Data Processing Addendum by Language:
Last Updated: January 15, 2023
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the terms and conditions of the End User Service Agreement (“EUSA”) between Avetta and Supplier and sets out the additional terms, requirements, and conditions on which Avetta will obtain, handle, process, disclose, transfer, or store Personal Data when providing services under the EUSA. All capitalized terms not defined in this DPA shall have the meanings ascribed to them in the EUSA.
1. Definitions and Interpretation.
1.1 Definitions:
"Applicable Data Protection Legislation" means the laws and regulations applicable to the respective party’s processing of Personal Data in connection with the EUSA, including, where applicable, (i) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), as amended and supplemented, as the case may be, by the relevant EU Member States laws and regulations in which Supplier directly or indirectly operates, (ii) the UK Data Protection Act 2018 and the UK General Data Protection Act (“UK GDPR”), (iii) the Australian Privacy Act 1988 and National Privacy Principles, (iv) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any related regulations or guidance (collectively, the “CCPA”), and (v) any other international, federal, state, provincial, and local privacy or data protection laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective.
"Data Subject" means an individual who is the subject of the Personal Data and to whom or about whom the Personal Data relates or identifies, directly or indirectly.
“EEA” refers to the European Economic Area consisting of all member states of the European Union and Iceland, Norway and Liechtenstein.
"EU SCCs" means the European Commission's standard contractual clauses for the transfer of personal data from the European Union to third countries, as set out in the Annex to Commission Decision (EU) 2021/914, a copy of which is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
"Personal Data" means any information Avetta processes that (i) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Avetta's possession or control, or (ii) the Applicable Data Protection Legislation otherwise defines as protected personal data or personal information.
"Processing, processes, and process" means any activity that involves the use of Personal Data, or as the Applicable Data Protection Legislation may otherwise define the terms “processing,” “processes,” or “process.” It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties.
"Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
"Subject Rights Request" means the exercise by a Data Subject of his or her rights under the Applicable Data Protection Legislation.
"UK Addendum" means the UK Information Commissioner’s Office’s International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses, a copy of which is available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
1.2 The Schedules form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules.
1.3 A reference to writing or written includes email.
1.4 In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the EUSA, the provisions of this DPA will prevail, and any of the provisions of this DPA and any provisions contained in Schedule A, the applicable provisions of Schedule A will prevail.
2. Roles and Scope of Processing.
2.1 Roles of the Parties. Supplier and Avetta acknowledge and agree that:
(a) Avetta is a data processor to the extent the processing of Personal Data is carried out on behalf of and under the direction of Supplier, such as processing of Supplier’s Personal Data (including Personal Data of its personnel and Workers) contained in the Prequalification Forms, OSHA data set, or other data set gathered during an Audit; and
(b) Avetta is a data controller to the extent the processing of Personal Data is for Avetta’s own purposes in connection with the provision of the Avetta Services or for Avetta’s legitimate business interests, such as billing, account management, technical support, product development, analytical uses, and sales and marketing.
2.2 Supplier Processing of Personal Data. Supplier acknowledges and agrees that:
(a) Supplier shall have the sole responsibility for the accuracy, quality, and legality of the Personal Data submitted to Avetta and/or the Site (either by Supplier or by its Data Subjects);
(b) Supplier shall only upload and submit to Avetta and/or the Site Personal Data that were obtained from Data Subjects in compliance with the Applicable Data Protection Legislation;
(c) Supplier shall ensure Supplier has all necessary consents and notices in place and has satisfied all other requirements under the Applicable Data Protection Legislation to enable lawful transfer of Personal Data (including Sensitive Data) to Avetta and permit Avetta’s processing of Personal Data in various jurisdictions pursuant to the EUSA and this DPA;
(d) Where consent is the lawful basis for processing Personal Data or is otherwise required for the use of the Avetta Services, Supplier shall, at all times, make available and maintain (i) a mechanism for obtaining such consent from Data Subjects, and (ii) a mechanism for Data Subjects to withdraw such consent, in each case in accordance with the Applicable Data Protection Legislation; and
(e) Supplier’s use of the Avetta Services will not violate the rights of any Data Subjects.
