Personal Data Transfer Addendum
This Personal Data Transfer Addendum (“Addendum”) to the Agreement is by and between Customer and Aviatrix and applies to transfers of Personal Data from the Customer to Aviatrix, provided that the Customer is located in the EEA, the UK, Switzerland, or otherwise transfers Personal Data to Aviatrix subject to the export requirements of the Data Protection Laws of the EEA, the UK, Switzerland.
Terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.
1. EEA / UK / SWISS PERSONAL DATA TRANSFERS
1.1 Application of Standard Contractual Clauses. The Standard Contractual Clauses and the additional terms in this clause 1 will apply to transfer of Personal Data:
- where Data Exporter (as defined below) is in a country in the EEA; or the UK; or Switzerland; or
- where the Data Exporter (as defined below) is located outside countries that have an adequacy decision from the European Commission, but processes Personal Data directly subject to the Data Protection Laws of the applicable country in the EEA; or the UK; or Switzerland; or is contractually obliged to impose safeguards that are equivalent to those safeguards required under the Data Protection Laws of the applicable country in the EEA; or the UK; or Switzerland on any third parties with whom they share the Personal Data and transfers either directly or via onward transfer, the Personal Data to Data Importer (as defined below).
1.2 Incorporation of the Standard Contractual Clauses. The Standard Contractual Clauses are hereby incorporated by reference. The Standard Contractual Clauses shall be executed by:
- Customer on behalf of itself and/or any Affiliate that transfers Personal Data (the “Data Exporter”); and
- Aviatrix (the “Data Importer”).
1.3 Interpretation of the Standard Contractual Clauses. The Standard Contractual Clauses shall constitute a separate agreement between each Data Importer and Data Exporter.
1.4 EU transfers. In relation to transfers of Customer Personal Data protected by the GDPR the Standard Contractual Clauses shall apply, completed as follows:
- Module One of the EU SCCs (Transfer controller to controller) will apply;
- in Clause 7, the optional docking clause will apply;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law;
- in Clause 18(b), disputes shall be resolved before the courts of Amsterdam, the Netherlands;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum, as applicable; and
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this Addendum.
1.5 UK transfers. In relation to transfers of Customer Personal Data protected by the UK GDPR, the EU SCCs will apply, with the following modifications:
- where Customer and Aviatrix are lawfully permitted to rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (available via: international-data-transfer-addendum.pdf), then (a) the EU SCCs, completed as set out above shall also apply to transfers of such European Personal Data, subject to (b); (b) the UK Addendum shall be deemed executed between Customer and Aviatrix, and the EU SCCs shall be deemed amended (solely for transfers from the UK) as specified by the UK Addendum in respect of the transfer of such European Personal Data from the UK.
1.6 Swiss transfers. In relation to transfers of Customer Personal Data protected by the Swiss FADP, the EU SCCs will also apply, with the following modifications:
- any references in the EU SCCs to ‘General Data Protection Regulation’ or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP;
- references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be;
- references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland; and
- the EU SCCs also protect the data of legal entities until the entry into force of the revised Swiss Federal Act on Data Protection.
2. DEFINITIONS
“Standard Contractual Clauses” means, where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available via: Standard contractual clauses for international transfers – European Commission) (“EU SCCs”).
“Swiss FADP” means the Swiss Federal Act on Data Protection.
“UK GDPR” means the GDPR as amended and transposed into the laws of the United Kingdom pursuant to the European Union (Withdrawal) Act 2018 and the European Union (Withdrawal Agreement) Act 2020.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: Customer and its Affiliates
Address: as included in the Order
Contact person’s name, position and contact details: as included in the Order or as otherwise provided
Activities relevant to the data transferred: all activities included in part B of this Annex I.
Signature and date: as included in the Order
Role (controller/processor): controller
Data importer(s):
Name: Aviatrix Systems, Inc.
Address: as included in the Order or as otherwise provided
Contact person’s name, position and contact details: as included in the Order or as otherwise provided
Activities relevant to the data transferred: all activities included in part B of this Annex I.
Signature and date: as included in the Order
Role (controller/processor): controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred
- Employees, contractors, managers, board members and other natural persons using the Customer’s IT infrastructure
Categories of Personal Data transferred
- Contact details of representatives of the Customers (for the purposes of managing the relationship between Aviatrix and the Customer, billing, log support tickets)
- IP addresses and (occasionally) historic user log-in data (included in the log files) shared for support issue resolution
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Not applicable
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Contact details are provided when Customer representatives create and register with Aviatrix for support, software management or billing purposes, and when Customer representatives issue a request for support
- Log files generated by the Aviatrix Software running in the Customer’s environment can be required to resolve support issues regarding the Aviatrix Software and may be shared by the Customer on an ad hoc basis
- Log files or other Usage Data generated by the Cloud Service running on Aviatrix’s infrastructure can be required to resolve support issues regarding the Cloud Service and will be available to Aviatrix on a continuous basis
Nature of the processing
- For contact details: Collecting, keeping up to date, and use for managing the relationship
- For log files: collecting and analysing for the purposes of providing support.
