AVEVA Data Processing Addendum
This AVEVA Data Processing Addendum (this “Data Processing Addendum”) supplements and is hereby incorporated into and made a part of those certain AVEVA General Terms and Conditions, entered into by and between AVEVA and Customer (the “GTCs”) and therefore the Agreement between AVEVA and the Customer, to which this Data Processing Addendum is attached or included. Capitalized terms used in this Data Processing Addendum without definition shall have the same meanings ascribed to them in the GTCs.
1. DEFINITIONS.
1.1. References to Personal Data, Data Subject, Data Controller, Data Processor, Processing, or Personal Data Breach shall be as defined in equivalent or substantially the same definitions under the Applicable DP Legislation.
1.2. “Applicable DP Legislation” means any applicable laws and regulation in any relevant jurisdiction relating to the data protection, data privacy, use or processing of any Personal Data under this Agreement that apply to a Party, including where applicable: (i) EU Regulation 2018/1725 ("GDPR"); (ii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing such applicable laws and regulation, in each case, as updated, amended or replaced from time to time and (iii) the GDPR as incorporated into law in the United Kingdom pursuant to Section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), or any other statute or statutory provision which modifies, consolidates, re-enacts or supersedes the GDPR following the cessation of application of European Union law to the United Kingdom as a result of the withdrawal of the United Kingdom from the European Union.
1.3. “Customer Personal Data” shall mean the Personal Data that is uploaded into the Products as Customer Content, or which is otherwise Processed by AVEVA as a Data Processor on behalf of Customer or one of its Affiliates as a Data Controller.
1.4. “EU Standard Contractual Clauses” shall mean the standard contractual clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), adopted by the European Commission Decision, or, in respect of data in the United Kingdom, such other clauses approved by any relevant authority in the United Kingdom under the Applicable DP Legislation from time to time.
1.5. “Sub-processor” means any third party engaged by AVEVA (including any AVEVA Affiliate) to process Customer Personal Data on behalf of Customer.
2. DATA PROTECTION.
2.1. Both Parties will comply with their respective obligations under the Applicable DP Legislation as relevant to this Agreement (and where an Affiliate of a Party is the Data Controller or Data Processor, such Party shall procure that its Affiliate complies with the Applicable DP Legislation). This Data Processing Addendum is in addition to, and does not relieve, remove or replace, a Party's obligations under the Applicable DP Legislation.
2.2. The Parties acknowledge that for the purposes of the Applicable DP Legislation, the Customer is the Data Controller and AVEVA is the Data Processor in respect of the Customer Personal Data. Customer shall not require AVEVA to undertake or engage in any processing activity regarding any Personal Data provided by Customer that requires, or would result in, AVEVA acting in the capacity of a Data Controller in respect of the Personal Data. The following sets out the details of the Customer Personal Data and Processing to be undertaken by AVEVA on behalf of Customer.
Processing by AVEVA
Scope: Processing of the Customer Personal Data pursuant to provision of the Products, Services and Support Services.
Nature of Processing: Transfer, storage, hosting and such other processing activities that are required to provide and support the Products, and as otherwise set out in this Agreement or specified by the Customer.
Purpose of Processing: The provision of Products, Services and Support Services to the Customer.
Duration of the Processing: The duration of the TD Term, or as required to make relevant Customer Personal Data available to Customer, or such other period as required by applicable law including Applicable DP Legislation, whichever is longer.
Retention Period: As necessary for performance of obligations under the Agreement or as required by applicable law including Applicable DP Legislation, whichever is longer.
Types of Personal Data: The Customer Personal Data (as defined above) which may include but not be limited to name, email address, phone number and job title.
Categories of Data Subject: The Customer’s customers, employees, suppliers and related third parties.
2.3. Without prejudice to the generality of Section 2.1, the Customer will ensure that it (or its Affiliate) has a legal basis for Processing, including all necessary and appropriate consents and notices, to enable the lawful transfer of the Personal Data to AVEVA for the duration and purposes of this Agreement.
2.4. AVEVA shall process the Customer Personal Data only on the written instructions of the Customer (as detailed in Section 2.2 above and this Agreement) unless AVEVA is otherwise required by applicable laws including Applicable DP Legislation (in which case such Processing shall be carried out upon notice to Customer, where permitted by applicable law). Confirming acceptance to these terms shall constitute the Customer’s written instructions for AVEVA to undertake the Processing detailed in this Agreement and Section 2.2. AVEVA shall not publish, disclose or divulge any Customer Personal Data to any third party (save for Sub-processors appointed pursuant to section 2.7 herein) without the Customer’s prior written consent (such approval not to be unreasonably withheld or delayed), unless communication is required by Applicable DP Legislation or by any court or other authority of competent jurisdiction, provided that and to the extent lawfully permitted before making such communication AVEVA provides notice to the Customer and such communication must not reference the Customer (unless legally required to do so).
