Contracts
- Data Processing Agreement
- Data Privacy FAQ
- Avalara Europe Ltd. Services Data Processing Agreement
- Avalara, Inc. Services Data Processing Agreement
- Brazil Recruitment Notice
- California Consumer Privacy Act Disclosures
- Data Subject Rights
- EEA and United Kingdom Recruitment Notice
- India Recruitment Notice
- Privacy Notice
- Subprocessors
- United States Recruitment Notice
Data Processing Agreement
Effective September 19th 2024
DownloadTable of Contents
Avalara Contracting Entity | DPA |
---|---|
Avalara Europe Ltd. | *Executed version here. |
Avalara, Inc. | *Executed version here. |
Effective November 15th 2023 to September 19th 2024
DownloadTable of Contents
Avalara Contracting Entity | DPA |
---|---|
Avalara Europe Ltd. | *Executed version here. |
Avalara, Inc. | *Executed version here. |
Effective November 1st 2023 to November 15th 2023
DownloadTable of Contents
Avalara Contracting Entity | DPA |
---|---|
Avalara Europe Ltd. | *Executed version here. |
Avalara, Inc. | *Executed version here. |
Effective October 26th 2023 to November 1st 2023
DownloadTable of Contents
Avalara Contracting Entity | DPA |
---|---|
Avalara Europe Ltd. | *Executed Version here. |
Avalara, Inc. | *Executed Version here. |
Data Privacy FAQ
Effective October 26th 2023
DownloadTable of Contents
Avalara Europe Ltd. Services Data Processing Agreement
Effective November 15th 2023
DownloadTable of Contents
- Except as amended by this DPA, the Contract will remain in full force and effect.
- To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
- This DPA will automatically expire on the termination or expiration of the Contract.
- Control and Ownership. Customer owns and controls all Services Data. Services Data is disclosed by Customer to Avalara only for the limited and specified business purposes of assisting Customer in complying with tax and financial obligations. Avalara does not use, retain, or disclose Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated.
- Security. Avalara applies technical, administrative and organisational data security measures that meet or exceed the requirements described in Exhibit 1 (Security). Avalara may update and modify Exhibit 1 from time to time, provided that Avalara shall not materially reduce the level of security provided thereunder, except with Customer’s consent.
- Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara and (b) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.
- Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers. This includes a right for Customer to take reasonable and appropriate steps to help ensure that Avalara uses the Services Data in a manner consistent with Customer's legal obligations and the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Services Data
- Notify Breaches. Avalara notifies Customer of unauthorised access to Services Data and other security breaches as required by applicable law.
- No Information Selling or Sharing for Cross‐Context Behavioral Advertising; Compliance with the CCPA. Avalara does not accept or disclose any Services Data as consideration for any payments, services, or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers or contractors under the CCPA. Avalara will comply with the obligations on service providers under the CCPA and provide the same level of privacy protections required of Customer under the CCPA. If Avalara determines it can no longer meet its obligations under the CCPA or its implementing regulations, it will notify Customer. Avalara understands the restrictions in this Section 6 and certifies it will comply with the same. If Avalara receives deidentified Services Data, Avalara will not attempt to reidentify the information except as permitted by the CCPA .
- Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other jurisdictions as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara
- processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
- ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- takes all measures required pursuant to Article 32 of the GDPR (security of processing);
- respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
- taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
- assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
- Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA here or at https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhCV_CIBj5a1as7z3LRaE7FGGqhHIxcUIjcIf_NosDnnyU3iUwU0Zt1GwhoPnVcBSuQ*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.
- Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:
Email: DataPrivacy@avalara.com
Attn: Legal Department
Avalara Europe Ltd.
Lanchester House
3rd Floor
Trafalgar Place
Brighton BN1 4FU
United Kingdom
- Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorised access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
- Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
- Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
- Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
- Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
- Avalara maintains network zones and applies ingress and egress standards for the protection of data.
- Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
- Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
- Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
- Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
- Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
- Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
- Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
- Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
- Avalara maintains an incident response program to detect, analyse, prioritise, and handle cyber security events and incidents to prevent, detect, and deter the unauthorised access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
- Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
- Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
- Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
- Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
- Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorised individuals.
- Avalara has established logical separation between production and lower environments.
- Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
- All Avalara personnel must undergo the mandatory security awareness training at least annually.
- The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
- The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
- The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
- The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organisation's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
- Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.
Effective November 1st 2023 to November 15th 2023
DownloadTable of Contents
- Except as amended by this DPA, the Contract will remain in full force and effect.
- To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
- This DPA will automatically expire on the termination or expiration of the Contract.
- Control and Ownership. Customer owns and controls all Services Data. Services Data is disclosed by Customer to Avalara only for the limited and specified business purposes of assisting Customer in complying with tax and financial obligations. Avalara does not use, retain, or disclose Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated.
- Security. Avalara applies technical, administrative and organisational data security measures that meet or exceed the requirements described in Exhibit 1 (“Security”). Avalara may update and modify Exhibit 1 from time to time, provided that Avalara shall not materially reduce the level of security provided thereunder, except with Customer’s consent.
- Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara, (b) make available to Customer all information necessary to demonstrate compliance with any mandatory privacy laws imposed on Customer or to conduct or document data protection assessments required by such laws, and (c) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.
- Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers. This includes a right for Customer to take reasonable and appropriate steps to help ensure that Avalara uses the Services Data in a manner consistent with Customer's legal obligations and the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Services Data
- Notify Breaches. Avalara notifies Customer of unauthorised access to Services Data and other security breaches as required by applicable law.
- No Information Selling or Sharing for Cross‐Context Behavioral Advertising; Compliance with the CCPA. Avalara does not accept or disclose any Services Data as consideration for any payments, services, or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA.
- Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other jurisdictions as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara
- processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
- (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (c) takes all measures required pursuant to Article 32 of the GDPR (security of processing);
- (d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
- (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
- (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
- (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
- Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA here or at https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhCV_CIBj5a1as7z3LRaE7FGGqhHIxcUIjcIf_NosDnnyU3iUwU0Zt1GwhoPnVcBSuQ*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.
- Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:
Email: DataPrivacy@avalara.com
Attn: Legal Department
Avalara Europe Ltd.
Lanchester House
3rd Floor
Trafalgar Place
Brighton BN1 4FU
United Kingdom
- Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorised access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
- Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
- Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
- Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
- Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
- Avalara maintains network zones and applies ingress and egress standards for the protection of data.
- Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
- Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
- Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
- Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
- Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
- Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
- Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
- Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
- Avalara maintains an incident response program to detect, analyse, prioritise, and handle cyber security events and incidents to prevent, detect, and deter the unauthorised access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
- Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
- Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
- Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
- Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
- Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorised individuals.
- Avalara has established logical separation between production and lower environments.
- Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
- All Avalara personnel must undergo the mandatory security awareness training at least annually.
- The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
- The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
- The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
- The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organisation's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
- Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.
Effective October 26th 2023 to November 1st 2023
DownloadTable of Contents
- Except as amended by this DPA, the Contract will remain in full force and effect.
- To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
- This DPA will automatically expire on the termination or expiration of the Contract.
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32 of the GDPR (security of processing);
(d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Attn: Legal Department
Avalara Europe Ltd.
Lanchester House
3rd Floor
Trafalgar Place
Brighton BN1 4FU
United Kingdom
EXHIBIT 1: SECURITY
- Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorised access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
- Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
- Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
- Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
- Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
- Avalara maintains network zones and applies ingress and egress standards for the protection of data.
- Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
- Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
- Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
- Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
- Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
- Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
- Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
- Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
- Avalara maintains an incident response program to detect, analyse, prioritise, and handle cyber security events and incidents to prevent, detect, and deter the unauthorised access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
- Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
- Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
- Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
- Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
- Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorised individuals.
- Avalara has established logical separation between production and lower environments.
- Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
- All Avalara personnel must undergo the mandatory security awareness training at least annually.
- The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
- The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
- The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
- The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organisation's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
- Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.
Avalara, Inc. Services Data Processing Agreement
Effective November 15th 2023
DownloadTable of Contents
This Avalara, Inc. Services Data Processing Agreement (“DPA”) is incorporated into the Contract between Avalara, Inc. (“Avalara” or “us” or “our”) and Customer. If a provision of this DPA conflicts with a provision of the Contract, the provision in this DPA governs. Capitalized terms used and not otherwise defined in this DPA have the meanings provided in the Contract.
- Except as amended by this DPA, the Contract will remain in full force and effect.
- To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
- This DPA will automatically expire on the termination or expiration of the Contract.
Avalara serves enterprises, public sector entities and other organizations (“Customer”) and protects Services Data in compliance with the terms of this DPA. “Services Data” means personal data relating to named or identifiable individuals that Customer’s authorized users (“Authorized Users”) provide in compliance with applicable law and our applicable service agreements or other commercial contract terms (“Contract”) when Customer uses our service offerings and related data processing services as described in our data sheets, service specifications, and other technical documentation, as amended from time to time (“Services”).
- Control and Ownership. Customer owns and controls all Services Data. Services Data is disclosed by Customer to Avalara only for the limited and specified business purposes of assisting Customer in complying with tax and financial obligations. Avalara does not use, retain, or disclose Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated, subject to applicable law.
- Security. Avalara applies technical, administrative and organizational data security measures that meet or exceed the requirements described in Avalara’s Technical and Organisational Measures in Exhibit 1, Annex II (“TOMs”). Avalara may update and modify its TOMs from time to time, provided that Avalara shall not materially reduce the level of security provided thereunder, except with Customer’s consent.
- Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara and (b) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.
- Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers. This includes a right for Customer to take reasonable and appropriate steps to help ensure that Avalara uses the Services Data in a manner consistent with Customer's legal obligations and the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Services Data.
- Notify Breaches. Avalara notifies Customer of unauthorized access to Services Data and other security breaches as required by applicable law.
- No Information Selling or Sharing for Cross‐Context Behavioral Advertising; Compliance with the CCPA. Avalara does not accept or disclose any Services Data as consideration for any payments, services or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers or contractors under the CCPA. Avalara will comply with the obligations on service providers under the CCPA and provide the same level of privacy protections required of Customer under the CCPA. If Avalara determines it can no longer meet its obligations under the CCPA or its implementing regulations, it will notify Customer. Avalara understands the restrictions in this Section 6 and certifies it will comply with the same. If Avalara receives deidentified Services Data, Avalara will not attempt to reidentify the information except as permitted by the CCPA.
- Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other jurisdictions as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara:
- processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
- ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- takes all measures required pursuant to Article 32 of the GDPR (security of processing);
- respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
- taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
- assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
- EU Standard Contractual Clauses: For Services Data that is subject to the GDPR, Avalara complies with the EU Standard Contractual Clauses for international transfers in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (EU SCCs) for the transfer of personal data outside the European Economic Area (EEA), Modules 1-3 as noted below, in Exhibit 1. Under such EU SCCs, Customer will act as data exporter. Customer may be based within or outside the EEA. Customer may receive personal data from the EEA as a controller and as a processor under separate agreements. Avalara is based outside the EEA, acts as data importer, provides services to data exporter under separate commercial agreement(s) and agrees to the EU SCCs as a processor or sub-processor under Modules 2 and 3. Data exporter will provide all relevant instructions under Module 2 (as the controller) and under Module 3 (on the controller’s behalf). Customer instruct Avalara to provide Avalara’s standard services as described in Avalara’s commercial terms and service descriptions. For limited business contact information concerning individual representatives who provide instructions to Avalara, Avalara agrees to the EU SCCs as a controller under Module 1.
- Switzerland: For transfers of Services Data from Switzerland, Avalara agrees to the EU SCCs as set out in Section 8 subject to the following amendments: The Federal Data Protection and Information Commissioner is the competent supervisory authority in so far as the data transfer falls under Swiss law. Switzerland is also to be considered as a Member State within the meaning of the EU SCCs so that data subjects can file claims according to clause 18c of the EU SCCs at their habitual residence in Switzerland. Until the revised Swiss Federal Act on Data Protection enters into force that does no longer protect data of legal persons but only data of natural persons, the EU SCCs also applies to data of legal persons.
- United Kingdom: With respect to transfers of Services Data from the United Kingdom of Great Britain and Northern Ireland to countries not deemed to have adequate data protection regimes under all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom of Great Britain and Northern Ireland, Avalara agrees to the EU SCCs as set out in Section 8 and the International Data Transfer Addendum to the EU SCCs in Exhibit 2. Any conflicts between the EU SCCs and the International Data Transfer Addendum to the EU SCCs shall be resolved as provided in the International Data Transfer Addendum to the EU SCCs.
- Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA at here or https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhDjdoPrd_VbexJ4FZiqWiIRPUfxmjUSdJ4zZrK0UtHVNV_5dy9HD28JAMepyhq1bw8*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.
- Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:
Email: DataPrivacy@avalara.com
Attn: Legal Department
Avalara, Inc.
Suite 1800
255 South King Street
Seattle, WA 98104, USA
Exhibit 1
The EU SCCs, modules 1-3, available at Standard Contractual Clauses (SCC) | European Commission (europa.eu) or on a successor website designated by the EU commission, are incorporated herein by reference. Customer will provide all instructions under these EU SCCs as the controller and on the controller’s behalf.
Where the EU SCCs require that the parties make an election, the parties make the elections reflected below. Any optional clauses in the EU SCCs not expressly selected below are omitted from this DPA.
- for purposes of Clause 9 of the EU SCCs, Option 2 (‘General authorization’) shall apply and Avalara shall inform customer in writing of any intended changes to sub-processors at least 30 days in advance;
- in Clause 11 (a) of the EU SCCs, the optional language shall be deleted; and
- for purposes of Clause 17 and Clause 18 of the EU SCCs, the Member State for purposes of governing law, forum and jurisdiction shall be Luxembourg.
Annex I
A. LIST OF PARTIES
For purposes of Annex 1.A (List of Parties) of the EU SCCs: (i) Avalara processes personal data to provide Services to Customer and Avalara shall be the ‘data importer’; and (ii) Customer shall be the ‘data exporter’. Avalara can be contacted through the Avalara Global Privacy Office at dataprivacy@avalara.com. Customer provides personal data to Avalara to obtain Avalara’s Services and can be contacted through the contact information provided by Customer to Avalara.
B. DESCRIPTION OF TRANSFER
For the details of the processing of personal data required for Annex 1.B of the EU SCCs, see below:
MODULE ONE: Transfer controller to controller
Categories of data subjects whose personal data is transferred
Individual employees and representatives of data exporter who instruct data importer, send purchase orders, process invoices, arrange for payment, make support calls, use data importer's services, and otherwise do business with data importer.
Categories of personal data transferred
Business contact information, service usage, payment status and other information relating to how data exporter uses data importer's services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
Sensitive data is not transferred on a controller-to-controller basis.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.
Nature of the processing
Data importer uses data as a controller to do business with data exporter, sell services, issue invoices, provide technical support, perform services, address customer questions, improve services and develop new services and offerings.
Purpose(s) of the data transfer and further processing
Communications and business collaboration between data exporter and data importer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of the contract and so long as data importer markets additional services to data exporter.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Same as above.
MODULE TWO AND THREE: Transfer controller and processor to processor
Categories | Tax Calculation | Return Preparation | Tax Identification Registration | Fiscal Representation | Document Management |
Categories of data subjects whose personal data is transferred | Customer’s customers | Customer if it is a sole traders/proprietor using personal contact information for its business; Customer’s Authorized Users | Customer’s owners and directors | Customer’s owners and directors | Customer’s contact details; Customer’s customers |
Categories of personal data transferred | Delivery addresses, tax identifiers for sole traders/proprietorships, names, access credentials | Tax identifier for sole traders/proprietorship, names and contact details, access credentials for Authorized Users | Names and contact details of owners and directors as required by regulatory authorities, including proof of identification and date of birth | Names and contact details, proof of identification, tax identifiers for sole traders/proprietorships | Names and contact details, tax identifiers for sole traders/proprietorships |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | None | None | Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls | Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls | None |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services. | ||||
Nature of the processing | Calculating various types of tax | Preparing and filing tax returns | Registering Customer to collect and remit various tax types | Providing Fiscal Representation services | Using and managing tax related documents |
Purpose(s) of the data transfer and further processing | Assist Customer in complying with tax obligations | Assist Customer in complying with tax obligations | Assist Customer in complying with tax obligations | Assist Customer in complying with tax and financial obligations | Assist Customer in complying with tax obligations |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | Unless deletion is requested by the controller, the data will be processed until the end of applicable tax or regulatory audit periods. | ||||
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | Processor uses subprocessors for certain hosting, support, logging, monitoring, warehousing, infrastructure, and analytics purposes |
C. COMPETENT SUPERVISORY AUTHORITY
For purposes of Clause 13 and Annex 1.C of the EU SCCs, where no competent supervisory authority is identified through the rules of such Clause 13, the competent supervisory authority is the authority in Luxembourg.
Annex II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
For the purposes of Annex 2 of the EU SCCs, the technical and organizational measures implemented by Avalara are as described below.
Avalara maintains the following technical and organization measures:
- Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorized access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
- Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
- Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
- Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
- Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
- Avalara maintains network zones and applies ingress and egress standards for the protection of data.
- Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
- Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
- Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
- Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
- Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
- Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
- Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
- Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
- Avalara maintains an incident response program to detect, analyze, prioritize, and handle cyber security events and incidents to prevent, detect, and deter the unauthorized access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
- Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
- Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
- Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
- Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
- Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorized individuals.
- Avalara has established logical separation between production and lower environments.
- Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
- All Avalara personnel must undergo the mandatory security awareness training at least annually.
- The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
- The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
- The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
- The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organization's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
- Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.
Annex III
LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
The controller has provided general authorisation for the engagement of subprocessors from an agreed list, available at Subprocessors (avalara.com).
Exhibit 2
The International Data Transfer Addendum to the EU SCCs (“UK addendum”), available at International data transfer agreement and guidance | ICO or on a successor website designated by the UK ICO, are incorporated herein by reference.
The parties are as reflected in the signature block to this DPA.
The parties select the version of the approved EU SCCs referenced in section 8 of this DPA including the appendix information which is as described in Exhibit 1.
The appendix information in table 3 of the UK addendum is as set out in the annexes to the EU SCCs in Exhibit 1.
The list of sub processors is as provided at Subprocessors (avalara.com).
Either party may end the UK addendum as set out in section 19 of the same.
Effective November 1st 2023 to November 15th 2023
DownloadTable of Contents
This Avalara, Inc. Services Data Processing Agreement (“DPA”) is incorporated into the Contract between Avalara, Inc. (“Avalara” or “us” or “our”) and Customer. If a provision of this DPA conflicts with a provision of the Contract, the provision in this DPA governs. Capitalized terms used and not otherwise defined in this DPA have the meanings provided in the Contract.
- Except as amended by this DPA, the Contract will remain in full force and effect.
