Data Processing Addendum

Last updated: October 11, 2023

Introduction

It is possible that by using the Services, Licensee processes personal data and that therefore, Avisi Apps B.V. (“Avisi”) processes that personal data on behalf of Licensee. In that case, this Data Processing Addendum applies, complementary to the License Agreement, End User License Agreement and Privacy Policy. The applicability of any Data Processing Agreement or Addendum preceding this Data Processing Addendum, either issued by Licensee or Avisi is strictly rejected.

Preamble

Avisi provides Services for Licensee, as described in the License Agreement, of which this Data Processing Addendum is an integral part. Providing these Services entails the processing of personal data. Licensee is the Controller for these personal data. Avisi shall be considered the Processor. The Parties wish to use this Data Processing Addendum to record the arrangements concerning the processing of personal data within the context of the aforementioned Services.

Definitions of Data Types

The use of the Services may involve several types of data that may contain personal data. The following data types are distinguished:

• Content Data - Any data that Licensee or its End Users enter into the Services that is not any other data type.

• Support Data - Any data, not being Contact Data, that Licensee or its End Users provide to Avisi directly in the support process.

• Contact Data - Data that Licensee or its End Users have provided to Avisi in order to communicate with Avisi.

• Feedback Data - Data that Licensee or its End Users have provided to Avisi in order to provide feedback to Avisi.

• Usage Data - Data that is generated upon the use of Licensee or its End Users of the Services by the Services.

Scope

This Data Processing Addendum solely applies to Content Data and Support Data, since only with these data types, Licensee is to be considered as the Data Controller and Avisi as the Data Processor that processes such data on behalf of Licensee. For Contact Data, Feedback Data and Usage Data, Avisi is to be considered as the Data Controller and therefore, this Data Processing Addendum does not apply for these data types. The way in which these data types are processed is governed in the Privacy Policy.

1. Definitions

1.1. Within the context of this Data Processing Addendum, the followings terms have the following meaning:

A. Licensee: the organization which concluded a License Agreement with Avisi, represented by an authorized representative.

B. End User: any individual in the organization of Licensee, or any individual authorized by Licensee, that uses the Services, either as an administrator or a user.

C. Data Protection Law: means the Privacy Regulation and any Local Data Protection Law.

D. Local Data Protection Law: any law(s) regarding the processing of personal data to which the controller is subject, including any law(s) implementing the Privacy Regulation. The California Consumer Privacy Act (CCPA) is an example of a Local Data Protection Law.

E. Privacy Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

F. Services: the services provided by Avisi to Licensee on the basis of the License Agreement.

G. License Agreement: the agreement between Avisi and Licensee regarding the provisioning of Services of which this Data Processing Addendum is an integral part.

H. Sub-Processor: any third party engaged by Avisi for the processing of personal data within the scope of the Services.

I. Parties: The Licensee and Avisi, when mentioned together. Licensee and Avisi will hereafter be called "Party" when mentioned separately and "Parties", when mentioned together.

1.2. Any concepts not defined here that are defined in the Data Protection Law, have the same meaning in this agreement.

1.3. Unless distinguished herein, “personal data” shall include “personal information”.

2. Consistency with the License Agreement

2.1. This Data Processing Addendum applies to the Services provided under the License Agreement.

2.2. Insofar as any provision of this Data Processing Addendum is contrary to the provisions in the License Agreement, the provisions of this Data Processing Addendum shall prevail (in so far as the conflict relates to the processing of personal data).

2.3. For all subjects not covered by this Data Processing Addendum, the provisions of the License Agreement apply mutatis mutandis to the processing of personal data in the context of the Services.

3. Personal data to be processed

3.1. This Data Processing Addendum relates to the processing of personal data resulting from the Services, irrespective of whether or not the License Agreement explicitly refers to the processing of personal data.

3.2. The nature and the purpose of the processing, as well as the type of personal data and categories of data subjects processed by Avisi on behalf of Licensee, is set out in Annex 1, in the absence of which the processing is limited to those activities strictly necessary for the performance of the License Agreement.

4. Roles of parties

4.1. With regard to the processing of personal data in relation to the License Agreement, Licensee is considered to be the Controller and Avisi is considered to be the Processor. With regard to the processing of personal information in relation to the License Agreement, Licensee is considered to be the Business and Avisi is considered to be the Service Provider and/or Contractor.