2.5. AVEVA shall ensure that it has in place appropriate technical and organizational measures, to protect against unauthorized or unlawful Processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, appropriate and proportionate to the harm that might result from the same, having regard to the state of technological development and the cost of implementing any measures which shall include the measures set out in Appendix A of this Data Processing Addendum.
2.6. AVEVA shall, in relation to any Customer Personal Data Processed in connection with the performance by AVEVA of its obligations under this Agreement:
2.6.1. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
2.6.2. where required under the Applicable DP Legislation, only transfer any Personal Data outside of the country or economic area (as applicable) of residence of the data subjects provided:
2.6.2.1. (i) the Customer has given its prior written consent where required by the Applicable DP Legislation. By signing and entering into the Agreement with AVEVA which incorporates this Data Processing Addendum, the Customer will provide consent to transfer Personal Data outside of the country or economic area of residence of the data subject;
2.6.2.2. (ii) the transfer is to a country in which AVEVA’s Affiliates or a third-party sub-processor (appointed pursuant to section 2.7 herein) operate in; or (iii) where necessary for any redundancy or backup purposes on the basis that AVEVA notifies the Customer of any such additional geographical location not identified in the Transaction Document;
2.6.2.3. Customer may object in writing to a proposed transfer of Customer Personal Data pursuant to clauses 2.6.2.1(ii) or (iii), and shall describe its reasons for the objection, and may request corrective steps to be taken;
2.6.2.4. if the Customer objects to the transfer of Customer Personal Data, AVEVA shall use its best efforts to address the objection through one of the following options (to be selected at AVEVA’s sole discretion): (i) AVEVA will abort its plans to transfer the Customer Personal Data; or (ii) AVEVA will take the corrective steps requested by the Customer in its objection (which removes the Customer’s objection) and proceed to transfer the Customer Personal Data. If AVEVA is unable to address the objection through such means, AVEVA may cease to provide, or the Customer may agree not to use (temporarily or permanently), the particular aspect of the Service or Product that would involve the transfer of the Customer Personal Data. Termination rights, as applicable and agreed in this Agreement, shall apply accordingly; and
2.6.2.5. Customer acknowledges that AVEVA and its Sub-processors may maintain data processing operations in countries that are outside of the country or economic area of residence of the data subject. To the extent that AVEVA processes on behalf of Customer any Customer Personal Data subject to the GDPR in a country that has not received a finding of adequacy by the European Commission, AVEVA agrees to process such data as a “data importer” in compliance with the Standard Contractual Clauses (with Customer and/or its Affiliates as the “data exporter”);
2.6.3. taking into account the nature of the Processing and the information available to AVEVA, assist the Customer, at the Customer's cost, in responding to any request from a Data Subject under Applicable DP Legislation and in ensuring compliance with its obligations under the Applicable DP Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, as applicable;
2.6.4. notify the Customer without undue delay on becoming aware of a Personal Data Breach;
2.6.5. on termination of the Agreement, delete or return Customer Personal Data and copies thereof to the Customer unless required by applicable law including Applicable DP Legislation to continue to store the Customer Personal Data (in which case AVEVA shall retain the same as required by applicable law and its confidentiality obligation under this Agreement) for the Retention Period; and
2.6.6. make available to the Customer all information necessary to demonstrate AVEVA’s compliance with its obligations under this Section 2.6 and, subject to AVEVA’s reasonable security procedures, business and operational requirements and AVEVA’s confidentiality obligations, allow for audits, including inspections, conducted by the Customer, its supervisory authority or regulator, at Customer’s own cost and expense, upon Customer giving AVEVA prior written notice of no less than thirty (30) days of its intent to conduct such audit or inspection. For the avoidance of doubt, such audit and inspection shall only be for the purposes of determining AVEVA’s compliance with its obligations under this Data Processing Addendum.