2.3 Details of Data Processing. Schedule B describes the general categories of Personal Data, the types of Data Subjects, and other details of the processing Avetta will perform in connection with the provision of the Avetta Services in accordance with the EUSA.
3. Avetta's Obligations.
3.1 Avetta will process Personal Data only for the specific purposes of the transfer as set out in Schedule B. Avetta may process Personal Data for another purpose (i) where it has obtained the Data Subject's prior consent, (ii) where necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or (iii) where necessary in order to protect the vital interests of the Data Subject or of another natural person. To the extent Avetta acts as a data processor of Supplier, Avetta shall process Personal Data on the instructions of Supplier. The parties agree that Supplier’s instructions shall be within the scope of the EUSA. Any additional requested instructions require the prior written consent of Avetta. Avetta shall promptly notify Supplier if, in Avetta’s opinion, such instruction violates any Applicable Data Protection Legislation. Where applicable, Supplier shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with its Data Subjects.
3.2 Avetta will, while considering the nature of Avetta's processing and the information available to Avetta, reasonably assist Supplier with meeting Supplier's compliance obligations under the Applicable Data Protection Legislation, provided that Supplier shall cover all costs incurred by Avetta in connection with its provision of such assistance. Such compliance obligations may include the obligation to carry out an assessment of the impact of the processing operations on the protection of Personal Data (a “Data Protection Impact Assessment”) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
4. Avetta's Employees.
4.1 Avetta will ensure that all employees who have access to or are involved in processing Personal Data (i) have undertaken training on the Applicable Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and are aware both of Avetta's duties and their personal duties and obligations under the Applicable Data Protection Legislation and this DPA; and (ii) are under appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.2 Avetta will take reasonable steps to ensure the reliability, integrity, and trustworthiness of any Avetta’s employee with access to Personal Data.
5. Security.
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Avetta has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the security measures described in Annex II to Schedule B. Avetta may review and update Annex II from time to time, provided that any such updates shall not materially diminish the overall security of the Avetta Services or Personal Data.
5.2 Supplier is responsible for reviewing the information made available by Avetta relating to data security and making an independent determination as to whether the Avetta Services meet Supplier’s requirements and legal obligations under the Applicable Data Protection Legislation.
6. Security Breach and Personal Data Loss.
6.1 Avetta shall notify Supplier without delay after Avetta becomes aware of any Security Breach. Avetta’s notification shall be sent to the email registered by Supplier within the Avetta Services, and where no such email is registered, Supplier acknowledges that the means of notification shall be at Avetta’s reasonable discretion and Avetta’s ability to timely notify shall be negatively impacted. Avetta shall promptly take reasonable steps to contain, investigate, and mitigate any Security Breach.
6.2 To the extent available, Avetta shall provide Supplier timely information about the Security Breach, including, but not limited to, the nature and consequences of the Security Breach, the measures taken and/or proposed by Avetta to mitigate or contain the Security Breach, the status of Avetta’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Communications by or on behalf of Avetta with Supplier in connection with a Security Breach shall not be construed as an acknowledgment by Avetta of any fault or liability with respect to the Security Breach.
7. Cross-Border Transfers of Personal Data; Required Contractual Clauses.
7.1 Supplier acknowledges and agrees that Avetta may transfer, access, and process Personal Data on a global basis as necessary to provide the Avetta Services.
7.2 Where the Applicable Data Protection Legislation has prescribed specific mechanisms for the transfer of Personal Data to Avetta and/or contract clauses for processing of Personal Data by Avetta (collectively, a “Transfer Mechanism”), Avetta shall make such specific Transfer Mechanism available (to the extent generally supported by Avetta) in Schedule A.