4.2. Avisi shall only process the personal data on documented instructions from Licensee. Licensee discloses personal information to Avisi only for the specific business purpose of providing the Services.

4.3. Licensee is deemed to have given the instructions to Avisi for any processing of personal data strictly necessary for the provisioning of the Services described in the License Agreement, except that Avisi shall not sell or share personal information. These instructions include the processing that results out of changes to these Services, to the extent the License Agreement allows for such changes.

4.4. Notwithstanding clause 4.2, Avisi is allowed to process the personal data to the extent that Avisi is required to do so by Union or Member State law to which Avisi is subject. In such a case, Avisi shall inform Licensee of that legal requirement before processing, unless that law prohibits providing such information on important grounds of public interest.

4.5. Avisi shall keep a record of all processing activities carried out on behalf of Licensee and cooperate in good faith and provide information reasonably necessary to enable Licensee to comply with its obligations under Data Protection Laws.

5. Confidentiality

5.1. Avisi shall keep the personal data confidential vis-à-vis third parties and shall not make it public, other than to the extent necessary for the provision of the Services or insofar as Avisi is legally obliged or ordered by a court to disclose and/or supply the personal data.

5.2. Avisi warrants and guarantees that all employees or any other natural person who act under its authority and have access to the personal data shall also, under the same conditions, exercise confidentiality in respect of the personal data of which they become aware.

6. Security measures and data breaches

6.1. Avisi shall implement suitable technical and organizational measures to protect the personal data against losses or any form of unlawful processing as well as to guarantee an adequate level of reliability (availability, integrity and confidentiality). These measures shall be appropriate, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The technical and organizational measures that Avisi takes follow from the most recent version of their information security policy as published here: Security Policy. Avisi is allowed to make changes to the security measures if, in Avisi’s opinion, that is necessary to offer a continued adequate level of security.

6.2. In assessing the appropriate level of security, Avisi shall in particular take account of the risks that are presented by processing, such as in particular the destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed, either accidentally or unlawfully.

6.3. The measures taken by Avisi in the context of paragraphs 1 and 2 comply with the ISO 27001 standard, ISO 27701 standard and SOC 2 declaration. At Licensee's first request, Avisi will submit a certificate or SOC 2 report issued by an independent and expert third party to prove this.

6.4. Avisi shall periodically test, assess and evaluate the effectiveness of the technical and organizational measures taken to secure the processing, whether or not by calling in an expert third party. Should this review show that the measures taken are no longer sufficient, Avisi will take all reasonable steps to improve upon the level of security.

6.5. Avisi shall take all necessary steps to ensure that any natural person acting under Avisi's authority, who has access to personal data, does not process this personal data except on instructions from Licensee, unless he or she is required to do so by Union or Member State law.

7. Personal Data Breaches

7.1. Avisi shall notify Licensee about any Personal Data Breach. This notification is given without undue delay and to the best of its abilities, but not to exceed seventy two (72) hours after discovering any Personal Data Breach, abiding by applicable laws and regulations. The Licensee will then judge if they need to inform the supervisory authorities and/or data subjects. Avisi strives to ensure that the information is complete, correct and accurate to the best of their abilities.

7.2. The notification shall at least, to the extent Avisi has the information:

A. describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

B. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

C. describe the likely consequences of the Personal Data Breach;

D. describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate Avisi possible adverse effects;

E. provide Licensee with any other information Licensee needs according to the Data Protection Law.

7.3. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

7.4. Avisi shall assist Licensee in ensuring compliance with the obligations pursuant to the Data Protection Law, taking into account the nature of processing and the information available to the processor. This assistance includes informing the data subjects about Personal Data Breaches, if the Data Protection Law includes such a notification obligation.

7.5. Avisi shall document any Personal Data Breaches, including the facts relating to the Personal Data Breach, the consequences thereof and the corrective actions taken, as well as any other relevant information regarding the Personal Data Breach.