Purpose(s) of the data transfer and further processing
- Managing the relationship between the Customer and Aviatrix
- Providing support when necessary
- Where appropriate, marketing purposes
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
- Contact details of Customer representatives will be retained during the relationship between Aviatrix and the Customer and as long as necessary for regulatory and/or audit purposes thereafter
- Log files will be retained for 30 calendar days
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Aviatrix relies on external IT service providers (for example provider(s) of CRM software and software enabling our customers to raise support tickets). Most of our data processors are based in the United States and we have controller-processor Standard Contractual Clauses in place to govern the transfer of Personal Data to these processors, if necessary.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
| Measure | Description |
|---|---|
| Measures of pseudonymisation and encryption of personal data | Aviatrix uses TLS (Transport Layer Security) and AES-256 encryption (both in transit and at rest). Please also see Security at Aviatrix – Aviatrix. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | All Aviatrix employees that have access to Customer (personal) data are bound by confidentiality. In addition, all employees complete an annual security training program and employ best practices when handling Customer (personal) data. Aviatrix is SOC 2 (Service Organization Control 2) certified. For more detail, please see also: Security at Aviatrix – Aviatrix. Aviatrix has in place physical, electronic, and administrative security measures appropriate to the risks and sensitivity of the personal data we process. We have processes to store personal information that we have collected in secure operating environments. For more detail also see our privacy policy: Privacy Policy – Aviatrix. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Aviatrix has defined and documented its Platform recovery plans in the Business Continuity Management Policy and Technical Recovery Plans. This plan requires hourly backup of our IT systems and annual backup recovery testing. Management reviews and approves the plans annually. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing | Aviatrix works with industry-leading security firms to perform annual network and application layer penetration tests. Aviatrix is SOC 2 (Service Organization Control 2) certified. For more detail, please see also Security at Aviatrix – Aviatrix. |
| Measures for user identification and authorization | Representatives of Customers who have an Aviatrix account can authenticate using username, password, and MFA (Multi-Factor Authentication). All credentials are hosted in the application database, which is encrypted at rest. |
| Measures for the protection of data during transmission | All services use TLS 1.2. All data in transit between gateways within the data plane is IPsec encrypted. Communications between the control plane and data plane are encrypted via HTTPS/TLS 1.2. |
| Measures for the protection of data during storage | Encrypted EBS volumes, which are created by default in the installation process. System backups are written to S3 buckets; encryption for this bucket is controlled by the customer through the use of KMS. |
| Measures for ensuring physical security of locations at which personal data are processed | Aviatrix has a robust Information Security Management System in place as defined within our security policy, which covers secure working areas, securing our IT equipment wherever it may be, and restricting access to our buildings and offices to appropriate personnel, amongst others. Our physical security practices include reception attendance during work hours, requirements for visitors to register, badge access to all non-public areas, and after-hours access controls and video recording. All personal data are processed remotely within AWS (Amazon Web Services) controlled datacentres, which provide comprehensive physical security measures. We are also SOC 2 Type 2 certified. |
| Measures for ensuring events logging | Aviatrix logs all material security incidents, including incidents that constitute a data breach under the GDPR (General Data Protection Regulation). |
| Measures for ensuring system configuration, including default configuration | Aviatrix production environments are deployed using CI/CD pipelines and scripts to ensure a configuration baseline that meets security requirements defined within the security policy. |
| Measures for internal IT and IT security governance and management | Aviatrix is SOC 2 certified. Aviatrix manages production configurations using cloud-native utilities, and cloud anomaly detection tools are implemented to scan for external threats. The cloud-native utility tool monitors the production resource configurations against defined rules. The cloud anomaly detection tool continuously monitors the Platform for malicious activity and unauthorized behaviour. When issues with the production servers’ configurations are detected, the tool logs and alerts the Security team to analyse and prioritize the issues. |
| Measures for certification/assurance of processes and products | Aviatrix is SOC 2 certified. |
| Measures for ensuring data minimisation | Aviatrix only processes the Customer personal data necessary to manage its relationship with the Customer and personal data contained in log files (possibly IP addresses and (occasionally) log-in data). The log files are deleted after 30 calendar days. |
| Measures for ensuring data quality | Customer representatives can update their personal data through the account settings. |
| Measures for ensuring limited data retention | Please refer to “Data Retention” in our privacy policy: Privacy Policy – Aviatrix. Log files containing Customer personal data will only be retained for 30 calendar days. |
| Measures for ensuring accountability | Aviatrix has in place an appropriate governance model and policies ensuring accountability. |
| Measures for allowing data portability and ensuring erasure | Please refer to “Your Privacy Rights” in our Privacy Policy to review how we deal with data subject rights: Privacy Policy – Aviatrix. |