Please note that this updated DPA will apply to your Avalara Service upon any renewal, upgrade, or additional Service purchase made on or after January 1, 2020.
Avalara Data Processing Addendum
Last updated January 20, 2020.
This Data Processing Addendum (“Addendum”) is in addition to, and incorporates by reference, the Avalara Service Terms and Conditions located at http://www.avalara.com/terms (the “Terms”). If a provision of this Addendum conflicts with a provision of the Terms, the provision in this Addendum governs. Capitalized terms used and not otherwise defined in this Addendum have the meanings provided in the Terms.
a. The terms “Personal Data,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” have the meanings given those terms in the GDPR.
b. “Customer Personal Data” means any Personal Data (i) of Data Subjects based in the European Economic Area (as defined in the Agreement on the European Economic Area dated January 1, 1994, “EEA”) or (ii) held by Customer if the Customer is established in the EEA, that is Processed by Avalara or any Subprocessor on behalf of Customer pursuant to the Agreement. For clarification, Aggregated Data or otherwise anonymized data is not Customer Personal Data.
c. “Data Subject Request” means the exercise by Data Subjects of their rights under Chapter III of the GDPR.
d. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
e. “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council or, if the GDPR is no longer applicable, any legislation designed to replace the GDPR and having equivalent effect.
f. “Subprocessor” means any third party (including any Avalara Affiliate) appointed by or on behalf of Avalara to Process Customer Personal Data.
2. PROCESSING OF CUSTOMER PERSONAL DATA
a. Avalara shall implement processes and maintain procedures designed to comply with the GDPR in Processing Customer Personal Data and shall not Process Customer Personal Data other than on Customer’s instructions or as otherwise required by Applicable Law.
b. Customer instructs Avalara, subject to Customer’s compliance with the GDPR, to Process Customer Personal Data as necessary to provide the Services to Customer in a manner consistent with the Agreement and the Documentation. Where Avalara receives an instruction from Customer that, in its reasonable opinion, would violate the GDPR, Avalara shall inform Customer.
c. Section 3 to this Addendum describes the details of the Processing of the Customer Personal Data. Avalara may update Section 3 from time to time as Avalara reasonably considers necessary to reflect the Processing and meet any applicable requirements of the GDPR.
d. Customer shall comply with its obligations under the GDPR with respect to the Processing of Customer Personal Data.
3. DATA PROCESSING DETAIL
a. Data Subjects. Customer may submit Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include Customer Personal Data relating to the following categories of data subjects:
i. Customer’s Authorized Users, employees, contractors, or other Representatives;
ii. Customer’s customers.
b. Categories of Data. Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include the following categories of Customer Personal Data:
i. As to Customer’s Authorized Users, employees, contractors, or other Representatives: contact details of the individual, which may include name, email, user ID, and connection data.
ii. As to Customer’s customers: invoice data, contact details, and identifier (number and/or other information in a free text field, as supplied by Customer).
c. Nature, Subject Matter, and Purpose of Processing. The objective of Processing of Customer Personal Data by Avalara is the performance of the Services pursuant to the Agreement.
d. Duration of Processing. Subject to Section 9 (Return or Deletion of Customer Personal Data After Termination) of this Addendum, Avalara will process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
4. AVALARA PERSONNEL
Avalara shall use commercially reasonable measures to ensure that Avalara personnel who may Process Customer Personal Data (i) comply with Avalara’s technical and organizational security measures, including ensuring that they are subject to appropriate confidentiality obligations; and (ii) Process Customer Personal Data only as instructed by the Customer or as otherwise required by Applicable Law.
a. Avalara shall implement reasonable technical and organizational measures to ensure an appropriate level of security for Customer Personal Data, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Avalara shall take into account the risks of Processing Personal Data, in particular from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.
b. Adherence to an approved certification mechanism will be sufficient to demonstrate Avalara’s (or a Subprocessor’s) compliance with its security obligations under this Addendum.
