Avalara Legal Center

Contracts

Data Processing Agreement
Data Privacy FAQ
Avalara Europe Ltd. Services Data Processing Agreement
Avalara, Inc. Services Data Processing Agreement
Brazil Recruitment Notice
California Consumer Privacy Act Disclosures
Data Subject Rights
EEA and United Kingdom Recruitment Notice
India Recruitment Notice
Privacy Notice
Subprocessors
United States Recruitment Notice

Data Processing Agreement

Version

Effective September 19th 2024

Download

The Data Processing Agreement in place between the Avalara contracting entity below and Customer is available below and is incorporated into the Agreement between the Avalara contracting entity below and Customer. Customer may download a signed DPA at the link below. FAQs are available here.

Avalara Contracting Entity	DPA
Avalara Europe Ltd.	Avalara Europe Ltd. Data Processing Agreement *Executed version here.
Avalara, Inc.	Avalara, Inc. Data Processing Agreement *Executed version here.

Effective November 15th 2023 to September 19th 2024

Download

Avalara Contracting Entity	DPA
Avalara Europe Ltd.	Avalara Europe Ltd. Data Processing Agreement *Executed version here.
Avalara, Inc.	Avalara, Inc. Data Processing Agreement *Executed version here.

Effective November 1st 2023 to November 15th 2023

Download

Avalara Contracting Entity	DPA
Avalara Europe Ltd.	Avalara Europe Ltd. Data Processing Agreement *Executed version here.
Avalara, Inc.	Avalara, Inc. Data Processing Agreement *Executed version here.

Effective October 26th 2023 to November 1st 2023

Download

Avalara Contracting Entity	DPA
Avalara Europe Ltd.	Avalara Europe Ltd. Data Processing Agreement *Executed Version here.
Avalara, Inc.	Avalara, Inc. Data Processing Agreement *Executed Version here.

Data Privacy FAQ

Version

Effective October 15th 2024

Download

Introduction

Avalara has prepared these Frequently Asked Questions (“FAQs”) to assist customers in understanding their obligations and Avalara’s obligations under privacy laws and regulations.

The FAQs do not, and are not intended to, constitute legal advice. All information, content, and materials available below are for general informational purposes only and do not form part of the agreement.

Why does Avalara make available a data processing agreement?

As part of Avalara main terms, Avalara offers a Services Data Processing Agreement (“DPA”) which provides helpful contractual terms for the processing of personal data. Avalara has customers around the globe and the DPA incorporates the core privacy principles that inform many international data protection laws.

What is Avalara’s role?

In relation to the provision of the services, Avalara acts as a data processor for the personal data that our customers submit. Therefore, Avalara processes personal data on behalf of and according to our customers’ instructions who are the data controllers.

How does Avalara perform onward data transfers?

In order to provide its service, Avalara may use subprocessors (both Avalara affiliates and third parties) located outside the European Economic Area ("EEA"), the United Kingdom, and Switzerland.

Avalara uses the following data transfer mechanisms to transfer personal data outside of the EEA, the United Kingdom, and Switzerland:

1) Adequacy Status

The EEA recognizes certain countries around the world as offering an adequate level of protection for personal data. That means when Avalara transfers personal data to such countries, no further measures are required.

2) Standard Contractual Clauses

The European Commission’s Standard Contractual Clauses (as updated by the Commission Implementing Decision EU 2021/914 of 4 June 2021) (“SCCs”) are model contract clauses developed by the European Commission to legitimize transfers of personal data from the European Economic Area to processors located in other countries.

The UK has indicated that Standard Contractual Clauses can also be used as a safeguard to legitimatize transfers of personal data from the UK to processors located in other countries and our DPA is updated with the addendum to the SCCs which came into force on 21 March 2022.

Avalara also relies on the SCCs, for the purpose of intra-group transfer of personal data. Avalara Europe Ltd. transfers personal data to Avalara Inc. as data importer and subprocessor under Avalara’s internal Data Transfer Agreement (which includes the SCCs). As the customers are the data controllers and Avalara Europe Ltd. is the data exporter, customers are not transferring personal data outside the EEA; only Avalara Europe Ltd. does so as a data processor and data exporter pursuant to the Data Transfer Agreement.

How to execute this DPA

This DPA has been pre-signed on behalf of Avalara, Inc. (“Avalara, Inc. Services Data Processing Agreement”)

and Avalara Europe Ltd. (“Avalara Europe Ltd. Services Data Processing Agreement”)

For the Avalara, Inc. Services Data Processing Agreement: please insert relevant details under page 3, fill in details under Exhibit 1 Annex 1 List of Parties and sign.

For the Avalara Europe Ltd. Services Data Processing Agreement: please insert relevant details under page 2 and sign.

For the avoidance of doubt, signature of the Avalara Inc. DPA on page 3 shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses, including Schedule 2.

Effective October 26th 2023 to December 31st 2024

Download

Introduction

Avalara has prepared these Frequently Asked Questions (“FAQs”) to assist customers in understanding their obligations and Avalara’s obligations under privacy laws and regulations.

Why does Avalara make available a data processing agreement?

What is Avalara’s role?

How does Avalara perform onward data transfers?

In order to provide its service, Avalara may use subprocessors (both Avalara affiliates and third parties) located outside the European Economic Area ("EEA"), the United Kingdom, and Switzerland.

Avalara uses the following data transfer mechanisms to transfer personal data outside of the EEA, the United Kingdom, and Switzerland:

1) Adequacy Status

2) Standard Contractual Clauses

Avalara also relies on the SCCs, for the purpose of intra-group transfer of personal data. Avalara Europe Ltd. transfers personal data to Avalara Inc. as data importer and subprocessor under the Avalara’s internal Data Transfer Agreement (which includes the SCCs). As the customers are the data controllers and Avalara Europe Ltd. is the data exporter, customers are not transferring personal data outside the EEA; only Avalara Europe Ltd. does so as a data processor and data exporter pursuant to the Data Transfer Agreement.

How to execute this DPA

This DPA has been pre-signed on behalf of Avalara, Inc. (“Avalara, Inc. Services Data Processing Agreement”)

and Avalara Europe Ltd. (“Avalara Europe Ltd. Services Data Processing Agreement”)

For the Avalara, Inc. Services Data Processing Agreement: please insert relevant details under page 3, fill in details under Exhibit 1 Annex 1 List of Parties and sign.

For the Avalara Europe Ltd. Services Data Processing Agreement: please insert relevant details under page 2 and sign.

For the avoidance of doubt, signature of the Avalara Inc. DPA on page 3 shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses, including Schedule 2.

Avalara Europe Ltd. Services Data Processing Agreement

Version

Effective November 15th 2023

Download

This Avalara Europe Ltd. Services Data Processing Agreement (“DPA”) is incorporated into the Contract between Avalara Europe Ltd. (“Avalara” or “us” or “our”) and Customer. If a provision of this DPA conflicts with a provision of the Contract, the provision in this DPA governs. Capitalised terms used and not otherwise defined in this DPA have the meanings provided in the Contract.

Except as amended by this DPA, the Contract will remain in full force and effect.
To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
This DPA will automatically expire on the termination or expiration of the Contract.

Avalara serves enterprises, public sector entities and other organisations (“Customer”) and protects Services Data in compliance with the terms of this DPA. “Services Data” means personal data relating to named or identifiable individuals that Customer’s authorised users (“Authorised Users”) provide in compliance with applicable law and our applicable service agreements or other commercial contract terms (“Contract”) when Customer uses our service offerings and related data processing services as described in our data sheets, service specifications, and other technical documentation, as amended from time to time (“Services”).

Control and Ownership. Customer owns and controls all Services Data. Services Data is disclosed by Customer to Avalara only for the limited and specified business purposes of assisting Customer in complying with tax and financial obligations. Avalara does not use, retain, or disclose Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated.
Security. Avalara applies technical, administrative and organisational data security measures that meet or exceed the requirements described in Exhibit 1 (Security). Avalara may update and modify Exhibit 1 from time to time, provided that Avalara shall not materially reduce the level of security provided thereunder, except with Customer’s consent.
Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara and (b) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.
Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers. This includes a right for Customer to take reasonable and appropriate steps to help ensure that Avalara uses the Services Data in a manner consistent with Customer's legal obligations and the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Services Data
Notify Breaches. Avalara notifies Customer of unauthorised access to Services Data and other security breaches as required by applicable law.
No Information Selling or Sharing for Cross‐Context Behavioral Advertising; Compliance with the CCPA. Avalara does not accept or disclose any Services Data as consideration for any payments, services, or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers or contractors under the CCPA. Avalara will comply with the obligations on service providers under the CCPA and provide the same level of privacy protections required of Customer under the CCPA. If Avalara determines it can no longer meet its obligations under the CCPA or its implementing regulations, it will notify Customer. Avalara understands the restrictions in this Section 6 and certifies it will comply with the same. If Avalara receives deidentified Services Data, Avalara will not attempt to reidentify the information except as permitted by the CCPA .
Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other jurisdictions as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara
1. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3. takes all measures required pursuant to Article 32 of the GDPR (security of processing);
4. respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
5. taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
6. assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
7. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
8. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA here or at https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhCV_CIBj5a1as7z3LRaE7FGGqhHIxcUIjcIf_NosDnnyU3iUwU0Zt1GwhoPnVcBSuQ*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.
Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:

Email: DataPrivacy@avalara.com
Attn: Legal Department
Avalara Europe Ltd.
Lanchester House
3^rd Floor
Trafalgar Place
Brighton BN1 4FU
United Kingdom

Exhibit 1

SECURITY

Avalara maintains the following technical and organisation measures:

Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorised access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
Avalara maintains network zones and applies ingress and egress standards for the protection of data.
Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
Avalara maintains an incident response program to detect, analyse, prioritise, and handle cyber security events and incidents to prevent, detect, and deter the unauthorised access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorised individuals.
Avalara has established logical separation between production and lower environments.
Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
All Avalara personnel must undergo the mandatory security awareness training at least annually.
The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organisation's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.

Effective November 1st 2023 to November 15th 2023

Download

Except as amended by this DPA, the Contract will remain in full force and effect.
To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
This DPA will automatically expire on the termination or expiration of the Contract.

Control and Ownership. Customer owns and controls all Services Data. Services Data is disclosed by Customer to Avalara only for the limited and specified business purposes of assisting Customer in complying with tax and financial obligations. Avalara does not use, retain, or disclose Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated.
Security. Avalara applies technical, administrative and organisational data security measures that meet or exceed the requirements described in Exhibit 1 (“Security”). Avalara may update and modify Exhibit 1 from time to time, provided that Avalara shall not materially reduce the level of security provided thereunder, except with Customer’s consent.
Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara, (b) make available to Customer all information necessary to demonstrate compliance with any mandatory privacy laws imposed on Customer or to conduct or document data protection assessments required by such laws, and (c) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.
Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers. This includes a right for Customer to take reasonable and appropriate steps to help ensure that Avalara uses the Services Data in a manner consistent with Customer's legal obligations and the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Services Data
Notify Breaches. Avalara notifies Customer of unauthorised access to Services Data and other security breaches as required by applicable law.
No Information Selling or Sharing for Cross‐Context Behavioral Advertising; Compliance with the CCPA. Avalara does not accept or disclose any Services Data as consideration for any payments, services, or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA.
Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other jurisdictions as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara
1. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
2. (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3. (c) takes all measures required pursuant to Article 32 of the GDPR (security of processing);
4. (d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
5. (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
6. (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
7. (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
8. (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA here or at https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhCV_CIBj5a1as7z3LRaE7FGGqhHIxcUIjcIf_NosDnnyU3iUwU0Zt1GwhoPnVcBSuQ*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.
Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:

Email: DataPrivacy@avalara.com
Attn: Legal Department
Avalara Europe Ltd.
Lanchester House
3^rd Floor
Trafalgar Place
Brighton BN1 4FU
United Kingdom

Exhibit 1

SECURITY

Avalara maintains the following technical and organisation measures:

Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorised access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
Avalara maintains network zones and applies ingress and egress standards for the protection of data.
Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
Avalara maintains an incident response program to detect, analyse, prioritise, and handle cyber security events and incidents to prevent, detect, and deter the unauthorised access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorised individuals.
Avalara has established logical separation between production and lower environments.
Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
All Avalara personnel must undergo the mandatory security awareness training at least annually.
The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organisation's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.

