Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements and forms part of the Subscription Services Agreement, and unless indicated otherwise, applies exclusively to Auvik’s provision of access to the Services under the Subscription Services Agreement and Order(s) agreed to between Customer and Auvik (together the “Agreement”). By entering into the Agreement, the parties enter into this DPA on behalf of themselves and, to the extent required under applicable Data Protection Laws, in the name and on behalf of their Affiliates authorised to provide or receive (as applicable) the Services. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include any relevant Participating Affiliate.
This DPA shall be effective on the effective date of the Agreement referencing this DPA (“Effective Date”).
1. Definitions
“Affiliate” means an entity controlling, controlled by or under common control with a party to this Agreement at any time during the term of this Agreement, for so long as such ownership and control exists.
“Customer” means the customer or MSP customer identified in the Order.
“Customer Data” means (a) data from Customer’s environment, (b) Customer Confidential Information used to provision the Service. Through Customer configuration and use of the Services, Customer has control of the type and amount of Customer Data.
“Customer Personal Data” means any Customer Data that is Personal Data of Data Subjects located in the EEA.
“Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.
“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
“EU Data Protection Law” means the General Data Protection Regulation (“GDPR”), and shall include the data protection and privacy laws of the United Kingdom.
“EEA” means, for the purposes of this DPA, the European Economic Area and/or its member states, Switzerland, Iceland, Liechtenstein and Norway; and for the purposes of this DPA, the United Kingdom.
“Model Clauses” means the Standard Contractual Clauses for Processors as approved by the European Commission.
“Order” means the separate purchase order for Services pursuant to the Subscription Services Agreement, completed and executed by Auvik and Customer.
“Participating Affiliate” means an Affiliate of the Customer that has not entered into an Order or other separate agreement directly with Auvik, and Customer has authorized access to and use of the Services under an existing Order between Auvik and the Customer.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Purposes” shall mean the data processing purposes described and defined in Section 3.4 of this DPA.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data, but does not include any unsuccessful Security Incident.
“Services” means the Service provided by Auvik to Customer pursuant to the Agreement and any technical support provided by Auvik to Customer pursuant to the Agreement.
“Sub-processor” means any Data Processor engaged by Auvik or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Auvik’s Affiliates.
2. Scope and Applicability of this DPA
2.1 This DPA applies where and only to the extent that Auvik Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement.
2.2 Notwithstanding expiry or termination of the Agreement, this DPA and Model Clauses (if applicable) will remain in effect until, and will automatically expire upon, deletion of all Customer Personal Data by Auvik as described in this DPA.
3. Roles and Scope of Processing
3.1 Role of the Parties. As between Auvik and Customer, Customer is either the Data Controller of Customer Personal Data, or in the case that Customer is acting on behalf of a third-party Data Controller, then a Data Processor, and Auvik shall process Customer Personal Data only as a Data Processor acting on behalf of Customer. To the extent any Service Data (as defined in the Agreement) is considered Personal Data under Applicable Data Protection Laws, Auvik is the Data Controller of such data and shall process such data in accordance with the Agreement and applicable Data Protection Laws.
3.2 Customer Processing of Personal Data. Customer agrees that: (i) it will comply with its obligations under Data Protection Laws in respect of its processing of Personal Data, including any obligations specific to its role as a Data Controller (where Data Protection Laws recognise such concept); (ii) it has provided all notice and obtained all consents, permissions and rights necessary under Data Protection Laws for Auvik to lawfully process Personal Data for the Purposes; and (iii) it shall ensure its processing instructions are lawful and that the processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. If Customer is itself a Data Processor acting on behalf of a third-party Data Controller, Customer warrants to Auvik that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Auvik as another Data Processor, have been authorized by the relevant Data Controller.
3.3 Customer Instructions. Auvik will process Customer Personal Data only for the Purposes and in accordance with Customer’s documented lawful instructions.
3.4 Details of Data Processing
- Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
- Duration: As between Auvik and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
- Purpose: Customer Personal Data may only be processed by Auvik solely for the following purposes:
  - (i) The provision of the Services to the Customer as further described in the Agreement and the performance of Auvik’s obligations under the Agreement or as otherwise agreed by the parties in mutually executed written form; and (ii) processing initiated by Customer in their use of the Services (the “Purposes”).
- Nature of the processing: Auvik provides Services as described in the Agreement, which may process Customer Personal Data upon the instruction of the Customer to utilize the Auvik Services.
- Categories of data subjects: Customer may submit Customer Personal Data which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
  - Prospects, customers, business partners and vendors of Customer (who are natural persons);
  - Employees or contact persons of Customer’s prospects, customers, business partners and vendors;
  - Employees, agents, advisors, freelancers of Customer (who are natural persons); and/or
  - Customer’s end-users authorized by Customer to use the Services.
- Types of Personal Data: Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:
  - Identification and contact data (name, address, title, contact details);
  - Corporate payment card details;
  - Employment details (employer, job title, geographic location, area of responsibility); and/or
  - Technical information (IP addresses, usage data, cookies data, location data).
3.5 Access or Use. Auvik will not access or use Customer Personal Data, except as necessary for the Purposes, or as necessary to comply with the law or binding order of a governmental body.