(a) Where the processing involves transfer of Personal Data outside the EEA or the UK to Avetta in a jurisdiction that has not been deemed by the European Commission or the UK Information Commissioner’s Office to provide an adequate level of data protection, and there is not another legitimate basis for the international transfer of such Personal Data, such transfer is subject to the EU SCCs, the terms of which are incorporated herein by reference and are supplemented by the applicable terms in Schedule A. In circumstances where Avetta acts as a data controller, Module One of the EU SCCs (for controller-to-controller transfers) shall apply to the transfers of Personal Data between Supplier and Avetta. In circumstances where the Supplier is a data controller and Avetta is a data processor with respect to the processing, Module Two of the EU SCCs (for controller-to-processor transfers) shall apply. Where Personal Data is subject to the UK GDPR, in addition to the applicable EU SCCs, the UK Addendum, subject to the terms of Schedule A, shall apply and is hereby incorporated by reference as if fully set forth herein.
(b) Where the processing involves the Personal Data of California Residents, the parties shall additionally comply with Section 3 of Schedule A.
(c) If the Applicable Data Protection Legislation has prescribed additional requirements for the transfer and/or contract clauses for the processing of Personal Data, Avetta agrees to reasonably cooperate with Supplier for Supplier’s compliance with such requirements and will update the Transfer Mechanisms in Schedule A accordingly. Supplier agrees to execute further documents and take further actions as may be reasonably necessary to give legal effect to the additional or modified Transfer Mechanism.
8. (Sub-) processors.
8.1 Supplier agrees that, to the extent Avetta acts a data processor, Avetta may use sub-processors listed at https://www.avetta.com/privacy/processors for the processing of Personal Data in connection with the provision of the Avetta Services. At least 10 days prior to authorizing any new sub-processor or replacing any sub-processor, Avetta will notify Supplier of the changes by posting the proposed new sub-processors to https://www.avetta.com/privacy/processors. It is Supplier’s responsibility to check this website regularly for updates. If Supplier has legitimate objections to the appointment of new sub-processor that relates to Avetta’s compliance with this DPA, Avetta will make reasonable efforts to address Supplier’s objection. If no resolution can be reached, Avetta will, at its sole discretion, either not appoint the new sub-processor, or permit Supplier to suspend or terminate the EUSA without liability to either party. Avetta shall not be obliged to make any refund of any sums paid under the EUSA.
8.2 Supplier further acknowledges and agrees that, to the extent Avetta acts as a data controller, Avetta may use the additional service providers described or listed at https://www.avetta.com/privacy/processors for the purposes set forth therein.
9. Data Subject Rights Requests.
9.1 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Subject Rights Request within the time limits imposed by the Applicable Data Protection Legislation.
10. Third-Party Data Access Request.
10.1 Avetta shall notify Supplier of any request for the disclosure of Supplier’s Personal Data by a governmental or regulatory body or law enforcement authority, unless otherwise prohibited by law or a legally binding order of such body or agency.
11. Term and Termination.
11.1 This DPA shall come into force on the effective date of the EUSA or the first provision of Personal Data to Avetta, whichever is earlier, and shall remain in full force and effect so long as the EUSA remains in effect.
11.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the EUSA in order to protect Personal Data will remain in full force and effect.
12. Data Return and Destruction.
12.1 At Supplier's request, Avetta will provide Supplier a copy of, or access to, Supplier's Personal Data in its possession or control, in Avetta’s standard format, if the request is submitted prior to Avetta’s disposal of the Personal Data.
12.2 Following termination of the EUSA, Avetta will, within a reasonable period of time, securely delete or destroy Supplier’s Personal Data related to this DPA in its possession or control. This requirement will not apply (i) to the extent that the retention of the Personal Data is to satisfy any legal, regulatory, tax, accounting or reporting requirements or is necessary for the establishment, exercise or defense of legal claims if Avetta reasonably believes there is a prospect of litigation; and (ii) to the Personal Data in backup systems until the backups have been overwritten or expunged in accordance with Avetta’s backup policy, in which event Avetta will isolate and protect the Personal Data from any further processing except to the extent required by such law until deletion is possible.
