Legal preview
apvanta Data Processing Addendum
Effective date: [DATE]
This Data Processing Addendum ("DPA") applies when [LEGAL ENTITY: confirm exact Apvanta legal entity] ("Company," "we," "us," or "our") processes Customer Personal Data on behalf of a business customer ("Customer") through apvanta or related services.
This DPA is incorporated into the Terms of Service, an order form, or another written agreement between the parties. If there is a conflict between this DPA and the Terms, this DPA controls for processing of Customer Personal Data.
1. Definitions
"Customer Personal Data" means personal information or personal data that Customer submits to the Service or causes us to process on Customer's behalf.
"Data Protection Laws" means privacy and data protection laws that apply to the parties' processing of Customer Personal Data, including the California Consumer Privacy Act as amended by the California Privacy Rights Act where applicable.
"Controller," "processor," "business," "service provider," "contractor," "personal data," "personal information," "process," and "sell" have the meanings given by applicable Data Protection Laws.
2. Roles
For Customer Personal Data, Customer is the controller or business, and Company is the processor, service provider, or contractor, except where Company independently determines the purposes and means of processing for account administration, billing, security, fraud prevention, compliance, service analytics, or legal obligations.
3. Processing instructions
Company will process Customer Personal Data only:
- to provide, secure, support, maintain, and improve the Service;
- according to Customer's documented instructions in the agreement, account settings, event configuration, support requests, and lawful use of the Service;
- as required by law;
- as otherwise permitted by this DPA.
Customer is responsible for ensuring its instructions are lawful and for providing required notices, consents, legal bases, and rights mechanisms for its events and users.
4. Processing details
Subject matter: live streaming, event hosting, recording, upload hosting, playback, gated/private event access, public anonymous viewing, support, billing, security, analytics, and related platform services.
Duration: the term of Customer's use of the Service plus any retention period required by law, backups, dispute resolution, security, or account administration.
Categories of data subjects: Customer personnel, administrators, hosts, speakers, moderators, attendees, viewers, registrants, support contacts, and other event participants.
Categories of personal data: account data, contact data, billing metadata, event registration data, access data, device and usage logs, streaming and playback telemetry, chat and Q&A content, recordings, uploaded content, support communications, and security logs.
Sensitive data: Customer should not submit sensitive personal information unless the Service documentation, plan, or written agreement expressly permits it and Customer has implemented appropriate notices, consents, and safeguards.
5. California service provider terms
Company will not: sell or share Customer Personal Data; retain, use, or disclose it outside the direct business relationship with Customer; or combine it with personal information from other sources except as permitted by Data Protection Laws.
Company may process Customer Personal Data for permitted business purposes, including providing the Service, detecting security incidents, protecting against malicious or illegal activity, debugging, short-term transient use, internal service improvement, and other purposes allowed for service providers or contractors.
Company will notify Customer if Company determines it can no longer meet its obligations under applicable Data Protection Laws. Customer may take reasonable steps to stop and remediate unauthorized processing.
6. Confidentiality
Company will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
7. Security
Company will maintain reasonable administrative, technical, and organizational safeguards designed to protect Customer Personal Data against unauthorized access, destruction, loss, alteration, or disclosure. Safeguards may include access controls, encryption in transit where appropriate, logging, monitoring, credential controls, vulnerability management, and incident response processes.
8. Subprocessors
Customer authorizes Company to use subprocessors to provide the Service. Current subprocessors are listed in the Subprocessor List. Company will impose written obligations on subprocessors designed to protect Customer Personal Data in a manner consistent with this DPA.
Company may update subprocessors from time to time. Customer may object to a new subprocessor by contacting [PRIVACY EMAIL] within [30] days after notice if Customer has a reasonable data protection basis for objection.
9. Security incidents
Company will notify Customer without undue delay after confirming a security incident involving Customer Personal Data. Notice will include information reasonably available to Company, which may include the nature of the incident, affected data, mitigation steps, and contact information.
Company's notice is not an admission of fault or liability.
10. Assistance
Taking into account the nature of processing and information available to Company, Company will reasonably assist Customer with data subject requests, security, incident response, and data protection impact assessments where required by Data Protection Laws. Company may charge reasonable fees for assistance that exceeds standard Service functionality.
11. Deletion and return
Upon termination or Customer's written request, Company will delete or return Customer Personal Data according to Service functionality, account settings, backup cycles, legal obligations, and legitimate retention needs. Company may retain Customer Personal Data where required by law or necessary for legal claims, security, fraud prevention, accounting, or compliance.
12. Audits
Upon reasonable written request, Company will provide information reasonably necessary to demonstrate compliance with this DPA. Audits must be limited to once annually unless required by law or after a confirmed security incident, must avoid disruption, and must protect Company confidential information and third-party information.
13. International transfers
If Customer Personal Data is transferred outside its country of origin, the parties will use appropriate transfer mechanisms required by applicable Data Protection Laws. If EU, UK, or Swiss transfer terms are needed, the parties should attach the applicable standard contractual clauses or a jurisdiction-specific addendum.
14. Contact
Privacy contact: [PRIVACY EMAIL]