Frequently Asked Questions

Introduction

Avalara has prepared these Frequently Asked Questions (“FAQs”) to assist customers in understanding their obligations and Avalara’s obligations under privacy laws and regulations.

The FAQs do not, and is not intended to, constitute legal advice. All information, content, and materials available below are for general informational purposes only and do not form part of the agreement.

Why does Avalara make available a data processing agreement?

As part of Avalara main terms, Avalara offers a Services Data Processing Agreement (“DPA”) which provides helpful contractual terms for the processing of personal data. Avalara has customers around the globe and the DPA incorporates the core privacy principles that inform many international data protection laws.

What is Avalara’s role?

In relation to the provision of the services, Avalara acts as a data processor for the personal data that our customers submit. Therefore, Avalara processes personal data on behalf of and according to our customers’ instructions who are the data controllers.

How does Avalara perform onward data transfers?

In order to provide its service, Avalara may use subprocessors (both Avalara affiliates and third parties) located outside the European Economic Area ("EEA"), the United Kingdom, and Switzerland.

Avalara uses the following data transfer mechanisms to transfer personal data outside of the EEA, the United Kingdom, and Switzerland:

1) Adequacy Status

The EEA recognizes certain countries around the world as offering an adequate level of protection for personal data. That means when Avalara transfers personal data to such countries, no further measures are required.

2) Standard Contractual Clauses

The European Commission’s Standard Contractual Clauses (as updated by the Commission Implementing Decision EU 2021/914 of 4 June 2021) (“SCCs”) are model contract clauses developed by the European Commission to legitimize transfers of personal data from the European Economic Area to processors located in other countries.

The UK has indicated that Standard Contractual Clauses can also be used as a safeguard to legitimatize transfers of personal data from the UK to processors located in other countries and our DPA is updated with the addendum to the SCCs which came into force on 21 March 2022.

Avalara also relies on the SCCs, for the purpose of intra-group transfer of personal data. Avalara Europe Ltd. transfers personal data to Avalara Inc. as data importer and subprocessor under the Avalara’s internal Data Transfer Agreement (which includes the SCCs).  As the customers are the data controllers and Avalara Europe Ltd. is the data exporter, customers are not transferring personal data outside the EEA; only Avalara Europe Ltd. does so as a data processor and data exporter pursuant to the Data Transfer Agreement.

How to execute this DPA

This DPA has been pre-signed on behalf of Avalara, Inc. (“Avalara, Inc. Services Data Processing Agreement”)

and Avalara Europe Ltd. (“Avalara Europe Ltd. Services Data Processing Agreement”)

For the Avalara, Inc. Services Data Processing Agreement: please insert relevant details under page 3, fill in details under Exhibit 1 Annex 1 List of Parties and sign.

For the Avalara Europe Ltd. Services Data Processing Agreement: please insert relevant details under page 2 and sign.

For the avoidance of doubt, signature of the Avalara Inc. DPA on page 3 shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses, including Schedule 2.