a. Customer provides general authorization to Avalara to appoint Subprocessors in accordance with this Section 6 and any restrictions in the Agreement. Avalara may continue to use those Subprocessors already engaged at the date of this Addendum, subject to Avalara’s compliance with the obligations set out in subsection (c) below with respect to such Subprocessors.
b. Avalara shall give Customer prior notice of the appointment of any new Subprocessor of Customer Personal Data. If, within 30 days of the date of notice, Customer notifies Avalara in writing of any reasonable objections to the Subprocessor, the Parties will meet to discuss the matter in good faith. Customer will be deemed to have waived any objections if Customer has not objected in writing within 30 days after the date of notice.
c. Avalara shall ensure that each Subprocessor is governed by a written contract that imposes data protection obligations at least as protective as those of this Addendum.
d. Avalara’s Subprocessors may be found here.
7. DATA SUBJECT REQUESTS
a. Taking into account the nature of the Processing, Avalara shall implement processes and maintain procedures to enable Customer to fulfill its obligations under the GDPR to respond to Data Subject Requests.
b. If Avalara receives a request from a Data Subject under the GDPR with respect to Customer Personal Data, then to the extent legally permissible, Avalara will advise the Data Subject to submit his or her request to Customer, and Customer will be responsible for responding to any such request.
8. PERSONAL DATA BREACH
a. Avalara shall notify Customer without undue delay upon Avalara’s confirmation of any Personal Data Breach affecting Customer Personal Data.
b. Avalara shall provide Customer with information regarding such Personal Data Breach as required by the GDPR or as otherwise reasonably requested by Customer to enable Customer to comply with its obligations under the GDPR.
c. Avalara shall use commercially reasonable efforts to: (i) identify the cause of such Personal Data Breach; and (ii) remediate the cause of such Personal Data Breach within Avalara’s systems, to the extent such remediation is within Avalara’s reasonable control.
d. The obligations of this Section 8 will not apply to Personal Data Breaches caused by Customer, its Representatives, or its Authorized Users.
9. RETURN OR DELETION OF CUSTOMER PERSONAL DATA AFTER TERMINATION
a. Customer may request the return or deletion of Customer Personal Data as provided in Section 6(h) (Return, Retention, and Deletion of Data) of the Terms.
b. Avalara and any Subprocessor may retain Customer Personal Data (i) to the extent necessary to comply with Applicable Law (including but not limited to tax audit requirements), (ii) to respond to support requests, and (iii) in backups and historical archives in accordance with Avalara’s data retention policies and standard backup and archival procedures, unless prohibited by the GDPR, provided that all Customer Personal Data will continue to be subject to this Addendum until deleted.
10. AUDIT RIGHTS
a. Upon request, Avalara shall make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum.
b. If Customer reasonably considers that information made available to Customer pursuant to subsection (a) is insufficient to demonstrate compliance with this Addendum, Avalara will allow an audit by Customer (or auditors appointed by Customer) in relation to Avalara’s Processing of the Customer Personal Data. Any such audit will be carried out remotely (unless otherwise agreed by the Parties or expressly required by a Supervisory Authority) and in accordance with Avalara’s reasonable security requirements. Customer shall reimburse Avalara for any time expended by Avalara for the audit at Avalara’s then-current professional services rates. Before the commencement of the audit, Customer and Avalara will mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Avalara of any non-compliance discovered during the audit. All results of the audit shall be subject to the confidentiality obligations of the parties under the Terms and the GDPR.
11. DATA TRANSFERS
If Avalara transfers Customer Personal Data outside of the EEA, Avalara makes that transfer pursuant to the terms of the Avalara Data Transfer Addendum located at https://www.avalara.com/DTA, which is incorporated in this Addendum by reference.
12. GENERAL PROVISIONS
Except as amended by this Addendum, the Terms remain in full force and effect (including, for the avoidance of doubt, the limits on liability included in the Terms). This Addendum shall automatically expire on the termination or expiration of the Agreement, except with respect to any Customer Personal Data retained by Avalara after such termination or expiration.