13. Audit.
13.1 Upon written request and at no additional cost to Supplier, Avetta shall provide Supplier, and/or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Avetta’s compliance with its obligations under this DPA in the form of the relevant audits or certifications listed in Annex II to Schedule B, such as ISO/IEC 27001:2013, ISO/IEC 27701, ISO/IEC 27017, and ISO/IEC 27018 (“ISO Certifications”), and SOC 2 Type II. Avetta will also respond to any written audit questions submitted to it by Auditor and meet by teleconference or in person (at Supplier’s expense) to address follow-up questions, provided that Supplier will not exercise this right more than once per year, except if and when required by instruction of a competent data protection authority. Avetta may require the Auditor to execute a separate confidentiality agreement with Avetta prior to any review of the reports or an audit of Avetta, and Avetta may object in writing to such Auditor, if in Avetta’s reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Avetta. Any such objection by Avetta will require Supplier to appoint another Auditor. Any expenses incurred by an Auditor in connection with any review of the reports or an audit shall be borne exclusively by the Auditor.
14. General.
14.1 The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Avetta and Supplier may have previously entered into in connection with the Avetta Services. Avetta may update this DPA from time to time (for example, in response to any changes in the Applicable Data Protection Legislature, or as a result of a merger, acquisition, corporate reorganization or other similar occurrence or the release of new features, functions, products or services or material changes to any of the existing Avetta Services), provided, however, that no such update shall materially diminish the privacy or security of Personal Data. Avetta will post the updated version to https://www.avetta.com/data-processing-supplier, or a successor website designated by Avetta.
14.2 Avetta’s liability under or in connection with this DPA, including under the EU SCCs, is subject to the exclusions and limitations on liability contained in the EUSA. In no event does Avetta limit or exclude its liability towards Data Subjects or competent data protection authorities.
14.3 Except where and to the extent expressly provided in the EU SCCs or required as a matter of the Applicable Data Protection Legislation, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
14.4 This DPA and any action related thereto shall be governed by and construed in accordance with the laws as specified in the EUSA, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the EUSA.
14.5 If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable. Without limiting the generality of the foregoing, Supplier agrees that Section 14.2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any provision of this DPA.
SCHEDULE A
TRANSFER MECHANISMS AND REQUIRED CONTRACTUAL CLAUSES
This Schedule A provides the Transfer Mechanisms supported by Avetta. A Transfer Mechanism shall not apply and shall not be incorporated into this DPA if it is not applicable to the transfers from Supplier to Avetta. If a listed Transfer Mechanism is, or becomes applicable under the Applicable Data Protection Legislation, it shall be deemed to be signed by the parties and is incorporated into this DPA.
1. EU Standard Contractual Clauses (EU SCCs).
a. Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (Module One for controller-to-controller transfers)
With respect to Personal Data transferred subject to Model One of the EU SCCs in accordance with Section 7.2(a) of the DPA:
i. Optional language at clause 7 (docking clause) is used.
ii. The optional language at clause 11(a) (redress) is not used.
iii. For clause 17, the first option is used, and the law of Germany is the governing law.
iv. For clause 18(b), the selected forum shall be the courts of Germany.
b. Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (Module Two for controller-to-processor transfers)
With respect to Personal Data transferred subject to Model Two of the EU SCCs in accordance with Section 7.2(a) of the DPA:
i. Optional language at clause 7 (docking clause) is used.
ii. For clause 9(a), option 2 (general written authorization) is selected and the specified time period is ten (10) days.
iii. The optional language at clause 11(a) (redress) is not used.
iv. For clause 17, the first option is used, and the law of Germany is the governing law.
v. For clause 18(b), the selected forum shall be the courts of Germany.
c. Annex I, Annex II, and Annex III of the EU SCCs shall be deemed completed with the information set out in Schedule B.
