Privacy & Security FAQ

Avetta respects the privacy of its customers and is committed to protecting customers’ data.

This FAQ provides information about the relationship between Avetta, Avetta’s clients (each, a “Client”) and the suppliers participating in the Avetta Network (each, a “Supplier”) from a privacy perspective, and answers the common questions Suppliers have about how Avetta processes and protects their data. This FAQ is provided for informational purposes only. It should not be considered a substitute for legal advice and will not be incorporated into or form part of any contract with Avetta. Capitalized terms used on this page but not defined herein have the meaning set forth in the End User Service Agreement (“EUSA”).

1. How does a Supplier join the Avetta Network?

There are two common methods for Suppliers to join the Avetta Network:

• A Client identifies a Supplier it wants to engage with and manage through the Avetta SaaS platform (the “Avetta Platform”). Subsequently Avetta in conjunction with the Client sends out an invitation to the Supplier, asking the Supplier to join the Avetta Network. This process supports the instance where the Client is seeking access to certain documents or other data about the Supplier, which data is subsequently provided by the Supplier to Avetta. Avetta then makes such data available to the Client through the Avetta Platform. Hence, the Supplier’s data is collected by Avetta in support of a request for such data from a Client with whom the Supplier does business.
• A Supplier can also join the Avetta Network on its own initiative, and then connect to Clients in the Avetta Network and provide documents and other data in accordance with the requirements set forth by any connected Clients.

2. What data does Avetta collect from Suppliers through the Avetta Platform?

In general, Avetta collects two types of data from Suppliers: General Access Data and Limited Access Data.

“General Access Data” includes a Supplier’s business name, description of services, business address, business contact information and other general business information.

“Limited Access Data” includes a Supplier’s data contained in the prequalification forms (PQFs), specific insurance information, safety statistics such as experience modification rate (EMR) and OSHA data, any and all data collected during an Audit (an Audit refers to Avetta’s objective evaluation of Supplier’s procedures and practices to assess Supplier’s compliance with relevant regulatory standards, industry best practices, or other criteria or parameters determined by connected Clients), and workers’ data if a Supplier uses our worker product(s). The specific scope of Limited Access Data Avetta collects from a Supplier depends on the Avetta Services the Supplier has subscribed to and the requirements set by the Supplier’s connected Clients on the Avetta Platform.

3. Who can access Suppliers’ data via the Avetta Platform and why?

General Access Data is not publicly available data, but is password protected and shared only with the Clients and Suppliers that are part of the Avetta Network and in certain circumstances, with potential Clients. Displaying Suppliers’ General Access Data is a benefit/feature we offer to Suppliers, so that other Clients can search the Suppliers in the Avetta Network for potential work.

Limited Access Data can only be accessed by a Supplier’s connected Clients (and Prime Contractors if the Supplier is a Subcontractor). Limited Access Data is maintained for the benefit of connected Clients (e.g., to confirm that the Supplier meets to the requirements to work with the Client, or a particular worker is eligible to enter the Client’s worksite). Limited Access Data can be further categorized into two groups: (i) standard compliance data, accessible by all connected Clients (and Prime Contractors when applicable), and (ii) client specific compliance data, accessible solely by the Client defining the specific requirements (and any Prime Contractors for that Client when applicable). It is important to note that workers’ data submitted through our worker products falls under the category of client-specific compliance data, and access to this data is limited to the Client setting out the requirements for site access.

4. What personal data does Avetta collect from Suppliers?

General Access Data generally does not include any personal data, unless the business contact information provided by the Supplier contains an individual’s name or email address.

Limited Access Data may contain personal data, but the specific types of personal data included in Limited Access Data depend on the Avetta Services the Supplier has subscribed to and the requirements set by the Supplier’s connected Clients.

Please see Schedule B of our Data Processing Addendum (“DPA”) for the categories of personal data, the types of data subjects, the purposes of the processing, and other details of the processing Avetta will perform in connection with the provision of the services in accordance with the EUSA.