Effective October 26th 2023 to November 1st 2023

Download

Last updated August 8, 2022

This DPA is incorporated into the Contract between Avalara Europe Ltd. (“Avalara” or “us” or “our”) and Customer. If a provision of this Avalara Europe Ltd. Services Data Processing Agreement (“DPA”) conflicts with a provision of the Contract, the provision in this DPA governs. Capitalised terms used and not otherwise defined in this DPA have the meanings provided in the Contract.

Except as amended by this DPA, the Contract will remain in full force and effect.
To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
This DPA will automatically expire on the termination or expiration of the Contract.

Avalara serves enterprises, public sector entities and other organisations (“Customer”) and protects Services Data in compliance with the terms of this DPA. Services Data means personal data relating to named or identifiable individuals that Customer’s authorised users (“Authorised Users”) provide in compliance with applicable law and our applicable service agreements or other commercial contract terms (“Contract”) when Customer uses our service offerings and related data processing services as described in our data sheets, service specifications, and other technical documentation, as amended from time to time (“Services”).

1. Control and Ownership. Customer owns and controls all Services Data. Avalara does not use Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated.

2. Security. Avalara applies technical, administrative and organisational data security measures that meet or exceed the requirements described in Exhibit 1 (“Security”). Avalara may update and modify Exhibit 1 from time to time, provided that Avalara must not reduce the level of security provided thereunder, except with Customer’s consent or with 90 days prior written notice.

3. Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara, and (b) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.

4. Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers.

5. Notify Breaches. Avalara notifies Customer of unauthorised access to Services Data and other security breaches as required by applicable law.

6. No Information Selling or Sharing for Cross‐Context Behavioral Advertising. Avalara does not accept or disclose any Services Data as consideration for any payments, services, or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA.

7. Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other countries as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32 of the GDPR (security of processing);
(d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

8. Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA at here or https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhB05c1e2iTcpxkELW8vTvPqk4U8ZyPEAzxTu9ldh7un3AHSdm8-TmV9ovhX8SMAjac. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.

9. Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:

Email: DataPrivacy@avalara.com
Attn: Legal Department
Avalara Europe Ltd.
Lanchester House
3^rd Floor
Trafalgar Place
Brighton BN1 4FU
United Kingdom

EXHIBIT 1: SECURITY

Avalara maintains the following technical and organisation measures:

Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorised access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
Avalara maintains network zones and applies ingress and egress standards for the protection of data.
Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
Avalara maintains an incident response program to detect, analyse, prioritise, and handle cyber security events and incidents to prevent, detect, and deter the unauthorised access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorised individuals.
Avalara has established logical separation between production and lower environments.
Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
All Avalara personnel must undergo the mandatory security awareness training at least annually.
The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organisation's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.

Avalara, Inc. Services Data Processing Agreement

Version

Effective October 15th 2024

Download

This Avalara, Inc. Services Data Processing Agreement (“DPA”) is incorporated into the Contract between Avalara, Inc. (“Avalara” or “us” or “our”) and Customer. If a provision of this DPA conflicts with a provision of the Contract, the provision in this DPA governs. Capitalized terms used and not otherwise defined in this DPA have the meanings provided in the Contract.

Except as amended by this DPA, the Contract will remain in full force and effect.
To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
This DPA will automatically expire on the termination or expiration of the Contract.

Avalara serves enterprises, public sector entities and other organizations (“Customer”) and protects Services Data in compliance with the terms of this DPA. “Services Data” means personal data relating to named or identifiable individuals that Customer’s authorized users (“Authorized Users”) provide in compliance with applicable law and our applicable service agreements or other commercial contract terms (“Contract”) when Customer uses our service offerings and related data processing services as described in our data sheets, service specifications, and other technical documentation, as amended from time to time (“Services”).

Control and Ownership. Customer owns and controls all Services Data. Services Data is disclosed by Customer to Avalara only for the limited and specified business purposes of assisting Customer in complying with tax and financial obligations. Avalara does not use, retain, or disclose Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated, subject to applicable law.
Security. Avalara applies technical, administrative and organizational data security measures that meet or exceed the requirements described in Avalara’s Technical and Organisational Measures in Exhibit 1, Annex II (“TOMs”). Avalara may update and modify its TOMs from time to time, provided that Avalara shall not materially reduce the level of security provided thereunder, except with Customer’s consent.
Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara and (b) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.
Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers. This includes a right for Customer to take reasonable and appropriate steps to help ensure that Avalara uses the Services Data in a manner consistent with Customer's legal obligations and the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Services Data.
Notify Breaches. Avalara notifies Customer of unauthorized access to Services Data and other security breaches as required by applicable law.
No Information Selling or Sharing for Cross‐Context Behavioral Advertising; Compliance with the CCPA. Avalara does not accept or disclose any Services Data as consideration for any payments, services or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers or contractors under the CCPA. Avalara will comply with the obligations on service providers under the CCPA and provide the same level of privacy protections required of Customer under the CCPA. If Avalara determines it can no longer meet its obligations under the CCPA or its implementing regulations, it will notify Customer. Avalara understands the restrictions in this Section 6 and certifies it will comply with the same. If Avalara receives deidentified Services Data, Avalara will not attempt to reidentify the information except as permitted by the CCPA.
Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other jurisdictions as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara:
1. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3. takes all measures required pursuant to Article 32 of the GDPR (security of processing);
4. respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
5. taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
6. assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
7. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
8. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
EU Standard Contractual Clauses: For Services Data that is subject to the GDPR, Avalara complies with the EU Standard Contractual Clauses for international transfers in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (EU SCCs) for the transfer of personal data outside the European Economic Area (EEA), Modules 1-3 as noted below, in Exhibit 1. Under such EU SCCs, Customer will act as data exporter. Customer may be based within or outside the EEA. Customer may receive personal data from the EEA as a controller and as a processor under separate agreements. Avalara is based outside the EEA, acts as data importer, provides services to data exporter under separate commercial agreement(s) and agrees to the EU SCCs as a processor or sub-processor under Modules 2 and 3. Data exporter will provide all relevant instructions under Module 2 (as the controller) and under Module 3 (on the controller’s behalf). Customer instructs Avalara to provide Avalara’s standard services as described in Avalara’s commercial terms and service descriptions. For limited business contact information concerning individual representatives who provide instructions to Avalara, Avalara agrees to the EU SCCs as a controller under Module 1.
Switzerland: For transfers of Services Data from Switzerland, Avalara agrees to the EU SCCs as set out in Section 8 subject to the following amendments: The Federal Data Protection and Information Commissioner is the competent supervisory authority in so far as the data transfer falls under Swiss law. Switzerland is also to be considered as a Member State within the meaning of the EU SCCs so that data subjects can file claims according to clause 18c of the EU SCCs at their habitual residence in Switzerland. Until the revised Swiss Federal Act on Data Protection enters into force that does no longer protect data of legal persons but only data of natural persons, the EU SCCs also applies to data of legal persons.
United Kingdom: With respect to transfers of Services Data from the United Kingdom of Great Britain and Northern Ireland to countries not deemed to have adequate data protection regimes under all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom of Great Britain and Northern Ireland, Avalara agrees to the EU SCCs as set out in Section 8 and the International Data Transfer Addendum to the EU SCCs in Exhibit 2. Any conflicts between the EU SCCs and the International Data Transfer Addendum to the EU SCCs shall be resolved as provided in the International Data Transfer Addendum to the EU SCCs.
Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA at here or https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhDjdoPrd_VbexJ4FZiqWiIRPUfxmjUSdJ4zZrK0UtHVNV_5dy9HD28JAMepyhq1bw8*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.
Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:

Email: DataPrivacy@avalara.com

Attn: Legal Department
Avalara, Inc.
Suite 100
512 S Mangum St.
Durham, NC 27701, USA

Exhibit 1

STANDARD CONTRACTUAL CLAUSES

The EU SCCs, modules 1-3, available at Standard Contractual Clauses (SCC) | European Commission (europa.eu) or on a successor website designated by the EU commission, are incorporated herein by reference. Customer will provide all instructions under these EU SCCs as the controller and on the controller’s behalf.

Where the EU SCCs require that the parties make an election, the parties make the elections reflected below. Any optional clauses in the EU SCCs not expressly selected below are omitted from this DPA.

for purposes of Clause 9 of the EU SCCs, Option 2 (‘General authorization’) shall apply and Avalara shall inform customer in writing of any intended changes to sub-processors at least 30 days in advance;
in Clause 11 (a) of the EU SCCs, the optional language shall be deleted; and
for purposes of Clause 17 and Clause 18 of the EU SCCs, the Member State for purposes of governing law, forum and jurisdiction shall be Luxembourg.

Annex I

A. LIST OF PARTIES

For purposes of Annex 1.A (List of Parties) of the EU SCCs: (i) Avalara processes personal data to provide Services to Customer and Avalara shall be the ‘data importer’; and (ii) Customer shall be the ‘data exporter’. Avalara can be contacted through the Avalara Global Privacy Office at dataprivacy@avalara.com. Customer provides personal data to Avalara to obtain Avalara’s Services and can be contacted through the contact information provided by Customer to Avalara.

B. DESCRIPTION OF TRANSFER

For the details of the processing of personal data required for Annex 1.B of the EU SCCs, see below:

MODULE ONE: Transfer controller to controller

Categories of data subjects whose personal data is transferred

Individual employees and representatives of data exporter who instruct data importer, send purchase orders, process invoices, arrange for payment, make support calls, use data importer's services, and otherwise do business with data importer.

Categories of personal data transferred

Business contact information, service usage, payment status and other information relating to how data exporter uses data importer's services.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

Sensitive data is not transferred on a controller-to-controller basis.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.

Nature of the processing

Data importer uses data as a controller to do business with data exporter, sell services, issue invoices, provide technical support, perform services, address customer questions, improve services and develop new services and offerings.

Purpose(s) of the data transfer and further processing

Communications and business collaboration between data exporter and data importer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the term of the contract and so long as data importer markets additional services to data exporter.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Same as above.

MODULE TWO AND THREE: Transfer controller and processor to processor

Categories	Tax Calculation	Return Preparation	Tax Identification Registration	Fiscal Representation	Document Management
Categories of data subjects whose personal data is transferred	Customer’s customers	Customer if it is a sole traders/proprietor using personal contact information for its business; Customer’s Authorized Users	Customer’s owners and directors	Customer’s owners and directors	Customer’s contact details; Customer’s customers
Categories of personal data transferred	Delivery addresses, tax identifiers for sole traders/proprietorships, names, access credentials	Tax identifier for sole traders/proprietorship, names and contact details, access credentials for Authorized Users	Names and contact details of owners and directors as required by regulatory authorities, including proof of identification and date of birth	Names and contact details, proof of identification, tax identifiers for sole traders/proprietorships	Names and contact details, tax identifiers for sole traders/proprietorships
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.	None	None	Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls	Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls	None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)	Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.
Nature of the processing	Calculating various types of tax	Preparing and filing tax returns	Registering Customer to collect and remit various tax types	Providing Fiscal Representation services	Using and managing tax related documents
Purpose(s) of the data transfer and further processing	Assist Customer in complying with tax obligations	Assist Customer in complying with tax obligations	Assist Customer in complying with tax obligations	Assist Customer in complying with tax and financial obligations	Assist Customer in complying with tax obligations
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period	Unless deletion is requested by the controller, the data will be processed until the end of applicable tax or regulatory audit periods.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	Processor uses subprocessors for certain hosting, support, logging, monitoring, warehousing, infrastructure, and analytics purposes

C. COMPETENT SUPERVISORY AUTHORITY

For purposes of Clause 13 and Annex 1.C of the EU SCCs, where no competent supervisory authority is identified through the rules of such Clause 13, the competent supervisory authority is the authority in Luxembourg.

Annex II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

For the purposes of Annex 2 of the EU SCCs, the technical and organizational measures implemented by Avalara are as described below.

Avalara maintains the following technical and organization measures:

Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorized access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
Avalara maintains network zones and applies ingress and egress standards for the protection of data.
Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
Avalara maintains an incident response program to detect, analyze, prioritize, and handle cyber security events and incidents to prevent, detect, and deter the unauthorized access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorized individuals.
Avalara has established logical separation between production and lower environments.
Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
All Avalara personnel must undergo the mandatory security awareness training at least annually.
The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organization's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.