2. UK Information Commissioner’s Office’s International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (UK Addendum).
a. With respect to Personal Data transferred subject to the UK Addendum:
i. The parties to this UK Addendum shall be the parties to the DPA.
ii. The EU SCCs that this UK Addendum amends shall be the applicable EU SCCs referenced in Section 7.2(a).
iii. The part 2 of the UK Addendum shall be: “Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.”
3. CCPA Contract Clauses. This Section 3 of Schedule A provides the additional obligations of the parties when processing Personal Data of any California resident.
a. Avetta will: (i) only collect, use, retain, or disclose Personal Data for the permitted purposes described in the EUSA and the CCPA and for no other commercial purpose; (ii) not sell any Personal Data or share any Personal Data for cross-context behavioral advertising; (iii) not collect, use, retain, or disclose Personal Data outside of the direct business relationship between Avetta except as necessary to provide the Avetta Services; (iv) not combine Personal Data Avetta receives from, or on behalf of, Supplier with Personal Data that it collects on behalf of, another person or persons except for a business purpose that does not involve cross-context behavioral advertising and is permitted under the CCPA; and (v) provide at least the same level of privacy protection that the CCPA requires regarding Personal Data. Avetta certifies it understands these restrictions and will comply with them.
b. Supplier shall have the right (i) to monitor Avetta’s compliance with this DPA and (ii) to take reasonable and appropriate steps to ensure that Personal Data is used by Avetta in accordance with the CCPA. Avetta shall notify Supplier if Avetta determines that it can no longer meet any of its obligations under the CCPA, and in such event Avetta shall work with Supplier and take all reasonable and appropriate steps to stop and remediate any processing until such time as the processing complies with the CCPA and this DPA.
SCHEDULE B
PERSONAL DATA PROCESSING DETAILS
This Schedule B forms part of the DPA and describes the processing that Avetta will perform in connection with the provision of the Avetta Services.
ANNEX I – DATA PROCESSING DESCRIPTION
A. LIST OF PARTIES
Data exporter:
| Name: | As provided by Supplier |
| Address: | As provided by Supplier |
| Contact person’s name, position, and contact details: | As provided by Supplier |
| Activities relevant to the data transferred under this DPA: | Use of the Avetta Services pursuant to the EUSA. |
| Signature and date: | This Schedule A shall automatically be deemed executed when the EUSA is executed by Supplier. |
| Role (controller/processor): | Controller |
Data importer:
| Name: | Avetta, LLC |
| Address: | 549 E Timpanogos Parkway, Building G, Orem, UT 84097, USA |
| Contact person’s name, position, and contact details: | Privacy Officer [email protected] |
| Activities relevant to the data transferred under this DPA: | Processing necessary to provide the Avetta Services to Supplier. Processing necessary for the legitimate interests of Avetta as described in the Privacy Policy (https://www.avetta.com/privacy-policy). |
| Signature and date: | This Schedule B shall automatically be deemed executed when the EUSA is executed by Supplier. |
| Role (controller/processor): | Processor to the extent the processing is carried out on behalf of Supplier. Controller as to the other processing activities, including but limited to the processing activities necessary for the legitimate interests of Avetta. |
B. DESCRIPTION OF TRANSFER
| Categories of Data Subjects whose Personal Data is transferred: | Supplier’s admin users who access or use the Avetta Services through Supplier’s account. Supplier’s Workers (if Workers’ Personal Data is contained in the Prequalification Forms and other Supplier Content, or if Supplier is subscribed to Avetta’s worker product(s)). |
| Categories of Personal Data transferred: | Supplier’s admin users: business contact data (such as name, title, email, phone number, mailing address); location data (IP address); technical and usage data (such as browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices the Authorized User uses to access the Avetta Services); transaction data (such as Supplier’s subscription status and history, but only if Personal Data is contained in the transaction data); and marketing and communications data (such as Supplier’s marketing and communication preferences, but only if Personal Data is contained in such data). Supplier’s Workers:
|
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | Supplier and/or its Workers may upload content to the Avetta which may include special categories of data, the extent of which is determined and controlled by Supplier in its sole discretion.