5. What are the purposes of the data processing?

The purposes of the data processing by Avetta are as follows:

• To be able to provide the Avetta Services.
• Personal data about workers are maintained in the Avetta Platform for the benefit of connected Clients (e.g., to confirm that a particular worker is eligible to enter the Client’s worksite).
• Aggregated and anonymized data is used by Avetta for:
  
  • Product development
  • Research
  • Market analysis
• Business contact data is used by Avetta for:
  
  • Direct marketing (e.g., sending of newsletters and promotional emails)
  • Business development
  • Customer support
• For Avetta’s other legitimate interests: see section 5 of Avetta’s Privacy Policy.

6. What is Avetta’s role under the GDPR when processing Suppliers’ personal data?

Avetta is a processor to the extent the processing of personal data is carried out on behalf of and under the direction of the Supplier, such as processing of the Supplier’s personal data contained in the PQFs, OSHA data sets, data sets gathered during an Audit, workers’ data contained in worker product(s), or other data submitted to Avetta based on the requirements determined by the Supplier’s connected Clients.

Avetta is a controller to the extent the processing of personal data is for Avetta’s own purposes in connection with the provision of the services or for Avetta’s legitimate business interests, such as billing, account management, technical support, fraud prevention, and sales and marketing (for example, sending newsletters to Suppliers’ admin users).

7. How does Avetta protect Suppliers’ data?

Avetta is bound by the confidentiality provisions contained in section 13 of the EUSA and commits to processing and protecting Suppliers’ personal data in accordance with the DPA.

Avetta maintains robust technical, physical, administrative and organizational controls designed to maintain the confidentiality, security and integrity of the confidential information, including personal data, entrusted to it, and has implemented systems and procedures for detecting, preventing and responding to attacks, intrusions, and system failures, and regular testing and monitoring of the effectiveness of such systems and procedures, including, without limitation, through vulnerability scans and penetration testing. Avetta holds both the ISO/IEC 27001:2013 (standards for information security management systems (ISMS)) and 27701:2019 (Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001) certifications, as well as ISO/IEC 27017:2015 (standards for security controls applicable to the provision and use of cloud services), ISO/IEC 27018:2019 (standards for or protection of personally identifiable information in public clouds), and ISO/IEC 22301:2019 (standards for business continuity management systems) certifications, and undertakes annual SOC 2 Type II independent audits.

For additional information on Avetta’s organizational and technical measures to protect customers’ data, please see Annex II to the DPA.

8. Who may Avetta disclose Suppliers’ data to?

Generally speaking, Avetta may disclose a Supplier’s data to:

• Its group affiliates and service providers/contractors (such as AWS for cloud hosting services, third-party products integrated into the Avetta Platform, Salesforce for CRM, network security service providers, and other tools it uses in the course of business);
• As explained in Q3, the users of the Avetta Services as part of the product offering (General Access Data available to users on the Avetta Platform and Limited Access Data shared only with the Supplier’s connected Clients and Prime Contractors, if any); and
• Other recipients including third parties in connection with M&A activities and parties to whom the disclosure is not based on “consent” as the legal basis (for example, Avetta may be compelled to disclose a Supplier’s data to law enforcement agencies).

Please see section 6 of our Privacy Policy for further information.

9. Does Avetta sell any Suppliers’ data?

Avetta does not sell any data that Suppliers have submitted to us in the course of using the Avetta Platform.

However, we may use cookies and similar technologies on our general website (not the Avetta Platform) for advertising purposes, which may be considered “selling” or “sharing” of a website visitor’s personal data under the California Consumer Privacy Act of 2018. Nevertheless, we do not engage in any “sale” of personal data for monetary consideration.

10. Certain Avetta Services provide customers with access to AskAva™, an AI-powered tool designed to generate work site safety suggestions. Does Avetta use Customer Content to train AskAva, and how does this tool handle personal data?

Avetta does not use any Customer Content to train AskAva. AskAva is powered by OpenAI. Given the suggestions are generated by AI, they may have errors or be incomplete.

The appropriate use of AskAva does not involve users entering any personal data. Users are advised against inputting personal data, as it is unnecessary for generating work site safety suggestions. Personal data will only be shared with OpenAI for processing if a user intentionally provides such data.