Annex III

LIST OF SUB-PROCESSORS

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

The controller has provided general authorisation for the engagement of subprocessors from an agreed list, available at Subprocessors (avalara.com).

Exhibit 2

The International Data Transfer Addendum to the EU SCCs (“UK addendum”), available at International data transfer agreement and guidance | ICO or on a successor website designated by the UK ICO, are incorporated herein by reference.

The parties are as reflected in the signature block to this DPA.

The parties select the version of the approved EU SCCs referenced in section 8 of this DPA including the appendix information which is as described in Exhibit 1.

The appendix information in table 3 of the UK addendum is as set out in the annexes to the EU SCCs in Exhibit 1.

The list of sub processors is as provided at Subprocessors (avalara.com).

Either party may end the UK addendum as set out in section 19 of the same.

Effective November 15th 2023 to October 15th 2024

Download

Except as amended by this DPA, the Contract will remain in full force and effect.
To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
This DPA will automatically expire on the termination or expiration of the Contract.

Control and Ownership. Customer owns and controls all Services Data. Services Data is disclosed by Customer to Avalara only for the limited and specified business purposes of assisting Customer in complying with tax and financial obligations. Avalara does not use, retain, or disclose Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated, subject to applicable law.
Security. Avalara applies technical, administrative and organizational data security measures that meet or exceed the requirements described in Avalara’s Technical and Organisational Measures in Exhibit 1, Annex II (“TOMs”). Avalara may update and modify its TOMs from time to time, provided that Avalara shall not materially reduce the level of security provided thereunder, except with Customer’s consent.
Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara and (b) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.
Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers. This includes a right for Customer to take reasonable and appropriate steps to help ensure that Avalara uses the Services Data in a manner consistent with Customer's legal obligations and the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Services Data.
Notify Breaches. Avalara notifies Customer of unauthorized access to Services Data and other security breaches as required by applicable law.
No Information Selling or Sharing for Cross‐Context Behavioral Advertising; Compliance with the CCPA. Avalara does not accept or disclose any Services Data as consideration for any payments, services or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers or contractors under the CCPA. Avalara will comply with the obligations on service providers under the CCPA and provide the same level of privacy protections required of Customer under the CCPA. If Avalara determines it can no longer meet its obligations under the CCPA or its implementing regulations, it will notify Customer. Avalara understands the restrictions in this Section 6 and certifies it will comply with the same. If Avalara receives deidentified Services Data, Avalara will not attempt to reidentify the information except as permitted by the CCPA.
Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other jurisdictions as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara:
1. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3. takes all measures required pursuant to Article 32 of the GDPR (security of processing);
4. respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
5. taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
6. assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
7. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
8. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
EU Standard Contractual Clauses: For Services Data that is subject to the GDPR, Avalara complies with the EU Standard Contractual Clauses for international transfers in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (EU SCCs) for the transfer of personal data outside the European Economic Area (EEA), Modules 1-3 as noted below, in Exhibit 1. Under such EU SCCs, Customer will act as data exporter. Customer may be based within or outside the EEA. Customer may receive personal data from the EEA as a controller and as a processor under separate agreements. Avalara is based outside the EEA, acts as data importer, provides services to data exporter under separate commercial agreement(s) and agrees to the EU SCCs as a processor or sub-processor under Modules 2 and 3. Data exporter will provide all relevant instructions under Module 2 (as the controller) and under Module 3 (on the controller’s behalf). Customer instruct Avalara to provide Avalara’s standard services as described in Avalara’s commercial terms and service descriptions. For limited business contact information concerning individual representatives who provide instructions to Avalara, Avalara agrees to the EU SCCs as a controller under Module 1.
Switzerland: For transfers of Services Data from Switzerland, Avalara agrees to the EU SCCs as set out in Section 8 subject to the following amendments: The Federal Data Protection and Information Commissioner is the competent supervisory authority in so far as the data transfer falls under Swiss law. Switzerland is also to be considered as a Member State within the meaning of the EU SCCs so that data subjects can file claims according to clause 18c of the EU SCCs at their habitual residence in Switzerland. Until the revised Swiss Federal Act on Data Protection enters into force that does no longer protect data of legal persons but only data of natural persons, the EU SCCs also applies to data of legal persons.
United Kingdom: With respect to transfers of Services Data from the United Kingdom of Great Britain and Northern Ireland to countries not deemed to have adequate data protection regimes under all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom of Great Britain and Northern Ireland, Avalara agrees to the EU SCCs as set out in Section 8 and the International Data Transfer Addendum to the EU SCCs in Exhibit 2. Any conflicts between the EU SCCs and the International Data Transfer Addendum to the EU SCCs shall be resolved as provided in the International Data Transfer Addendum to the EU SCCs.
Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA at here or https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhDjdoPrd_VbexJ4FZiqWiIRPUfxmjUSdJ4zZrK0UtHVNV_5dy9HD28JAMepyhq1bw8*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.
Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:

Email: DataPrivacy@avalara.com

Attn: Legal Department

Avalara, Inc.

Suite 1800

255 South King Street

Seattle, WA 98104, USA

Exhibit 1

STANDARD CONTRACTUAL CLAUSES

for purposes of Clause 9 of the EU SCCs, Option 2 (‘General authorization’) shall apply and Avalara shall inform customer in writing of any intended changes to sub-processors at least 30 days in advance;
in Clause 11 (a) of the EU SCCs, the optional language shall be deleted; and
for purposes of Clause 17 and Clause 18 of the EU SCCs, the Member State for purposes of governing law, forum and jurisdiction shall be Luxembourg.

Annex I

A. LIST OF PARTIES

B. DESCRIPTION OF TRANSFER

For the details of the processing of personal data required for Annex 1.B of the EU SCCs, see below:

MODULE ONE: Transfer controller to controller

Categories of data subjects whose personal data is transferred

Categories of personal data transferred

Business contact information, service usage, payment status and other information relating to how data exporter uses data importer's services.

Sensitive data is not transferred on a controller-to-controller basis.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.

Nature of the processing

Purpose(s) of the data transfer and further processing

Communications and business collaboration between data exporter and data importer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the term of the contract and so long as data importer markets additional services to data exporter.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Same as above.

MODULE TWO AND THREE: Transfer controller and processor to processor

Categories	Tax Calculation	Return Preparation	Tax Identification Registration	Fiscal Representation	Document Management
Categories of data subjects whose personal data is transferred	Customer’s customers	Customer if it is a sole traders/proprietor using personal contact information for its business; Customer’s Authorized Users	Customer’s owners and directors	Customer’s owners and directors	Customer’s contact details; Customer’s customers
Categories of personal data transferred	Delivery addresses, tax identifiers for sole traders/proprietorships, names, access credentials	Tax identifier for sole traders/proprietorship, names and contact details, access credentials for Authorized Users	Names and contact details of owners and directors as required by regulatory authorities, including proof of identification and date of birth	Names and contact details, proof of identification, tax identifiers for sole traders/proprietorships	Names and contact details, tax identifiers for sole traders/proprietorships
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.	None	None	Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls	Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls	None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)	Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.
Nature of the processing	Calculating various types of tax	Preparing and filing tax returns	Registering Customer to collect and remit various tax types	Providing Fiscal Representation services	Using and managing tax related documents
Purpose(s) of the data transfer and further processing	Assist Customer in complying with tax obligations	Assist Customer in complying with tax obligations	Assist Customer in complying with tax obligations	Assist Customer in complying with tax and financial obligations	Assist Customer in complying with tax obligations
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period	Unless deletion is requested by the controller, the data will be processed until the end of applicable tax or regulatory audit periods.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	Processor uses subprocessors for certain hosting, support, logging, monitoring, warehousing, infrastructure, and analytics purposes

C. COMPETENT SUPERVISORY AUTHORITY

Annex II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

For the purposes of Annex 2 of the EU SCCs, the technical and organizational measures implemented by Avalara are as described below.

Avalara maintains the following technical and organization measures:

Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorized access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
Avalara maintains network zones and applies ingress and egress standards for the protection of data.
Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
Avalara maintains an incident response program to detect, analyze, prioritize, and handle cyber security events and incidents to prevent, detect, and deter the unauthorized access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorized individuals.
Avalara has established logical separation between production and lower environments.
Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
All Avalara personnel must undergo the mandatory security awareness training at least annually.
The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organization's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.

Annex III

LIST OF SUB-PROCESSORS

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

The controller has provided general authorisation for the engagement of subprocessors from an agreed list, available at Subprocessors (avalara.com).

Exhibit 2

The parties are as reflected in the signature block to this DPA.

The parties select the version of the approved EU SCCs referenced in section 8 of this DPA including the appendix information which is as described in Exhibit 1.

The appendix information in table 3 of the UK addendum is as set out in the annexes to the EU SCCs in Exhibit 1.

The list of sub processors is as provided at Subprocessors (avalara.com).

Either party may end the UK addendum as set out in section 19 of the same.

Effective November 1st 2023 to November 15th 2023

Download

Except as amended by this DPA, the Contract will remain in full force and effect.
To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
This DPA will automatically expire on the termination or expiration of the Contract.

Control and Ownership. Customer owns and controls all Services Data. Services Data is disclosed by Customer to Avalara only for the limited and specified business purposes of assisting Customer in complying with tax and financial obligations. Avalara does not use, retain, or disclose Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated, subject to applicable law.
Security. Avalara applies technical, administrative and organizational data security measures that meet or exceed the requirements described in Avalara’s Technical and Organisational Measures in Exhibit 1, Annex II (“TOMs”). Avalara may update and modify its TOMs from time to time, provided that Avalara shall not materially reduce the level of security provided thereunder, except with Customer’s consent.
Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara, (b) make available to Customer all information necessary to demonstrate compliance with any mandatory privacy laws imposed on Customer or to conduct or document data protection assessments required by such laws, and (c) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.
Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers. This includes a right for Customer to take reasonable and appropriate steps to help ensure that Avalara uses the Services Data in a manner consistent with Customer's legal obligations and the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Services Data.
Notify Breaches. Avalara notifies Customer of unauthorized access to Services Data and other security breaches as required by applicable law.
No Information Selling or Sharing for Cross‐Context Behavioral Advertising; Compliance with the CCPA. Avalara does not accept or disclose any Services Data as consideration for any payments, services or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers or contractors under the CCPA. Avalara will comply with the obligations on service providers under the CCPA and provide the same level of privacy protections required of Customer under the CCPA. If Avalara determines it can no longer meet its obligations under the CCPA or its implementing regulations, it will notify Customer. Avalara understands the restrictions in this section 6 and certifies it will comply with the same. If Avalara receives deidentified Services Data, Avalara will not attempt to reidentify the information except as permitted by the CCPA.
Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other jurisdictions as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara:
1. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3. takes all measures required pursuant to Article 32 of the GDPR (security of processing);
4. respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
5. taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
6. assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
7. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
8. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
EU Standard Contractual Clauses: For Services Data that is subject to the GDPR, Avalara complies with the EU Standard Contractual Clauses for international transfers in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (EU SCCs) for the transfer of personal data outside the European Economic Area (EEA), Modules 1-3 as noted below, in Exhibit 1. Under such EU SCCs, Customer will act as data exporter. Customer may be based within or outside the EEA. Customer may receive personal data from the EEA as a controller and as a processor under separate agreements. Avalara is based outside the EEA, acts as data importer, provides services to data exporter under separate commercial agreement(s) and agrees to the EU SCCs as a processor or sub-processor under Modules 2 and 3. Data exporter will provide all relevant instructions under Module 2 (as the controller) and under Module 3 (on the controller’s behalf). Customer instruct Avalara to provide Avalara’s standard services as described in Avalara’s commercial terms and service descriptions. For limited business contact information concerning individual representatives who provide instructions to Avalara, Avalara agrees to the EU SCCs as a controller under Module 1.
Switzerland: For transfers of Services Data from Switzerland, Avalara agrees to the EU SCCs as set out in Section 8 subject to the following amendments: The Federal Data Protection and Information Commissioner is the competent supervisory authority in so far as the data transfer falls under Swiss law. Switzerland is also to be considered as a Member State within the meaning of the EU SCCs so that data subjects can file claims according to clause 18c of the EU SCCs at their habitual residence in Switzerland. Until the revised Swiss Federal Act on Data Protection enters into force that does no longer protect data of legal persons but only data of natural persons, the EU SCCs also applies to data of legal persons.
United Kingdom: With respect to transfers of Services Data from the United Kingdom of Great Britain and Northern Ireland to countries not deemed to have adequate data protection regimes under all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom of Great Britain and Northern Ireland, Avalara agrees to the EU SCCs as set out in Section 8 and the International Data Transfer Addendum to the EU SCCs in Exhibit 2. Any conflicts between the EU SCCs and the International Data Transfer Addendum to the EU SCCs shall be resolved as provided in the International Data Transfer Addendum to the EU SCCs.
Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA at here or https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhDjdoPrd_VbexJ4FZiqWiIRPUfxmjUSdJ4zZrK0UtHVNV_5dy9HD28JAMepyhq1bw8*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.
Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:

Email: DataPrivacy@avalara.com

Attn: Legal Department

Avalara, Inc.

