Data Processing Addendum

Introduction

It is possible that by using the Services, Licensee processes personal data and that therefore, Avisi processes that personal data on behalf of Licensee. In that case, this Data Processing Addendum applies, complementary to the License Agreement, End User License Agreement and Privacy Policy. The applicability of any Data Processing Agreement or Addendum preceding this Data Processing Addendum, either issued by Licensee or Avisi is strictly rejected.

Preamble

Avisi provides Services for Licensee, as described in the License Agreement, of which this Data Processing Addendum is an integral part. Providing these Services entails the processing of personal data. Licensee is the Controller for these personal data. Avisi shall be considered the Processor. The parties wish to use this Data Processing Addendum to record the arrangements concerning the processing of personal data within the context of the aforementioned Services.

Definitions of Data Types

The use of the Services may involve several types of data that may contain personal data. The following data types are distinguished:

  • Content Data - Any data that Licensee or its End Users enter into the Services that is not any other data type.

  • Support Data - Any data, not being Contact Data, that Licensee or its End Users provide to Avisi directly in the support process.

  • Contact Data - Data that Licensee or its End Users have provided to Avisi in order to communicate with Avisi.

  • Feedback Data - Data that Licensee or its End Users have provided to Avisi in order to provide feedback to Avisi.

  • Usage Data - Data that is generated upon the use of Licensee or its End Users of the Services by the Services.

Scope

This Data Processing Addendum solely applies to Content Data and Support Data, since only with these data types, Licensee is to be considered as the Data Controller and Avisi as the Data Processor that processes such data on behalf of Licensee. For Contact Data, Feedback Data and Usage Data, Avisi is to be considered as the Data Controller and therefore, this Data Processing Addendum does not apply for these data types. The way in which these data types are processed is governed in the Privacy Policy.

1. Definitions

1.1. Within the context of this Data Processing Addendum, the followings terms have the following meaning:

A. Licensee: the organization which concluded a License Agreement with Avisi, represented by an authorized representative.

B. End User: any individual in the organization of Licensee, or any individual authorized by Licensee, that uses the Services, either as an administrator or a user.

C. Data Protection Law: means the Privacy Regulation and any Local Data Protection Law.

D. Local Data Protection Law: any law(s) regarding the processing of personal data to which the controller is subject, including any law(s) implementing the Privacy Regulation.

E. Privacy Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

F. Services: the services provided by Avisi to Licensee on the basis of the License Agreement.

G. License Agreement: the agreement between Avisi and Licensee regarding the provisioning of Services of which this Data Processing Addendum is an integral part.

H. Sub-Processor: any third party engaged by Avisi for the processing of personal data within the scope of the Services.

1.2. Any concepts not defined here that are defined in the Data Protection Law (such as “personal data”, “processing”, etc.), have the same meaning in this agreement.

2. Consistency with the License Agreement

2.1. This Data Processing Addendum applies to the Services provided under the License Agreement.

2.2. Insofar as any provision of this Data Processing Addendum is contrary to the provisions in the License Agreement, the provisions of this Data Processing Addendum shall prevail (in so far as the conflict relates to the processing of personal data).

2.3. For all subjects not covered by this Data Processing Addendum, the provisions of the License Agreement apply mutatis mutandis to the processing of personal data in the context of the Services.

3. Personal data to be processed

3.1. This Data Processing Addendum relates to the processing of personal data resulting from the Services, irrespective of whether or not the License Agreement explicitly refers to the processing of personal data.

3.2. The nature and the purpose of the processing, as well as the type of personal data and categories of data subjects processed by Avisi on behalf of Licensee, is set out in Annex 1, in the absence of which the processing is limited to those activities strictly necessary for the performance of the License Agreement.

4. Roles of parties

4.1. With regard to the processing of personal data in relation to the License Agreement, Licensee is considered to be the Controller and Avisi is considered to be the Processor.

4.2. Avisi shall only process the personal data on documented instructions from Licensee.

4.3. Licensee is deemed to have given the instructions to Avisi for any processing strictly necessary for the provisioning of the Services described in the License Agreement. These instructions include the processing that results out of changes to these Services, to the extent the License Agreement allows for such changes.

4.4. Notwithstanding clause 4.2, Avisi is allowed to process the personal data to the extent that Avisi is required to do so by Union or Member State law to which Avisi is subject. In such a case, Avisi shall inform Licensee of that legal requirement before processing, unless that law prohibits providing such information on important grounds of public interest.

5. Confidentiality

5.1. Avisi shall keep the personal data confidential vis-à-vis third parties and shall not make it public, other than to the extent necessary for the provision of the Services or insofar as Avisi is legally obliged or ordered by a court to disclose and/or supply the personal data.

5.2. Avisi warrants and guarantees that all employees or any other natural person who act under its authority and have access to the personal data shall also, under the same conditions, exercise confidentiality in respect of the personal data of which they become aware.