2.7. The Customer hereby consents to AVEVA appointing third-party sub-processors of Customer Personal Data under this Agreement (“Sub-processors”), provided that:
2.7.1. (i) the Customer has provided its prior written consent for appointment of such Sub-processor; or (ii) the Sub-processor is an Affiliate of AVEVA or is identified in AVEVA’s list of Sub-processors as specified at https://www.aveva.com/en/legal/trust/data-processing/ and as updated by AVEVA from time to time and notified to the Customer;
2.7.2. The Customer may object in writing to use of a Sub-processor, and shall describe its reasons for the objection, and may request corrective steps to be taken;
2.7.3. If the Customer objects to the use of a Sub-processor, AVEVA shall use its best efforts to address the objection through one of the following options (to be selected at AVEVA’s sole discretion): (i) AVEVA will abort its plans to use the Sub-processor for the processing of Customer Personal Data; or (ii) AVEVA will take the corrective steps requested by the Customer in its objection (which removes the Customer’s objection) and proceed to use the Sub-processor for the processing of Customer Personal Data. If AVEVA is unable to address the objection through such means, AVEVA may cease to provide, or the Customer may agree not to use (temporarily or permanently), the particular aspect of the Service or Product that would involve the use of the Sub-processor for the processing of Customer Personal Data. Termination rights, as applicable and agreed in this Agreement, shall apply accordingly; and
2.7.4. AVEVA has entered into, or (as the case may be) will enter into with the third-party sub-processor a written agreement incorporating terms which are substantially similar to those set out in this Data Processing Addendum. AVEVA acknowledges and agrees that it remains liable to the Customer for any breach of the terms of this Data Processing Addendum by any Sub-processor.
Appendix A (Information Security of Customer Personal Data)
AVEVA shall exercise reasonable efforts to implement the following measures in connection with information security of Customer Personal Data:
a) backing-up the Customer Personal Data at regular intervals;
b) ensuring that AVEVA is able, at all times, to restore lost or damaged Customer Personal Data from the latest back-up;
c) not using the Customer Personal Data except as required for the performance of its obligations under the Agreement;
d) upon Customer’s written request, granting Customer access to annual SSAE 18 SOC 2/ISAE 3402 SOC (Type II) reports in respect of specific Software supplied under the Agreement (where stated to be available for that Software in the applicable Transaction Document or Software Schedule) addressing the data security requirements stated in this Data Processing Addendum;
e) complying with information management procedures and safeguards based on Good Industry Practice, including those concerning the security of the Customer Personal Data. For the purpose of this Data Processing Addendum, “Good Industry Practice” means that degree of skill, care and prudence which would ordinarily be expected of a skilled and experienced supplier of software products and services of the same or a similar nature to the Products, Services and Support Services;
f) maintaining and enforcing safeguards against the destruction, loss, or alteration of Customer Personal Data that are no less rigorous than those maintained by AVEVA for its own information of a similar nature or that otherwise comply with Good Industry Practice;
g) in the event of any destruction, loss, or reduction in the accessibility or usability of Customer Personal Data, which is caused by AVEVA, at AVEVA’s own cost, restoring such data using Good Industry Practice data restoration techniques;
h) taking all necessary precautions, in accordance with Good Industry Practice, to prevent any Malicious Code (as defined in the Software and Support Addendum) affecting the Products or Services and the Customer Personal Data, including but not limited to using the latest versions of anti-virus software (including latest definitions and updates) available from an industry accepted anti-virus software vendor to check for and delete Malicious Code;
i) notifying the Customer as soon as practicable upon becoming aware of any Security Incident and providing the Customer with a detailed description of the Security Incident, the type of Customer Personal Data that is the subject of the Security Incident, the identity of any affected individuals and all other information and cooperation which the Customer may reasonably request. For the purpose of this Data Processing Addendum, “Security Incident” shall mean any incident resulting in loss, destruction or material alteration of Customer Personal Data, or unauthorized third-party access to Customer Personal Data;
j) taking immediate action, at AVEVA’s own cost, to investigate any Security Incident, to identify, prevent and mitigate the effects of such Security Incident and, with the Customer’s prior agreement, to carry out any recovery or other action necessary to remedy the Security Incident. AVEVA must ensure that any such recovery or other action does not compromise any technical information or artefacts (including, for example, logs) which would reasonably be required by the Customer to understand the Security Incident, mitigate its effects and/or prevent its recurrence;
k) not issuing, publishing or otherwise making available to any third party any press release or other communication concerning a Security Incident without the Customer's prior approval (such approval not to be unreasonably withheld or delayed), unless communication is required by Applicable DP Legislation or by any court or other authority of competent jurisdiction provided that before making such communication AVEVA to the extent lawful provides notice to the Customer that it will be making such communication and such communication must not reference the Customer (unless legally required to do so);
l) using data centres where Customer Personal Data is stored, accessed or otherwise processed in accordance with Good Industry Practice;
m) keeping any Customer Personal Data in electronic form logically separated from any information, data or material of any third party;
n) ensuring that access to the Products, Services and Customer Personal Data by AVEVA’s personnel is restricted on a strict need-to-know basis and that all AVEVA’s personnel who are granted such access have completed appropriate security training; and
o) performing continuous service improvement and continuous monitoring of the Services including but not limited to conducting annual ethical hacking and penetration testing of the security of AVEVA’s systems used in connection with the provision of the Products and Services and promptly rectifying any security vulnerabilities identified by such testing.