Avasam Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the Avasam Terms of Service (“Agreement”) between:

  • Avasam Ltd (“Avasam”), a company registered in England and Wales with company number 11556922, whose registered office is at 9 Oliver Business Park, Oliver Road, London, NW10 7JB, United Kingdom; and
  • The “Controller” (the “Client”), who has agreed to the Avasam Terms of Service.

This Addendum reflects the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of the Data Protection Legislation.

1. Definitions

In this Addendum, the following terms shall have the meanings set out below:

  • “Data Protection Legislation”: The UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and any other applicable data protection laws.
  • “Personal Data”: Any information relating to an identified or identifiable natural person (“Data Subject”) processed under this Addendum.
  • “Controller”: The entity that determines the purposes and means of the Processing of Personal Data.
  • “Processor”: The entity that processes Personal Data on behalf of the Controller.
  • “Processing”: Any operation or set of operations performed on Personal Data, whether or not by automated means.
  • “Subprocessor”: Any Processor engaged by Avasam to assist in Processing Personal Data on behalf of the Controller.
  • “Services”: The services provided by Avasam to the Controller under the Agreement.

2. Scope and Roles

2.1 Relationship of the Parties

  • Controller: The Client acts as the Data Controller with respect to Personal Data of its customers provided to Avasam in connection with the Services.
  • Processor: Avasam acts as a Data Processor when Processing Personal Data on behalf of the Controller in connection with the Services.

2.2 Subject Matter and Duration

  • Subject Matter: Processing of Personal Data necessary for the performance of the Services as specified in the Agreement and this Addendum.
  • Duration: This Addendum shall continue for the duration of the Agreement, and thereafter as long as Avasam possesses Personal Data related to the Services.

2.3 Nature and Purpose of Processing

  • Nature: Collection, storage, use, transmission, and deletion of Personal Data as necessary to provide the Services.
  • Purpose: To fulfill orders placed through the Avasam platform, facilitate order fulfillment by suppliers, and provide related support services as instructed by the Controller.

2.4 Types of Personal Data and Categories of Data Subjects
As detailed in Annex 1 – Data Processing Details.

3. Obligations of Avasam (Processor)

3.1 Processing Instructions
Avasam shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Avasam shall inform the Controller of that legal requirement before Processing, unless prohibited by law.

3.2 Compliance with Laws

  • Avasam shall comply with all applicable Data Protection Legislation in the Processing of Personal Data.

3.3 Confidentiality

  • Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

3.4 Security Measures

  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of Personal Data in transit and at rest where appropriate.
    • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems and services.
    • Procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of Processing.

3.5 Subprocessors

  • Authorization: The Controller authorizes Avasam to engage Subprocessors for the Processing of Personal Data.
  • List of Subprocessors: Avasam shall maintain an up-to-date list of Subprocessors and make it available to the Controller upon request.
  • Notification of Changes: Avasam shall inform the Controller of any intended changes concerning the addition or replacement of Subprocessors, giving the Controller the opportunity to object within 14 days.
  • Subprocessor Obligations: Avasam shall ensure that Subprocessors are bound by data protection obligations compatible with those of this Addendum.

3.6 Data Subject Rights

  • Assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Legislation.

3.7 Data Breach Notification

  • Notify the Controller without undue delay (and in any event within 24 hours) upon becoming aware of a Personal Data Breach affecting the Personal Data Processed under this Addendum.
  • Provide the Controller with sufficient information to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Legislation.

3.8 Data Protection Impact Assessments

  • Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, if required.

3.9 Deletion or Return of Personal Data

  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data.

3.10 Audit Rights

  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
  • The Controller shall give reasonable notice of any audit or inspection and shall make reasonable efforts to minimize disruption to Avasam’s business.

3.11 International Data Transfers

  • Avasam shall not transfer Personal Data outside the UK unless it takes such measures as are necessary to ensure the transfer is in compliance with Data Protection Legislation.
  • Where applicable, Avasam shall enter into Standard Contractual Clauses or rely on other approved transfer mechanisms to ensure adequate protection of Personal Data.