- To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
- This DPA will automatically expire on the termination or expiration of the Contract.
Avalara serves enterprises, public sector entities and other organizations (“Customer”) and protects Services Data in compliance with the terms of this DPA. “Services Data” means personal data relating to named or identifiable individuals that Customer’s authorized users (“Authorized Users”) provide in compliance with applicable law and our applicable service agreements or other commercial contract terms (“Contract”) when Customer uses our service offerings and related data processing services as described in our data sheets, service specifications, and other technical documentation, as amended from time to time (“Services”).
- Control and Ownership. Customer owns and controls all Services Data. Services Data is disclosed by Customer to Avalara only for the limited and specified business purposes of assisting Customer in complying with tax and financial obligations. Avalara does not use, retain, or disclose Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Avalara returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated, subject to applicable law.
- Security. Avalara applies technical, administrative and organizational data security measures that meet or exceed the requirements described in Avalara’s Technical and Organisational Measures in Exhibit 1, Annex II (“TOMs”). Avalara may update and modify its TOMs from time to time, provided that Avalara shall not materially reduce the level of security provided thereunder, except with Customer’s consent.
- Cooperation with Compliance Obligations. At Customer’s reasonable request, Avalara will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Avalara, (b) make available to Customer all information necessary to demonstrate compliance with any mandatory privacy laws imposed on Customer or to conduct or document data protection assessments required by such laws, and (c) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Avalara in its role as service provider or that Customer specifically explains and assigns to Avalara in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Avalara’s products due to changes in law or technology, Avalara shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.
- Submit to Audits. Avalara submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers. This includes a right for Customer to take reasonable and appropriate steps to help ensure that Avalara uses the Services Data in a manner consistent with Customer's legal obligations and the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Services Data.
- Notify Breaches. Avalara notifies Customer of unauthorized access to Services Data and other security breaches as required by applicable law.
- No Information Selling or Sharing for Cross‐Context Behavioral Advertising; Compliance with the CCPA. Avalara does not accept or disclose any Services Data as consideration for any payments, services or other items of value. Avalara does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Avalara processes Services Data only for the business purposes specified in the written Contract. Avalara does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Avalara does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers or contractors under the CCPA. Avalara will comply with the obligations on service providers under the CCPA and provide the same level of privacy protections required of Customer under the CCPA. If Avalara determines it can no longer meet its obligations under the CCPA or its implementing regulations, it will notify Customer. Avalara understands the restrictions in this section 6 and certifies it will comply with the same. If Avalara receives deidentified Services Data, Avalara will not attempt to reidentify the information except as permitted by the CCPA.
- Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other jurisdictions as "personal data," Avalara accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Avalara:
- processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
- ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- takes all measures required pursuant to Article 32 of the GDPR (security of processing);
- respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
- taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
- assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
- EU Standard Contractual Clauses: For Services Data that is subject to the GDPR, Avalara complies with the EU Standard Contractual Clauses for international transfers in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (EU SCCs) for the transfer of personal data outside the European Economic Area (EEA), Modules 1-3 as noted below, in Exhibit 1. Under such EU SCCs, Customer will act as data exporter. Customer may be based within or outside the EEA. Customer may receive personal data from the EEA as a controller and as a processor under separate agreements. Avalara is based outside the EEA, acts as data importer, provides services to data exporter under separate commercial agreement(s) and agrees to the EU SCCs as a processor or sub-processor under Modules 2 and 3. Data exporter will provide all relevant instructions under Module 2 (as the controller) and under Module 3 (on the controller’s behalf). Customer instruct Avalara to provide Avalara’s standard services as described in Avalara’s commercial terms and service descriptions. For limited business contact information concerning individual representatives who provide instructions to Avalara, Avalara agrees to the EU SCCs as a controller under Module 1.
- Switzerland: For transfers of Services Data from Switzerland, Avalara agrees to the EU SCCs as set out in Section 8 subject to the following amendments: The Federal Data Protection and Information Commissioner is the competent supervisory authority in so far as the data transfer falls under Swiss law. Switzerland is also to be considered as a Member State within the meaning of the EU SCCs so that data subjects can file claims according to clause 18c of the EU SCCs at their habitual residence in Switzerland. Until the revised Swiss Federal Act on Data Protection enters into force that does no longer protect data of legal persons but only data of natural persons, the EU SCCs also applies to data of legal persons.
- United Kingdom: With respect to transfers of Services Data from the United Kingdom of Great Britain and Northern Ireland to countries not deemed to have adequate data protection regimes under all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom of Great Britain and Northern Ireland, Avalara agrees to the EU SCCs as set out in Section 8 and the International Data Transfer Addendum to the EU SCCs in Exhibit 2. Any conflicts between the EU SCCs and the International Data Transfer Addendum to the EU SCCs shall be resolved as provided in the International Data Transfer Addendum to the EU SCCs.
- Integration. This DPA is binding after a Contract has been signed between Avalara and Customer, and Customer may collect a signed copy of this DPA at here or https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhDjdoPrd_VbexJ4FZiqWiIRPUfxmjUSdJ4zZrK0UtHVNV_5dy9HD28JAMepyhq1bw8*. This DPA shall not create third party beneficiary rights. Avalara does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.
- Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:
Email: DataPrivacy@avalara.com
Attn: Legal Department
Avalara, Inc.
Suite 1800
255 South King Street
Seattle, WA 98104, USA
Exhibit 1
STANDARD CONTRACTUAL CLAUSES
The EU SCCs, modules 1-3, available at Standard Contractual Clauses (SCC) | European Commission (europa.eu) or on a successor website designated by the EU commission, are incorporated herein by reference. Customer will provide all instructions under these EU SCCs as the controller and on the controller’s behalf.
Where the EU SCCs require that the parties make an election, the parties make the elections reflected below. Any optional clauses in the EU SCCs not expressly selected below are omitted from this DPA.
- for purposes of Clause 9 of the EU SCCs, Option 2 (‘General authorization’) shall apply and Avalara shall inform customer in writing of any intended changes to sub-processors at least 30 days in advance;
- in Clause 11 (a) of the EU SCCs, the optional language shall be deleted; and
- for purposes of Clause 17 and Clause 18 of the EU SCCs, the Member State for purposes of governing law, forum and jurisdiction shall be Luxembourg.
Annex I
A. LIST OF PARTIES
For purposes of Annex 1.A (List of Parties) of the EU SCCs: (i) Avalara processes personal data to provide Services to Customer and Avalara shall be the ‘data importer’; and (ii) Customer shall be the ‘data exporter’. Avalara can be contacted through the Avalara Global Privacy Office at dataprivacy@avalara.com. Customer provides personal data to Avalara to obtain Avalara’s Services and can be contacted through the contact information provided by Customer to Avalara.
B. DESCRIPTION OF TRANSFER
For the details of the processing of personal data required for Annex 1.B of the EU SCCs, see below:
MODULE ONE: Transfer controller to controller
Categories of data subjects whose personal data is transferred
Individual employees and representatives of data exporter who instruct data importer, send purchase orders, process invoices, arrange for payment, make support calls, use data importer's services, and otherwise do business with data importer.
Categories of personal data transferred
Business contact information, service usage, payment status and other information relating to how data exporter uses data importer's services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
Sensitive data is not transferred on a controller-to-controller basis.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services.
Nature of the processing
Data importer uses data as a controller to do business with data exporter, sell services, issue invoices, provide technical support, perform services, address customer questions, improve services and develop new services and offerings.
Purpose(s) of the data transfer and further processing
Communications and business collaboration between data exporter and data importer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of the contract and so long as data importer markets additional services to data exporter.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Same as above.
MODULE TWO AND THREE: Transfer controller and processor to processor
Categories | Tax Calculation | Return Preparation | Tax Identification Registration | Fiscal Representation | Document Management |
Categories of data subjects whose personal data is transferred | Customer’s customers | Customer if it is a sole traders/proprietor using personal contact information for its business; Customer’s Authorized Users | Customer’s owners and directors | Customer’s owners and directors | Customer’s contact details; Customer’s customers |
Categories of personal data transferred | Delivery addresses, tax identifiers for sole traders/proprietorships, names, access credentials | Tax identifier for sole traders/proprietorship, names and contact details, access credentials for Authorized Users | Names and contact details of owners and directors as required by regulatory authorities, including proof of identification and date of birth | Names and contact details, proof of identification, tax identifiers for sole traders/proprietorships | Names and contact details, tax identifiers for sole traders/proprietorships |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | None | None | Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls | Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls | None |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services. | ||||
Nature of the processing | Calculating various types of tax | Preparing and filing tax returns | Registering Customer to collect and remit various tax types | Providing Fiscal Representation services | Using and managing tax related documents |
Purpose(s) of the data transfer and further processing | Assist Customer in complying with tax obligations | Assist Customer in complying with tax obligations | Assist Customer in complying with tax obligations | Assist Customer in complying with tax and financial obligations | Assist Customer in complying with tax obligations |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | Unless deletion is requested by the controller, the data will be processed until the end of applicable tax or regulatory audit periods. | ||||
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | Processor uses subprocessors for certain hosting, support, logging, monitoring, warehousing, infrastructure, and analytics purposes |
C. COMPETENT SUPERVISORY AUTHORITY
For purposes of Clause 13 and Annex 1.C of the EU SCCs, where no competent supervisory authority is identified through the rules of such Clause 13, the competent supervisory authority is the authority in Luxembourg.
