Avalara Data Processing Addendum

Last updated May 1, 2018

This Data Processing Addendum (“Addendum”) is in addition to, and incorporates by reference, the Avalara Services Terms and Conditions located at http://www.avalara.com/terms or https://www.avalara.com/eu-terms, as applicable (the “Terms”).  If a provision of this Addendum conflicts with a provision of the Terms, the provision in this Addendum governs.  Capitalized terms used and not otherwise defined in this Addendum have the meanings provided in the Terms.

1. DEFINITIONS

a. The terms “Personal Data,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” have the meanings given those terms in the GDPR.

b. “Customer Personal Data” means any Personal Data of Data Subjects based in the European Economic Area (as defined in the Agreement on the European Economic Area dated January 1, 1994, “EEA”) that is Processed by Avalara or any Subprocessor on behalf of Customer pursuant to the Agreement.  For clarification, aggregated or otherwise anonymized data is not Customer Personal Data. 

c. “Data Protection Law” means (a) on and after May 25, 2018, the GDPR, and (b) before May 25, 2018, Directive 95/46/EC. For the avoidance of doubt, until May 25, 2018, any provisions of this Addendum relating to the GDPR are deemed to refer to the corresponding provisions (if any) of Directive 95/46/EC.

d. “Data Subject Request” means the exercise by Data Subjects of their rights under Chapter III of the GDPR.

e. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

f. “Directive 95/46/EC” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

g. “GDPR” means the EU General Data Protection Regulation 2016/679 and, to the extent the GDPR is no longer applicable, any implementing legislation or legislation having equivalent effect. 

h. “Subprocessor” means any third party (including any Avalara Affiliate) appointed by or on behalf of Avalara to Process Customer Personal Data.

2. PROCESSING OF CUSTOMER PERSONAL DATA

a. Avalara shall implement processes and maintain procedures designed to comply with the Data Protection Law in Processing Customer Personal Data and shall not Process Customer Personal Data other than on Customer’s instructions or as otherwise required by applicable law.

b. Customer instructs Avalara, subject to Customer’s compliance with the Data Protection Law, to Process Customer Personal Data as necessary to provide the Services to Customer in a manner consistent with the Agreement and the Documentation. Where Avalara receives an instruction from Customer that, in its reasonable opinion, infringes the Data Protection Law, Avalara shall inform Customer.

c. Section 3 of this Addendum describes the details of the Processing of the Customer Personal Data. Avalara may update Section 3 from time to time as Avalara reasonably considers necessary to reflect the Processing and meet any applicable requirements of the Data Protection Law.

d. Customer shall comply with its obligations under the Data Protection Law with respect to the Processing of Customer Personal Data.

3. DATA PROCESSING DETAIL

a. Data Subjects.  Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include Customer Personal Data relating to the following categories of Data Subjects:

i. Customer’s Authorized Users, employees, contractors, agents, or representatives;

ii. Customer’s customers.

b. Categories of Data.  Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include the following categories of Customer Personal Data:

i. As to Customer’s Authorized Users, employees, contractors, agents, or representatives: contact details of the individual, which may include name, email, user ID, and connection data.

ii. As to Customer’s customers: invoice data, contact details, and identifier (number and/or free text field as supplied by Customer).

c. Nature, Subject Matter, and Purpose of Processing.  The objective of Processing of Customer Personal Data by Avalara is the performance of the Services pursuant to the Agreement.

d. Duration of Processing.  Subject to Section 9 (Return or Deletion of Customer Personal Data After Termination) of this Addendum, Avalara will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

4. AVALARA PERSONNEL

Avalara shall use commercially reasonable measures to ensure that Avalara personnel who may Process Customer Personal Data (i) comply with Avalara’s technical and organizational security measures, including ensuring that they are subject to appropriate confidentiality obligations, and (ii) Process Customer Personal Data only as instructed by the Customer or as otherwise required by applicable law.