4. Obligations of the Controller

4.1 Compliance with Laws

  • The Controller shall comply with all obligations applicable to it under the Data Protection Legislation with respect to Processing of Personal Data.

4.2 Instructions

  • The Controller shall provide documented instructions to Avasam for the Processing of Personal Data.
  • The Controller shall ensure that its instructions comply with Data Protection Legislation and that the Processing of Personal Data in accordance with such instructions will not cause Avasam to be in breach of any Data Protection Legislation.

4.3 Warranties

  • The Controller warrants that:
    • It has all necessary rights to provide the Personal Data to Avasam for Processing in connection with the Services.
    • The Controller has provided necessary notices to, and obtained any necessary consents from, Data Subjects for the Processing of Personal Data as described in this Addendum.

4.4 Indemnity

  • The Controller shall indemnify and hold harmless Avasam against all claims, actions, third-party claims, losses, damages, and expenses incurred by Avasam arising from any breach of this Addendum or Data Protection Legislation by the Controller.

5. Mutual Obligations

5.1 Data Security

  • Both parties shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure.

5.2 Record Keeping

  • Each party shall maintain accurate records to demonstrate compliance with this Addendum and Data Protection Legislation.

6. General Terms

6.1 Limitation of Liability

  • Each party’s liability arising out of or related to this Addendum, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement.

6.2 Amendments

  • This Addendum may be amended at any time by a written agreement between the parties.
  • Avasam reserves the right to update this Addendum as necessary to reflect changes in law or best practices. Any amendments will be communicated to the Controller in writing.

6.3 Governing Law and Jurisdiction

  • This Addendum is governed by the laws of the United Kingdom.
  • Any disputes arising from or in connection with this Addendum shall be subject to the exclusive jurisdiction of the courts of England and Wales.

6.4 Severability

  • If any provision of this Addendum is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Annex 1 – Data Processing Details

1. Subject Matter of Processing
Processing of Personal Data necessary to provide the Services under the Agreement, including facilitating order placement, fulfillment, and related support activities.

2. Duration of Processing
For the duration of the Agreement and until all Personal Data is deleted or returned in accordance with this Addendum.

3. Nature and Purpose of Processing

  • Nature: Collection, storage, use, transmission, and deletion of Personal Data.
  • Purpose: To fulfill orders placed by the Controller’s customers through the Avasam platform, facilitate order fulfillment by suppliers, and provide related support services.

4. Categories of Data Subjects

  • Customers of the Controller who place orders through the Controller’s sales channels integrated with the Avasam platform.

5. Types of Personal Data

  • Identification Data: Name, title.
  • Contact Data: Delivery address, billing address, email address, telephone numbers.
  • Order Details: Product details, quantity, price, shipping method, special delivery instructions.
  • Transactional Data: Payment information (note: Avasam does not store payment card details), order history.

6. Special Categories of Personal Data

  • None intentionally collected or processed.

7. Processing Instructions

  • Avasam shall process Personal Data only as necessary to provide the Services in accordance with the Agreement and this Addendum.

8. Subprocessors

  • Avasam may engage the following categories of Subprocessors:
    • Suppliers: Suppliers who fulfill orders on behalf of the Controller.
    • Hosting Providers: Data center and cloud service providers.
    • Payment Processors: Entities that process payments on behalf of Avasam (note: payment card details are not stored by Avasam).
    • Customer Support Tools: Providers of customer relationship management (CRM) and support ticketing systems.
  • A current list of Subprocessors can be provided upon request.

9. Technical and Organizational Security Measures

  • Access Control: Role-based access controls to restrict access to Personal Data to authorized personnel only.
  • Encryption: Use of encryption technologies to protect Personal Data in transit and at rest where appropriate.
  • Physical Security: Secure facilities with controlled access.
  • Network Security: Firewalls, intrusion detection systems, and regular vulnerability assessments.
  • Data Minimization: Collection and retention of only the minimum Personal Data necessary for the purposes.
  • Employee Training: Regular training on data protection and information security practices.
  • Incident Response Plan: Procedures for responding to and managing data breaches or security incidents.