Avetta respects the privacy of its customers and is committed to protecting customers’ data.
This FAQ provides information about the relationship between Avetta, Avetta’s clients (each, a “Client”) and the suppliers participating in the Avetta Network (each, a “Supplier”) from a privacy perspective, and answers the common questions Suppliers have about how Avetta processes and protects their data. This FAQ is provided for informational purposes only. It should not be considered a substitute for legal advice and will not be incorporated into or form part of any contract with Avetta. Capitalized terms used on this page but not defined herein have the meaning set forth in the End User Service Agreement (“EUSA”).
1. How does a Supplier join the Avetta Network?
There are two common methods for Suppliers to join the Avetta Network:
- A Client identifies a Supplier it wants to engage with and manage through the Avetta SaaS platform (the “Avetta Platform”). Subsequently, Avetta, in conjunction with the Client, sends an invitation to the Supplier asking it to join the Avetta Network. This process supports the case where the Client is seeking access to certain documents or other data about the Supplier; that data is then provided by the Supplier to Avetta, and Avetta makes it available to the Client through the Avetta Platform. Hence, the Supplier’s data is collected by Avetta in support of a request for such data from a Client with whom the Supplier does business.
- A Supplier can also join the Avetta Network on its own initiative, and then connect to Clients in the Avetta Network and provide documents and other data in accordance with the requirements set forth by any connected Clients.
2. What data does Avetta collect from Suppliers through the Avetta Platform?
In general, Avetta collects two types of data from Suppliers: General Access Data and Limited Access Data.
“General Access Data” includes a Supplier’s business name, description of services, business address, business contact information and other general business information.
“Limited Access Data” includes a Supplier’s data contained in the Prequalification Forms, specific insurance information, and other data collected during an Audit (an Audit refers to Avetta’s objective evaluation of Supplier’s procedures and practices to assess Supplier’s compliance with relevant regulatory standards or industry best practices). The specific scope of Limited Access Data Avetta collects from a Supplier depends on the requirements set by the Supplier’s connected Clients on the Avetta Platform.
3. Who can access Suppliers’ data via the Avetta Platform and why?
General Access Data is not publicly available data, but is password protected and shared only with the Clients and Suppliers that are part of the Avetta Network and in certain circumstances, with potential Clients. Displaying Suppliers’ General Access Data is a benefit/feature we offer to Suppliers, so that other Clients can search the Suppliers in the Avetta Network for potential work.
Limited Access Data can only be accessed by a Supplier’s connected Clients (and Prime Contractors if the Supplier is a Subcontractor). Limited Access Data is maintained for the benefit of connected Clients (e.g., to confirm that the Supplier meets the requirements to work with the Client, or that a particular worker is eligible to enter the Client’s worksite).
4. What personal data does Avetta collect from Suppliers?
General Access Data generally does not include any personal data, unless the business contact information provided by the Supplier contains an individual’s name or email address.
Limited Access Data may contain personal data, but the specific types of personal data included in Limited Access Data depend on the Avetta Services the Supplier has subscribed to and the requirements set by the Supplier’s connected Clients.
Please see Schedule B of our Data Processing Addendum (“DPA”) for the categories of personal data, the types of data subjects, the purposes of the processing, and other details of the processing Avetta will perform in connection with the provision of the services in accordance with the EUSA.
5. What are the purposes of the data processing?
The purposes of the data processing by Avetta are as follows:
- To be able to provide the Avetta Services.
- Personal data about workers are maintained in the Avetta Platform for the benefit of connected Clients (e.g., to confirm that a particular worker is eligible to enter the Client’s worksite).
- Aggregated and anonymized data is used by Avetta for:
  - Product development
  - Research
  - Market analysis
- Business contact data is used by Avetta for:
  - Direct marketing (e.g., sending of newsletters and promotional emails)
  - Business development
  - Customer support
- For Avetta’s other legitimate interests: see section 5 of Avetta’s Privacy Policy.
6. What is Avetta’s role under the GDPR when processing Suppliers’ personal data?
Avetta is a processor to the extent the processing of personal data is carried out on behalf of and under the direction of the Supplier, such as processing of the Supplier’s personal data contained in the Prequalification Forms, OSHA data sets, data sets gathered during an Audit, or other data submitted to Avetta based on the requirements determined by the Supplier’s connected Clients.