Annex II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
For the purposes of Annex 2 of the EU SCCs, the technical and organizational measures implemented by Avalara are as described below.
Avalara maintains the following technical and organization measures:
- Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorized access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
- Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
- Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
- Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
- Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
- Avalara maintains network zones and applies ingress and egress standards for the protection of data.
- Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
- Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
- Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
- Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
- Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
- Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
- Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
- Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
- Avalara maintains an incident response program to detect, analyze, prioritize, and handle cyber security events and incidents to prevent, detect, and deter the unauthorized access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
- Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
- Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
- Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
- Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
- Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorized individuals.
- Avalara has established logical separation between production and lower environments.
- Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
- All Avalara personnel must undergo the mandatory security awareness training at least annually.
- The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
- The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
- The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
- The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organization's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
- Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.
Annex III
LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
The controller has provided general authorisation for the engagement of subprocessors from an agreed list, available at Subprocessors (avalara.com).
Exhibit 2
The International Data Transfer Addendum to the EU SCCs (“UK addendum”), available at International data transfer agreement and guidance | ICO or on a successor website designated by the UK ICO, are incorporated herein by reference.
The parties are as reflected in the signature block to this DPA.
The parties select the version of the approved EU SCCs referenced in section 8 of this DPA including the appendix information which is as described in Exhibit 1.
The appendix information in table 3 of the UK addendum is as set out in the annexes to the EU SCCs in Exhibit 1.
The list of sub processors is as provided at Subprocessors (avalara.com).
Either party may end the UK addendum as set out in section 19 of the same.
Effective October 26th 2023 to November 1st 2023
DownloadTable of Contents
- Except as amended by this DPA, the Contract will remain in full force and effect.
- To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
- This DPA will automatically expire on the termination or expiration of the Contract.
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32 of the GDPR (security of processing);
(d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Attn: Legal Department
Avalara, Inc.
Suite 1800
255 South King Street
Seattle, WA 98104, USA
- for purposes of Clause 9 of the EU SCCs, Option 2 (‘General authorization’) shall apply and Avalara shall inform customer in writing of any intended changes to sub-processors at least 30 days in advance;
- in Clause 11 (a) of the EU SCCs, the optional language shall be deleted; and
- for purposes of Clause 17 and Clause 18 of the EU SCCs, the Member State for purposes of governing law, forum and jurisdiction shall be Luxembourg.
Categories | Tax Calculation | Return Preparation | Tax Identification Registration | Fiscal Representation | Document Management |
---|---|---|---|---|---|
Categories of data subjects whose personal data is transferred | Customer’s customers | Customer if it is a sole traders/proprietor using personal contact information for its business; Customer’s Authorized Users | Customer’s owners and directors | Customer’s owners and directors | Customer’s contact details; Customer’s customers |
Categories of personal data transferred | Delivery addresses, tax identifiers for sole traders/proprietorships, names, access credentials | Tax identifier for sole traders/proprietorship, names and contact details, access credentials for Authorized Users | Names and contact details of owners and directors as required by regulatory authorities, including proof of identification and date of birth | Names and contact details, proof of identification, tax identifiers for sole traders/proprietorships | Names and contact details, tax identifiers for sole traders/proprietorships |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | None | None | Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls | Passport images, which could include racial, ethnic, or religious information; access to data is subject to roles-based access controls | None |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous as initiated by customer in each case as part of each tax or regulatory audit period during which customer contracts for Avalara’s Services. | ||||
Nature of the processing | Calculating various types of tax | Preparing and filing tax returns | Registering Customer to collect and remit various tax types | Providing Fiscal Representation services | Using and managing tax related documents |
Purpose(s) of the data transfer and further processing | Assist Customer in complying with tax obligations | Assist Customer in complying with tax obligations | Assist Customer in complying with tax obligations | Assist Customer in complying with tax and financial obligations | Assist Customer in complying with tax obligations |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | Unless deletion is requested by the controller, the data will be processed until the end of applicable tax or regulatory audit periods. | ||||
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | Processor uses subprocessors for certain hosting, support, logging, monitoring, warehousing, infrastructure, and analytics purposes |
- Avalara maintains a written security program under which Avalara periodically evaluates risks to Customer Data and maintains commercially reasonable technical, and physical safeguards to protect Customer Data against accidental or unauthorized access, disclosure, loss, destruction, or alteration. Avalara regularly evaluates the scope and coverage of the Security Program.
- Avalara teams classify and handle data using technical controls described below to ensure its integrity, availability, and confidentiality.
- Avalara maintains a central inventory of assets where the asset custodian is responsible for classifying and maintaining the asset and ensuring the use of the asset complies with the security program.
- Avalara maintains standards for user authentication, access provisioning, de-provisioning, performing periodic access reviews and restricting administrative access to ensure access is granted based on the principle of least privilege.
- Avalara maintains standards for segregation of network services and devices to ensure unrelated portions of the network are isolated from each other.
- Avalara maintains network zones and applies ingress and egress standards for the protection of data.
- Avalara systems encrypt data at rest and in transit between the Avalara networks and its customers to ensure integrity, security, and confidentiality of customer data.
- Avalara maintains processes to securely generate, store and manage encryption keys that prevent loss, theft, or compromise.
- Avalara maintains physical access controls to restrict entry to Avalara facilities. Physical controls may include badge readers, security personnel, staff supervision, video cameras, and other tools.
- Avalara maintains processes for retaining and securely deleting data no longer than necessary to provide its services.
- Direct database access is restricted using the corporate VPN. This can only be accessed via Avalara issued computing equipment.
- Avalara has disabled the ability to write data to USB mass storage devices on all Avalara issued computing equipment.
- Avalara maintains a Software Management Standard that defines software and services which are approved, acceptable, or prohibited to be used by Avalara personnel.
- Avalara monitors its applications and systems for vulnerabilities on a periodic basis. Identified vulnerabilities are remediated by taking actions to close them in a timely manner.
- Avalara maintains an incident response program to detect, analyze, prioritize, and handle cyber security events and incidents to prevent, detect, and deter the unauthorized access, loss, compromise, disclosure, modification, or destruction of Avalara’s electronic data assets and information, including personal information.
- Avalara performs root cause analyses for incidents based on the nature of the incident, to identify, document, and eliminate the cause of an incident and to prevent the issue from recurring. Changes to the Avalara Incident Response Plan and standard operating procedures is also part of this review.
- Security and audit logs are fed to the SIEM daily and retained for a period of one year. These logs cannot be modified by anyone.
- Daily recoverable backups of critical data are configured to be performed and replicated to a secondary location.
- Avalara maintains a Security Infraction Management Policy that describes how Avalara treats security incidents that result from deviations from Avalara’s security policies, standards, and procedures.
- Avalara maintains standards for making changes to applications, including customer-facing applications, by ensuring they are tested and approved by appropriate individuals before they are moved to production. Access to make production changes is restricted to authorized individuals.
- Avalara has established logical separation between production and lower environments.
- Avalara ensures test data is selected and handled in accordance with the technical controls specified in this document.
- All Avalara personnel must undergo the mandatory security awareness training at least annually.
- The Avalara Service Terms and Conditions along with the Vendor Security terms document are in place to communicate security commitments with vendors.
- The Avalara Security team periodically performs assessments of different systems by conducting phishing simulations, vulnerability scans, and penetration tests.
- The Avalara Compliance team periodically performs assessments of key systems. Remediation plans are defined as appropriate for the areas of non-compliance establishing clear ownership and accountability.
- The Avalara Risk Management Team periodically conducts risk assessments to identify risks arising from internal and external sources throughout the year to evaluate the organization's control environment. Risk treatment plans are defined, as appropriate, for identified risks including establishing clear ownership and accountability. Risks are monitored to acceptable mitigation according to the Avalara Security Risk Assessment Standard and Process.
- Avalara maintains standards for Vendor Risk Management to define requirements for vendor selection, risk assessments with roles and responsibilities, contract lifecycle, exception handling and terminations.
Brazil Recruitment Notice
California Consumer Privacy Act Disclosures
Effective April 30th 2024
DownloadTable of Contents
- The right to know what personal information we have collected about you, including the categories of personal information, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information we have collected about you.
- The right to delete personal information that we have collected from you, subject to certain exceptions.
- The right to correct inaccurate personal information that we maintain about you.
- The right to opt-out of the sale or sharing of your personal information by us.
- The right to limit our use and disclosure of sensitive personal information to purposes specified in subsection 7027(l) of the CCPA regulations. We do not use or disclose sensitive personal information for purposes other than those specified in subsection 7027(m) of the CCPA regulations.
