EVOKE SECURITY
Privacy Notice
Last Updated: May 17, 2026
This Privacy Notice describes how Evoke Security, Inc. (“Evoke,” “we,” “our,” or “us”) collects and processes personal information when you interact with Evoke, including when you visit the Evoke website at www.evokesecurity.com (the “Site”), access or use our platform, use our software and any of our services (collectively “Services”), or otherwise communicate with us.
Evoke provides an AI agent security platform that helps organizations inventory, govern, and monitor AI agents operating across their environments. Our Services include endpoint sensors, browser extensions, production integrations, and SDKs that monitor and secure AI agent activity.
This Privacy Notice does not apply to data that our customers submit to the Services under their customer accounts (“Customer Data”). If applicable, please refer to the privacy notices made available by our customer for more information regarding how such customers may use our Services to process your personal information. We process Customer Data pursuant to our customer agreements and applicable data processing addenda.
This Privacy Notice is incorporated into and forms part of the Evoke Terms of Service, currently located at https://www.evokesecurity.com/terms-of-service (the “Evoke Terms”).
PERSONAL DATA WE COLLECT
The personal data we collect depends on which of our Services you access or use and how you interact with Evoke. We may collect the following types of personal data:
Account Information: We collect information you provide to create an account for our Services, such as your first and last name, email address, telephone number, professional title, company name, and other biographical information.
Payment and Transaction Information: We collect information such as billing address, method of payment (for example, bank, credit, or debit details), and other transactional information regarding your purchases of our Services.
Contact and Communication Information: If you contact us, including in connection with customer support requests, requests for product demonstrations, job applications, purchase inquiries, or otherwise, we collect the information you provide to enable us to contact you (such as name, job title, email address, physical address, phone number, or other similar contact information). We also collect records of emails, chats, and other communications with us and may record sales calls that we participate in.
Usage and Performance Information: When you use our Services (including visiting our website), we automatically collect information related to your use of the Services and their performance, including analytics, logs, and session information regarding how you interact with the Services (which may include information such as the resources that you access, pages viewed, time spent on a page, and how you reached our website), and other similar usage activity.
Device Information: We also collect information automatically when you use our Services (including visiting our website) regarding the device you use to access the Services, such as operating system and version, IP address, machine data, telemetry data, operating environment, and hardware profiles.
Other Information You Provide to Us: We collect any information you may submit or otherwise provide to Evoke, such as feedback regarding our Services (whether in written, oral, or electronic form), your responses to forms on our website, your responses to surveys that we have sent to you, or other information you provide when you interact with us, such as contacting us on social media, interacting with us at an event or tradeshow, participating in our online forums, or registering for and attending demos, training sessions, or other events we offer.
Other Information Provided to Us by Third Parties: In addition to the above, we may also collect other information about you from certain of our partners that perform services on our behalf (such as payment processing services, sales generation and enrichment services, community monitoring and engagement services, or recruitment services), from your employer or other individual or organization (such as in the case where your employer or other individual or organization invites you to create an account and use our Services), or from other third parties (such as the sponsor of an event or tradeshow you attend).
Endpoint Sensor Data: When a customer deploys the Evoke endpoint sensor on workstations (macOS, Windows, or Linux), the sensor monitors local AI agent activity. The sensor may collect: (a) AI agent process metadata, including agent names, versions, and execution state; (b) prompts submitted to language models and model responses; (c) MCP (Model Context Protocol) server connections, configurations, and registered tools; (d) skills and plugins installed on or available to local AI agents; (e) tool call metadata, including tool names, invocation timestamps, and parameters; (f) file paths and data source references accessed by agents; (g) agent configuration files and permission settings; and (h) system identifiers, such as machine hostname, operating system version, and logged-in username.
What the endpoint sensor does not collect: The Evoke endpoint sensor does not capture keystrokes, record screen activity, or intercept email or chat message content. The sensor is designed solely to observe AI agent configurations, behavior, and metadata.
Browser Extension Data: When a customer deploys the Evoke browser extension (currently available for Chrome), the extension monitors browser based AI agent interactions. The extension may collect: (a) AI agent and chatbot session metadata from supported SaaS platforms (such as ChatGPT, Agentforce, and similar services); (b) prompts submitted to language models and model responses; (c) URLs associated with AI agent tool invocations; (d) browser extension inventories related to AI functionality; and (e) agent session identifiers and timestamps.
