apvanta GDPR and UK GDPR Addendum

Effective date: [DATE]

This GDPR and UK GDPR Addendum ("GDPR Addendum") supplements the apvanta Data Processing Addendum and applies when [LEGAL ENTITY: confirm exact Apvanta legal entity] ("Company," "we," "us," or "our") processes personal data subject to the EU General Data Protection Regulation, the UK General Data Protection Regulation, or the Swiss Federal Act on Data Protection in connection with the apvanta platform and related services.

This draft is intended for counsel review before publication or customer signature. If Company intentionally offers services to individuals in the European Economic Area or the United Kingdom, counsel should confirm whether Company must appoint an EU representative, a UK representative, or a Data Protection Officer.

1. Relationship to other terms

This GDPR Addendum is incorporated into the Data Processing Addendum, Terms of Service, order form, or other written agreement between Company and Customer. If there is a conflict, this GDPR Addendum controls only for processing of personal data subject to EU GDPR, UK GDPR, or Swiss data protection law.

2. Definitions

"Applicable GDPR Law" means, as applicable, the EU GDPR, UK GDPR, Swiss data protection law, and related implementing or replacement laws.

"Controller," "processor," "personal data," "personal data breach," "process," "processing," "data subject," "special category data," and "supervisory authority" have the meanings given under Applicable GDPR Law.

"Customer Personal Data" means personal data that Customer submits to the Service or causes Company to process on Customer's behalf.

"Restricted Transfer" means a transfer of personal data from the EEA, United Kingdom, or Switzerland to a country that does not have an applicable adequacy decision, where the transfer is restricted under Applicable GDPR Law.

3. Roles

For Customer Personal Data processed through customer-controlled events, registrations, uploads, recordings, chat, Q&A, attendee identity, event analytics, and similar customer-configured features, Customer is the controller and Company is the processor unless the parties agree otherwise in writing.

Company is an independent controller for personal data processed for Company account administration, billing, tax, fraud prevention, service security, legal compliance, aggregated business analytics, abuse prevention, and direct communications with Company account contacts.

Customer is responsible for identifying the lawful basis for its events and processing, providing privacy notices, obtaining required consents, responding to data subject requests where Customer is controller, and ensuring Customer's event configuration complies with Applicable GDPR Law.

4. Processor obligations

When acting as processor, Company will:

5. Customer obligations

Customer will:

6. Lawful bases and privacy notices

Company's public Privacy Policy should identify Company's lawful bases for its controller processing, which may include performance of contract, legitimate interests, legal obligation, and consent where required.

Customer's event privacy notice should identify Customer's lawful bases for customer-controlled processing. Depending on the event, these may include contract, legitimate interests, consent, legal obligation, or other lawful bases available under Applicable GDPR Law.

Customer should not rely on Company platform terms as a substitute for Customer's own event-specific privacy notice where Customer controls the event and attendee relationship.

7. Data subject requests

If Company receives a data subject request relating to Customer Personal Data for which Customer is controller, Company may direct the requester to Customer or notify Customer where legally permitted. Company will reasonably assist Customer with fulfilling requests through Service functionality or support channels.

If Company receives a request relating to personal data for which Company is controller, Company will respond according to Applicable GDPR Law.

8. Personal data breaches

Company will notify Customer without undue delay after becoming aware of a personal data breach involving Customer Personal Data. Notice will include information reasonably available to Company, which may include the nature of the breach, categories of data affected, likely consequences, measures taken or proposed, and a contact point.

Customer is responsible for determining whether it must notify supervisory authorities, data subjects, customers, employers, schools, event attendees, or other parties, unless Company is legally required to notify directly.

9. Subprocessors

Customer authorizes Company to use subprocessors listed in the Subprocessor List. Company may update subprocessors from time to time. Customer may object to a new subprocessor on reasonable data protection grounds by contacting [PRIVACY EMAIL] within [30] days after notice.

If Customer objects and the parties cannot resolve the objection, Customer may stop using the affected Service feature or terminate the affected paid Service according to the agreement.

10. International transfers

For Restricted Transfers from the EEA, the parties agree that the European Commission Standard Contractual Clauses apply as follows, unless another lawful transfer mechanism applies:

For Restricted Transfers from the United Kingdom, the parties will use the UK International Data Transfer Addendum to the EU Standard Contractual Clauses or another lawful UK transfer mechanism.

For Restricted Transfers from Switzerland, the EU Standard Contractual Clauses apply with Swiss-specific modifications required by Swiss law.

11. Transfer impact assessment

Company will provide information reasonably available to help Customer assess Restricted Transfers, including subprocessors, processing locations, categories of data, security measures, and government access request practices where available.

Customer is responsible for determining whether the transfer mechanism and supplementary measures are adequate for Customer's use case.

12. Security measures

Company's technical and organizational measures may include, as applicable:

The exact measures may vary by Service feature, plan, infrastructure provider, and customer configuration.

13. Special category data and children

Customer must not use the Service to intentionally collect or process special category data, children's data, criminal offense data, health data, biometric data, or similarly sensitive data unless expressly permitted in writing and Customer has all required legal bases, notices, consents, safeguards, and agreements.

Events involving minors, schools, healthcare, employment, unions, religion, political activity, or regulated professional services require heightened review before launch.

14. Records and audits

Each party is responsible for maintaining records required by Applicable GDPR Law for its own processing activities. Company will make available information reasonably necessary to demonstrate compliance with this GDPR Addendum, subject to confidentiality, security, trade secret, and third-party restrictions.

Audits must be reasonable, limited to Company's processor obligations, conducted so as to avoid disruption, and occur no more than once per year unless required by law or following a confirmed personal data breach.

15. Government and legal requests

Unless prohibited by law, Company will notify Customer of legally binding requests for Customer Personal Data. Company will review requests for facial validity and may challenge or narrow requests where appropriate.

16. Contact

Privacy contact: [PRIVACY EMAIL]

EU representative, if applicable: [EU REPRESENTATIVE NAME AND CONTACT]

UK representative, if applicable: [UK REPRESENTATIVE NAME AND CONTACT]

Data Protection Officer, if applicable: [DPO NAME AND CONTACT]