6. Security measures and data breaches

6.1. Avisi shall implement suitable technical and organizational measures to protect the personal data against losses or any form of unlawful processing as well as to guarantee an adequate level of reliability (availability, integrity and confidentiality). These measures shall be appropriate, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The technical and organizational measures that Avisi takes follow from the most recent version of their information security policy as published here: Security Policy. Avisi is allowed to make changes to the security measures if, in Avisi’s opinion, that is necessary to offer a continued adequate level of security.

6.2. In assessing the appropriate level of security, Avisi shall in particular take account of the risks that are presented by processing, such as in particular the destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed, either accidentally or unlawfully.

6.3. The measures taken by Avisi in the context of paragraphs 1 and 2 comply with the ISO 27001 standard. At Licensee's first request, Avisi will submit a certificate issued by an independent and expert third party to prove this.

6.4. Avisi shall periodically test, assess and evaluate the effectiveness of the technical and organizational measures taken to secure the processing, whether or not by calling in an expert third party. Should this review show that the measures taken are no longer sufficient, Avisi will take all reasonable steps to improve upon the level of security.

6.5. Avisi shall take all necessary steps to ensure that any natural person acting under Avisi’s authority, who has access to personal data, does not process this personal data except on instructions from Licensee, unless he or she is required to do so by Union or Member State law.

7. Personal Data Breaches

7.1. Avisi shall notify Licensee about any Personal Data Breach. This notification is given without unreasonable delay, but in any case within 72 hours after he has taken note of it.

7.2. The notification shall at least, to the extent Avisi has the information:

A. describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

B. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

C. describe the likely consequences of the Personal Data Breach;

D. describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate Avisi possible adverse effects;

E. provide Licensee with any other information Licensee needs according to the Data Protection Law.

7.3. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

7.4. Avisi shall assist Licensee in ensuring compliance with the obligations pursuant to the Data Protection Law, taking into account the nature of processing and the information available to the processor. This assistance includes informing the data subjects about Personal Data Breaches, if the Data Protection Law includes such a notification obligation.

7.5. Avisi shall document any Personal Data Breaches, including the facts relating to the Personal Data Breach, the consequences thereof and the corrective actions taken, as well as any other relevant information regarding the Personal Data Breach.

8. Location of data

8.1. Avisi shall process (or arrange the processing of) personal data within the borders of the European Economic Area (“EEA”), unless

A. Licensee authorizes or instructs the transfer of personal data outside the EEA; or

B. Avisi is required to transfer the data by Union or Member State law to which Avisi is subject.

8.2. Notwithstanding clause 8.1, Avisi is allowed, in accordance with article 9, to appoint sub-processors outside the EEA. If Avisi uses sub-processors in countries outside of the EEA, the transfer of personal data will always be in accordance with all relevant laws and regulations. If Avisi transfers personal data to countries outside the EEA for which the European Commission has not decided that those countries ensure an adequate level of protection, Avisi will ensure that it provides appropriate safeguards, as meant in article 46 GDPR, for the transfer.

9. Sub-processing

9.1. Licensee provides Avisi the general permission to work with Sub-Processors for the processing of personal data. Upon request by Licensee and within a reasonable time frame, Avisi will inform Licensee about the relevant Sub-Processors that Avisi works with regarding the processing of personal data as meant in this Data Processing Addendum.

9.2. Avisi has the right to add or replace Sub-Processors. If Avisi intends to add or replace a Sub-Processor, Avisi will inform Licensee accordingly, allowing Licensee to object. If Licensee wishes to object, Licensee must submit their objection in written form, within two weeks and supported by sound argumentation. If Licensee does not object within these conditions, Licensee is regarded to accept the intended change.

9.3. If Licensee objects within the conditions as stated in article 9.2, Avisi and Licensee will consult each other and strive to achieve a reasonable solution. If both parties cannot achieve a satisfactory agreement about the intended change as meant in article 9.2, Avisi is entitled to work with the respective added or replaced Sub-Processor. Respectively, Licensee is entitled to terminate their subscription to the Services per the date that the new or replaced Sub-Processor is activated.

9.4. When engaging a Sub-Processor:

A) Avisi remains fully liable for the fulfilment of the obligations under this Data Processing Addendum;

B) Avisi will lay down the engagement of the Sub-Processor in a written agreement;

C) Avisi guarantees that all obligations that rest with Avisi in relation to this Data Processing Addendum, will also come to bear on the Sub-Processor engaged;

D) Avisi guarantees that the Sub-Processor in question also follows Licensee’s written instructions as meant in this Data Processing Addendum.

10. Data subjects rights

10.1. The Data Protection Law grants certain rights to the data subjects. The responsibility for dealing with (the exercise of) these rights rests at Licensee.

10.2. Avisi will, if so requested by Licensee, provide Licensee with all necessary cooperation in the fulfillment of Licensee's obligations on the basis of the rights referred to in the previous paragraph.

11. Information, cooperation, audit and compliance

11.1. Avisi will make available to Licensee all information about any approved code of conduct or an approved certification mechanism it adheres to, as referred to in respectively article 40 and article 42 of the Privacy Regulation.

11.2. Avisi shall provide to Licensee, at first request, all relevant information regarding the aspects of the processing of personal data that it performs, so that Licensee can demonstrate, partly on the basis of that information, that it complies with the Data Protection Law.