Avetta is a controller to the extent the processing of personal data is for Avetta’s own purposes in connection with the provision of the services or for Avetta’s legitimate business interests, such as billing, account management, technical support, fraud prevention, and sales and marketing (for example, sending newsletters to users).
7. How does Avetta protect Suppliers’ data?
Avetta is bound by the confidentiality provisions contained in section 13 of the EUSA and commits to processing and protecting Suppliers’ personal data in accordance with the DPA.
Avetta maintains robust technical, physical, administrative and organizational controls designed to maintain the confidentiality, security and integrity of the confidential information, including personal data, entrusted to it. It has implemented systems and procedures for detecting, preventing and responding to attacks, intrusions, and system failures, and regularly tests and monitors the effectiveness of those systems and procedures, including, without limitation, through vulnerability scans and penetration testing. Avetta holds both the ISO/IEC 27001:2013 (standards for information security management systems (ISMS)) and ISO/IEC 27701:2019 (Privacy Information Management System (PIMS), in the form of an extension to ISO/IEC 27001) certifications, as well as ISO/IEC 27017:2015 (standards for security controls applicable to the provision and use of cloud services) and ISO/IEC 27018:2019 (standards for the protection of personally identifiable information in public clouds) certifications, and undertakes annual SOC 2 Type II independent audits.
For additional information on Avetta’s organizational and technical measures to protect customers’ data, please see Annex II to the DPA.
8. Who may Avetta disclose Suppliers’ data to?
Generally speaking, Avetta may disclose a Supplier’s data to:
- Its group affiliates and service providers/contractors (such as AWS for cloud hosting services, third-party products integrated into the Avetta Platform, Salesforce for CRM, network security service providers, and other tools it uses in the course of business);
- As explained in Q3, the users of the Avetta Services as part of the product offering (General Access Data available to users on the Avetta Platform and Limited Access Data shared only with the Supplier’s connected Clients and Prime Contractors, if any); and
- Other recipients including third parties in connection with M&A activities and parties to whom the disclosure is not based on “consent” as the legal basis (for example, Avetta may be compelled to disclose a Supplier’s data to law enforcement agencies).
Please see section 6 of our Privacy Policy for further information.
9. Where does Avetta store Suppliers’ data?
The table below describes the server locations where Avetta processes and stores data for the SaaS services. In general, Avetta selects servers in the countries where local laws provide a higher level of protection of individuals’ privacy rights.
| Avetta Product | Customer Location (Hosting Location) |
|---|---|
| Supplier compliance products including but not limited to Avetta Connect® Health & Safety; ESG & Sustainability; Business Risk; and Avetta Transportation Safety – Motor Carrier Statistics Enterprise | |
| Worker Management | |
| Pegasus Workforce Management | |
10. Will personal data be transferred outside the jurisdictions where data subjects reside?
Avetta’s headquarters are located in the United States and Avetta contracts with various third-party vendors (processors/sub-processors) to provide the services. The personal data are likely to be transferred outside the jurisdictions where data subjects reside.
11. What are the cross-border transfer mechanisms Avetta uses to transfer data?
Standard contractual clauses (for controller-to-controller (c-c) and controller-to-processor (c-p) transfers) and the UK addendum. For details, please see section 7 of the DPA.
Avetta does not rely on the EU-US and Swiss-US Privacy Shield Frameworks for cross-border data transfers. However, it continues to honor the commitments and maintain the certifications to demonstrate its ongoing commitment to protecting its customers’ personal data. A copy of Avetta’s certifications is available on the Privacy Shield website.
12. What are the terms governing the relationship between Avetta and Suppliers?
The contractual relationship between Avetta and a Supplier is governed by:
- Avetta’s End User Service Agreement (EUSA): https://www.avetta.com/end-user-service-agreement
- Avetta’s Data Processing Addendum to EUSA: https://www.avetta.com/data-processing-supplier
For additional information about Avetta’s privacy and security program, please go to our legal information page: https://www.avetta.com/legal-information. Avetta continuously evaluates the effectiveness of its privacy and security program and commits to monitoring and implementing changes that are appropriate or necessary due to legal, market, or practice developments.