- The right not to receive discriminatory treatment by us for the exercise of privacy rights conferred by the CCPA, in violation of California Civil Code § 1798.125, including an employee's, applicant's, or independent contractor's right not to be retaliated against for the exercise of their CCPA rights
Category of personal information or sensitive personal information under CCPA definitions | Purpose for collection and use of personal information | Sold or shared | Retention time |
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Specifically, real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, social security number, driver’s license number, passport number, and account name. | Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners. | Yes | Online form data is deleted after five years of inactivity; log data is retained for a minimum of one year |
Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, but excluding publicly available information that is lawfully made available to the general public from federal, state, or local government records. (The categories of personal information described in the California Customer Records Act (Cal. Civ. Code § 1798.80(e)) Specifically, name, address, telephone number, social security number, education, employment, employment history, bank account number, medical information, or health insurance information. | Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners. | No | Online form data is deleted after five years of inactivity |
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. Specifically, information regarding a consumer’s interaction with an internet website application or advertisement. | Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners. | Yes | No more than 140 days |
Geolocation data. Specifically, location using IP addresses. | Provide and improve services. | Yes | 30 days |
Professional or Employment related information. Specifically, employer and job title. | Provide and improve services, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, to communicate with you, white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, provide material you request, understand your preferences to enhance your experience, and send you relevant information about us, our affiliates. | No | Online form data is deleted after five years of inactivity |
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in and credentials allowing access to an account. | Contact details and password when users create an account with Avalara's website | No | Lifetime of customer |
Category of sensitive personal information under CCPA definitions | Purpose for collection and use of sensitive personal information | Sold or shared | Retention time |
A consumer’s social security, driver’s license, state identification card, or passport number. | Provide services, authenticate for service access, fraud detection and prevention, security, including anti-money laundering and know-your-customer obligations, and onboarding processes for hired individuals. | No | Customer and employee data is kept for the duration of such relationships and to meet our regulatory obligations; with respect to customer data, such obligations may vary by product. |
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in and credentials allowing access to an account. | Provide services. | No | Customer and employee data is kept for the duration of such relationships and to meet our regulatory obligations; with respect to customer data, such obligations may vary by product. |
A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. | Comply with regulatory obligations. | No | The duration of the employment relationship and to meet our regulatory obligations. |
The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. Specifically, email messages. | Fraud detection and prevention, and security. | No | To meet our regulatory obligations. |
Personal information collected and analyzed concerning a consumer’s health. Specifically, health information related to employee benefits, leave, and accommodations. | Provide services. | No | The duration of the employment relationship and to meet our regulatory obligations. |
Category of personal information or sensitive personal information with reference to CCPA definitions | Categories of third parties personal information was disclosed to | Business or commercial purpose for disclosure |
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information tothird parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, but excluding publicly available information that is lawfully made available to the general public from federal, state, or local government records. (The categories of personal information described in the California Customer Records Act (Cal. Civ. Code § 1798.80(e)) Specifically, name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, or other financial information, medical information, or health insurance information. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Characteristics of protected classifications under California or federal law. Specifically, gender, marital status, race/ethnicity, gender identity, disability, requests for family care leave, medical leave, pregnancy disability leave, military and veteran status, and age if 40 years or older. | Our service providers, including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, third parties subject to compelled disclosures, and payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, and better understand our employees. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Specifically, records of products or services purchased including those purchased by employees as work-related expenses. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. Specifically, browsing history, search history, and information regarding a consumer’s interaction with an internet website application or advertisement. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Geolocation data. Specifically, location information based on IP addresses | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Audio, electronic, visual, thermal, olfactory, or similar information. Specifically, data relating to Avalara employees’ use of computers, software, networks, communications devices, and other similar systems that we or our affiliates own or make available to you; or you connect to or use for the purposes of providing services to us or our affiliates; and information relating to your activities on our or our affiliates' premises. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Professional or Employment related information. Specifically, job information, compensation, benefits, contact information, work history. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). Specifically, education history. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
A consumer’s social security, driver’s license, state identification card, or passport number. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in, credentials allowing access to an account. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. Specifically, racial or ethnic origin. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. Specifically, email messages of Avalara employees. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, Avalara affiliates and subsidiaries, and to third parties subject to compelled disclosures. | To service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees. To our subsidiaries and affiliates (those entities under common control), to provide services, such as technical operations and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Personal information collected and analyzed concerning a consumer’s health. Specifically, health information related to receiving employee benefits, leaves, and accommodations. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | To service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also disclose your data to our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also disclose your data to third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also disclose your personal information to third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
- Directly from You. Avalara may collect personal information when you: inquire about one of our services or purchase our services; send an email to Avalara or start a live chat with us; interact with our website, products or services; register for an event or seminar; download content like white papers; create an account with us; and use our mobile services.
- Cookies and Other Technologies. Avalara and its affiliates and trusted third parties may use cookies or other technologies to collect data about your device and activity on our website.
- Third Parties, including Service Providers. Avalara may also collect personal data from other sources, including third parties from whom we have purchased data, and we may combine this data with data we already have about you. For example, we may collect personal data from:
- Partners. Avalara may engage in joint marketing activities or event sponsorships with our third-party partners and we may collect personal data about you from these activities. We also allow partners to provide referrals to Avalara of individuals who may be interested in learning more about Avalara’s services.
- Service Providers. Avalara may also engage with third party service providers who help us understand how our customers are using Avalara’s services.
- The authorized agent is a natural person or a business entity and the agent provides proof that you gave the agent signed permission to submit the request; and
- You directly confirm with Avalara that you provided the authorized agent with permission to submit the request.
Postal address: Avalara, Inc., Attention: General Counsel, 255 S. King Street, Suite 1200, Seattle, WA 98104
Effective January 1st 2024 to April 30th 2024
DownloadTable of Contents
This notice and policy supplements information contained in the privacy policy (“Privacy Policy”) and notices at collection provided by Avalara, Inc. and its corporate business affiliates (“Avalara”) and applies solely to residents of the State of California (“consumers” or “you”) with respect to personal information Avalara processes as a business. Any terms defined in the California Consumer Privacy Act of 2018, as amended from time to time, including by the California Privacy Rights Act of 2020 and its implementing regulations (“CCPA”) have the same meaning when used in this notice and policy. This notice and policy does not reflect our collection, use, or disclosure of California residents’ personal information, or data subject rights, where an exception or exemption under the CCPA applies.
1. RIGHT TO REQUEST DELETION, CORRECTION OF INACCURATE PERSONAL INFORMATION, AND SPECIFIC PIECES OF PERSONAL INFORMATION COLLECTED, RIGHT NOT TO RECEIVE DISCRIMINATORY TREATMENT FOR THE EXERCISE OF CCPA RIGHTS
You have the right to request that we disclose what personal information we collect, use, or disclose about you specifically and to request the correction and deletion of personal information. To submit a request to exercise a right, please submit an email request to dataprivacy@avalara.com or call our toll-free number at 1-877-814-9390.
Avalara may ask that you provide certain information to verify your identity. The information that we ask you to provide to verify your identity will depend on your prior interactions with us and the sensitivity of the personal information at issue. Avalara will respond to your request in accordance with the CCPA. If we deny your request, we will explain why.
When a business sells your personal information or shares it for cross context behavioural advertising, you have a right to opt out of such sale or sharing. We do not have actual knowledge that we sell or share for cross context behavioral advertising, the personal information of California resident consumers under 16 years of age.
When a business uses or discloses sensitive personal information for reasons triggering an opt out right under the CCPA, you have the right to limit the use or disclosure of sensitive information by the business. We do not use or disclose sensitive personal information for purposes triggering a right to limit under the CCPA.
You have the right not to receive discriminatory treatment by a business for the exercise of privacy rights conferred by the CCPA in violation of California Civil Code § 1798.125, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights.
2. NOTICE AT COLLECTION ONLINE
We have set out below categories of personal information about California residents we collect online.
Category of personal information or sensitive personal information under CCPA definitions | Purpose for collection and use of personal information | Sold or shared | Retention time |
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Specifically, real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, social security number, driver’s license number, passport number, and account name. | Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners. | Shared | Online form data is deleted after five years of inactivity; log data is retained for a minimum of one year |
Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, but excluding publicly available information that is lawfully made available to the general public from federal, state, or local government records. (The categories of personal information described in the California Customer Records Act (Cal. Civ. Code § 1798.80(e)) Specifically, name, address, telephone number, social security number, education, employment, employment history, bank account number, medical information, or health insurance information. | Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners. | Shared | Online form data is deleted after five years of inactivity |
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. Specifically, information regarding a consumer’s interaction with an internet website application or advertisement. | Provide and improve services, authenticate for service access, fraud detection and prevention, security, troubleshoot, event planning and hosting, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners. | Sold and shared | No more than 140 days |
Geolocation data. Specifically, location using IP addresses. | Provide and improve services. | Shared | 30 days |
Professional or Employment related information. Specifically, employer and job title. | Provide and improve services, event planning and hosting, consider individuals for job opportunities and onboarding processes for hired individuals, to communicate with you, white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, provide material you request, understand your preferences to enhance your experience, and send you relevant information about us, our affiliates. | Shared | Online form data is deleted after five years of inactivity |
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in and credentials allowing access to an account. | Contact details and password when users create an account with Avalara's website | Shared | Lifetime of customer |
3. NOTICE OF COLLECTION OF SENSITIVE PERSONAL INFORMATION
We have set out below categories of sensitive personal information about California residents we collect.
Category of sensitive personal information under CCPA definitions | Purpose for collection and use of sensitive personal information | Sold or shared | Retention time |
A consumer’s social security, driver’s license, state identification card, or passport number. | Provide services, authenticate for service access, fraud detection and prevention, security, including anti-money laundering and know-your-customer obligations, and onboarding processes for hired individuals. | Shared | Customer and employee data is kept for the duration of such relationships and to meet our regulatory obligations; with respect to customer data, such obligations may vary by product. |
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in and credentials allowing access to an account. | Provide services. | Shared | Customer and employee data is kept for the duration of such relationships and to meet our regulatory obligations; with respect to customer data, such obligations may vary by product. |
A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. | Comply with regulatory obligations. | Shared | The duration of the employment relationship and to meet our regulatory obligations. |
The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. Specifically, email messages. | Fraud detection and prevention, and security. | Shared | To meet our regulatory obligations. |
Personal information collected and analyzed concerning a consumer’s health. Specifically, health information related to employee benefits, leave, and accommodations. | Provide services. | Shared | The duration of the employment relationship and to meet our regulatory obligations. |
4. OUR PERSONAL INFORMATION HANDLING PRACTICES IN 2023
We have set out below categories of personal information about California residents we have collected and disclosed for a business purpose in the preceding 12 months. The table is followed by a description of the purposes for which we collected personal information.