11.3. Avisi shall furthermore provide to Licensee, at first request, all necessary assistance in the performance of the legal obligations on Licensee pursuant to the Data Protection Law.

11.4. Licensee is entitled to audit, via a trusted third party, bound to non-disclosure, to what extent Avisi is meeting the obligations under this Data Processing Addendum. Avisi shall lend its cooperation to such an audit. Such an audit will only be conducted after Licensee has requested the available similar audit reports from Avisi, has judged the reports and provides sound argumentation why an audit, initiated by Licensee, is still justifiable. Such an audit will only be justifiable when the similar audit reports that are available from Avisi provide no or insufficient proof about the compliance of this Data Processing Addendum by Avisi. If an audit, initiated by Licensee, is justified, it will only be conducted at least thirty (30) days after prior announcement by Licensee, with a maximum of once per year.

11.5. Clause 11.2 to 11.4 do not apply to the extent the request or instruction:

A) would impose a disproportionate burden on Avisi;

B) is not related to the processing of personal data;

C) would lead to the revelation of business secrets of Avisi;

D) would not provide Licensee with additional information besides the information already provided based upon clause 11.1;

E) would violate EU or Member State law.

11.6. Avisi shall immediately inform Licensee if any of these exceptions of the preceding article applies.

12. Costs

12.1. The costs for the processing of data that is entailed in the normal performance of the Services, are considered to be included in the standard charges for the Services.

12.2. Any assistance or any other additional service that Avisi must provide under this Data Processing Addendum (e.g. pursuant to Articles 7.4 and 11.4), or that is requested by Licensee, including all requests for additional information, will be charged to Licensee in accordance with Avisi’s then current rates.

12.3. The preceding clause does not apply if Licensee demonstrates that any assistance requested is directly attributable to non-performance by Avisi of any of Avisi’s obligations in this Data Processing Addendum. In that case, the work will be performed free of charge (without prejudice to Licensee's right to recover the actual damage from Avisi).

13. Liability

13.1. Any limitation of liability specified in the License Agreement applies mutatis mutandis to this Data Processing Addendum.

13.2. If as a result of an attributable shortcoming by Avisi, or an act or omission attributable to Avisi, a penalty is imposed on Licensee by a government supervisor, which penalty is (partly) directly related to the aforementioned shortcoming, act or omission, Avisi indemnifies Licensee for (that part of) that fine, limited per calendar year to at most the part of the License fees received by Avisi from Atlassian during one year (exclusive of VAT) regarding the use of the Services by Licensee under the License Agreement. Avisi’s administration is decisive in determining the amounts that Avisi received from Atlassian. For clarity: the indemnity does not apply to the part of the fine that is related to the behavior of Licensee himself.

13.3. Any limitation of liability will also lapse in case of intent or gross negligence on the part of Avisi.

14. Consequences of Data Protection Law

14.1. The responsibility for compliance with the Data Protection Law in the processing of personal data in relation to the License Agreement rests at Licensee.

14.2. Licensee must inform Avisi about any Local Data Protection Law to the extent relevant for the provisioning of the Services.

14.3. Avisi will inform Licensee if it suspects that, based upon the information provided by Licensee according to clause 14.2, the provisioning of the Services might be (partly) in violation with the Local Data Protection Law.

15. Term, termination and consequences of termination

15.1. This Data Processing Addendum shall be in force for the same duration as the License Agreement.

15.2. This Data Processing Addendum shall automatically terminate once the License Agreement is terminated.

15.3. Obligations which by their nature are intended to continue even after termination or dissolution of the Data Processing Addendum will remain after termination or dissolution of this processing agreement. These obligations include:

A) Indemnification for fines imposed by a government supervisor;

B) Confidentiality

C) Dispute resolution, applicable law.

15.4. In case the License Agreement is terminated, Avisi shall, at the choice of Licensee, either delete or return all the personal data processed in relation to the Services.

15.5. Pending the choice of Licensee as mentioned in article 15.4, Avisi will retain the personal data. Avisi is not entitled to destroy the personal data without explicit instructions of Licensee thereto.

15.6. The return of the personal data takes place in a generally readable and properly documented file format.

15.7. Notwithstanding the preceding:

A) Avisi is allowed to keep the data if Union or Member State law requires Avisi to keep the personal data stored.

B) Avisi will retain the documentation about personal data breaches as specified in clause 7.5 for at least one year after termination of the License Agreement.

Annex 1: Description of the data processing

The description of the data processing is defined as follows:

  • Subject: processing of content data and support data entered by Licensee and/or his End Users

  • Nature: hosting, transmitting and backup of personal data

  • Purpose: facilitating the use of Avisi's Services, including …

  • Personal data categories: content data and support data as defined in the "Definitions of Data Types" Personal data subject categories:

    • People who use the Services (End Users)

    • People whose personal data is captured using the Services by Licensee and/or his End Users

    • People whose data is transmitted via the Services by the Licensee and/or his End Users

    • Other possible data subject categories whose personal data is processed using the Services

  • Personal data subject countries: world-wide