4. Subprocessing
4.1 Authorized Sub-processors. Customer agrees that Auvik may engage Sub-processors to process Customer Personal Data on Customer’s behalf. Auvik will do so by entering into written agreements imposing data protection terms required by Data Protection Laws. The Sub-processors currently engaged by Auvik will be listed here https://www.auvik.com/sub-processors/.
5. Security
5.1 Security Measures. Auvik shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data, in accordance with Auvik’s security standards.
5.2 Updates to Security Measures. Customer is responsible for reviewing the information made available by Auvik relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Auvik may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services subscribed to by Customer.
5.3 Confidentiality of processing. Auvik shall ensure that any person who is authorized by Auvik to process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality.
5.4 No Assessment of Customer Data by Auvik. Customer acknowledges that Auvik will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents.
5.5 Customer Responsibilities. Customer agrees that, without prejudice to Auvik’s obligations under Section 5.1 (Security Measures) and Section 9.3 (Security Incident Response):
- Customer is responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data, securing its account authentication credentials, managing its data back-up strategies, and protecting the security of Customer Personal Data when in transit to and from the Services and taking any appropriate steps to pseudonymize, securely encrypt, and/or backup any Customer Personal Data uploaded to the Services; and
- Auvik has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Auvik’s and its Sub-processors’ systems (for example, offline or on-premise storage).
6. International Transfers
6.1 Auvik hosts Customer Data in the region selected by Customer (specified in the Agreement, an Order, and/or as requested by Customer), provided, however, that Auvik may process Customer Data anywhere in the world where Auvik, its Affiliates or its Sub-processors maintain data processing operations. Auvik will at all times provide appropriate safeguards for the Customer Personal Data wherever it is processed, in accordance with the requirements of Data Protection Laws.
7. Lawful Disclosure
7.1 If a law enforcement agency sends Auvik a demand for Customer Personal Data (e.g., a subpoena or court order), Auvik will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Auvik may provide Customer contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then Auvik will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy to the extent Auvik is legally permitted to do so.
8. Return or Deletion of Data
8.1 Deletion by Customer. Auvik will enable Customer to delete Customer Personal Data during the Subscription Term in a manner consistent with the functionality of the Service.
8.2 Deletion on Termination. For 30 days following termination or expiration of the Agreement, Customer shall have the option to retrieve any remaining Customer Personal Data in accordance with the Agreement. Thereafter, Customer instructs Auvik to automatically delete all remaining (if any) Customer Personal Data (including copies). Auvik shall not be required to delete Customer Personal Data to the extent (i) Auvik is required by applicable law or order of a governmental or regulatory body to retain some or all of the Customer Personal Data; and/or (ii) Customer Personal Data has been archived on back-up systems, which Customer Personal Data Auvik shall securely isolate and protect from any further processing, except to the extent required by applicable law.
8.3 Security Incident Response. Upon confirming a Security Incident, Auvik shall: (i) notify Customer without undue delay, and in any event such notification shall, where feasible, occur no later than 72 hours from Auvik confirming the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) Auvik shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Auvik’s notification of or response to a Security Incident under this Section 8.3 (Security Incident Response) will not be construed as an acknowledgment by Auvik of any fault or liability with respect to the Security Incident.
9. Co-operation
9.1 The Services provide Customer with controls that Customer may use to retrieve, correct, delete or restrict Customer Personal Data, which Customer may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is unable to access the relevant Customer Personal Data within the Services using such controls or otherwise, taking into account the nature of the Processing, Auvik shall (at Customer’s request and expense) provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. In the event that any request from individuals or applicable data protection authorities is made directly to Auvik where such request identifies Customer, Auvik shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so, and instead, after being notified by Auvik, Customer shall respond. If Auvik is required to respond to such a request, Auvik will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
9.2 Customer acknowledges that Auvik is required under the GDPR to: (i) collect and maintain records of certain information, including the name and contact details of each Data Processor and/or Data Controller on behalf of which Auvik is acting and, where applicable, of such Data Processor or Data Controller’s local representative and data protection officer; and (ii) make such information available to the supervisory authorities. Accordingly, if GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to Auvik via the Services or other means provided by Auvik, and will ensure that all information provided is kept accurate and up-to-date.
9.3 To the extent Auvik is required under EU Data Protection Law, Auvik shall (at Customer’s request and expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
10. Relationship with the Agreement
10.1 The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment or exhibit (including the Model Clauses (as applicable)) the parties may have previously entered into in connection with the Services, unless otherwise expressly agreed in an Order.
10.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.
10.3 Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party’s Affiliates under this DPA shall be subject to the limitations on liability set out in the Agreement. Without limiting either of the parties’ obligations under the Agreement, Customer agrees that any regulatory penalties incurred by Auvik in relation to the Customer Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Auvik’s liability under the Agreement as if it were a liability to the Customer under the Agreement.
10.4 Any claims against Auvik or its Affiliates under this DPA shall only be brought by the Customer entity that is a party to the Agreement against the Auvik entity that is a party to the Agreement. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.
10.5 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Effective June 12, 2025