Such special categories of data include, but may not be limited to, information revealing racial or ethnic origins, trade-union membership, and the processing of data concerning an individual’s health.
Additionally, geolocation data may be collected in connection with the Avetta Services (for example, geolocation data is collected when a Worker logs into the site access control systems).
Any such special categories of data shall be protected by applying the security measures described in Schedule B.
|
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Continuous for the duration of the EUSA. |
| Nature of the processing: | Processing necessary to provide the Avetta Services to Supplier. Processing necessary for Avetta’s legitimate interests as described in the Privacy Policy. |
| Purpose(s) of the data transfer and further processing: | Processing necessary for the provision of the Avetta Services. Processing necessary for Avetta’s legitimate interests as described in the Privacy Policy. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Avetta shall return or delete the Personal Data in accordance with Section 12 of this DPA. |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | Details of (sub-) processors, including the subject matter, nature, and duration of processing, are available at: https://www.avetta.com/privacy/processors. |
C. COMPETENT SUPERVISORY AUTHORITY
| Identify the competent supervisory authority/ies in accordance with Clause 13 of the EU SCCs: | Where the EU GDPR applies, the competent supervisory authority determined in accordance with Clause 13 of the EU SCCs.
Where the UK GDPR applies, the UK Information Commissioner's Office.
|
ANNEX II – TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Overview
Avetta software-as-a-service applications (“SaaS Services”) were designed from the beginning with security in mind. The Connect and Workforce Management SaaS Services are architected with a variety of security controls across each processing tier to address a range of security risks. These security controls are subject to change; however, any changes will maintain or improve the overall security posture of the SaaS platform.
The main areas of security controls below apply to each of the components of the Avetta Connect and Workforce Management SaaS Services. Avetta hosts its SaaS Services in a cloud service provider platform; currently Amazon Web Services (AWS).
Audits and Certifications
The Avetta SaaS Services are certified under ISO/IEC 27001:2013 (“ISO Certification”). Avetta has included all 114 Annex Controls within the ISO Certification. Avetta reviews its compliance annually with the ISO Certification by performing an internal controls audit. This audit is reviewed by the Information Security Management System Committee, comprised of members of the senior executive leadership team of Avetta.
Avetta utilizes global AWS regions for its computing and storage for the SaaS Services. AWS provides top-tier facilities which have achieved several accreditations, including SOC2, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 27017, and ISO/IEC 27018. These AWS facilities also provide state-of-the-art physical protection safeguards where Avetta’s customers data is stored and processed.
Disaster Recovery and Business Continuity
To ensure its SaaS Services maintain a high degree of system availability, Avetta uses a designated backup/failover AWS data center that is located in a separate geographic location than its normal production data processing facility. This ensures Avetta can respond quickly to any environmental, physical, or accidental event that may cause interruption to the production AWS facility.
Avetta maintains a comprehensive Disaster Recovery and Business Continuity plan that is reviewed at least on an annual basis. This review enables Avetta personnel to be familiar with emergency planning in case of an event which could potentially cause interruption to normal business activities at Avetta.
Avetta’s systems are designed to support a recovery point objective (RPO) of less than 2 hours and a recovery time objective (RTO) of less than 4 hours.
Avetta also conducts a comprehensive risk assessment exercise on a regular basis to ensure proper risk mitigation strategies and controls have been implemented within the organization.
Incident Response
Avetta maintains a comprehensive Incident Response Plan. This plan, along with related processes and procedures, enables Avetta personnel to quickly respond to a suspected or potential security breach, or other suspicious cybersecurity activity within the Avetta environment. An Incident Response Team, led by qualified security team members, will perform an assessment of any such situation and develop appropriate action plans and mitigation strategies. If a suspected breach is confirmed, the Incident Response Team will follow designated protocols to immediately act and appropriately respond to mitigate the malicious activity along with preserving forensic evidence. Notification procedures will also be followed.