Category of personal information or sensitive personal information with reference to CCPA definitions | Categories of third parties personal information was disclosed to | Business or commercial purpose for disclosure |
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, but excluding publicly available information that is lawfully made available to the general public from federal, state, or local government records. (The categories of personal information described in the California Customer Records Act (Cal. Civ. Code § 1798.80(e)) Specifically, name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, or other financial information, medical information, or health insurance information. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Characteristics of protected classifications under California or federal law. Specifically, gender, marital status, race/ethnicity, gender identity, disability, requests for family care leave, medical leave, pregnancy disability leave, military and veteran status, and age if 40 years or older. | Our service providers, including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, third parties subject to compelled disclosures, and payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, and better understand our employees. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Specifically, records of products or services purchased including those purchased by employees as work-related expenses. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. Specifically, browsing history, search history, and information regarding a consumer’s interaction with an internet website application or advertisement. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Geolocation data. Specifically, location information based on IP addresses | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Audio, electronic, visual, thermal, olfactory, or similar information. Specifically, data relating to Avalara employees’ use of computers, software, networks, communications devices, and other similar systems that we or our affiliates own or make available to you; or you connect to or use for the purposes of providing services to us or our affiliates; and information relating to your activities on our or our affiliates' premises. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Professional or Employment related information. Specifically, job information, compensation, benefits, contact information, work history. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). Specifically, education history. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
A consumer’s social security, driver’s license, state identification card, or passport number. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Specifically, account log-in, credentials allowing access to an account. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. Specifically, racial or ethnic origin. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. Specifically, email messages of Avalara employees. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, Avalara affiliates and subsidiaries, and to third parties subject to compelled disclosures. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, maintain the security of our systems and networks, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees. To our subsidiaries and affiliates (those entities under common control), to provide services, such as technical operations and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Personal information collected and analyzed concerning a consumer’s health. Specifically, health information related to receiving employee benefits, leaves, and accommodations. | Our service providers including our CRM service provider, cloud services and data warehousing providers, data analytics providers, logging and log management services, HR and recruiting software providers, benefits providers, security services, communication and productivity software and services, social networks, Avalara affiliates and subsidiaries, partners, to third parties subject to compelled disclosures, and to payment processors. | We may share your data with service providers and vendors to perform services on our behalf, including to organize data, manage our employee base and provide benefits, better understand our customers, prospective customers, and employees, marketing, and advertising. To our subsidiaries and affiliates (those entities under common control), to provide services, such as customer support, marketing, technical operations, and account management purposes. To Vista, our private equity sponsor, and its affiliates, including Vista Consulting Group (US), for administration, research, database development, workforce analytics and business operation purposes. To our partners, to provide integrations that enable our services to interconnect with third party software and to support our mutual customers. We may also share your data with our partners to co-sponsor events that you choose to attend. To our payment processor, to manage credit card processing. To relevant governmental authorities if required by law or to comply with a judicial proceeding, court order, or valid legal process. We may also share your data with third parties, to protect our rights and property, our agents, employees, partners and customers, including to prevent or stop an attack on our systems or network or to prevent spam or attempts to defraud our users. We may also share your personal information with third parties to disclose your data in connection with or during the negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving the sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. |
Business or Commercial Purpose for Collecting Personal Information. Avalara uses the personal information that it collects to provide and improve services, authenticate for service access, detect and prevent fraud, security, troubleshoot, plan and host events, communicate with you, provide materials you request, including white paper downloads, provide chat functionality on our website, to follow up with you upon your registrations for online seminars or in-person events, understand your preferences to enhance your experience and send you relevant information about us, our affiliates, and partners.
Avalara collects such information from the following categories of sources:
- Directly from You. Avalara may collect personal information when you: inquire about one of our services or purchase our services; send an email to Avalara or start a live chat with us; interact with our website, products or services; register for an event or seminar; download content like white papers; create an account with us; and use our mobile services.
- Cookies and Other Technologies. Avalara and its affiliates and trusted third parties may use cookies or other technologies to collect data about your device and activity on our website.
- Third Parties, including Service Providers. Avalara may also collect personal data from other sources, including third parties from whom we have purchased data, and we may combine this data with data we already have about you. For example, we may collect personal data from:
- Partners. Avalara may engage in joint marketing activities or event sponsorships with our third-party partners and we may collect personal data about you from these activities. We also allow partners to provide referrals to Avalara of individuals who may be interested in learning more about Avalara’s services.
- Service Providers. Avalara may also engage with third party service providers who help us understand how our customers are using Avalara’s services.
5. COMMITMENT REGARDING DEIDENTIFIED INFORMATION
If we process deidentified information, we will maintain the information in a deidentified form and not attempt to reidentify the information, except that we may attempt to reidentify the information solely for the purpose of determining whether the deidentification processes used satisfy legal requirements.
6. AUTHORIZED AGENT
You can designate an authorized agent to make a request under the CCPA on your behalf if:
- The authorized agent is a natural person or a business entity and the agent provides proof that you gave the agent signed permission to submit the request; and
- You directly confirm with Avalara that you provided the authorized agent with permission to submit the request.
If you use an authorized agent to submit a request to exercise your right to know, correct or your right to request deletion, please provide any information Avalara requests to verify your identity. The information that Avalara asks you to provide to verify your identity will depend on your prior interactions with us and the sensitivity of the personal information at issue.
If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA.
7. CONTACT FOR MORE INFORMATION
If you have any questions or comments about this notice and policy, the ways in which we collect and use your personal information, your choices and rights regarding such use, please do not hesitate to contact us at:
Email address: dataprivacy@avalara.com
Postal address: Avalara, Inc., Attention: General Counsel, 255 S. King Street, Suite 1200, Seattle, WA 98104
Data Subject Rights
Effective March 14th 2024
DownloadTable of Contents
- Right of access: You have the right to obtain from Avalara confirmation as to whether your personal data is being processed, and, where that is the case, to request access to your personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.
You have the right to obtain a copy of the personal data undergoing processing. Subject to applicable law, we may charge a reasonable fee for copies, based on administrative costs. - Right to rectification: You have the right to obtain from Avalara the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure (to be forgotten): You have the right to ask Avalara to erase your personal data.
- Right to restriction of processing: You have the right to request restriction of processing of your personal data, in which case, it would be marked and processed by Avalara only for certain purposes.
- Right to data portability: You have the right to receive the personal data that you have provided to Avalara in a structured, commonly used and machine-readable format and you have the right to transmit the personal data to another entity without hindrance from us.
- Right to object: You may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by Avalara, and we can be required to no longer process your personal data. If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by Avalara. Exercising this right will not incur any cost. Such a right to object may not exist, in particular, if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
Retention and Deletion of Personal Data
EEA and United Kingdom Recruitment Notice
India Recruitment Notice
Privacy Notice
Effective May 28th 2024
DownloadTable of Contents
Personal Data Collected
Avalara collects personal data directly from you, for instance when you inquire about one of Avalara’s Services or send an email to Avalara, or from your interactions with our website, products or Services. Details include:
Cookies and Other Technologies. When you navigate our website, we may use cookies or other technologies to collect data about your device and activity on our website. For more information about the Cookies and Other Technologies we use, the data we collect and your choices, please click here.
Avalara may also collect personal data from other sources, including third parties from whom we have purchased data, and we may combine this data with data we already have about you. For example, we may collect personal data from:
How We Use Your Personal Data
Communicating with you. Avalara’s website allows you to download white papers, fill out forms for more details about our Services, and to engage with us via our chat functionality. You can also register to attend online seminars or in-person events. We use this information to provide you with the material you requested, to follow up with you about your interest in the Services, or to register you for the event you request. We may also use personal data to understand you and your preferences so that we may enhance your experience and send you information about Avalara, our affiliates, and our partners, such as information about promotions or events.
Advertising. We may use data collected via cookies and other technologies to manage our advertising on other sites or to provide you offers or advertisements, including for third-party services, based upon your browsing activities and interests. For more details, please click here.
- Contract. When you or your company enter into an agreement with us, we will process your data to fulfill the terms of our contract.
- Legitimate interest. We have a legitimate interest in protecting the safety and security of our Services, operating and improving the Services, supporting our customers, marketing and promoting the Services, and protecting our interests.
- Consent. In some cases, you will give us consent to use your data for a specific purpose.
- Legal obligation. We may be required to process your data to comply with a legal obligation.
Why We Share Personal Data
How to Manage Your Personal Data
California Privacy Rights
International Transfers of Personal Data
Data Controller
Monitoring of Incoming Emails
Changes to this Privacy Notice
Contact Us
Effective March 27th 2024 to May 28th 2024
DownloadTable of Contents
Personal Data Collected
Avalara collects personal data directly from you, for instance when you inquire about one of Avalara’s Services or send an email to Avalara, or from your interactions with our website, products or Services. Details include:
Cookies and Other Technologies. When you navigate our website, we may use cookies or other technologies to collect data about your device and activity on our website. For more information about the Cookies and Other Technologies we use, the data we collect and your choices, please click here.