Suite 1800

255 South King Street

Seattle, WA 98104, USA

Exhibit 1

STANDARD CONTRACTUAL CLAUSES

for purposes of Clause 9 of the EU SCCs, Option 2 (‘General authorization’) shall apply and Avalara shall inform customer in writing of any intended changes to sub-processors at least 30 days in advance;
in Clause 11 (a) of the EU SCCs, the optional language shall be deleted; and
for purposes of Clause 17 and Clause 18 of the EU SCCs, the Member State for purposes of governing law, forum and jurisdiction shall be Luxembourg.

Annex I

A. LIST OF PARTIES

B. DESCRIPTION OF TRANSFER

For the details of the processing of personal data required for Annex 1.B of the EU SCCs, see below:

MODULE ONE: Transfer controller to controller

Categories of data subjects whose personal data is transferred

Categories of personal data transferred

Business contact information, service usage, payment status and other information relating to how data exporter uses data importer's services.

Sensitive data is not transferred on a controller-to-controller basis.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.

Nature of the processing

Purpose(s) of the data transfer and further processing

Communications and business collaboration between data exporter and data importer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the term of the contract and so long as data importer markets additional services to data exporter.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Same as above.

MODULE TWO AND THREE: Transfer controller and processor to processor

Categories	Tax Calculation	Return Preparation	Tax Identification Registration	Fiscal Representation	Document Management
Categories of data subjects whose personal data is transferred	Customer’s customers	Customer if it is a sole traders/proprietor using personal contact information for its business; Customer’s Authorized Users	Customer’s owners and directors	Customer’s owners and directors	Customer’s contact details; Customer’s customers
Categories of personal data transferred	Delivery addresses, tax identifiers for sole traders/proprietorships, names, access credentials	Tax identifier for sole traders/proprietorship, names and contact details, access credentials for Authorized Users	Names and contact details of owners and directors as required by regulatory authorities, including proof of identification and date of birth	Names and contact details, proof of identification, tax identifiers for sole traders/proprietorships	Names and contact details, tax identifiers for sole traders/proprietorships
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.	None	None	Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls	Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls	None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)	Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.
Nature of the processing	Calculating various types of tax	Preparing and filing tax returns	Registering Customer to collect and remit various tax types	Providing Fiscal Representation services	Using and managing tax related documents
Purpose(s) of the data transfer and further processing	Assist Customer in complying with tax obligations	Assist Customer in complying with tax obligations	Assist Customer in complying with tax obligations	Assist Customer in complying with tax and financial obligations	Assist Customer in complying with tax obligations
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period	Unless deletion is requested by the controller, the data will be processed until the end of applicable tax or regulatory audit periods.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	Processor uses subprocessors for certain hosting, support, logging, monitoring, warehousing, infrastructure, and analytics purposes

C. COMPETENT SUPERVISORY AUTHORITY

Annex II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

For the purposes of Annex 2 of the EU SCCs, the technical and organizational measures implemented by Avalara are as described below.

Avalara maintains the following technical and organization measures:

Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorized access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
Avalara maintains network zones and applies ingress and egress standards for the protection of data.
Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
Avalara maintains an incident response program to detect, analyze, prioritize, and handle cyber security events and incidents to prevent, detect, and deter the unauthorized access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorized individuals.
Avalara has established logical separation between production and lower environments.
Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
All Avalara personnel must undergo the mandatory security awareness training at least annually.
The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organization's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.

Annex III

LIST OF SUB-PROCESSORS

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

The controller has provided general authorisation for the engagement of subprocessors from an agreed list, available at Subprocessors (avalara.com).

Exhibit 2

The parties are as reflected in the signature block to this DPA.

The parties select the version of the approved EU SCCs referenced in section 8 of this DPA including the appendix information which is as described in Exhibit 1.

The appendix information in table 3 of the UK addendum is as set out in the annexes to the EU SCCs in Exhibit 1.

The list of sub processors is as provided at Subprocessors (avalara.com).

Either party may end the UK addendum as set out in section 19 of the same.

Effective October 26th 2023 to November 1st 2023

Download

Last updated February 14, 2023

This DPA is incorporated into the Contract between Avalara, Inc. (“Avalara” or “us” or “our”) and Customer. If a provision of this Avalara, Inc. Services Data Processing Agreement (“DPA”) conflicts with a provision of the Contract, the provision in this DPA governs. Capitalized terms used and not otherwise defined in this DPA have the meanings provided in the Contract.

Except as amended by this DPA, the Contract will remain in full force and effect.
To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
This DPA will automatically expire on the termination or expiration of the Contract.

Avalara serves enterprises, public sector entities and other organizations (“Customer”) and protects Services Data in compliance with the terms of this DPA. Services Data means personal data relating to named or identifiable individuals that Customer’s authorized users (“Authorized Users”) provide in compliance with applicable law and our applicable service agreements or other commercial contract terms (“Contract”) when Customer uses our service offerings and related data processing services as described in our data sheets, service specifications, and other technical documentation, as amended from time to time (“Services”).

2. Security. Avalara applies technical, administrative and organizational data security measures that meet or exceed the requirements described in Avalara’s Technical and Organisational Measures in Exhibit 1, Annex II (“TOMs”). Avalara may update and modify its TOMs from time to time, provided that Avalara must not reduce the level of security provided thereunder, except with Customer’s consent or with 90 days prior written notice.

4. Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers.

5. Notify Breaches. Avalara notifies Customer of unauthorized access to Services Data and other security breaches as required by applicable law.

6. No Information Selling or Sharing for Cross‐Context Behavioral Advertising. Avalara does not accept or disclose any Services Data as consideration for any payments, services or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA.

8. EU Standard Contractual Clauses: For Services Data that is subject to the GDPR, Avalara complies with the EU Standard Contractual Clauses for international transfers in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (EU SCCs) for the transfer of personal data outside the European Economic Area (EEA), Modules 1-3 as noted below, in Exhibit 1. Under such EU SCCs, Customer will act as data exporter. Customer may be based within or outside the EEA. Customer may receive personal data from the EEA as a controller and as a processor under separate agreements. Avalara is based outside the EEA, acts as data importer, provides services to data exporter under separate commercial agreement(s) and agrees to the EU SCCs as a processor or sub-processor under Modules 2 and 3. Data exporter will provide all relevant instructions under Module 2 (as the controller) and under Module 3 (on the controller’s behalf). Customer instruct Avalara to provide Avalara’s standard services as described in Avalara’s commercial terms and service descriptions. For limited business contact information concerning individual representatives who provide instructions to Avalara, Avalara agrees to the EU SCCs as a controller under Module 1.

9. Switzerland: For transfers of Services Data from Switzerland, Avalara agrees to the EU SCCs as set out in Section 8 subject to the following amendments: The Federal Data Protection and Information Commissioner is the competent supervisory authority in so far as the data transfer falls under Swiss law. Switzerland is also to be considered as a Member State within the meaning of the EU SCCs so that data subjects can file claims according to clause 18c of the EU SCCs at their habitual residence in Switzerland. Until the revised Swiss Federal Act on Data Protection enters into force that does no longer protect data of legal persons but only data of natural persons, the EU SCCs also applies to data of legal persons.

10. United Kingdom: With respect to transfers of Services Data from the United Kingdom of Great Britain and Northern Ireland to countries not deemed to have adequate data protection regimes under all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom of Great Britain and Northern Ireland, Avalara agrees to the EU SCCs as set out in Section 8 and the International Data Transfer Addendum to the EU SCCs in Exhibit 2. Any conflicts between the EU SCCs and the International Data Transfer Addendum to the EU SCCs shall be resolved as provided in the International Data Transfer Addendum to the EU SCCs.

11. Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA at here or https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhD8qGCX455w96VKreWqVy5W0RbQ_E1XtKdKuZpn1hVkh8z3XJDKKePI-McnHEXenqA*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.

12. Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:

Email: DataPrivacy@avalara.com
Attn: Legal Department
Avalara, Inc.
Suite 1800
255 South King Street
Seattle, WA 98104, USA

EXHIBIT 1:

STANDARD CONTRACTUAL CLAUSES

for purposes of Clause 9 of the EU SCCs, Option 2 (‘General authorization’) shall apply and Avalara shall inform customer in writing of any intended changes to sub-processors at least 30 days in advance;
in Clause 11 (a) of the EU SCCs, the optional language shall be deleted; and
for purposes of Clause 17 and Clause 18 of the EU SCCs, the Member State for purposes of governing law, forum and jurisdiction shall be Luxembourg.

Annex I

A. LIST OF PARTIES

B. DESCRIPTION OF TRANSFER

For the details of the processing of personal data required for Annex 1.B of the EU SCCs, see below:

MODULE ONE: Transfer controller to controller

Categories of data subjects whose personal data is transferred

Categories of personal data transferred

Business contact information, service usage, payment status and other information relating to how data exporter uses data importer's services.

Sensitive data is not transferred on a controller-to-controller basis.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.

Nature of the processing

Purpose(s) of the data transfer and further processing

Communications and business collaboration between data exporter and data importer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the term of the contract and so long as data importer markets additional services to data exporter.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Same as above.

MODULE TWO AND THREE: Transfer controller and processor to processor

Categories	Tax Calculation	Return Preparation	Tax Identification Registration	Fiscal Representation	Document Management
Categories of data subjects whose personal data is transferred	Customer’s customers	Customer if it is a sole traders/proprietor using personal contact information for its business; Customer’s Authorized Users	Customer’s owners and directors	Customer’s owners and directors	Customer’s contact details; Customer’s customers
Categories of personal data transferred	Delivery addresses, tax identifiers for sole traders/proprietorships, names, access credentials	Tax identifier for sole traders/proprietorship, names and contact details, access credentials for Authorized Users	Names and contact details of owners and directors as required by regulatory authorities, including proof of identification and date of birth	Names and contact details, proof of identification, tax identifiers for sole traders/proprietorships	Names and contact details, tax identifiers for sole traders/proprietorships
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.	None	None	Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls	Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls	None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)	Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.
Nature of the processing	Calculating various types of tax	Preparing and filing tax returns	Registering Customer to collect and remit various tax types	Providing Fiscal Representation services	Using and managing tax related documents
Purpose(s) of the data transfer and further processing	Assist Customer in complying with tax obligations	Assist Customer in complying with tax obligations	Assist Customer in complying with tax obligations	Assist Customer in complying with tax and financial obligations	Assist Customer in complying with tax obligations
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period	Unless deletion is requested by the controller, the data will be processed until the end of applicable tax or regulatory audit periods.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	Processor uses subprocessors for certain hosting, support, logging, monitoring, warehousing, infrastructure, and analytics purposes

C. COMPETENT SUPERVISORY AUTHORITY

Annex II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

For the purposes of Annex 2 of the EU SCCs, the technical and organizational measures implemented by Avalara are as described below.

Avalara maintains the following technical and organization measures:

Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorized access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
Avalara maintains network zones and applies ingress and egress standards for the protection of data.
Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
Avalara maintains an incident response program to detect, analyze, prioritize, and handle cyber security events and incidents to prevent, detect, and deter the unauthorized access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorized individuals.
Avalara has established logical separation between production and lower environments.
Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
All Avalara personnel must undergo the mandatory security awareness training at least annually.
The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organization's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.