8. Location of data

8.1. Avisi shall process (or arrange the processing of) personal data within the borders of the European Economic Area (“EEA”), unless

A. Licensee authorizes or instructs the transfer of personal data outside the EEA; or

B. Avisi is required to transfer the data by Union or Member State law to which Avisi is subject.

8.2. Notwithstanding clause 8.1, Avisi is allowed, in accordance with article 9, to appoint sub-processors outside the EEA. If Avisi uses sub-processors in countries outside of the EEA, the transfer of personal data will always be in accordance with all relevant laws and regulations. If Avisi transfers personal data to countries outside the EEA for which the European Commission has not decided that those countries ensure an adequate level of protection (“Third Country”), Avisi will ensure that it provides appropriate safeguards, as meant in article 46 GDPR, for the transfer.

8.3. The Parties agree to the appropriate safeguards as set out in Annex 3 of this Agreement.

9. Sub-processing

9.1. The Licensee provides Avisi the general permission to work with Sub-processors for the processing of personal data, as set out in Annex 2 of this Agreement.

9.2. Avisi has the right to add or replace Sub-processors (changes). If Avisi intends to add or replace a Sub-processor, Avisi will inform the Licensee thirty (30) days in advance, allowing the Licensee to object. If the Licensee wishes to object, the Licensee must submit their objection in written form, within two weeks. If the Licensee does not object within these conditions, the Licensee is regarded to accept the intended change.

9.3. If Licensee objects within the conditions as stated in article 9.2, Avisi and Licensee will consult each other and strive to achieve a reasonable solution. If both parties cannot achieve a satisfactory agreement about the intended change as meant in article 9.2, Avisi is entitled to work with the respective added or replaced Sub-Processor. Respectively, Licensee is entitled to terminate their subscription to the Services per the date that the new or replaced Sub-Processor is activated.

9.4. When engaging a Sub-Processor:

A) Avisi remains fully liable for the fulfilment of the obligations under this Data Processing Addendum;

B) Avisi will lay down the engagement of the Sub-Processor in a written agreement;

C) Avisi guarantees that all obligations that rest with Avisi in relation to this Data Processing Addendum, will also come to bear on the Sub-Processor engaged;

D) Avisi guarantees that the Sub-Processor in question also follows Licensee’s written instructions as meant in this Data Processing Addendum.

10. Data subjects rights

10.1. The Data Protection Law grants certain rights to the data subjects. The responsibility for dealing with (the exercise of) these rights rests at Licensee.

10.2. Avisi will, if so requested by Licensee, provide Licensee with all necessary cooperation in the fulfillment of Licensee's obligations on the basis of the rights referred to in the previous paragraph.

11. Information, cooperation, audit and compliance

11.1. Avisi will make available to Licensee all information about any approved code of conduct or an approved certification mechanism it adheres to, as referred to in respectively article 40 and article 42 of the Privacy Regulation.

11.2. Avisi shall provide to Licensee, at first request, all relevant information regarding the aspects of the processing of personal data that it performs, so that Licensee can demonstrate, partly on the basis of that information, that it complies with the Data Protection Law.

11.3. At the request of the Licensee, Avisi will, within a reasonable time frame, provide the Licensee with the necessary cooperation to meet their compliance with the obligations that follow from the Data Protection Law. This includes, among others, their obligations with regard to data security, reporting personal data breaches and performing data protection impact assessments.

11.4. Licensee is entitled to audit, via a trusted third party, bound to non-disclosure, to what extent Avisi is meeting the obligations under this Data Processing Addendum. Avisi shall lend its cooperation to such an audit. Such an audit will only be conducted after Licensee has requested the available similar audit reports from Avisi, has judged the reports and provides sound argumentation why an audit, initiated by Licensee, is still justifiable. Such an audit will only be justifiable when the similar audit reports that are available from Avisi provide no or insufficient proof about the compliance of this Data Processing Addendum by Avisi. If an audit, initiated by Licensee, is justified, it will only be conducted at least thirty (30) days after prior announcement by Licensee, with a maximum of once per year.

11.5. Clause 11.2 to 11.4 do not apply to the extent the request or instruction:

A) would impose a disproportionate burden on Avisi;

B) is not related to the processing of personal data;

C) would lead to the revelation of business secrets of Avisi;

D) would not provide Licensee with additional information besides the information already provided based upon clause 11.1;

E) would violate EU or Member State law.