What the browser extension does not collect: The browser extension does not monitor general web browsing, collect passwords, or access browser data unrelated to AI agent activity.
Production Integration Data (SDK and Proxy API): When a customer integrates our SDK or routes agent inference traffic through the Evoke proxy API, the Platform may process: (a) agent trace data, including prompts submitted to language models and model responses; (b) tool call arguments and return values within agent execution flows; (c) model identifiers, versions, and inference provider metadata (such as AWS Bedrock, Google Cloud, or direct model API calls); (d) token counts, latency metrics, and other performance telemetry; (e) agent identifiers, session identifiers, and user identifiers associated with agent sessions; and (f) policy evaluation results and detection findings.
Prompt and response data: Agent trace data processed through the SDK or proxy API may incidentally contain personal information or sensitive business data that end users include in their prompts or that language models return in their responses. Evoke processes this data solely for security analysis purposes (such as detecting prompt injection, data exfiltration, or unauthorized tool usage) and does not use prompt or response content for any purpose other than delivering the security services contracted by the customer. Customers should ensure their end users are informed that agent activity may be monitored for security purposes.
SaaS Connector Data: The Platform integrates with third party SaaS platforms (such as GitHub) to inventory AI agents and track agent integrations. From these connectors, the Platform may collect: (a) AI agent and automation configurations within the third party platform; (b) integration and API connection metadata; (c) agent permission scopes and access levels; and (d) activity logs related to agent operations within the third party platform.
Detection and Analysis Processing: The Evoke Platform analyzes the data described above using multiple detection methods to identify and respond to security threats. These methods include: (a) signature based detection, where known malicious patterns (such as recognized prompt injection techniques or malicious MCP servers) are matched against a maintained threat intelligence database; (b) heuristic based detection, where behavioral rules identify anomalous or risky agent actions, such as agents accessing data sources outside their expected scope or invoking tools that exceed their defined permissions; and (c) LLM based detection, where large language models analyze agent activity for sophisticated threats such as indirect prompt injection attacks embedded in tool call outputs.
When LLM based detection is used, relevant portions of agent trace data may be processed by the language model. Evoke’s use of LLMs for detection is governed by data processing agreements that prohibit the use of customer data for model training by third party LLM providers. The Platform may also take automated actions based on detection results, including blocking specific tool calls, quarantining suspicious agent sessions, or alerting security teams. Customers configure the scope and thresholds for automated responses through customizable security policies within the Platform. All automated blocking actions are logged and auditable.
Incidental Personal Information in Security Telemetry: Agent telemetry and trace data may incidentally contain personal information, such as names, email addresses, or other identifiers that appear in agent prompts, tool call arguments, or model responses. Evoke does not intentionally collect personal information through security telemetry and processes all such data solely for the purpose of delivering security services. Evoke applies data minimization practices and, where feasible, collects metadata and structural information rather than full content. Our customers (not Evoke) are the controllers of this data and are responsible for providing privacy disclosures to their own employees and end users regarding the deployment of Evoke in their environment.
HOW WE USE YOUR PERSONAL DATA
We use the personal data we collect primarily to develop, operate, deliver, and improve our Services. We also may use the personal data we collect for the following purposes:
Personalization: To personalize our Services, such as customizing your experience or making recommendations for features or functionality you may wish to use.
Communication: To send you technical notices, updates, security alerts, and other administrative messages, and to respond to your requests, comments, or questions.
Support and Development: To monitor and analyze trends, performance, usage, and other activities in connection with, and to otherwise support, maintain, and improve our Services and to develop new products and services.
Administer our Business: To process transactions, fulfill orders, and send related information, including confirmations, receipts, and invoices, and to otherwise administer and operate our business.
Security and Legal Compliance: To detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities, to verify your identity, to help secure our Services, to comply with legal obligations, and to protect the rights and property of Evoke and others.
Research and Improvement: To conduct research and analysis to improve our detection capabilities, threat modeling, and security offerings, including the training and improvement of our machine learning models and detection engines, using aggregated or de‐identified data where possible.
