maintain a comprehensive Information Security Program that includes appropriate technical and organizational measures intended to protect Customer information against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. These measures include logical and physical access management, vulnerability management, configuration management, incident monitoring and response, encryption of digital evidence uploaded, security education, risk management, and data protection.
CSP has established and implemented policies, programs, and procedures that are commercially reasonable and in compliance with applicable industry practices, including administrative, technical and physical safeguards to protect the confidentiality, integrity and security of Customer Data against unauthorized access, use, modification, disclosure or other misuse.
CSP will take appropriate steps to ensure compliance with the data security measures by its employees, contractors and Sub-processors, to the extent applicable to the respective scope of performance.
Customer, Account and Support data is encrypted in transit. Customer data is encrypted at rest in all Evidence.com Service regions.
All Customer, Account and Support Data is protected with strong logical access control mechanisms to ensure only users with appropriate business needs have access to data. Access control mechanisms are periodically validated by contracted specialized security firms. Access control lists are reviewed periodically.
As customer data is ingested into Evidence.com, a Secure Hash Algorithm (“SHA”) checksum is generated on the upload device and again upon ingestion into Evidence.com. If the SHA checksum does not match, the upload will be reinitiated. Once upload of data is successful, the SHA checksum is retained by Evidence.com and is made viewable by users with access to the evidence audit trail for the specific piece of evidence. Tamper-proof audit trails are created automatically by Evidence.com upon ingestion of any evidence data.
CSP takes a comprehensive approach to ensure the availability of the Evidence.com service. CSP replicates Customer Data over multiple systems to help to protect against accidental destruction or loss. Evidence.com systems are designed to minimize single points of failure. CSP has designed and regularly plans and tests its business continuity planning and disaster recovery programs.
CSP logically isolates each Customer’s Data. Data for an authenticated customer will not be displayed to another customer (unless Customers explicitly create a sharing relationship between their accounts or shared data between themselves). Centralized authentication systems are used across an Evidence.com Service region to increase uniform data security.
Additional role based access control is leveraged within Customer’s Evidence.com account to define what users can interact with or access Customer Data. Customer solely manages the role based access control mechanisms within its Evidence.com account.
Within the Evidence.com supporting infrastructure, access is granted based on the principle of least privilege. All access must be approved by system owners and undergo at least quarterly user access reviews. Any shared computing or networking resource will undergo extensive hardening and is validated periodically to ensure appropriate isolation of Customer’s Data.
Account and Support Data is logically isolated within information systems such that only appropriate CSP personnel have access.
CSP personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, acceptable usage, and professional standards. CSP personnel must complete security training upon hire in addition to annual and role-specific security training.
CSP personnel undergo an extensive background check process to the extent legally permissible and in accordance with applicable local labor laws and statutory regulations. CSP personnel supporting the Evidence.com Service are subject to additional role-specific security clearances or adjudication processes, including Criminal Justice Information Services background screening and national security clearances and vetting.
Any confirmed security incident that affects the protection of the security, availability, integrity, confidentiality, or privacy of Customer Data, Account Data or Support Data or a breach of the data security measures will prompt a notification to relevant authorities and affected customers as applicable.
Notification will be made within three business days to customer Evidence.com administrators. Authorities will be notified through CSP’s established channels.
Data Portability, Migration, and Transfer Back Assistance
Content uploaded to the Evidence.com Service is retained in original format. Content may be retrieved and downloaded by Customer from the Evidence.com Service to move data to an alternative information system. Content audit trails and system reports may also be downloaded in various industry-standard, non-proprietary formats.
CSP will not delete any Customer Content as a result of a termination during the 90 days following termination. During this 90-day period Customer may retrieve its Content only if Customer has paid all amounts due (there will be no application functionality of the Evidence.com Services during this 90-day period other than the ability for Customer to retrieve its Content). Customer will not incur any additional fees if Content is downloaded from the Evidence.com Services during this 90-day period. CSP has no obligation to maintain or provide any Customer Content after the 90-day period and will thereafter, unless legally prohibited, delete all Content stored in the Evidence.com Services. Upon written request, CSP will provide written proof that all of Customer Content has been successfully deleted and removed from the Evidence.com Services.
CSP will provide Customer with the same post-termination data retrieval assistance that is generally made available to all customers. Requests for additional assistance to Customer in downloading or transferring Content will result in additional fees and CSP cannot warrant or guarantee data integrity or readability in the external systems.
Data Retention, Restitution, and Deletion
CSP maintains internal disaster recovery and data retention policies in accordance with applicable laws and regulations. The disaster recovery plan relates to CSP’s data and extends to Evidence.com and Customer Data stored within. CSP’s data retention policies relate to CSP’s data, Account Data and Support Data. CSP’s data retention policies instruct for the secure disposal of Account Data and Support Data when such data is no longer necessary for the delivery and support of Axon product and services and in accordance with applicable regulations. As outlined below, the customer is responsible for adhering to its own retention policies and procedures.
Customer Data retention periods are defined by Customer within its internal retention policies and procedures. Customers have the ability to establish its retention policies within the Evidence.com Service. Therefore, Customer's control the retention and deletion of its Content within the Evidence.com Service. The Evidence.com system can automate weekly messages summarizing upcoming agency-wide deletions to all customer Evidence.com Administrators. All Customer users will receive a weekly message regarding evidence uploaded within their user account to protect against accidental deletions. Files can be recovered by Customers up to 7 days after being queued for deletion. After the 7 day grace period, deletion of Customer Data is initiated by the Evidence.com Service. Data deletion processing may occur asynchronously across storage systems and data centers. During data deletion processing, Customer Data will not be recovered by any party.
As outlined herein, CSP is committed to maintaining compliance with relevant security and privacy standards to ensure the continued security, availability, integrity, confidentiality, and privacy of the Evidence.com Service and Customer Data stored within.
In addition to the security efforts outlined herein, CSP will maintain its ISO/IEC 27001:2013 certification or comparable assurances for the Evidence.com Service. Customers may review the certificate issued in relation to CSP’s ISO 27001 certification on Axon's Website.
CSP will maintain, during the term of the MSPA, a cyber-insurance policy and will furnish certificates of insurance upon request.
How to contact Us
CSP commits to resolve complaints about Customer privacy and use of the Evidence.com system. Complaints surrounding this Privacy Level Statement can be directed to your local Axon representative or firstname.lastname@example.org. If you have any questions or concerns regarding privacy and security of Customer Data or our handling of your personal data under Privacy Shield, please contact email@example.com.
If you are an EU citizen and we are unable to satisfactorily resolve any complaint relating to the Privacy Shield, or if we fail to acknowledge your complaint in a timely fashion, you can contact the relevant EU Data Protection Authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner (FDPIC). In certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles in each of the Privacy Shield Frameworks. CSP is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).