11.6. Avisi shall immediately inform Licensee if any of these exceptions of the preceding article applies.

12. Costs

12.1. Each Party shall perform its obligations under this Data Protection Addendum and Data Protection Laws at its own cost.

13. Liability

13.1. Any limitation of liability specified in the License Agreement applies mutatis mutandis to this Data Processing Addendum.

13.2. If as a result of an attributable shortcoming by Avisi, or an act or omission attributable to Avisi, a penalty is imposed on Licensee by a government supervisor, which penalty is (partly) directly related to the aforementioned shortcoming, act or omission, Avisi indemnifies Licensee for (that part of) that fine, limited per calendar year to at most the part of the License fees received by Avisi from Atlassian during one year (exclusive of VAT) regarding the use of the Services by Licensee under the License Agreement. Avisi’s administration is decisive in determining the amounts that Avisi received from Atlassian. For clarity: the indemnity does not apply to the part of the fine that is related to the behavior of Licensee himself.

13.3. Any limitation of liability will also lapse in case of intent or gross negligence on the part of Avisi.

14. Consequences of Data Protection Law

14.1. The Parties shall comply with their respective obligations under Data Protection Law. With respect to personal information, Avisi shall provide the same level of privacy protection as required of Licensee by the CCPA. Avisi certifies that it understands its obligations under Data Protection Law.

14.2. Avisi will inform Licensee, within seventy two (72) hours if it makes a determination that it can no longer meet its obligations under Data Protection Law.

14.3. Avisi will inform Licensee if it suspects that the provisioning of the Services might be (partly) in violation with the Data Protection Law.

15. Term, termination and consequences of termination

15.1. This Data Processing Addendum shall be in force for the same duration as the License Agreement.

15.2. This Data Processing Addendum shall automatically terminate once the License Agreement is terminated.

15.3. Obligations which by their nature are intended to continue even after termination or dissolution of the Data Processing Addendum will remain after termination or dissolution of this processing agreement. These obligations include:

A) Indemnification for fines imposed by a government supervisor;

B) Confidentiality and security

C) Dispute resolution, applicable law.

15.4. In case the License Agreement is terminated, Avisi shall, at the choice of Licensee, either delete or return all the personal data processed in relation to the Services.

15.5. Pending the choice of Licensee as mentioned in article 15.4, Avisi will retain the personal data. Avisi shall delete the personal data after thirty (30) days unless Licensee instructs it otherwise before then.

15.6. The return of the personal data takes place in a generally readable and properly documented file format.

15.7. Notwithstanding the preceding:

A) Avisi is allowed to keep the data if Union or Member State law requires Avisi to keep the personal data stored.

B) Avisi will retain the documentation about personal data breaches as specified in clause 7.5 for at least one year after termination of the License Agreement.

Annex 1: Description of the data processing

The description of the data processing is defined as follows:

• Parties: Licensee is the Data Exporter and Avisi is the Data Importer. The Parties’ contact information is as set out in the Data Processing Addendum.

• Subject: processing of content data and support data entered by Licensee and/or his End Users

• Duration of processing: the processing will follow the term of the Data Processing Addendum as set out in Section 15. Any personal data that is transferred shall be transferred continuously.

• Nature: hosting, transmitting and backup of personal data

• Purpose: facilitating the use of Avisi's Services

• Personal data categories: content data and support data as defined in the "Definitions of Data Types" Personal data subject categories:

  • People who use the Services (End Users)

  • People whose personal data is captured using the Services by Licensee and/or his End Users

  • People whose data is transmitted via the Services by the Licensee and/or his End Users

  • Other possible data subject categories whose personal data is processed using the Services

• Personal data subject countries: world-wide

Annex 2: Sub-processor list

Pursuant to Section 9 of the Data Processing Addendum, Licensee authorizes the use of the following Sub-processors:

Name	Only applies to	Purpose	Description	Relevant categories of personal data	Location of personal data
Google Cloud Platform		Hosting	All our apps are deployed and run on GCP.	Content data	Global
Google Cloud Platform	TOPdesk app	Hosting	TOPdesk is deployed and runs on GCP.	Content data	TOPdesk app: EER (specifically Germany, Frankfurt)
Google Cloud Platform	Manage Custom Field Values	Hosting	Manage Custom Field Values is deployed and runs on GCP.	Content data	Data residency configurable by customer
Atlassian (host platform)		Host applications and data storage	All our apps function in the context of a host application provided by Atlassian. Some app data is actually stored in the host application.	Content data	Data residency configurable by customer
Atlassian (support tooling)		Support	We use Jira for handling support requests and feature requests.	Support data	Global
Atlas CRM		Support	We use Atlas CRM to support the support process in Jira.	Support data / Contact data	Global
Gravatar	Atlas CRM app	Profile pictures	Automatic retrieval of public profile pictures for a user.	Contact data	Global
Backblaze		Offsite backup	All backups are replicated to Backblaze as an extra precaution.	Content data	Global
Wasabi		Offsite backup	All backups are replicated to Wasabi as an extra precaution.	Content data	Data resident, following the apps data residency
Sendinblue		Dripfeed mailings	Dripfeed mailings to support customer onboarding.	Contact data	EER
Mailchimp		Customer Mailings	Customer notifications about pricing changes, legal updates and general product announcements.	Contact data	Global
Mandrill	Atlas CRM	Onboarding emails, notifications	Send onboarding emails and notifications to individual users.	Contact data	Global
monday.com		Product management	Plan new functionality, based on customer feedback.	Support data	Global

Annex 3: Transfers of personal data to a third country

1. In all cases where the Parties transfer personal data to a third country, the obligations herein apply.

2. The obligations herein shall apply inter alia to any onward transfer of personal data to another Third Country; or to another entity within the same country it has been exported to.

3. In the event that the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2: Transfer Controller to Processor (“C2P Transfer Clauses”) or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, VERSION B1.0, in force 21 March 2022 (“UK Addendum”) are amended, replaced or repealed, the Parties shall work together in good faith to enter into any updated version of the agreement(s) or negotiate in good faith a solution to enable transfers of personal data to be conducted in compliance with Data Protection Laws.

4. The C2P Transfer Clauses and or UK Addendum shall prevail in the event of any direct or indirect contradiction with any provision of this Data Processing Addendum.

5. In relation to personal data that originates in the EEA and is exported to a Third Country, the C2P Transfer Clauses will apply and shall be incorporated by reference into this Data Processing Addendum completed as follows:

   • Clause 7: the optional docking is omitted;

   • Clause 9: Option 2 applies, and the notification time shall be thirty (30) days.

   • Clause 11: the optional language is omitted;

   • Clause 13: the supervisory authority indicated in Annex 1.C shall act as the competent supervisory authority;

   • Clause 17: Option 2 applies, and the law of The Netherlands shall apply;

   • Clause 18(b): disputes shall be resolved before the courts of The Netherlands;

   • Annex I A (List of Parties) shall be deemed completed with the information set out in Annex 1 to this DPA;

   • Annex I B (Description of Transfer) shall be deemed completed with the information set out in Annex 1 to this Data Processing Addendum;

   • Annex I C: the competent supervisory authority shall be the National Commission for Data Protection of The Netherlands;

   • Annex II shall be deemed completed with the information set out in Annex 4 to this Data Processing Addendum; and

   • Annex III shall be deemed completed with the information set out in Annex 2 to this Data Processing Addendum.

6. In relation to personal data that originates in the United Kingdom and is exported to a Third Country, the C2P Transfer Clauses shall be deemed executed between the Parties as set out in Section 5 above and the UK Addendum shall be incorporated by reference into this Data Processing Addendum completed as follows:

   • The UK Addendum shall be deemed executed between the Parties, and the C2P Transfer Clauses shall be deemed amended as specified by the UK Addendum;

   • Table 1: the start date shall be the same as the Effective Date of this Data Processing Addendum, and the Parties details shall be deemed completed with the information set out in this Data Processing Addendum;

   • Table 2 shall be deemed completed with the information set out in Section 5, and personal data from the Data Importer is not combined with Personal Data collected by the Exporter.

   • Table 3 shall be deemed completed with the information set out in Section 5 and in the Annexes to this Data Processing Addendum.

   • Table 4: either Party may end the UK Addendum set out in Section 19 of the UK Addendum.

Annex 4: Technical and organizational measures including technical and organizational measures to ensure the security of data

The technical and organizational measures including technical and organizational measures to ensure the security of data we have in place can be found in our Security Policy.