Annex III

LIST OF SUB-PROCESSORS

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

The controller has provided general authorisation for the engagement of subprocessors from an agreed list, available at Subprocessors (avalara.com).

Exhibit 2

The parties are as reflected in the signature block to this DPA.

The parties select the version of the approved EU SCCs referenced in section 8 of this DPA including the appendix information which is as described in Exhibit 1.

The appendix information in table 3 of the UK addendum is as set out in the annexes to the EU SCCs in Exhibit 1.

The list of sub processors is as provided at Subprocessors (avalara.com).

Either party may end the UK addendum as set out in section 19 of the same.

Brazil Recruitment Notice

Version

Effective May 30th 2023

Download

Page: /

Please download the PDF to view this document. Download

California Consumer Privacy Act Disclosures

Version

Effective April 30th 2024

Download

This notice and policy supplements information contained in the privacy policy (“Privacy Policy”) and notices at collection provided by Avalara, Inc. and its corporate business affiliates (“Avalara”) and applies solely to residents of the State of California (“consumers” or “you”) with respect to personal information Avalara processes as a business. Any terms defined in the California Consumer Privacy Act of 2018, as amended from time to time, including by the California Privacy Rights Act of 2020 and its implementing regulations (“CCPA”) have the same meaning when used in this notice and policy. This notice and policy does not reflect our collection, use, or disclosure of California residents’ personal information, or data subject rights, where an exception or exemption under the CCPA applies.

1. CCPA RIGHTS

As a California resident, you have the following rights under the CCPA:

The right to know what personal information we have collected about you, including the categories of personal information, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information we have collected about you.
The right to delete personal information that we have collected from you, subject to certain exceptions.
The right to correct inaccurate personal information that we maintain about you.
The right to opt-out of the sale or sharing of your personal information by us.
The right to limit our use and disclosure of sensitive personal information to purposes specified in subsection 7027(l) of the CCPA regulations. We do not use or disclose sensitive personal information for purposes other than those specified in subsection 7027(m) of the CCPA regulations.
The right not to receive discriminatory treatment by us for the exercise of privacy rights conferred by the CCPA, in violation of California Civil Code § 1798.125, including an employee's, applicant's, or independent contractor's right not to be retaliated against for the exercise of their CCPA rights

To submit a request to exercise a right, please submit an email request to dataprivacy@avalara.com or call our toll-free number at 1-877-814-9390.

You may opt-out of the sale or sharing of your personal information for targeted advertising through our Cookie Policy or by implementing the Global Privacy Control.

2. NOTICE AT COLLECTION ONLINE

We have set out below categories of personal information about California residents we collect online.

Category of personal information or sensitive personal information under CCPA definitions	Purpose for collection and use of personal information	Sold or shared	Retention time
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Specifically, real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, social security number, driver’s license number, passport number, and account name.	Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners.	Yes	Online form data is deleted after five years of inactivity; log data is retained for a minimum of one year
Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, but excluding publicly available information that is lawfully made available to the general public from federal, state, or local government records. (The categories of personal information described in the California Customer Records Act (Cal. Civ. Code § 1798.80(e)) Specifically, name, address, telephone number, social security number, education, employment, employment history, bank account number, medical information, or health insurance information.	Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners.	No	Online form data is deleted after five years of inactivity
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. Specifically, information regarding a consumer’s interaction with an internet website application or advertisement.	Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners.	Yes	No more than 140 days
Geolocation data. Specifically, location using IP addresses.	Provide and improve services.	Yes	30 days
Professional or Employment related information. Specifically, employer and job title.	Provide and improve services, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, to communicate with you, white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, provide material you request, understand your preferences to enhance your experience, and send you relevant information about us, our affiliates.	No	Online form data is deleted after five years of inactivity
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in and credentials allowing access to an account.	Contact details and password when users create an account with Avalara's website	No	Lifetime of customer

3. NOTICE OF COLLECTION OF SENSITIVE PERSONAL INFORMATION

We have set out below categories of sensitive personal information about California residents we collect.

Category of sensitive personal information under CCPA definitions	Purpose for collection and use of sensitive personal information	Sold or shared	Retention time
A consumer’s social security, driver’s license, state identification card, or passport number.	Provide services, authenticate for service access, fraud detection and prevention, security, including anti-money laundering and know-your-customer obligations, and onboarding processes for hired individuals.	No	Customer and employee data is kept for the duration of such relationships and to meet our regulatory obligations; with respect to customer data, such obligations may vary by product.
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in and credentials allowing access to an account.	Provide services.	No	Customer and employee data is kept for the duration of such relationships and to meet our regulatory obligations; with respect to customer data, such obligations may vary by product.
A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.	Comply with regulatory obligations.	No	The duration of the employment relationship and to meet our regulatory obligations.
The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. Specifically, email messages.	Fraud detection and prevention, and security.	No	To meet our regulatory obligations.
Personal information collected and analyzed concerning a consumer’s health. Specifically, health information related to employee benefits, leave, and accommodations.	Provide services.	No	The duration of the employment relationship and to meet our regulatory obligations.

4. OUR PERSONAL INFORMATION HANDLING PRACTICES IN 2023

We have set out below categories of personal information about California residents we have collected and disclosed for a business purpose in the preceding 12 months. The table is followed by a description of the purposes for which we collected personal information.

Category of personal information or sensitive personal information with reference to CCPA definitions	Categories of third parties personal information was disclosed to	Business or commercial purpose for disclosure
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information tothird parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, but excluding publicly available information that is lawfully made available to the general public from federal, state, or local government records. (The categories of personal information described in the California Customer Records Act (Cal. Civ. Code § 1798.80(e)) Specifically, name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, or other financial information, medical information, or health insurance information.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
Characteristics of protected classifications under California or federal law. Specifically, gender, marital status, race/ethnicity, gender identity, disability, requests for family care leave, medical leave, pregnancy disability leave, military and veteran status, and age if 40 years or older.	Our service providers, including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, third parties subject to compelled disclosures, and payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, and better understand our employees. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Specifically, records of products or services purchased including those purchased by employees as work-related expenses.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. Specifically, browsing history, search history, and information regarding a consumer’s interaction with an internet website application or advertisement.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
Geolocation data. Specifically, location information based on IP addresses	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
Audio, electronic, visual, thermal, olfactory, or similar information. Specifically, data relating to Avalara employees’ use of computers, software, networks, communications devices, and other similar systems that we or our affiliates own or make available to you; or you connect to or use for the purposes of providing services to us or our affiliates; and information relating to your activities on our or our affiliates' premises.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
Professional or Employment related information. Specifically, job information, compensation, benefits, contact information, work history.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). Specifically, education history.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
A consumer’s social security, driver’s license, state identification card, or passport number.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in, credentials allowing access to an account.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. Specifically, racial or ethnic origin.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. Specifically, email messages of Avalara employees.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, Avalara affiliates and subsidiaries, and to third parties subject to compelled disclosures.	To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees. To our subsidiaries and affiliates (those entities under common control), to provide services, such as technical operations and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
Personal information collected and analyzed concerning a consumer’s health. Specifically, health information related to receiving employee benefits, leaves, and accommodations.	Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.	To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Business or Commercial Purpose for Collecting Personal Information. Avalara uses the personal information that it collects to provide and improve services, authenticate for service access, detect and prevent fraud, security, troubleshoot, plan and host events, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners.

Avalara collects such information from the following categories of sources:

Directly from You. Avalara may collect personal information when you: inquire about one of our services or purchase our services; send an email to Avalara or start a live chat with us; interact with our website, products or services; register for an event or seminar; download content like white papers; create an account with us; and use our mobile services.
Cookies and Other Technologies. Avalara and its affiliates and trusted third parties may use cookies or other technologies to collect data about your device and activity on our website.
Third Parties, including Service Providers. Avalara may also collect personal data from other sources, including third parties from whom we have purchased data, and we may combine this data with data we already have about you. For example, we may collect personal data from:
- Partners. Avalara may engage in joint marketing activities or event sponsorships with our third-party partners and we may collect personal data about you from these activities. We also allow partners to provide referrals to Avalara of individuals who may be interested in learning more about Avalara’s services.
- Service Providers. Avalara may also engage with third party service providers who help us understand how our customers are using Avalara’s services.

5. COMMITMENT REGARDING DEIDENTIFIED INFORMATION

If we process deidentified information, we will maintain the information in a deidentified form and not attempt to reidentify the information, except that we may attempt to reidentify the information solely for the purpose of determining whether the deidentification processes used satisfy legal requirements.

6. AUTHORIZED AGENT

You can designate an authorized agent to make a request under the CCPA on your behalf if:

The authorized agent is a natural person or a business entity and the agent provides proof that you gave the agent signed permission to submit the request; and
You directly confirm with Avalara that you provided the authorized agent with permission to submit the request.

If you use an authorized agent to submit a request to exercise your right to know, correct or your right to request deletion, please provide any information Avalara requests to verify your identity. The information that Avalara asks you to provide to verify your identity will depend on your prior interactions with us and the sensitivity of the personal information at issue.

If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA.

7. CONTACT FOR MORE INFORMATION

If you have any questions or comments about this notice and policy, the ways in which we collect and use your personal information, your choices and rights regarding such use, please do not hesitate to contact us at:

Email address: dataprivacy@avalara.com
Postal address: Avalara, Inc., Attention: General Counsel, 255 S. King Street, Suite 1200, Seattle, WA 98104

Effective January 1st 2024 to April 30th 2024

Download

1. RIGHT TO REQUEST DELETION, CORRECTION OF INACCURATE PERSONAL INFORMATION, AND SPECIFIC PIECES OF PERSONAL INFORMATION COLLECTED, RIGHT NOT TO RECEIVE DISCRIMINATORY TREATMENT FOR THE EXERCISE OF CCPA RIGHTS

You have the right to request that we disclose what personal information we collect, use, or disclose about you specifically and to request the correction and deletion of personal information. To submit a request to exercise a right, please submit an email request to dataprivacy@avalara.com or call our toll-free number at 1-877-814-9390.

Avalara may ask that you provide certain information to verify your identity. The information that we ask you to provide to verify your identity will depend on your prior interactions with us and the sensitivity of the personal information at issue. Avalara will respond to your request in accordance with the CCPA. If we deny your request, we will explain why.

When a business sells your personal information or shares it for cross context behavioural advertising, you have a right to opt out of such sale or sharing. We do not have actual knowledge that we sell or share for cross context behavioral advertising, the personal information of California resident consumers under 16 years of age.

When a business uses or discloses sensitive personal information for reasons triggering an opt out right under the CCPA, you have the right to limit the use or disclosure of sensitive information by the business. We do not use or disclose sensitive personal information for purposes triggering a right to limit under the CCPA.

You have the right not to receive discriminatory treatment by a business for the exercise of privacy rights conferred by the CCPA in violation of California Civil Code § 1798.125, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights.

2. NOTICE AT COLLECTION ONLINE

We have set out below categories of personal information about California residents we collect online.

Category of personal information or sensitive personal information under CCPA definitions	Purpose for collection and use of personal information	Sold or shared	Retention time
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Specifically, real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, social security number, driver’s license number, passport number, and account name.	Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners.	Shared	Online form data is deleted after five years of inactivity; log data is retained for a minimum of one year
Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, but excluding publicly available information that is lawfully made available to the general public from federal, state, or local government records. (The categories of personal information described in the California Customer Records Act (Cal. Civ. Code § 1798.80(e)) Specifically, name, address, telephone number, social security number, education, employment, employment history, bank account number, medical information, or health insurance information.	Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners.	Shared	Online form data is deleted after five years of inactivity
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. Specifically, information regarding a consumer’s interaction with an internet website application or advertisement.	Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners.	Sold and shared	No more than 140 days
Geolocation data. Specifically, location using IP addresses.	Provide and improve services.	Shared	30 days
Professional or Employment related information. Specifically, employer and job title.	Provide and improve services, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, to communicate with you, white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, provide material you request, understand your preferences to enhance your experience, and send you relevant information about us, our affiliates.	Shared	Online form data is deleted after five years of inactivity
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in and credentials allowing access to an account.	Contact details and password when users create an account with Avalara's website	Shared	Lifetime of customer

3. NOTICE OF COLLECTION OF SENSITIVE PERSONAL INFORMATION

We have set out below categories of sensitive personal information about California residents we collect.