Avalara may also collect personal data from other sources, including third parties from whom we have purchased data, and we may combine this data with data we already have about you. For example, we may collect personal data from:
How We Use Your Personal Data
Communicating with you. Avalara’s website allows you to download white papers, fill out forms for more details about our Services, and to engage with us via our chat functionality. You can also register to attend online seminars or in-person events. We use this information to provide you with the material you requested, to follow up with you about your interest in the Services, or to register you for the event you request. We may also use personal data to understand you and your preferences so that we may enhance your experience and send you information about Avalara, our affiliates, and our partners, such as information about promotions or events.
Advertising. We may use data collected via cookies and other technologies to manage our advertising on other sites or to provide you offers or advertisements, including for third-party services, based upon your browsing activities and interests. For more details, please click here.
- Contract. When you or your company enter into an agreement with us, we will process your data to fulfill the terms of our contract.
- Legitimate interest. We have a legitimate interest in protecting the safety and security of our Services, operating and improving the Services, supporting our customers, marketing and promoting the Services, and protecting our interests.
- Consent. In some cases, you will give us consent to use your data for a specific purpose.
- Legal obligation. We may be required to process your data to comply with a legal obligation.
Why We Share Personal Data
How to Manage Your Personal Data
California Privacy Rights
International Transfers of Personal Data
Data Controller
Monitoring of Incoming Emails
Changes to this Privacy Notice
Contact Us
Effective February 14th 2023 to March 27th 2024
DownloadTable of Contents
Personal Data Collected
Avalara collects personal data directly from you, for instance when you inquire about one of Avalara’s Services or send an email to Avalara, or from your interactions with our website, products or Services. Details include:
Cookies and Other Technologies. When you navigate our website, we may use cookies or other technologies to collect data about your device and activity on our website. For more information about the Cookies and Other Technologies we use, the data we collect and your choices, please click here.
Avalara may also collect personal data from other sources, including third parties from whom we have purchased data, and we may combine this data with data we already have about you. For example, we may collect personal data from:
How We Use Your Personal Data
Communicating with you. Avalara’s website allows you to download white papers, fill out forms for more details about our Services, and to engage with us via our chat functionality. You can also register to attend online seminars or in-person events. We use this information to provide you with the material you requested, to follow up with you about your interest in the Services, or to register you for the event you request. We may also use personal data to understand you and your preferences so that we may enhance your experience and send you information about Avalara, our affiliates, and our partners, such as information about promotions or events.
Advertising. We may use data collected via cookies and other technologies to manage our advertising on other sites or to provide you offers or advertisements, including for third-party services, based upon your browsing activities and interests. For more details, please click here.
- Contract. When you or your company enter into an agreement with us, we will process your data to fulfill the terms of our contract.
- Legitimate interest. We have a legitimate interest in protecting the safety and security of our Services, operating and improving the Services, supporting our customers, marketing and promoting the Services, and protecting our interests.
- Consent. In some cases, you will give us consent to use your data for a specific purpose.
- Legal obligation. We may be required to process your data to comply with a legal obligation.
Why We Share Personal Data
How to Manage Your Personal Data
California Privacy Rights
International Transfers of Personal Data
Data Controller
Monitoring of Incoming Emails
Changes to this Privacy Notice
Contact Us
Subprocessors
Effective April 20th 2024
DownloadTable of Contents
Date Added | Entity Name | Purpose | Entity Control |
February 24, 2020 | Adobe, Inc. | Tag management system | United States |
February 24, 2020 | Amazon Web Services, Inc. (AWS) | Cloud-based computing and data hosting services | United States |
February 24, 2020 | Atlassian Pty Ltd. | Cloud-based project management and collaboration software tools | Australia |
June 17, 2022 | BigID, Inc. | Data discovery and privacy compliance services | United States |
June 17, 2022 | Confluent, Inc. | Event data processing and real-time data pipeline engine | United States |
June 17, 2022 | Content Square, Inc. | Customer experience analytics service | United States |
November 1, 2023 | Cribl, Inc. | Cloud-based data observability platform | United States |
June 17, 2022 | Databricks, Inc. | Cloud-based data warehousing | United States |
February 24, 2020 | FullStory, Inc. | Customer experience analytics service | United States |
March 13, 2023 | Hex Technologies, Inc. | Application analytics service | United States |
September 3, 2021 | IDology, Inc. | Age verification service for Avalara Age Verification (an add-on feature to AvaTax for Beverage Alcohol) | United States |
February 24, 2020 | Microsoft Corporation | Cloud-based and on-premises office productivity tools and a business analytics service | United States |
February 10, 2022 | Mimecast North America, Inc. | Email security and archiving | United States |
April 3, 2020 | MongoDB, Inc. | General purpose database platform | United States |
April 20, 2024 | Monte Carlo Data, Inc. | Application analytics service | United States |
February 24, 2020 | Okta, Inc. | Cloud-based access management service | United States |
February 20, 2024 | OwnBackup Inc. | Data backup service | United States |
June 21, 2023 | Proofpoint, Inc. | Security tool | United States |
February 24, 2020 | Rapid 7 Ireland Limited | Log management and analytics service | United States |
February 24, 2020 | Salesforce.com, Inc. | Customer management platform | United States |
February 24, 2020 | Slack Technologies, Inc. | Communication and productivity software as a service and related technology | United States |
June 8, 2020 | Snowflake Inc. | Cloud-based data warehousing | United States |
February 24, 2020 | Splunk, Inc. | Real-time cloud monitoring service | United States |
February 24, 2020 | Sumo Logic, Inc. | Cloud-based logs and metrics management service | United States |
February 24, 2020 | Twilio, Inc. | Customer data infrastructure platform | United States |
September 17, 2020 | Uplevel, Inc. | Data analysis tool relating to Avalara team behavior to maximize effectiveness | United States |
Entity Name | Country |
---|---|
Avalara, Inc. | United States |
AFT France SAS | France |
AFT Italy S.r.L. | Italy |
Avalara FT Spain SL | Spain |
AFTC Fiscal Services UK Ltd | United Kingdom |
AFTC, Inc. | United States |
AvaFuel LLC | United States |
Avalara Brasil – Assessoria e Consultoria Tributária e Tecnológica Ltda | Brazil |
Avalara Canada ULC | Canada |
Avalara Client Trust | United States |
Avalara EU Holdings UK Limited | United Kingdom |
Avalara Europe Ltd | United Kingdom |
Avalara FT Poland | Polish |
Avalara Luxembourg S.a.r.l. | Luxembourg |
Avalara Technologies Private Limited | India |
EDIGrid Romania | Romania |
Impendulo ApS | Denmark |
Impendulo BV | Netherlands |
Impendulo Hellas Mon. Epe | Greece |
Impendulo Lda | Portugal |
Impendulo Limited | United Kingdom |
Impendulo Limited (CY) | Cyprus |
Impendulo Oy | Finland |
Impendulo SARL | France |
INPOSIA Solutions France | France |
INPOSIA Solutions GmbH | Germany |
INPOSIA Solutions Italia S.r.L. | Italy |
INPOSIA Turkey | Turkey |
Transaction Tax Consulting Group, LLC | United States |
Transaction Tax Resources, Inc. | United States |
VAT Applications NV | Belgium |
VAT House Services NV | Belgium |
Effective February 20th 2024 to April 20th 2024
DownloadTable of Contents
Date Added | Entity Name | Purpose | Entity Control |
February 24, 2020 | Adobe, Inc. | Tag management system | United States |
February 24, 2020 | Amazon Web Services, Inc. (AWS) | Cloud-based computing and data hosting services | United States |
February 24, 2020 | Atlassian Pty Ltd. | Cloud-based project management and collaboration software tools | Australia |
June 17, 2022 | BigID, Inc. | Data discovery and privacy compliance services | United States |
June 17, 2022 | Confluent, Inc. | Event data processing and real-time data pipeline engine | United States |
June 17, 2022 | Content Square, Inc. | Customer experience analytics service | United States |
November 1, 2023 | Cribl, Inc. | Cloud-based data observability platform | United States |
June 17, 2022 | Databricks, Inc. | Cloud-based data warehousing | United States |
February 24, 2020 | FullStory, Inc. | Customer experience analytics service | United States |
March 13, 2023 | Hex Technologies, Inc. | Application analytics service | United States |
September 3, 2021 | IDology, Inc. | Age verification service for Avalara Age Verification (an add-on feature to AvaTax for Beverage Alcohol) | United States |
February 24, 2020 | Microsoft Corporation | Cloud-based and on-premises office productivity tools and a business analytics service | United States |