5. SECURITY

a. Avalara shall implement commercially reasonable technical and organizational measures to ensure an appropriate level of security for Customer Personal Data, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Avalara shall take into account the risks of Processing Personal Data, in particular from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data. 

b. Adherence to an approved certification mechanism will be sufficient to demonstrate Avalara’s (or a Subprocessor’s) compliance with its security obligations under this Addendum. 

6. SUBPROCESSING

a. Customer authorizes Avalara to appoint Subprocessors in accordance with this Section 6 and any restrictions in the Agreement. Avalara may continue to use those Subprocessors already engaged at the date of this Addendum, subject to Avalara’s compliance with the obligations set out in Section 6(c) with respect to such Subprocessors.  

b. Avalara shall give Customer prior notice of the appointment of any new Subprocessor of Customer Personal Data. If, within 30 days of the date of notice, Customer notifies Avalara in writing of any reasonable objections to the Subprocessor, the Parties will meet to discuss in good faith.  Customer will be deemed to have waived any objections 30 days after the date of notice.

c. Avalara shall ensure that each Subprocessor is governed by a written contract that imposes data protection obligations at least as protective as those of this Addendum.

7. DATA SUBJECT REQUESTS

a. Taking into account the nature of the Processing, Avalara shall implement processes and maintain procedures to enable Customer to fulfill its obligations under the Data Protection Law to respond to Data Subject Requests.

b. If Avalara receives a request from a Data Subject under the Data Protection Law with respect to Customer Personal Data, then to the extent legally permissible, Avalara will advise the Data Subject to submit his or her request to Customer, and Customer will be responsible for responding to any such request.

8. PERSONAL DATA BREACH

a. Avalara shall notify Customer without undue delay upon Avalara’s confirmation of any Personal Data Breach affecting Customer Personal Data.

b. Avalara shall provide Customer with information regarding such Personal Data Breach as required by the Data Protection Law.

c. Avalara shall use commercially reasonable efforts to: (i) identify the cause of such Personal Data Breach; and (ii) remediate the cause of such Personal Data Breach within Avalara’s systems, to the extent such remediation is within Avalara’s reasonable control.

d. The obligations of this Section 8 will not apply to Personal Data Breaches caused by Customer or its personnel.

9. RETURN OR DELETION OF CUSTOMER PERSONAL DATA AFTER TERMINATION

a. Customer may request the return or deletion of Customer Personal Data as provided in Section 7(h) (Return and Retention of Data) of the Terms.

b. Avalara and any Subprocessor may retain Customer Personal Data (i) to the extent necessary to comply with applicable law (including but not limited to tax audit requirements), (ii) to respond to support requests, and (iii) in backups and historical archives in accordance with Avalara’s standard backup and archival procedures (unless prohibited by the Data Protection Law and provided that all Customer Personal Data will continue to be subject to this Addendum until deleted).

10. AUDIT RIGHTS

a. Upon request, Avalara shall make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum.

b. If Customer reasonably considers that information made available to Customer pursuant to Section 10(a) is insufficient to demonstrate compliance with this Addendum, Avalara will allow an audit by Customer (or auditors appointed by Customer) in relation to Avalara’s Processing of the Customer Personal Data.

c. Any such audit will be carried out remotely (unless otherwise agreed by the Parties or expressly required by a Supervisory Authority) and in accordance with Avalara’s reasonable security requirements. Customer shall reimburse Avalara for any time expended by Avalara for the audit at Avalara’s then-current professional services rates. Before the commencement of the audit, Customer and Avalara will mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Avalara of any non-compliance discovered during the audit. All results of the audit shall be subject to the confidentiality obligations of the parties under the Terms and the Data Protection Law.

11. DATA TRANSFERS

Where Avalara transfers Personal Data outside of the EEA, Avalara makes that transfer pursuant to a separate agreement between Avalara and Customer that complies with applicable law.

12. GENERAL PROVISIONS

Except as amended by this Addendum, the Terms remain in full force and effect (including, for the avoidance of doubt, the financial limits on liability included in the Terms). This Addendum shall automatically expire on the termination or expiration of the Agreement, except with respect to any Customer Personal Data retained by Avalara after such termination or expiration.