Category of sensitive personal information under CCPA definitions	Purpose for collection and use of sensitive personal information	Sold or shared	Retention time
A consumer’s social security, driver’s license, state identification card, or passport number.	Provide services, authenticate for service access, fraud detection and prevention, security, including anti-money laundering and know-your-customer obligations, and onboarding processes for hired individuals.	Shared	Customer and employee data is kept for the duration of such relationships and to meet our regulatory obligations; with respect to customer data, such obligations may vary by product.
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in and credentials allowing access to an account.	Provide services.	Shared	Customer and employee data is kept for the duration of such relationships and to meet our regulatory obligations; with respect to customer data, such obligations may vary by product.
A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.	Comply with regulatory obligations.	Shared	The duration of the employment relationship and to meet our regulatory obligations.
The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. Specifically, email messages.	Fraud detection and prevention, and security.	Shared	To meet our regulatory obligations.
Personal information collected and analyzed concerning a consumer’s health. Specifically, health information related to employee benefits, leave, and accommodations.	Provide services.	Shared	The duration of the employment relationship and to meet our regulatory obligations.

4. OUR PERSONAL INFORMATION HANDLING PRACTICES IN 2023

Category of personal information or sensitive personal information with reference to CCPA definitions

Categories of third parties personal information was disclosed to

Business or commercial purpose for disclosure

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors.

We may share your data with service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes.

To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, but excluding publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(The categories of personal information described in the California Customer Records Act (Cal. Civ. Code § 1798.80(e))

Specifically, name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, or other financial information, medical information, or health insurance information.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Characteristics of protected classifications under California or federal law.

Specifically, gender, marital status, race/ethnicity, gender identity, disability, requests for family care leave, medical leave, pregnancy disability leave, military and veteran status, and age if 40 years or older.

Our service providers, including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, third parties subject to compelled disclosures, and payment processors.

We may share your data with service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, and better understand our employees.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Specifically, records of products or services purchased including those purchased by employees as work-related expenses.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.

Specifically, browsing history, search history, and information regarding a consumer’s interaction with an internet website application or advertisement.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Geolocation data.

Specifically, location information based on IP addresses

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Audio, electronic, visual, thermal, olfactory, or similar information.

Specifically, data relating to Avalara employees’ use of computers, software, networks, communications devices, and other similar systems that we or our affiliates own or make available to you; or you connect to or use for the purposes of providing services to us or our affiliates; and information relating to your activities on our or our affiliates' premises.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Professional or Employment related information.

Specifically, job information, compensation, benefits, contact information, work history.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

Specifically, education history.

We may share your data with service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

A consumer’s social security, driver’s license, state identification card, or passport number.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

Specifically, account log-in, credentials allowing access to an account.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.

Specifically, racial or ethnic origin.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.

Specifically, email messages of Avalara employees.

Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, Avalara affiliates and subsidiaries, and to third parties subject to compelled disclosures.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as technical operations and account management purposes.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Personal information collected and analyzed concerning a consumer’s health.

Specifically, health information related to receiving employee benefits, leaves, and accommodations.

To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes.

To our payment processor, to manage credit card processing.

To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

Avalara collects such information from the following categories of sources:

Directly from You. Avalara may collect personal information when you: inquire about one of our services or purchase our services; send an email to Avalara or start a live chat with us; interact with our website, products or services; register for an event or seminar; download content like white papers; create an account with us; and use our mobile services.
Cookies and Other Technologies. Avalara and its affiliates and trusted third parties may use cookies or other technologies to collect data about your device and activity on our website.
Third Parties, including Service Providers. Avalara may also collect personal data from other sources, including third parties from whom we have purchased data, and we may combine this data with data we already have about you. For example, we may collect personal data from:
- Partners. Avalara may engage in joint marketing activities or event sponsorships with our third-party partners and we may collect personal data about you from these activities. We also allow partners to provide referrals to Avalara of individuals who may be interested in learning more about Avalara’s services.
- Service Providers. Avalara may also engage with third party service providers who help us understand how our customers are using Avalara’s services.

5. COMMITMENT REGARDING DEIDENTIFIED INFORMATION

6. AUTHORIZED AGENT

You can designate an authorized agent to make a request under the CCPA on your behalf if:

The authorized agent is a natural person or a business entity and the agent provides proof that you gave the agent signed permission to submit the request; and
You directly confirm with Avalara that you provided the authorized agent with permission to submit the request.

7. CONTACT FOR MORE INFORMATION

Email address: dataprivacy@avalara.com
Postal address: Avalara, Inc., Attention: General Counsel, 255 S. King Street, Suite 1200, Seattle, WA 98104

Data Subject Rights

Version

Effective March 14th 2024

Download

Individuals residing in the European Economic Area (“EEA”) and the United Kingdom have a number of rights in relation to their personal data processed by Avalara. These are summarized below. Please note that exercising these rights is subject to certain requirements and conditions as set forth in applicable laws. These rights may also be limited in certain circumstances, for example if fulfilling a request would reveal personal information about another person, where they would infringe the rights of another (including Avalara), or if an individual asks us to delete information which we are required by law or have compelling legitimate interests to keep. Relevant exemptions are included, as applicable, in Regulation (EU) 2016/679 (the General Data Protection Regulation, or “GDPR”), the United Kingdom’s retained version of the GDPR as implemented by the Data Protection Act 2018, and applicable local laws. We will inform individuals of any relevant exemptions it on which we rely upon when responding to any request received.

Right of access: You have the right to obtain from Avalara confirmation as to whether your personal data is being processed, and, where that is the case, to request access to your personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.

You have the right to obtain a copy of the personal data undergoing processing. Subject to applicable law, we may charge a reasonable fee for copies, based on administrative costs.
Right to rectification: You have the right to obtain from Avalara the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (to be forgotten): You have the right to ask Avalara to erase your personal data.
Right to restriction of processing: You have the right to request restriction of processing of your personal data, in which case, it would be marked and processed by Avalara only for certain purposes.
Right to data portability: You have the right to receive the personal data that you have provided to Avalara in a structured, commonly used and machine-readable format and you have the right to transmit the personal data to another entity without hindrance from us.
Right to object: You may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by Avalara, and we can be required to no longer process your personal data. If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by Avalara. Exercising this right will not incur any cost. Such a right to object may not exist, in particular, if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.

If you wish to exercise these rights, or if you have questions or complaints regarding this notice, please email us at dataprivacy@avalara.com.

You also have the right to lodge a complaint with the competent supervisory authority for data protection issues.

Retention and Deletion of Personal Data

Avalara and our service providers store the personal data of EEA and UK users for the time necessary to achieve the purposes for which the information is collected, in accordance with applicable data protection laws. When we no longer need to store or use your personal data to comply with contractual, statutory or regulatory obligations to which we are subject (for example, statutory retention periods or if we need it to preserve evidence within legal statutes of limitation) or for other purposes in accordance with applicable law, we will remove it from our systems and records or take steps to properly anonymize it so that you can no longer be identified from it.

EEA and United Kingdom Recruitment Notice

Version

Effective December 10th 2022

Download

Page: /

Please download the PDF to view this document. Download

India Recruitment Notice

Version

Effective March 10th 2023

Download

Page: /

Please download the PDF to view this document. Download

Privacy Notice

Version

Effective May 28th 2024

Download

Last Updated: May 28, 2024

Avalara, Inc., is committed to protecting the privacy of individuals whose personal data we collect (“you” or “your). Avalara may collect personal data from individuals who register to use Avalara’s services, applications, and programs (“Services”), visitors to our website, individuals who request information, prospective customers, and event attendees. This Privacy Notice describes how Avalara and its subsidiaries and affiliated companies (“Avalara” or “we”) collect, use, and disclose personal data, and the choices Avalara offers regarding its collection and use of personal data.

Personal Data Collected

Data collected from you:
Avalara collects personal data directly from you, for instance when you inquire about one of Avalara’s Services or send an email to Avalara, or from your interactions with our website, products or Services. Details include:

Contact details. When you inquire about our Services, register for an event or seminar, download content like white papers, communicate with us by email, or enter a live chat, we may collect your contact details, such as your name, company, address, phone number, fax number, and email address. If your company uses the Services and we provision you an account, we may collect your name, email address, and associated IP address as part of your company's use of the Services.

Account creation. When you create an account with us via our website, we may collect your contact details and a password.

Billing data. When you purchase Services or register to attend an event, we may collect billing and payment information.

Device and usage data. When you use our website or our Services, we may also automatically collect data about your device and about your usage of and activity on our website and Services. For example, we collect your device’s operating system type, IP address, device identifiers, browser type, device type, domain name, access times, and the duration of visit, and other information.

Data from our mobile apps. When you use our mobile Services, we may collect your contact details, the geographic location of the device, the geographic locations you provide to our Services, and geographic areas derived from your IP address. We may also collect information about your invoices such as postal addresses, invoice numbers, exemption certificate numbers, item descriptions, quantities, and amounts.

Chat data. When you start a live chat, Avalara will collect a log about your interaction with Avalara’s chat agents.

Cookies and Other Technologies. When you navigate our website, we may use cookies or other technologies to collect data about your device and activity on our website. For more information about the Cookies and Other Technologies we use, the data we collect and your choices, please click here.

Personal data collected from other sources:

Avalara may also collect personal data from other sources, including third parties from whom we have purchased data, and we may combine this data with data we already have about you. For example, we may collect personal data from:

Partners. Avalara may engage in joint marketing activities or event sponsorships with our third-party partners and we may collect personal data about you from these activities. We also allow partners to provide referrals to Avalara of individuals who may be interested in learning more about Avalara’s Services. We rely on our partners to obtain your permission before sharing your personal data with us.

Service Providers. Avalara may also engage with third party service providers who help us understand how our customers are using Avalara’s Services.

How We Use Your Personal Data

Avalara uses your data to provide you with and improve upon the Services that you or your company requests, to communicate with you, and to advertise to you through third party publishers.

Providing and Improving Avalara’s Services. Avalara uses the data you provide, or data that we collect when you use our Services, to operate our Services, provide you with the Service that you or your company has requested, and to continually improve our Service offerings, internal systems, website, and processes. We may use your data to authenticate your ability to access and use the Services. We also use your data to detect and prevent fraud, protect the security of our website and Services, and enhance the safety of our Services.

We may also use data provided by you or collected by third party service providers or partners on our behalf to troubleshoot or provide customer support.

We may also use your data to plan and host corporate events, including online webinars.

Communicating with you. Avalara’s website allows you to download white papers, fill out forms for more details about our Services, and to engage with us via our chat functionality. You can also register to attend online seminars or in-person events. We use this information to provide you with the material you requested, to follow up with you about your interest in the Services, or to register you for the event you request. We may also use personal data to understand you and your preferences so that we may enhance your experience and send you information about Avalara, our affiliates, and our partners, such as information about promotions or events.

Avalara may also receive personal data from other sources, including third parties from whom we have purchased data, and combine this with the data we already have about you. This helps us to update, expand and analyze our records, identify new customers, and create more tailored advertising to provide products and services that may be of interest to you.

If you follow or like Avalara on third party social media sites, we can see your public profile and may direct advertising to you.

Advertising. We may use data collected via cookies and other technologies to manage our advertising on other sites or to provide you offers or advertisements, including for third-party services, based upon your browsing activities and interests. For more details, please click here.

Legal bases for processing (EEA and UK users). We collect and process information about users based in the European Economic Area (“EEA”) and the United Kingdom (“UK”) where we have a basis to do so under applicable law. Avalara relies on one of the following four legal bases for processing your data:

Contract. When you or your company enter into an agreement with us, we will process your data to fulfill the terms of our contract.
Legitimate interest. We have a legitimate interest in protecting the safety and security of our Services, operating and improving the Services, supporting our customers, marketing and promoting the Services, and protecting our interests.
Consent. In some cases, you will give us consent to use your data for a specific purpose.
Legal obligation. We may be required to process your data to comply with a legal obligation.

EEA and UK users have a number of rights in relation to their personal data processed by Avalara. Individuals residing in the EEA or the UK can review a summary of those rights here.