Marketing: To market and promote our Services, which may include sending you emails or direct mail with information about products, services, offers, promotions, news, or events offered by Evoke or others we think will be of interest to you.
Other Purposes with Your Consent: For any other purpose that we communicate to you and to which you consent.
DISCLOSURE OF YOUR PERSONAL DATA
We do not disclose or share your personal data outside of Evoke, except as follows:
With Service Providers: We may engage third party service providers to help deliver Services on our behalf (or enhance specific features within our offerings), or to perform certain tasks, at our direction. We may share your personal data with such service providers to perform such services and tasks on our behalf. This includes, for example, data processors, cloud hosting providers, payment processors, analytics providers, customer support tools, and, where applicable, LLM inference providers used in our detection engine. All sub‐processors are bound by data processing agreements that restrict their use of personal information to the services they perform on our behalf.
With Related Entities: We may share some or all of your personal data with such related entities.
Business Transfers: We may share your personal data in connection with, or during negotiations of, any merger, sale of assets, financing, or acquisition of all or a portion of our business.
Protection and Enforcement Purposes: We may disclose any information about you as we deem necessary in our sole discretion to: (i) enforce this Privacy Notice or the Evoke Terms, (ii) respond to claims of a violation of the rights of third parties, (iii) protect our rights, property, or safety and the rights, property, and safety of the Services, our users, or others, or (iv) prevent or stop any activity we may consider to be, or to pose a risk of being, illegal, unethical, inappropriate, or legally actionable information, if permitted and practicable.
As Required by Law: We may disclose any information about you to government or law enforcement officials or private parties that we, in our sole discretion, believe necessary or appropriate to comply with a legal requirement or process, including, but not limited to, civil and criminal subpoenas, court orders, or other compulsory disclosures. However, Evoke will endeavor only to disclose such information requested via a valid legal process, and will use reasonable efforts to notify any individual about whom we have disclosed information.
Otherwise with Your Consent: We may otherwise disclose any information about you with your consent or at your direction.
We may also share aggregated or de‐identified information, which cannot reasonably be used to identify you, with others.
YOUR CHOICES
Account Information: At any time, you may access and change any of your personal data in your account by editing your profile within the account management portion of our website or by sending an email to us at support@evokesecurity.com. You may also request deletion of your account information by email at support@evokesecurity.com, but please note that we may be required (by law or otherwise) to keep this information and not delete it (or to keep this information for a certain time, in which case we will comply with your deletion request only after we have fulfilled such requirements). When we delete account information, it will be deleted from the active database, but may remain in our archives.
Cookies: We use cookies and other similar technologies on our website for a number of purposes, including enhancing website navigation, analyzing website usage, improving our users’ experience, enhancing the security of our services, and assisting in our marketing efforts. You can manage cookies through your browser settings. The “Help” feature on most browsers and devices will tell you how to remove cookies from your device, how to prevent your browser or device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
Promotional Emails: You may opt out of receiving promotional emails from us by following the instructions in such marketing emails. If you opt out, we may still send you non‐promotional emails, such as those about your account or your purchases.
YOUR RIGHTS
Subject to certain limitations and exceptions allowed by law, Evoke honors the exercise of the following rights for individuals regardless of their location:
Access: You have the right to request access to the personal data we process about you along with information about how we process your personal data and the categories of personal data we process.
Correction: You have the right to request that we correct inaccurate or incomplete personal data we process about you.
Deletion: You have the right to request that we delete personal data about you.
Depending on where you reside, you may have other rights available to you in addition to those described above. For more information, please review the Location Specific Notices section below.
Individuals who wish to submit a privacy related request can do so either on their own or through a third party, such as an authorized agent. Prior to taking action on any privacy related request, Evoke takes steps designed to verify the identity of the person making the request in order to limit fraudulent activity. Failure to provide us with the information requested may result in our denial of the request. We respond to all legitimate requests within legally mandated timeframes or, to the extent the above rights are not legally mandated where you reside, we will use reasonable efforts to respond within 45 days. To exercise any of the rights above or the additional rights described in the Location Specific Notices section below, please contact us using any of the methods described in the Contact Information section below.
