Avoca, Data Processing Agreement
Last updated on April 16, 2026
This Data Processing Agreement (“DPA”) is incorporated into the Order between Avoca and Customer referencing this DPA. Capitalized terms in this DPA will be understood to have the meanings given to them in the Master Customer Agreement referenced in the Order (the “Agreement”), unless expressly defined otherwise in this DPA.
- Data Processing, Subject Matter, and Roles
- Data Processing. In the course of providing the Services to Customer pursuant to the Agreement, Avoca may Process Customer Data that constitutes “personal data,” “personal information,” “personally identifiable information,” or an analogous term under applicable Law (“Personal Data”). The Parties agree to comply with this DPA and all privacy and data protection Laws applicable to the Processing of Personal Data under the Agreement, including, as applicable, the General Data Protection and California Consumer Protection Act (collectively, “Data Protection Laws”).
- Subject Matter. The subject matter, nature, and purpose of the Processing of Personal Data, the types of Personal Data, and the categories of “Data Subjects” (as such term is defined under applicable Data Protection Laws) are set out in Schedule I.
- Roles. Customer is a “Controller” or “Business” (as such terms are defined under applicable Data Protection Law) and appoints Avoca as a “Processor” or “Services Provider” (as such terms are defined under applicable Data Protection Law) on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers and Businesses.
- Processing Instructions. Avoca shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (a) Processing in accordance with this DPA or the Agreement; (b) Processing initiated by Customer in its use of the Services; and (c) Processing to comply with other reasonable documented instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of this DPA or the Agreement.
- Personnel. Avoca will ensure that all personnel authorized to Process Personal Data are subject to an obligation of confidentiality.
- CCPA Limitations on Processing. Except as permitted by applicable Data Protection Law, the Agreement, or this DPA, Avoca is prohibited from: (a) retaining, using, or disclosing Personal Data for any purpose other than for the purposes of performing the Services or in accordance with Customer’s documented instructions (including as set forth in the Agreement); (b) retaining, using, or disclosing Personal Data outside of the direct business relationship between the Parties; (c) combining Personal Data with “Personal Information” (as such term is defined under the CCPA) obtained from, or on behalf of, sources other than Customer; and (d) “Selling” or “Sharing” (as such terms are defined under the CCPA) Personal Data.
- Security and Security Incident
- Security. Avoca will implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks presented by the Processing of Personal Data as described on https://trust.avoca.ai/ (“Security Measures”).
- Security Incident. Avoca will promptly notify Customer after becoming aware of any actual or reasonably suspected breach of its Security Measures that results in unauthorized access to, or use or disclosure of, Personal Data in its possession or control (“Security Incident”) and take reasonable efforts to investigate and mitigate the Security Incident.
- Subprocessing
- Subprocessors. Customer hereby authorizes Avoca to engage any Processor that processes Personal Data on behalf of Avoca listed on https://trust.avoca.ai/subprocessors/ (“Subprocessors”).
- Subprocessor Agreements. Avoca has entered into a written agreement with each Subprocessor in accordance with applicable Data Protection Law.
- Subprocessor Changes. Avoca will provide prior notice of any intended change to Subprocessors on https://trust.avoca.ai/subprocessors/, and Customer agrees to check https://trust.avoca.ai/subprocessors/ for Avoca to notify Customer of changes to Subprocessors. Customer may object to Avoca’s use of a new Subprocessor within ten (10) days of Avoca’s notice of the intended change of Subprocessor based on reasonable grounds that the appointment of such Subprocessor will result in a material violation of Data Protection Law by providing written notice to Avoca detailing the grounds of such objection. Avoca will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid the Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Avoca is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Order with respect only to those Services which cannot be provided by Avoca without the use of the objected-to new Subprocessor by providing written notice to Avoca. Avoca will refund Customer any prepaid fees covering the remainder of the term of such Order following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
- Audit. If the Security Measures are not sufficient to demonstrate Avoca’s compliance with the obligations set out in this DPA and Customer is required by Data Protection Laws to conduct an audit of Avoca’s applicable controls and compliance with this DPA (an “Audit”), Customer may, at Customer’s sole cost and expense and no more than once every twelve (12) months unless otherwise required by Data Protection Laws, request an Audit of Avoca, provided such Audit (a) is conducted by Customer or a third-party auditor designated by Customer and reasonably acceptable to Avoca that has executed an appropriate confidentiality agreement with Avoca, (b) is conducted during reasonable times and of reasonable duration, (c) is conducted in accordance with mutually agreed upon scope and terms and in accordance with Avoca’s standard security procedures, and (d) does not involve any of Avoca’s production environments, networks, or systems. Customer may use the results of an Audit only for the purposes of meeting Customer’s regulatory audit requirements or confirming compliance with the requirements of the DPA.