Encryption
The Avetta SaaS Services maintain the encryption of data at rest using AES-256. Additional data elements are also encrypted using SALT methods. These encryption processes maintain a high degree of confidentiality and integrity to customer data. Logical data separation is maintained in the Avetta SaaS Services so that no customer data can be accessed by unauthorized sources. Supplier data access is controlled through unique identity and access management with attributes that disallows unauthorized users from accessing the customer data.
Avetta security measures are implemented based upon a “least privilege” method, meaning that only employees who have a business need have access to specific data and system functions.
Web Application Security Controls
Supplier access to the SaaS Services is only via secure communication protocols; TLS 1.2 or higher. This establishes an encryption channel to enable secure transmission of the data between an end-user and the SaaS Services. This protects customer’s data during data transmission processes.
A customer’s administration of the SaaS Services can provision and de-provision SaaS Service users and associated access as necessary. The SaaS Services allow customers to enable multi-factor authentication for accessing SaaS Services accounts utilizing single sign-on via SAML 2.0 identity providers. The SaaS Services allow customers to enable customizable password policies to help align SaaS Services passwords to customer corporate policies.
Network
The SaaS Services utilize cloud service provider network controls to restrict network ingress and egress. Security groups are employed to limit network activity to authorized endpoints. The SaaS Services use a multi-tier network architecture, including multiple, logically separated Cloudflare virtual environments, leveraging private, DMZs, and untrusted zones within the cloud service infrastructure.
Monitoring and Auditing
The SaaS Services systems and networks are monitored for security incidents, system health, network abnormalities, processing activity, infrastructure processing levels, and availability. Avetta uses an intrusion detection system to monitor network activity which will alert Avetta designated team members of suspicious behavior. Web application firewalls are also implemented for all public web services.
Avetta logs application, network, user, and operating system events to a local syslog server and SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any system activity anomalies are escalated with appropriate action that may be required. Avetta utilizes security information and event management systems providing continuous security analysis of the Avetta networks and security environment where alerting, detecting, and reporting of indicators of possible or suspicious activity are recorded. All of these capabilities and activities are administered by Avetta’s DevOps and Cybersecurity staff.
Vulnerability Management
Avetta performs periodic web application vulnerability assessments, static code analysis, and external security assessments as part of its comprehensive security program to help ensure proper security controls are implemented and operating effectively. On a semi-annual basis, Avetta hires independent third-party vulnerability and penetration testers to perform both network and web vulnerability assessments. The scope of these external audits includes compliance against the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities. Vulnerability assessment results are incorporated into the Avetta software development lifecycle (“SDLC”) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into the Avetta internal ticket system for tracking through resolution.
Secure Software Development
Avetta follows secure development practices within its SDLC. These practices include static code analysis and real-time code analysis tools. Peer reviews are also conducted prior to code being deployed into the production environment. Separate processing environments have been implemented at Avetta: production, testing/quality assurance, and demo. Avetta software developers are required to take secure coding training annually.
Avetta Cybersecurity Team
Avetta has a dedicated security team led by a Cybersecurity Manager who has a master’s degree in Cybersecurity. The team conducts regular company-wide security training, security exercises, and regular vulnerability and penetration exercises. Through these efforts, the Cybersecurity team ensures regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures are in order to ensure the security of the processing of customer data.
The Cybersecurity team also participates in annual audits and certifications and attends cybersecurity seminars.
Privacy and Data Protection
Avetta has created a thorough Information Security and Privacy Policy. The policy outlines the procedures that are followed to ensure safeguarding of customer information. It further outlines the controls that are implemented which include data retention, accessibility and authentication guidelines, acceptable use guidelines, and data privacy guidelines.
ANNEX III – LIST OF SUB-PROCESSORS
Avetta’s current list of sub-processors may be found at: https://www.avetta.com/privacy/processors.