GENERAL
Changes to This Privacy Notice
If we make changes to this Privacy Notice, these changes will be posted on our website in a timely manner. We reserve the right to modify this Privacy Notice at any time, so please review it frequently. You can determine when this Privacy Notice was last revised by referring to the “Last Updated” legend at the top of this page. Any changes to this Privacy Notice will become effective upon our posting of the revised Privacy Notice on our website.
Security of Your Data
Evoke uses a variety of technical, organizational, and administrative measures designed to protect the personal data that we collect about you against unauthorized access, use, and disclosure. As a security company, we take these measures seriously and employ industry standard practices to safeguard your information. However, no method of transmission over the internet or method of electronic storage is completely secure, so we cannot guarantee absolute security.
Data Retention
We store the personal data we collect about you for as long as is necessary for the purpose for which such information was collected or for other legitimate business purposes, including for the purposes of satisfying any legal, accounting, or reporting obligations or to resolve disputes.
Retention periods for Customer Data are defined in our customer agreements and vary based on the customer’s configuration and subscription tier. Upon termination of a customer agreement, Customer Data is deleted within the timeframe specified in the applicable agreement, typically within 90 days, unless a longer retention period is required by law. Aggregated, de‐identified threat intelligence derived from security events (such as new attack signatures or malicious tool patterns) may be retained indefinitely to improve our detection capabilities for all customers; this data does not contain personal information or information attributable to any individual customer.
Location of Processing
We are headquartered in, and collect, use, and otherwise process personal data we collect or otherwise receive about you primarily in, the United States, but certain of our employees and service providers reside or operate in other jurisdictions, and your personal data may be stored in or accessed from multiple countries. Whenever we transfer personal information to other jurisdictions, we will ensure that the information is transferred in accordance with this Privacy Notice and as permitted by applicable data protection laws.
Analytics Services Provided by Others
We engage others to provide analytics services via our Services. These entities use cookies, web beacons, device identifiers, and other technologies to collect information about your use of our Services and other websites and online services, including your IP address, web browser, pages viewed, time spent on pages or in apps, links clicked, and conversion information. For example, we may use Google Analytics. See Google’s privacy policy for more information about how Google collects and uses data about you when you use our Services.
Children’s Privacy
We do not permit anyone under the age of 18 to register for our Services, nor do we knowingly collect or solicit personal data from anyone under the age of 18. If you are under 18, please do not attempt to register for the Services or send any personal data about yourself to us. If we learn that we have collected personal data from a child under the age of 18, we will make commercially reasonable efforts to delete such information from our database. If you believe that a child under 18 may have provided us with personal data, please contact us at support@evokesecurity.com.
LOCATION SPECIFIC NOTICES
The following sections provide additional notices and describe additional rights that may apply to you based upon where you reside.
European Economic Area, Switzerland, and United Kingdom
Evoke’s Role: Evoke acts as a controller of the personal data we collect and use in providing Services to our customers. When we process Customer Data on behalf of our customers, we act as a processor.
Legal Bases for Processing Personal Data: We may process your personal data on the following legal bases:
Contract: We use information about you to fulfill our contractual obligations to you or to an organization (such as your employer), such as to provide our Services, provide customer service, or fulfill other transactions like processing payments.
Legitimate Interest: We also use information about you when we have a legitimate interest in doing so, such as to help secure and improve our products and services, to detect and prevent fraud, or to conduct research and analysis to improve our threat detection capabilities.
Legal Obligation: We may be required to use information about you to comply with our legal obligations, such as to communicate legally required notices.
Consent: We may ask for consent to use information about you for specific purposes. If we do, know that you can withdraw your consent at any time. Even if we are not relying on consent to use information about you, we may still provide you with choices or ask your permission before conducting a specific processing activity.
International Transfers: When we transfer personal data outside the EEA, Switzerland, or the United Kingdom, we ensure appropriate safeguards are in place in accordance with applicable data protection laws. These safeguards may include the use of Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms.
Additional Rights: In addition to the access, correction, and deletion rights described above in the Your Rights section, you have the following rights, subject to certain limitations and exceptions allowed by law:
Restriction: You have the right to request that we restrict processing of your personal data, such as by limiting it to storage without further processing.
Data Portability: For personal data you provided to us, you have the right to request that we provide that data in a structured, commonly used, and machine readable format, and you have the right to transmit that data to another controller.