- Assistance. Taking into account the nature of the Processing and the information available to Avoca, Avoca will provide, at Customer’s sole cost, reasonable assistance to Customer designed to satisfy Customer’s obligations under Data Protection Law, including in connection with implementing appropriate technical and organizational measures, complying with Data Subject and “Consumer” (as such term is defined under applicable Data Protection Laws) requests, replying to inquiries, complaints, investigations, and inquiries, conducting data protection impact assessments, conducting data protection assessments, and conducting prior consultations with regulators.
- International Data Transfers
- European Data Transfers. Avoca will obtain Customer’s specific prior written authorization for any transfer of Personal Data subject to European Data Protection Law that is not subject to an adequacy decision by the European Commission (“International Data Transfer”). Customer hereby authorizes Avoca to conduct International Data Transfers outside the European Economic Area (“EEA”) or Switzerland: (a) to any country subject to a valid adequacy decision of the European Commission; (b) on the basis of an organization’s binding corporate rules approved by EEA Supervisory Authorities; and (c) to any data importer with whom Avoca has entered into the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time (“SCCs”).
- European Transfer Mechanisms. Customer and Avoca conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Avoca; the optional docking clause in Clause 7 is implemented; Option 1 of Clause 9(a) is implemented and the time period therein is 30 days; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annexes I and II to the SCCs are Schedule I to this DPA. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
- UK Data Transfers. Customer hereby authorizes Avoca to perform International Data Transfers outside the UK subject to the requirements: (a) to any country subject to a valid adequacy decision issued by the UK Government; (b) on the basis of an organization’s binding corporate rules approved by the UK Information Commissioner; and (c) to any data importer with whom Avoca has entered into the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022) (“UK Addendum”) or other standard contractual clauses issued by the UK Information Commissioner, as appropriate.
- UK Transfer Mechanism. Customer and Avoca conclude the UK Addendum which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (a) in Table 1, the “Exporter” is Customer and the “Importer” is Avoca, their details are set forth in this DPA and the Agreement; (b) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (c) in Table 3, Annexes 1 (A and B), II, and III to the “Approved EU SCCs” are Schedule I to this DPA; and (d) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
- Return and Deletion. Upon expiration or termination of the Agreement, Avoca will promptly return or delete Personal Data, provided that Avoca may retain copies of Personal Data (a) as expressly agreed upon by the Parties, (b) as necessary to comply with Laws, and (c) to the extent contained in standard backups, subject to this Agreement’s confidentiality provisions and the protections of this DPA.
Schedule I
Description of the Transfer
List of Parties
Data exporter:
- Name: Customer
- Activities relevant to the data transferred under these Clauses: Customer receives Avoca’s Services as described in the Agreement and Customer provides Personal Data to Avoca in that context.
- Role (controller/processor): Controller
Data importer:
- Name: Avoca
- Activities relevant to the data transferred under these Clauses: Avoca provides its Services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
- Role (controller/processor): Processor on behalf of Customer
Categories of Data Subjects Whose Personal Data Is Transferred
- Customer’s customers and prospective customers
- Customer’s users and personnel
Categories of Personal Data Transferred
- Contact information
- Address
- Content of communications
- Login details
Sensitive Data Transferred (If Applicable)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A.
Frequency of the Transfer
The frequency of the International Data Transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.
Nature of the Processing
The Personal Data will be processed and transferred as described in the Agreement.
Purpose(s) of the International Data Transfer and Further Processing
The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.
Duration of Processing
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
Sub-Processor Transfers
For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Agreement, the Agreement, and this DPA. The Processing will take place for the duration of the Agreement.
Competent Supervisory Authority
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of Ireland.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
Technical and Organizational Measures
Avoca will implement security safeguards designed to protect the security, confidentiality and integrity of Personal Data.
Contact: support@avoca.ai | 55 5th Ave Floor 17, New York, NY 10003