This Policy and Notice (“Policy”) applies to use of www.avanan.com and our Security Platform owned and operated by Avanan, Inc. (“Avanan”, or we, our etc). Avanan respects the privacy of customers, vendors, website visitors, and others, and is committed to protecting the Personal Data that they share with us. This Policy describes how Avanan collects, uses, shares, secures and processes Personal Data in the course of providing threat detection services (“Services”), and outlines the ways in which our customers can control our use of that information. Note that those aspects of this Policy which are mandated by the EU General Data Protection Regulation (“GDPR”), in particular any rights (such as Data Subject rights detailed below) and duties conferred by GDPR, will apply only to the extent that GDPR applies. Capitalized terms not otherwise defined herein (other than section 1) take their meaning in GDPR.
1. How we collect Personal Data
Avanan is generally a Processor of Personal Data on behalf of its customers, the Controllers, and Avanan will process your Personal Data as a Processor when our customers deploy our cloud platform as a trial or purchased service to monitor their data and/or the data of their customers and/or partners. However, with respect to data of website users, employees, and contacts at its customers, Avanan may be the Controller. Avanan may process your Personal Data as a Controller when you contact us using our website or by telephone or otherwise, when you request a demo or trial of the Services or report any concerns, and when you or your organization contact Avanan or enter into a contract or business or services relationship with Avanan.
- Contact Information: such as name, telephone number, e-mail address, phone number;
- Other Personal Data to help provide service: such as employer, job title, location;
- Information related to the use of our websites: such information may include technical and behavioral information regarding use of our website and services, cookies, IP addresses and other online identifiers, clickstream;
- Cookies: As you visit or browse the Avanan website, we collect information about the device and browser you use, your network connection, your IP address, and information about the cookies installed on your device, and cookies we may place on your device. See www.avanan.com/legal/cookies.
- Forms: We collect Personal Data submitted by you via any request or contact forms on our website.
- Telephone: From telephone support users, we collect your phone number, organization name, and other Personal Data you provide us during our call or used to verify your identity.
- Chat: From chat support users, we collect your name, email address, information about the device and browser you use, your network connection, your IP address, chat transcript, and other Personal Data you provide us during our chat.
In addition, we receive, or are granted access to, information provided by our customers, in which case we are the Processor. In the course of providing the Services, the data we collect to identify security risks may also contain some Personal Data. This information is used only in protecting the IT infrastructure of Avanan and its customers.
2. Why we process Personal Data
We will use Personal Data to provide and improve our Services to our customers and others and meet our contractual, ethical and legal obligations, including for example:
- we use this data to verify your account, or the account for which you are the contact person, to provide and enhance our Services and to offer support;
- administering your account with Avanan including to identify and authenticate you;
- to enable us to meet our legal, contractual, ethical and business obligations;
- carrying out our obligations arising from any contracts entered into between you or your organization and Avanan and to provide you with the information that you request from Avanan and the Services; this includes also inspecting data we process on behalf of customers as part of our core services, to identify ‘indicators of compromise’ – see section 8 of this Policy;
- verifying and carrying out financial transactions in relation to payments made in connection with the Services;
- contacting you for the purpose of providing you with technical assistance and other related information about the Services, replying to queries, troubleshooting, detecting and protecting against error, fraud or other criminal activity;
- contacting you to give you commercial and marketing information about events or promotions or additional services offered by Avanan;
- notifying you about changes to our Services and soliciting feedback in connection with your use of the Services;
- tracking use of the Services to enable us to optimize them;
- compliance and audit purposes, such as meeting our reporting obligations in our various jurisdictions, and for crime prevention and prosecution in so far as it relates to our staff, customers, facilities etc;
- to enforce our terms, policies and legal agreements, to comply with regulator or court orders and warrants and assist law enforcement agencies as required by law, to collect debts, to prevent fraud, infringements, identity theft and any other service misuse, and to take any action in any legal dispute and proceeding.
3. Legal basis for the processing of Personal Data
Avanan processes Personal Data on different legal bases:
Avanan processes Personal Data as a Processor, and does so where the Controller has declared that they have met their obligation to ensure the data processing is lawful, which is usually on the basis of their contract with third parties, including contracts with or on behalf of, data subjects.