Use of AskAva is entirely optional, and if you do not want OpenAI to process your data, you should not use AskAva. For information about how OpenAI processes data, please refer to OpenAI’s documentation regarding its API.

11. Where does Avetta store Suppliers’ data?

The table below describes the server locations where Avetta processes and stores data for the SaaS services. In general, Avetta selects servers in the countries where local laws provide a higher level of protection of individuals’ privacy rights.

Please note that our non-production data is stored in Canada.

12. Will personal data be transferred outside the jurisdictions where data subjects reside?

Avetta’s headquarters are located in the United States and Avetta contracts with various third-party vendors (processors/sub-processors) to provide the services. The personal data are likely to be transferred outside the jurisdictions where data subjects reside.

13. What are the cross-border transfer mechanisms Avetta uses to transfer data?

When transferring personal data outside the EEA or the UK, we:

(i) ensure that the country in which personal data will be handled has been deemed “adequate” by the European Commission or the UK, as applicable;

(ii) include in our contracts the Standard Contractual Clauses approved by the European Commission (as applicable) for transferring personal data from the EEA or the UK, and additionally the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses for transferring personal data from the UK; or

(iii) rely on other legally compliant mechanisms or conditions for such data transfer.

For data transfers to the United States, Avetta has elected to self-certify to the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US Data Privacy Framework (“UK Extension”), and the Swiss-US Data Privacy Framework (“Swiss-US DPF,” together with “EU-US DPF” and “UK Extension,” “DPF”) administered by the US Department of Commerce. The European Commission has issued an adequacy decision for the EU-US DPF, confirming that the US ensures an adequate level of protection, comparable to that of the European Union, for personal data transferred from the EU to US companies under the framework. Likewise, the UK authority has determined that the UK Extension does not undermine the level of data protection for UK data subjects when their data is transferred to the US and has therefore established the UK-US data bridge with the US through the UK Extension. As a participant of the DPF program, Avetta commits to upholding the DPF Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability when processing personal data. For further information, please refer to our Data Privacy Framework Notice, which is available here.

In the event the applicable data protection laws have prescribed additional requirements or modified the existing mechanisms for cross-border data transfers, we will take appropriate measures, including working with our customers, to implement the requirements or update the transfer mechanisms to enable the lawful transfer of data subjects’ personal data outside their home country.

For further information, please see section 7 of the DPA.

14. How does Avetta comply with the GDPR and other applicable data protection laws?

As an organization doing business in multiple jurisdictions, Avetta is subject to a number of data protection laws (such as the GDPR, UK GDPR, CCPA, PIPEDA, and the Australian Privacy Act 1988). Our privacy program was built on a foundation based on the GDPR requirements. To further address the global compliance needs, we have adopted the following approach: we first identify the common requirements of the applicable data protection laws, identify gaps and implement the solutions to address the common requirements, and then we analyze the variations and assess the necessity of customizing the program to meet local requirements or implementing these requirements across all jurisdictions.

Generally speaking, we adhere to the data privacy principles that require personal data to be:

• processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
• collected only for specified, explicit and legitimate purposes (purpose limitation);
• adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimization);
• accurate and where necessary kept up to date throughout the life cycle of the personal data (accuracy);
• not retained in a form which permits identification of data subjects for longer than necessary for the purposes for which the data is processed (storage limitation);
• processed in a manner that ensures its security using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction or damage (security, integrity and confidentiality);
• not transferred to another country without appropriate safeguards in place (transfer limitation); and
• made available to data subjects and allow data subjects to exercise certain rights in relation to their personal data (data subject's rights and requests).

15. What are the terms governing the relationship between Avetta and Suppliers?

The contractual relationship between Avetta and a Supplier is governed by:

• Avetta’s End User Service Agreement (EUSA)
• Avetta’s Data Processing Addendum to EUSA

For additional information about Avetta’s privacy and security program, please go to our legal information page. Avetta continuously evaluates the effectiveness of its privacy and security program and commits to monitoring and implementing changes that are appropriate or necessary due to legal, market, or practice developments.