Data Protection Agreement

 

1. This Data Protection Agreement (“DPA”) is made by and between Customer (as defined in the TOS (as defined below)) and Avanan Inc. (“Avanan”) (each a “Party” and together the “Parties”) as required by EU General Data Protection Regulation 2016/679 (“GDPR”) Article 28. This DPA is hereby annexed to, incorporated into, and constitutes an integral part of Avanan’s Terms of Service agreed by and between the Parties on [DATE] (“TOS”). Capitalized terms not specifically defined herein shall have the meaning ascribed to them in GDPR.


2. In so far as Avanan processes Personal Data governed by GDPR on behalf of Customer in the course of providing the Services (as defined in the TOS) Avanan is the Processor, and Customer is the Controller, of such Personal Data.


3. Avanan processes Personal Data only pursuant to Customer's documented instructions, and the TOS, and communicated directly to Avanan, unless Processing is required by applicable laws to which Avanan is subject, in which case Avanan shall inform Customer of that legal requirement before the relevant Processing of that Personal Data, unless prohibited from doing so by law. Customer instructs Avanan to process the Personal Data for the following purposes: (i) providing the Services; and (ii) compliance with other reasonable and lawful instructions provided by Customer where such instructions are consistent with the terms of the TOS and other applicable agreements between Avanan and Customer.


4. Avanan's personnel engaged in processing Personal Data are and will remain committed to confidentiality. Avanan takes industry-appropriate technical and organizational measures to ensure the security of its processing of Personal Data.


5. Avanan will engage sub-processors only in accordance with GDPR Article 28. For the removal of doubt, Customer specifically authorizes Avanan to engage sub-processors as described in the Privacy Policy (as defined in the TOS). Avanan processes data in the USA, Israel or elsewhere, in accordance with GDPR Chapter V.


6. Avanan will reasonably assist Customer in responding to requests for exercising Data Subjects' rights. Avanan will likewise reasonably endeavor to assist Customer with its obligations pursuant to GDPR Articles 32-36, including data security, data protection impact assessments, and breach notifications. Avanan will inform Customer if it is asked to do something infringing the GDPR or other applicable law.


7. Avanan will endeavor to delete and procure the deletion of Personal Data where so instructed by Customer, unless retention is required by applicable laws.


8. Avanan will make available all information necessary, and reasonably available to Avanan, to demonstrate compliance with GDPR obligations under Articles 28 and 32. Avanan may allow for and contribute to audits and inspection in this regard.


9. Avanan may process the types of Personal Data, relating to such categories of Data Subjects, as are detailed in the TOS.


10. This DPA will remain in force for the duration of the force of the TOS. The terms of this DPA will prevail over any conflicting terms in other agreements between the parties hereto. Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both parties.


11. Customer may not assign this DPA without the consent of Avanan, other than in connection with a change of control, merger, or acquisition of Customer and/or sale of all or substantially all of its assets.


12. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced, to the extent possible, by such valid provisions which achieve essentially the same objectives.


13. Customer's Data Protection Officer for the purposes of GDPR is Michael Landewe, available at 1-855-528-2626 extension 707.


14. Customer shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that Processing is performed in accordance with GDPR. Without derogating from anything in the TOS, Customer represents that all data provided by Customer to Avanan is provided lawfully, under GDPR and all applicable laws.


15. Avanan’s data protection personnel may be contacted at privacy@avanan.com.