Consent: We may in some circumstances process certain data only on the basis of consent, for example when we contact prospective customers who have agreed to be contacted to offer our services. If that is the case, you are not required to consent, but then we might not be able to contact you.
Contract: We process details of our customers and their contact persons based on fulfillment of contract, or in preparation for entering a contract, at the request of the data subject. You are not obligated to provide this Personal Data, but where we do not have contact details, we might not be able to provide Services.
Legal obligation: Avanan may be required to process certain data in fulfillment of its legal obligations, including regulatory or ethical obligations and best practices, or to enforce our legal rights.
Protection of legitimate interests: Avanan processes data for the legitimate interest of sales and marketing, of being in touch with actual or potential customers, improving, optimizing and personalizing the Services, to transfer data between Avanan’s companies and locations to effectively run an international business, and in order to protect Avanan’s legitimate interests or the interests of third parties.
4. Data transfer to selected third parties
Data transfer to the USA: Personal data is transferred from EU, UK and Switzerland to the USA based on the EU Commission's Standard Contractual Clauses for EU controllers to non-EU processors, available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
Data may be transferred to the following entities, in which case we take all steps reasonably necessary to ensure the data is subject to appropriate safeguards, and is treated in accordance with this policy:
- to carefully selected and verified service providers and business partners with whom we cooperate to be able to offer you Services. We do this subject to strict conditions of data processing on your behalf or on the basis of your express agreement - for example transfer to third party malware analysis provider, if you have selected this feature;
- to our corporate services providers, such as storage and backup, ERP, CRM, billing and invoicing, distributors and agents, communication and IT infrastructure providers, affiliates;
- to our group companies;
- in the event that we are involved in a merger, reorganization, dissolution, sale of business or assets or similar event, information disclosed to or collected by us may be transferred to our successor, or to the purchaser of such assets, as applicable;
- to other third parties (for example public authorities) to the extent that we are legally obligated to do so, including, for example, pursuant to any law, subpoena, legal process, court, judicial, regulatory or governmental authority, or if in our discretion use or disclosure is necessary to investigate fraud or any threat to the safety of any individual.
5. Protection of Your Personal Data
We employ various technical and administrative measures such as encryption and authentication tools to protect and maintain the security, integrity, and availability of your data, as applicable. Though protection against unauthorized access cannot be guaranteed, Avanan is committed to protecting Personal Data by means of physical, electronic, and process security controls commensurate with the current state of the art. Additionally, we use the following measures as appropriate:
- Strict criteria for authorization to access Personal Data according to a business “need-to-know” principle and for a specified purpose (strictly controlled and limited logical access);
- Transfer of data in encrypted format;
- Storage of data in encrypted format;
- Firewall safeguarding of production systems;
- Monitoring of access to production systems to detect the misuse of any Personal Data.
6. Retention of Personal Data
In line with the principle of data minimization, we keep your data only as long as is necessary to satisfy the purpose for which the data is intended to be processed. To that end, Avanan has established a process to identify systems where Personal Data exists. All Personal Data associated with a given customer account is retained for customers for 30 days after the term of the agreement with such customer, after which time it is either erased or anonymized.
7. Use for the assessment of Indicators of Compromise (IoCs)
Avanan, in its capacity as a Processor, analyzes customer files, emails and other content for threats posed by malware as well as communication with malicious hosts on the internet. Avanan will collect and analyze certain artifacts - files, URLs, and email content that could pose a threat to the organizations (“Artifacts”) - that are transmitted to, from and within the SaaS environment. Avanan takes steps to avoid collecting information from our customer’s network that could personally identify their end users or collect or view any data that could be reasonably associated to such information. However, the data we collect through our Services to identify security risks may also contain some Personal Data. This information is only used in protecting the IT infrastructure of Avanan and its customers. Content within the SaaS account, which Avanan may inspect and assess includes:
- The domain names of senders or recipients of information transmitted via the SaaS account including the host (IP Address) that resolved the domain;
- The content of files, emails and other communications that are stored in the SaaS and could pose a risk to an organization;
- Emails to which Avanan has visibility;
- Executable programs, scripts, documents or other potential Artifacts that may contain executable code transmitted via the SaaS Account;
- Email headers and any potentially malicious content in the email body, including potentially suspicious or malicious Email attachments or URLs.