February 10, 2022 | Mimecast North America, Inc. | Email security and archiving | United States |
April 3, 2020 | MongoDB, Inc. | General purpose database platform | United States |
February 24, 2020 | Okta, Inc. | Cloud-based access management service | United States |
February 20, 2024 | OwnBackup Inc. | Data backup service | United States |
June 21, 2023 | Proofpoint, Inc. | Security tool | United States |
February 24, 2020 | Rapid 7 Ireland Limited | Log management and analytics service | United States |
February 24, 2020 | Salesforce.com, Inc. | Customer management platform | United States |
February 24, 2020 | Slack Technologies, Inc. | Communication and productivity software as a service and related technology | United States |
June 8, 2020 | Snowflake Inc. | Cloud-based data warehousing | United States |
February 24, 2020 | Splunk, Inc. | Real-time cloud monitoring service | United States |
February 24, 2020 | Sumo Logic, Inc. | Cloud-based logs and metrics management service | United States |
February 24, 2020 | Twilio, Inc. | Customer data infrastructure platform | United States |
September 17, 2020 | Uplevel, Inc. | Data analysis tool relating to Avalara team behavior to maximize effectiveness | United States |
Entity Name | Country |
---|---|
Avalara, Inc. | United States |
AFT France SAS | France |
AFT Italy S.r.L. | Italy |
Avalara FT Spain SL | Spain |
AFTC Fiscal Services UK Ltd | United Kingdom |
AFTC, Inc. | United States |
AvaFuel LLC | United States |
Avalara Brasil – Assessoria e Consultoria Tributária e Tecnológica Ltda | Brazil |
Avalara Canada ULC | Canada |
Avalara Client Trust | United States |
Avalara EU Holdings UK Limited | United Kingdom |
Avalara Europe Ltd | United Kingdom |
Avalara FT Poland | Polish |
Avalara Luxembourg S.a.r.l. | Luxembourg |
Avalara Technologies Private Limited | India |
EDIGrid Romania | Romania |
Impendulo ApS | Denmark |
Impendulo BV | Netherlands |
Impendulo Hellas Mon. Epe | Greece |
Impendulo Lda | Portugal |
Impendulo Limited | United Kingdom |
Impendulo Limited (CY) | Cyprus |
Impendulo Oy | Finland |
Impendulo SARL | France |
INPOSIA Solutions France | France |
INPOSIA Solutions GmbH | Germany |
INPOSIA Solutions Italia S.r.L. | Italy |
INPOSIA Turkey | Turkey |
Transaction Tax Consulting Group, LLC | United States |
Transaction Tax Resources, Inc. | United States |
VAT Applications NV | Belgium |
VAT House Services NV | Belgium |
Effective November 1st 2023 to February 20th 2024
DownloadTable of Contents
Date Added | Entity Name | Purpose | Entity Control |
February 24, 2020 | Adobe, Inc. | Tag management system | United States |
February 24, 2020 | Amazon Web Services, Inc. (AWS) | Cloud-based computing and data hosting services | United States |
February 24, 2020 | Atlassian Pty Ltd. | Cloud-based project management and collaboration software tools | Australia |
June 17, 2022 | BigID, Inc. | Data discovery and privacy compliance services | United States |
June 17, 2022 | Confluent, Inc. | Event data processing and real-time data pipeline engine | United States |
June 17, 2022 | Content Square, Inc. | Customer experience analytics service | United States |
November 1, 2023 | Cribl, Inc. | Cloud-based data observability platform | United States |
June 17, 2022 | Databricks, Inc. | Cloud-based data warehousing | United States |
February 24, 2020 | FullStory, Inc. | Customer experience analytics service | United States |
March 13, 2023 | Hex Technologies, Inc. | Application analytics service | United States |
September 3, 2021 | IDology, Inc. | Age verification service for Avalara Age Verification (an add-on feature to AvaTax for Beverage Alcohol) | United States |
February 24, 2020 | Microsoft Corporation | Cloud-based and on-premises office productivity tools and a business analytics service | United States |
February 10, 2022 | Mimecast North America, Inc. | Email security and archiving | United States |
April 3, 2020 | MongoDB, Inc. | General purpose database platform | United States |
February 24, 2020 | Okta, Inc. | Cloud-based access management service | United States |
June 21, 2023 | Proofpoint, Inc. | Security tool | United States |
February 24, 2020 | Rapid 7 Ireland Limited | Log management and analytics service | United States |
February 24, 2020 | Salesforce.com, Inc. | Customer management platform | United States |
February 24, 2020 | Slack Technologies, Inc. | Communication and productivity software as a service and related technology | United States |
June 8, 2020 | Snowflake Inc. | Cloud-based data warehousing | United States |
February 24, 2020 | Splunk, Inc. | Real-time cloud monitoring service | United States |
February 24, 2020 | Sumo Logic, Inc. | Cloud-based logs and metrics management service | United States |
February 24, 2020 | Twilio, Inc. | Customer data infrastructure platform | United States |
September 17, 2020 | Uplevel, Inc. | Data analysis tool relating to Avalara team behavior to maximize effectiveness | United States |
Entity Name | Country |
---|---|
Avalara, Inc. | United States |
AFT France SAS | France |
AFT Italy S.r.L. | Italy |
Avalara FT Spain SL | Spain |
AFTC Fiscal Services UK Ltd | United Kingdom |
AFTC, Inc. | United States |
AvaFuel LLC | United States |
Avalara Brasil – Assessoria e Consultoria Tributária e Tecnológica Ltda | Brazil |
Avalara Canada ULC | Canada |
Avalara Client Trust | United States |
Avalara EU Holdings UK Limited | United Kingdom |
Avalara Europe Ltd | United Kingdom |
Avalara FT Poland | Polish |
Avalara Luxembourg S.a.r.l. | Luxembourg |
Avalara Technologies Private Limited | India |
EDIGrid Romania | Romania |
Impendulo ApS | Denmark |
Impendulo BV | Netherlands |
Impendulo Hellas Mon. Epe | Greece |
Impendulo Lda | Portugal |
Impendulo Limited | United Kingdom |
Impendulo Limited (CY) | Cyprus |
Impendulo Oy | Finland |
Impendulo SARL | France |
INPOSIA Solutions France | France |
INPOSIA Solutions GmbH | Germany |
INPOSIA Solutions Italia S.r.L. | Italy |
INPOSIA Turkey | Turkey |
Transaction Tax Consulting Group, LLC | United States |
Transaction Tax Resources, Inc. | United States |
VAT Applications NV | Belgium |
VAT House Services NV | Belgium |
Effective October 26th 2023 to November 1st 2023
DownloadTable of Contents
Date Added | Entity Name | Purpose | Entity Control |
February 24, 2020 | Adobe, Inc. | Tag management system | United States |
February 24, 2020 | Amazon Web Services, Inc. (AWS) | Cloud-based computing and data hosting services | United States |
February 24, 2020 | Atlassian Pty Ltd. | Cloud-based project management and collaboration software tools | Australia |
June 17, 2022 | BigID, Inc. | Data discovery and privacy compliance services | United States |
June 17, 2022 | Confluent, Inc. | Event data processing and real-time data pipeline engine | United States |
June 17, 2022 | Content Square, Inc. | Customer experience analytics service | United States |
June 17, 2022 | Databricks, Inc. | Cloud-based data warehousing | United States |
February 24, 2020 | FullStory, Inc. | Customer experience analytics service | United States |
March 13, 2023 | Hex Technologies, Inc. | Application analytics service | United States |
September 3, 2021 | IDology, Inc. | Age verification service for Avalara Age Verification (an add-on feature to AvaTax for Beverage Alcohol) | United States |
February 24, 2020 | Microsoft Corporation | Cloud-based and on-premises office productivity tools and a business analytics service | United States |
February 10, 2022 | Mimecast North America, Inc. | Email security and archiving | United States |
April 3, 2020 | MongoDB, Inc. | General purpose database platform | United States |
February 24, 2020 | Okta, Inc. | Cloud-based access management service | United States |
June 21, 2023 | Proofpoint, Inc. | Security tool | United States |
February 24, 2020 | Rapid 7 Ireland Limited | Log management and analytics service | United States |
February 24, 2020 | Salesforce.com, Inc. | Customer management platform | United States |
February 24, 2020 | Slack Technologies, Inc. | Communication and productivity software as a service and related technology | United States |
June 8, 2020 | Snowflake Inc. | Cloud-based data warehousing | United States |
February 24, 2020 | Splunk, Inc. | Real-time cloud monitoring service | United States |
February 24, 2020 | Sumo Logic, Inc. | Cloud-based logs and metrics management service | United States |
February 24, 2020 | Twilio, Inc. | Customer data infrastructure platform | United States |
September 17, 2020 | Uplevel, Inc. | Data analysis tool relating to Avalara team behavior to maximize effectiveness | United States |
Entity Name | Country |
---|---|
Avalara, Inc. | United States |
AFT France SAS | France |
AFT Italy S.r.L. | Italy |
Avalara FT Spain SL | Spain |
AFTC Fiscal Services UK Ltd | United Kingdom |
AFTC, Inc. | United States |
AvaFuel LLC | United States |
Avalara Brasil – Assessoria e Consultoria Tributária e Tecnológica Ltda | Brazil |
Avalara Canada ULC | Canada |
Avalara Client Trust | United States |
Avalara EU Holdings UK Limited | United Kingdom |
Avalara Europe Ltd | United Kingdom |
Avalara FT Poland | Polish |
Avalara Luxembourg S.a.r.l. | Luxembourg |
Avalara Technologies Private Limited | India |
EDIGrid Romania | Romania |
Impendulo ApS | Denmark |
Impendulo BV | Netherlands |
Impendulo Hellas Mon. Epe | Greece |
Impendulo Lda | Portugal |
Impendulo Limited | United Kingdom |
Impendulo Limited (CY) | Cyprus |
Impendulo Oy | Finland |
Impendulo SARL | France |
INPOSIA Solutions France | France |
INPOSIA Solutions GmbH | Germany |
INPOSIA Solutions Italia S.r.L. | Italy |
INPOSIA Turkey | Turkey |
Transaction Tax Consulting Group, LLC | United States |
Transaction Tax Resources, Inc. | United States |
VAT Applications NV | Belgium |
VAT House Services NV | Belgium |