Why We Share Personal Data

Service Providers. Avalara may share your data with our contracted service providers and vendors so that these service providers and vendors can perform services on our behalf. For example, we use a third-party customer relationship management platform or data analytics platform to organize data and better understand our customers and prospective customers. These service providers are authorized to use your data only as necessary to provide the requested services to us. We may also share personal data with third-party social networking websites, like LinkedIn, for our marketing and advertising on those websites. Unless described in this Privacy Notice, Avalara does not share, sell, rent, or trade any data with third parties for their promotional purposes.

Affiliates and Subsidiaries. We may share your data with our subsidiaries and affiliates (those entities under common control) to provide the Services you request, such as customer support, marketing, technical operations, and account management purposes.

Avalara Partners. Avalara’s extensive partner network provides a broad range of integrations that enable our Services to interconnect with third party software. We may share your data with these partners to support our mutual customers. We may also share your data with our partners who co-sponsor events that you choose to attend.

Billing. Avalara uses a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use billing information except for the sole purpose of credit card processing on our behalf.

Compelled Disclosure. Avalara reserves the right to share your data if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to protect the rights and property of Avalara, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. Finally, we may also need to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

How to Manage Your Personal Data

Communication Preferences. If you have received promotional communications from Avalara via email and would like to opt-out of future communications, you can click on the “unsubscribe” link located on the bottom of the emails message or you can go here. If you unsubscribe from receiving promotional communications, you may still receive transactional messages regarding Service notifications, updates to our terms or Privacy Notice, or our ongoing relationship. To opt out of other forms of communication, you may unsubscribe by contacting us using the information in the “Contacting Us" section below.

Managing personal data. Avalara provides different accounts with varying functionality depending on the Services users access. Avalara accounts generally permit you to update your user settings or profile by logging into the applicable website or Service with your username and password. If you do not have an account but wish to make a request to manage your data, you can contact Avalara using the information in the “Contact Us” section below.

Requests to manage your data will be addressed within a reasonable timeframe. If you are an employee of an Avalara customer, you may also wish to contact your company’s system administrator for assistance in managing your data.

California Privacy Rights

California residents can review Avalara’s California Consumer Privacy Act disclosures here.

International Transfers of Personal Data

Avalara may process and store your data in your region or we may transfer it to the United States or to other countries in which we have affiliates, subsidiaries, or service providers. You can find a list of our global offices here. We may transfer data from the European Economic Area and Switzerland to other countries and, when we do, we use legal mechanisms like contracts to make sure there is an adequate transfer mechanism in place.

Data Controller

Avalara is the data controller for some of the personal data described in this Privacy Notice and is located at 512 S Mangum St #100, Durham, NC 27701. Our telephone number is 1-877-814-9390. If you use Avalara’s Services through your company or organization, then Avalara may be the data processor with respect to your data and your company or organization may be the data controller.

Monitoring of Incoming Emails

All incoming emails sent to Avalara email accounts will be archived and may be scanned by Avalara and/or our external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.

Changes to this Privacy Notice

Avalara reserves the right to change this Privacy Notice. When we make changes to the Privacy Notice, we will update this page and change the "last updated" date above.

Contact Us

If you have any questions or complaints about this Privacy Notice, please email us at dataprivacy@avalara.com.

Effective March 27th 2024 to May 28th 2024

Download

Last Updated: February 14, 2023

Personal Data Collected

Account creation. When you create an account with us via our website, we may collect your contact details and a password.

Billing data. When you purchase Services or register to attend an event, we may collect billing and payment information.

Service Providers. Avalara may also engage with third party service providers who help us understand how our customers are using Avalara’s Services.

How We Use Your Personal Data

Avalara uses your data to provide you with and improve upon the Services that you or your company requests, to communicate with you, and to advertise to you through third party publishers.

We may also use data provided by you or collected by third party service providers or partners on our behalf to troubleshoot or provide customer support.

Contract. When you or your company enter into an agreement with us, we will process your data to fulfill the terms of our contract.
Legitimate interest. We have a legitimate interest in protecting the safety and security of our Services, operating and improving the Services, supporting our customers, marketing and promoting the Services, and protecting our interests.
Consent. In some cases, you will give us consent to use your data for a specific purpose.
Legal obligation. We may be required to process your data to comply with a legal obligation.

EEA and UK users have a number of rights in relation to their personal data processed by Avalara. Individuals residing in the EEA or the UK can review a summary of those rights here.

Why We Share Personal Data

How to Manage Your Personal Data

California Privacy Rights

California residents can review Avalara’s California Consumer Privacy Act disclosures here.

International Transfers of Personal Data

Data Controller

Avalara is the data controller for some of the personal data described in this Privacy Notice and is located at 255 South King Street, Suite 1800, Seattle, Washington 98104. Our telephone number is . If you use Avalara’s Services through your company or organization, then Avalara is the data processor with respect to your data and your company or organization is the data controller.

Monitoring of Incoming Emails

Changes to this Privacy Notice

Avalara reserves the right to change this Privacy Notice. When we make changes to the Privacy Notice, we will update this page and change the "last updated" date above.

Contact Us

If you have any questions or complaints about this Privacy Notice, please email us at dataprivacy@avalara.com.

Effective February 14th 2023 to March 27th 2024

Download

Last Updated: February 14, 2023

Personal Data Collected

Account creation. When you create an account with us via our website, we may collect your contact details and a password.

Billing data. When you purchase Services or register to attend an event, we may collect billing and payment information.

Service Providers. Avalara may also engage with third party service providers who help us understand how our customers are using Avalara’s Services.

How We Use Your Personal Data

Avalara uses your data to provide you with and improve upon the Services that you or your company requests, to communicate with you, and to advertise to you through third party publishers.

We may also use data provided by you or collected by third party service providers or partners on our behalf to troubleshoot or provide customer support.

Contract. When you or your company enter into an agreement with us, we will process your data to fulfill the terms of our contract.
Legitimate interest. We have a legitimate interest in protecting the safety and security of our Services, operating and improving the Services, supporting our customers, marketing and promoting the Services, and protecting our interests.
Consent. In some cases, you will give us consent to use your data for a specific purpose.
Legal obligation. We may be required to process your data to comply with a legal obligation.

EEA and UK users have a number of rights in relation to their personal data processed by Avalara. Individuals residing in the EEA or the UK can review a summary of those rights here.

Why We Share Personal Data

How to Manage Your Personal Data

California Privacy Rights

California residents can review Avalara’s California Consumer Privacy Act disclosures here.

International Transfers of Personal Data

Data Controller

Monitoring of Incoming Emails

Changes to this Privacy Notice

Avalara reserves the right to change this Privacy Notice. When we make changes to the Privacy Notice, we will update this page and change the "last updated" date above.

Contact Us

If you have any questions or complaints about this Privacy Notice, please email us at dataprivacy@avalara.com.

Subprocessors

Version

Effective April 20th 2024

Download

Avalara uses third parties, subprocessors, to provide specific functionality within Avalara’s services. If Customer objects to the addition of a subprocessor, Customer must email legal@avalara.com. Otherwise, continued use of the Services signifies Customer’s acceptance of new subprocessors. The following subprocessors may access and process personal information of Avalara’s customers:

Date Added	Entity Name	Purpose	Entity Control
February 24, 2020	Adobe, Inc.	Tag management system	United States
February 24, 2020	Amazon Web Services, Inc. (AWS)	Cloud-based computing and data hosting services	United States
February 24, 2020	Atlassian Pty Ltd.	Cloud-based project management and collaboration software tools	Australia
June 17, 2022	BigID, Inc.	Data discovery and privacy compliance services	United States
June 17, 2022	Confluent, Inc.	Event data processing and real-time data pipeline engine	United States
June 17, 2022	Content Square, Inc.	Customer experience analytics service	United States
November 1, 2023	Cribl, Inc.	Cloud-based data observability platform	United States
June 17, 2022	Databricks, Inc.	Cloud-based data warehousing	United States
February 24, 2020	FullStory, Inc.	Customer experience analytics service	United States
March 13, 2023	Hex Technologies, Inc.	Application analytics service	United States
September 3, 2021	IDology, Inc.	Age verification service for Avalara Age Verification (an add-on feature to AvaTax for Beverage Alcohol)	United States
February 24, 2020	Microsoft Corporation	Cloud-based and on-premises office productivity tools and a business analytics service	United States
February 10, 2022	Mimecast North America, Inc.	Email security and archiving	United States
April 3, 2020	MongoDB, Inc.	General purpose database platform	United States
April 20, 2024	Monte Carlo Data, Inc.	Application analytics service	United States
February 24, 2020	Okta, Inc.	Cloud-based access management service	United States
February 20, 2024	OwnBackup Inc.	Data backup service	United States
June 21, 2023	Proofpoint, Inc.	Security tool	United States
February 24, 2020	Rapid 7 Ireland Limited	Log management and analytics service	United States
February 24, 2020	Salesforce.com, Inc.	Customer management platform	United States
February 24, 2020	Slack Technologies, Inc.	Communication and productivity software as a service and related technology	United States
June 8, 2020	Snowflake Inc.	Cloud-based data warehousing	United States
February 24, 2020	Splunk, Inc.	Real-time cloud monitoring service	United States
February 24, 2020	Sumo Logic, Inc.	Cloud-based logs and metrics management service	United States
February 24, 2020	Twilio, Inc.	Customer data infrastructure platform	United States
September 17, 2020	Uplevel, Inc.	Data analysis tool relating to Avalara team behavior to maximize effectiveness	United States

Avalara Group Sub-processors

The following entities are subsidiaries or affiliates of Avalara (as Avalara is defined in the Terms). Accordingly, they function as subprocessors when they perform activities to provide the Services. Depending on the geographic location of Customer and the Services provided, Avalara may engage one or more of its subsidiaries or affiliates as subprocessors to deliver some or all of the Services provided to Customer. Avalara subsidiaries or affiliates are as follows:

Entity Name	Country
Avalara, Inc.	United States
AFT France SAS	France
AFT Italy S.r.L.	Italy
Avalara FT Spain SL	Spain
AFTC Fiscal Services UK Ltd	United Kingdom
AFTC, Inc.	United States
AvaFuel LLC	United States
Avalara Brasil – Assessoria e Consultoria Tributária e Tecnológica Ltda	Brazil
Avalara Canada ULC	Canada
Avalara Client Trust	United States
Avalara EU Holdings UK Limited	United Kingdom
Avalara Europe Ltd	United Kingdom
Avalara FT Poland	Polish
Avalara Luxembourg S.a.r.l.	Luxembourg
Avalara Technologies Private Limited	India
EDIGrid Romania	Romania
Impendulo ApS	Denmark
Impendulo BV	Netherlands
Impendulo Hellas Mon. Epe	Greece
Impendulo Lda	Portugal
Impendulo Limited	United Kingdom
Impendulo Limited (CY)	Cyprus
Impendulo Oy	Finland
Impendulo SARL	France
INPOSIA Solutions France	France
INPOSIA Solutions GmbH	Germany
INPOSIA Solutions Italia S.r.L.	Italy
INPOSIA Turkey	Turkey
Transaction Tax Consulting Group, LLC	United States
Transaction Tax Resources, Inc.	United States
VAT Applications NV	Belgium
VAT House Services NV	Belgium