8. International transfers of Personal Data
To ensure adequate data protections are in place, Avanan has established dedicated processing facilities within the European Union. With that, Avanan is an international organization, including companies, resellers, agents and customers in multiple jurisdictions. Avanan transfers data including Personal Data from its various locations and jurisdictions to other jurisdictions as follows:
- To and within countries considered by the European Commission to offer an adequate level of protection for the personal information of EU Member State residents; this includes Israel and other countries; and
- To and within the United States of America and additional non-EU locations, to support the provision of the Services and intended purposes listed above, Avanan uses a number of service providers that are commissioned by Avanan within the framework of the strict conditions of data processing in accordance with data protection legislation, including Privacy Shield certification (details here), Model Clauses (available here), or other applicable mechanisms.
We may transfer your Personal Data outside of the EEA, in order to:
- Store or backup the information;
- Enable us to provide you with the Services and fulfill our contract with you;
- Fulfill any legal, audit, ethical or compliance obligations which require us to make that transfer;
- Facilitate the operation of our group businesses, where it is in our legitimate interests and we have concluded these are not overridden by your rights;
- To serve our customers across multiple jurisdictions; and
- To operate parent company, subsidiaries and affiliates in an efficient and optimal manner.
9. Data subject rights
Where GDPR and other local laws apply, such laws stipulate data subjects’ various rights over their data. These rights are to be met by the Controller, and will apply to Avanan where it is Controller. These rights may include the following, depending on the circumstances: rights to data portability, rights to access data, rights to rectify data, rights to object to processing, and the right to erase data. You may have the right to lodge a complaint with a supervisory authority. Where we process Personal Data based on your consent, you have the right to withdraw your consent, which will not affect the lawfulness of processing prior to the withdrawal of consent. To submit questions and requests to exercise these rights, contact us as detailed in the next section. Avanan may undertake a process to identify a data subject exercising their rights, and may keep details of such rights exercised for its own compliance and audit requirements. Where Personal Data is processed by Avanan as a Processor, relevant data subjects’ rights must be asserted only through the Controller. Likewise, where Personal Data is provided by a party being the data subject's employer or service provider, such data subject rights will have to be effected through that party. Note that data subject rights cannot be exercised in a manner inconsistent with the rights of Avanan employees and staff, with Avanan proprietary rights, and third-party rights.
Note that we do not knowingly Control any Personal Data relating to people under the age of 16. Please inform us if you believe we may be doing so in error, in which case we will, where possible, delete such data or otherwise ensure its lawful processing by Avanan.
10. Complaints and contacting us and our data protection team
Avanan takes your data protection rights very seriously. Enquiries or requests to exercise data subjects’ rights may be sent to our Data Protection Officer or professionals and in parallel to Avanan at email@example.com, or to:
259 WEST 30th STREET
New York, NY 10001
1-855-528-2626 extension 707
11. Third parties, Changes to this Policy
Note that Avanan’s website may include third-party links for your use and reference. Avanan is not responsible for the data protection practices or other aspects of these websites.
The contents of this statement may be altered at any time, at our discretion.
12. EU-U.S. PRIVACY SHIELD AND SWISS-U.S. PRIVACY SHIELD
Avanan participates in, and has certified its compliance with, the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Avanan has certified to the U.S. Department of Commerce that it adheres to Privacy Shield principles. We are committed to subjecting all Personal Data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. If there is any conflict between this policy and the Privacy Shield, the Privacy Shield principles shall govern. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List: https://www.privacyshield.gov
Avanan is responsible for the processing of personal data it receives under each Privacy Shield Framework and subsequently may transfer it to a third party acting as an agent on its behalf. Avanan complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland and the UK, including the onward transfer of liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Avanan is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, Avanan commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Avanan at:
Avanan has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/about/submit-a-case for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Avanan commits to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.