Objections: You have the right to object to our processing, such as if you object to our processing based on legitimate interests or our direct marketing.
Revocation of Consent: When our processing is based on your consent, you have the right to revoke that consent.
Complaints: You may also have further rights to lodge complaints with your local data protection authority if you have concerns about the manner in which we handle your personal data.
United States
This section provides additional disclosures for and details about rights afforded to residents of certain US states, including, without limitation, California consumers under the California Consumer Privacy Act (“CCPA”) as well as the California Privacy Rights Act (“CPRA”).
Categories of Personal Information We Collect: The personal information we have collected in the last 12 months falls into the following categories established by the CPRA:
identifiers (such as name, contact information, and device identifiers);
personal information as described in subdivision (e) of Section 1798.80 of the California Civil Code (such as a credit card number or other payment information);
commercial information (such as Services purchased);
internet or other network activity information (such as data about how and when you use our Services);
information used to prevent and detect fraud or other unauthorized activity, including informing customers if such activity were to affect them;
geolocation data;
professional or employment related information (such as from business contacts of our enterprise customers);
inference data (such as information about your preferences);
other information that does not fall into any category of data described under the CCPA (such as content you upload or submit that may contain personal information).
Categories of Sources from Which We Collect Personal Information: The above information has been collected from the following sources:
information you provide directly to us;
information we collect automatically as you use certain of our products and services; and
information we receive from other parties.
Purposes for Collection: We collect personal information for the business and commercial purposes described in the How We Use Your Personal Data section above.
Categories of Third Parties Who May Receive Your Personal Information: We may disclose this information to the categories of third parties described in the Disclosure of Your Personal Data section above.
Sales or Sharing; Targeted Advertising: Evoke does not sell your personal information. Certain data collection and processing on our website and other Services for purposes of interest based advertising and social media tools may be deemed by applicable state laws, including the CCPA, a “sale” or “sharing” of personal information. To submit a request to opt out of targeted advertising, or the sale or sharing of your personal information, you may use the cookie preferences functionality of our website, which can be accessed via the “Your Privacy Choices” link in the footer of the website, or you may email us at support@evokesecurity.com. Please note that if you use the cookie preferences functionality of our website to opt out, your opt out choice is specific to the digital property and to the device and browser you are using.
De‐identified Data: Evoke may use de‐identified data in some instances. Evoke either maintains such data without attempting to re‐identify it or treats such data as personal data subject to applicable law.
Non‐Discrimination: Evoke will not discriminate against any consumer for exercising their rights.
Profiling: Evoke does not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Automated Decision Making: As described in the Personal Data We Collect section, our Platform uses automated detection and response capabilities as part of our security services. These automated decisions relate to AI agent security events (such as blocking a suspicious tool call) and do not produce legal or similarly significant effects concerning individual consumers. Evoke does not use automated decision-making technology to make decisions about consumers regarding access to services, pricing, or similarly significant matters.
Additional Rights: In addition to the access, correction, and deletion rights described above in the Your Rights section, you may have the following additional rights depending on the state in which you reside and subject to certain limitations and exceptions allowed by law:
Access in a Portable Format: When exercising your right to access your personal information, you further have the right to receive such personal information in a portable format.
Opt Out of Sales/Sharing or Targeted Advertising: The right to opt out of the sale or sharing of personal information or the use of your personal information for targeted advertising, depending on the state in which you reside. Please refer to the Sales or Sharing; Targeted Advertising section above for information regarding how to opt out of such sales or sharing of personal information.
Appeal: The right to appeal any refusal by Evoke to take action on a request to exercise the rights afforded to you under applicable state law. You may exercise your right to appeal by submitting your request to appeal to Evoke via email at support@evokesecurity.com. We will inform you in writing of any action taken or not taken in response to your appeal, along with a written explanation of the reasons for our decisions. If your appeal is denied, you may be entitled to contact the Attorney General in your state to submit a complaint.
CONTACT INFORMATION
We welcome your comments or questions regarding this Privacy Notice. Feel free to email comments or questions to us or contact us to exercise any of your rights as described herein at support@evokesecurity.com or you can write to us at 8 The Green, #8184, Dover, Delaware 19901.
If you believe that any of your rights related to the collection or use of your personal data have been infringed upon, we encourage you to contact us using the provided contact information.