Effective February 20th 2024 to April 20th 2024

Download

Date Added	Entity Name	Purpose	Entity Control
February 24, 2020	Adobe, Inc.	Tag management system	United States
February 24, 2020	Amazon Web Services, Inc. (AWS)	Cloud-based computing and data hosting services	United States
February 24, 2020	Atlassian Pty Ltd.	Cloud-based project management and collaboration software tools	Australia
June 17, 2022	BigID, Inc.	Data discovery and privacy compliance services	United States
June 17, 2022	Confluent, Inc.	Event data processing and real-time data pipeline engine	United States
June 17, 2022	Content Square, Inc.	Customer experience analytics service	United States
November 1, 2023	Cribl, Inc.	Cloud-based data observability platform	United States
June 17, 2022	Databricks, Inc.	Cloud-based data warehousing	United States
February 24, 2020	FullStory, Inc.	Customer experience analytics service	United States
March 13, 2023	Hex Technologies, Inc.	Application analytics service	United States
September 3, 2021	IDology, Inc.	Age verification service for Avalara Age Verification (an add-on feature to AvaTax for Beverage Alcohol)	United States
February 24, 2020	Microsoft Corporation	Cloud-based and on-premises office productivity tools and a business analytics service	United States
February 10, 2022	Mimecast North America, Inc.	Email security and archiving	United States
April 3, 2020	MongoDB, Inc.	General purpose database platform	United States
February 24, 2020	Okta, Inc.	Cloud-based access management service	United States
February 20, 2024	OwnBackup Inc.	Data backup service	United States
June 21, 2023	Proofpoint, Inc.	Security tool	United States
February 24, 2020	Rapid 7 Ireland Limited	Log management and analytics service	United States
February 24, 2020	Salesforce.com, Inc.	Customer management platform	United States
February 24, 2020	Slack Technologies, Inc.	Communication and productivity software as a service and related technology	United States
June 8, 2020	Snowflake Inc.	Cloud-based data warehousing	United States
February 24, 2020	Splunk, Inc.	Real-time cloud monitoring service	United States
February 24, 2020	Sumo Logic, Inc.	Cloud-based logs and metrics management service	United States
February 24, 2020	Twilio, Inc.	Customer data infrastructure platform	United States
September 17, 2020	Uplevel, Inc.	Data analysis tool relating to Avalara team behavior to maximize effectiveness	United States

Avalara Group Sub-processors

Entity Name	Country
Avalara, Inc.	United States
AFT France SAS	France
AFT Italy S.r.L.	Italy
Avalara FT Spain SL	Spain
AFTC Fiscal Services UK Ltd	United Kingdom
AFTC, Inc.	United States
AvaFuel LLC	United States
Avalara Brasil – Assessoria e Consultoria Tributária e Tecnológica Ltda	Brazil
Avalara Canada ULC	Canada
Avalara Client Trust	United States
Avalara EU Holdings UK Limited	United Kingdom
Avalara Europe Ltd	United Kingdom
Avalara FT Poland	Polish
Avalara Luxembourg S.a.r.l.	Luxembourg
Avalara Technologies Private Limited	India
EDIGrid Romania	Romania
Impendulo ApS	Denmark
Impendulo BV	Netherlands
Impendulo Hellas Mon. Epe	Greece
Impendulo Lda	Portugal
Impendulo Limited	United Kingdom
Impendulo Limited (CY)	Cyprus
Impendulo Oy	Finland
Impendulo SARL	France
INPOSIA Solutions France	France
INPOSIA Solutions GmbH	Germany
INPOSIA Solutions Italia S.r.L.	Italy
INPOSIA Turkey	Turkey
Transaction Tax Consulting Group, LLC	United States
Transaction Tax Resources, Inc.	United States
VAT Applications NV	Belgium
VAT House Services NV	Belgium

Effective November 1st 2023 to February 20th 2024

Download

Date Added	Entity Name	Purpose	Entity Control
February 24, 2020	Adobe, Inc.	Tag management system	United States
February 24, 2020	Amazon Web Services, Inc. (AWS)	Cloud-based computing and data hosting services	United States
February 24, 2020	Atlassian Pty Ltd.	Cloud-based project management and collaboration software tools	Australia
June 17, 2022	BigID, Inc.	Data discovery and privacy compliance services	United States
June 17, 2022	Confluent, Inc.	Event data processing and real-time data pipeline engine	United States
June 17, 2022	Content Square, Inc.	Customer experience analytics service	United States
November 1, 2023	Cribl, Inc.	Cloud-based data observability platform	United States
June 17, 2022	Databricks, Inc.	Cloud-based data warehousing	United States
February 24, 2020	FullStory, Inc.	Customer experience analytics service	United States
March 13, 2023	Hex Technologies, Inc.	Application analytics service	United States
September 3, 2021	IDology, Inc.	Age verification service for Avalara Age Verification (an add-on feature to AvaTax for Beverage Alcohol)	United States
February 24, 2020	Microsoft Corporation	Cloud-based and on-premises office productivity tools and a business analytics service	United States
February 10, 2022	Mimecast North America, Inc.	Email security and archiving	United States
April 3, 2020	MongoDB, Inc.	General purpose database platform	United States
February 24, 2020	Okta, Inc.	Cloud-based access management service	United States
June 21, 2023	Proofpoint, Inc.	Security tool	United States
February 24, 2020	Rapid 7 Ireland Limited	Log management and analytics service	United States
February 24, 2020	Salesforce.com, Inc.	Customer management platform	United States
February 24, 2020	Slack Technologies, Inc.	Communication and productivity software as a service and related technology	United States
June 8, 2020	Snowflake Inc.	Cloud-based data warehousing	United States
February 24, 2020	Splunk, Inc.	Real-time cloud monitoring service	United States
February 24, 2020	Sumo Logic, Inc.	Cloud-based logs and metrics management service	United States
February 24, 2020	Twilio, Inc.	Customer data infrastructure platform	United States
September 17, 2020	Uplevel, Inc.	Data analysis tool relating to Avalara team behavior to maximize effectiveness	United States

Avalara Group Sub-processors

Entity Name	Country
Avalara, Inc.	United States
AFT France SAS	France
AFT Italy S.r.L.	Italy
Avalara FT Spain SL	Spain
AFTC Fiscal Services UK Ltd	United Kingdom
AFTC, Inc.	United States
AvaFuel LLC	United States
Avalara Brasil – Assessoria e Consultoria Tributária e Tecnológica Ltda	Brazil
Avalara Canada ULC	Canada
Avalara Client Trust	United States
Avalara EU Holdings UK Limited	United Kingdom
Avalara Europe Ltd	United Kingdom
Avalara FT Poland	Polish
Avalara Luxembourg S.a.r.l.	Luxembourg
Avalara Technologies Private Limited	India
EDIGrid Romania	Romania
Impendulo ApS	Denmark
Impendulo BV	Netherlands
Impendulo Hellas Mon. Epe	Greece
Impendulo Lda	Portugal
Impendulo Limited	United Kingdom
Impendulo Limited (CY)	Cyprus
Impendulo Oy	Finland
Impendulo SARL	France
INPOSIA Solutions France	France
INPOSIA Solutions GmbH	Germany
INPOSIA Solutions Italia S.r.L.	Italy
INPOSIA Turkey	Turkey
Transaction Tax Consulting Group, LLC	United States
Transaction Tax Resources, Inc.	United States
VAT Applications NV	Belgium
VAT House Services NV	Belgium

Effective October 26th 2023 to November 1st 2023

Download

Last updated: June 21, 2023

Date Added	Entity Name	Purpose	Entity Control
February 24, 2020	Adobe, Inc.	Tag management system	United States
February 24, 2020	Amazon Web Services, Inc. (AWS)	Cloud-based computing and data hosting services	United States
February 24, 2020	Atlassian Pty Ltd.	Cloud-based project management and collaboration software tools	Australia
June 17, 2022	BigID, Inc.	Data discovery and privacy compliance services	United States
June 17, 2022	Confluent, Inc.	Event data processing and real-time data pipeline engine	United States
June 17, 2022	Content Square, Inc.	Customer experience analytics service	United States
June 17, 2022	Databricks, Inc.	Cloud-based data warehousing	United States
February 24, 2020	FullStory, Inc.	Customer experience analytics service	United States
March 13, 2023	Hex Technologies, Inc.	Application analytics service	United States
September 3, 2021	IDology, Inc.	Age verification service for Avalara Age Verification (an add-on feature to AvaTax for Beverage Alcohol)	United States
February 24, 2020	Microsoft Corporation	Cloud-based and on-premises office productivity tools and a business analytics service	United States
February 10, 2022	Mimecast North America, Inc.	Email security and archiving	United States
April 3, 2020	MongoDB, Inc.	General purpose database platform	United States
February 24, 2020	Okta, Inc.	Cloud-based access management service	United States
June 21, 2023	Proofpoint, Inc.	Security tool	United States
February 24, 2020	Rapid 7 Ireland Limited	Log management and analytics service	United States
February 24, 2020	Salesforce.com, Inc.	Customer management platform	United States
February 24, 2020	Slack Technologies, Inc.	Communication and productivity software as a service and related technology	United States
June 8, 2020	Snowflake Inc.	Cloud-based data warehousing	United States
February 24, 2020	Splunk, Inc.	Real-time cloud monitoring service	United States
February 24, 2020	Sumo Logic, Inc.	Cloud-based logs and metrics management service	United States
February 24, 2020	Twilio, Inc.	Customer data infrastructure platform	United States
September 17, 2020	Uplevel, Inc.	Data analysis tool relating to Avalara team behavior to maximize effectiveness	United States

Avalara Group Sub-processors

Entity Name	Country
Avalara, Inc.	United States
AFT France SAS	France
AFT Italy S.r.L.	Italy
Avalara FT Spain SL	Spain
AFTC Fiscal Services UK Ltd	United Kingdom
AFTC, Inc.	United States
AvaFuel LLC	United States
Avalara Brasil – Assessoria e Consultoria Tributária e Tecnológica Ltda	Brazil
Avalara Canada ULC	Canada
Avalara Client Trust	United States
Avalara EU Holdings UK Limited	United Kingdom
Avalara Europe Ltd	United Kingdom
Avalara FT Poland	Polish
Avalara Luxembourg S.a.r.l.	Luxembourg
Avalara Technologies Private Limited	India
EDIGrid Romania	Romania
Impendulo ApS	Denmark
Impendulo BV	Netherlands
Impendulo Hellas Mon. Epe	Greece
Impendulo Lda	Portugal
Impendulo Limited	United Kingdom
Impendulo Limited (CY)	Cyprus
Impendulo Oy	Finland
Impendulo SARL	France
INPOSIA Solutions France	France
INPOSIA Solutions GmbH	Germany
INPOSIA Solutions Italia S.r.L.	Italy
INPOSIA Turkey	Turkey
Transaction Tax Consulting Group, LLC	United States
Transaction Tax Resources, Inc.	United States
VAT Applications NV	Belgium
VAT House Services NV	Belgium

United States Recruitment Notice

Version

Effective January 1st 2023

Download

Page: /

Please download the PDF to view this document. Download

Contracts

Data Processing Agreement

Effective September 19th 2024

Table of Contents

Effective November 15th 2023 to September 19th 2024

Table of Contents

Effective November 1st 2023 to November 15th 2023

Table of Contents

Effective October 26th 2023 to November 1st 2023

Table of Contents

Data Privacy FAQ

Effective October 15th 2024

Table of Contents

Effective October 26th 2023 to December 31st 2024

Table of Contents

Avalara Europe Ltd. Services Data Processing Agreement

Effective November 15th 2023

Table of Contents

Effective November 1st 2023 to November 15th 2023

Table of Contents

Effective October 26th 2023 to November 1st 2023

Table of Contents

EXHIBIT 1: SECURITY

Avalara, Inc. Services Data Processing Agreement

Effective October 15th 2024

Table of Contents

Effective November 15th 2023 to October 15th 2024

Table of Contents

Effective November 1st 2023 to November 15th 2023

Table of Contents

Effective October 26th 2023 to November 1st 2023

Table of Contents

Brazil Recruitment Notice

Effective May 30th 2023

Table of Contents

California Consumer Privacy Act Disclosures

Effective April 30th 2024

Table of Contents

Effective January 1st 2024 to April 30th 2024

Table of Contents

Data Subject Rights

Effective March 14th 2024

Table of Contents

Retention and Deletion of Personal Data

EEA and United Kingdom Recruitment Notice

Effective December 10th 2022

Table of Contents

India Recruitment Notice

Effective March 10th 2023

Table of Contents

Privacy Notice

Effective May 28th 2024

Table of Contents

Personal Data Collected

How We Use Your Personal Data

Why We Share Personal Data

How to Manage Your Personal Data

California Privacy Rights

International Transfers of Personal Data

Data Controller

Monitoring of Incoming Emails

Changes to this Privacy Notice

Contact Us

Effective March 27th 2024 to May 28th 2024

Table of Contents

Personal Data Collected

How We Use Your Personal Data

Why We Share Personal Data

How to Manage Your Personal Data

California Privacy Rights

International Transfers of Personal Data

Data Controller

Monitoring of Incoming Emails

Changes to this Privacy Notice

Contact Us

Effective February 14th 2023 to March 27th 2024

Table of Contents

Personal Data Collected

How We Use Your Personal Data

Why We Share Personal Data