1. Introduction
This Data Privacy Framework Notice (this “Notice”) applies to all personal information received by AvePoint, Inc. (including its controlled U.S. subsidiaries AvePoint Public Sector, Inc., AvePoint Holdings USA, LLC, and AvePoint Ventures, LLC) from residents of the European Union, the United Kingdom or Switzerland. In most cases, the data we receive will be in electronic form and relates to our customers. It may include personal information about our customers’ employees, business contacts, clients, and any other individuals with whom our customers have dealings. When we receive and process personal information provided to us by our customers, we do so as “data processors” acting on the instructions of our customers and/or the court system.
2. Definitions
1. Collectively, “Information” means “Personal Information” that (1) is transferred from the European Union and the United Kingdom or Switzerland to the United States; (2) is recorded in any form; (3) is about or pertains to a specific individual; and (4) can be linked to that individual; and/or Sensitive Personal Information.
2. With regard to information received by AvePoint from residents of the European Union and the United Kingdom, “Sensitive Personal Information” shall mean Personal Information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, or that concerns an individual’s health.
3. With regard to information received by AvePoint from residents of Switzerland, “Sensitive Personal Information” shall mean Personal Information specifying medical or health conditions, personal sexuality, racial or ethnic origin, political opinions, religious, ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
4. “Agent” is any third party that collects, uses, or stores Information in support of AvePoint engagements.
3. Data Privacy Framework Principles
Besides AvePoint’s compliance with the Standard Contractual Clauses into which AvePoint has entered with all of its affiliated companies worldwide, AvePoint complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. AvePoint has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. AvePoint has furthermore certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF). The EU-U.S. DPF Principles and the Swiss-U.S. Data Privacy Framework Principles are hereinafter referred to as “DPF Principles”.
If there is any conflict between the terms in this Notice and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view AvePoint’s certification, please visit https://www.dataprivacyframework.gov.
AvePoint’s execution of these DPF Principles may be limited in certain circumstances, in particular:
(a) where there is a conflicting or overriding legal obligation;
(b) to the extent expressly permitted by any applicable law, rule or regulation; or
(c) where AvePoint receives personal information as a “data processor” acting on the instructions of a customer. As AvePoint will be receiving personal information from the European Union and the United Kingdom and/or Switzerland in this case merely for processing, its principal obligations are limited to onward transfer, security, access, and enforcement.
AvePoint’s customer remains responsible for notice, choice, and data integrity.
Notice: AvePoint receives data to be processed and/or stored, the contents of which may, or may not be Information. Notice will be provided in clear language when individuals are first asked to provide Information to AvePoint, or as soon as practicable thereafter, and in any event before AvePoint uses such Information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.
Choice: Where AvePoint is the collector of Information and Choice is permissible, it will offer individuals the opportunity to choose (opt-out) whether their Information is:
(a) to be disclosed to a third party (unless that disclosure is allowed or required by contract), or
(b) to be used for a purpose that is not consistent with the purpose for which that Information was originally collected, or subsequently authorized by the individual.
AvePoint will provide individuals with reasonable mechanisms to exercise their choices.
Onward Transfers: In the event AvePoint transfers Information, it will obtain assurances from its Agents, prior to such transfer, that they will safeguard the Information in a manner consistent with this Notice. Every Agent utilized enters into a contractual relationship with AvePoint, which includes confidentiality and nondisclosure clauses, and provides the same level of commitment to and protections, as required by the DPF Principles. AvePoint remains responsible and liable under the Data Privacy Framework Principles if Agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Data Privacy Framework Principles, unless AvePoint can prove that it is not responsible for the event giving rise to the damage.
Security: AvePoint takes adequate and reasonable administrative, technical, and physical precautions to protect Information in its possession from loss, misuse and unauthorized access, disclosure, alteration, and destruction. AvePoint utilizes commercially accepted security equipment, techniques, and procedures to control, monitor and record access to any facility containing Information.
Data Integrity: AvePoint will use Information only in ways that are relevant and compatible with the purpose for which that information was collected or provided to AvePoint. AvePoint will take reasonable steps to ensure that all data collected, processed and/or stored is protected from destruction, corruption, or use in a manner inconsistent with the purpose for which it received the information.
Access: Upon request, and where permissible by law and purpose for which it possesses the Information, AvePoint will grant individuals reasonable access to Information that it holds about them. In addition, and where permissible, AvePoint will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete, except where the burden or expense of providing access would be disproportionate to the risks of the individual’s privacy, or where the rights of another individual may be violated. A reasonable fee may be charged as compensation for our expenses incurred in accessing, changing, or deleting the personal information.
Enforcement: AvePoint will conduct compliance audits at least annually of its relevant privacy practices to verify adherence to this Notice and its Privacy Notice, available under Privacy Notice | AvePoint FFurther, AvePoint will conduct follow up investigations to verify that attestations and assertions regarding practices are true. Violations and/or complaints may be made to AvePoint via e-mail to Privacy@AvePoint.com and AvePoint engages in training to support implementation and compliance. Any employee that AvePoint determines is in violation of this Notice will be subject to disciplinary action.
Dispute Resolution: In compliance with the DPF Principles, AvePoint commits to resolve complaints about our collection or use of your personal information. European Union, United Kingdom and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework Notice should first contact our General Counsel at the address given below. AvePoint will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Information in accordance with the principles contained in this Notice. For complaints that cannot be resolved between AvePoint and the complainant directly, AvePoint has chosen to cooperate with Data Protection Authorities (DPA) located in the European Union (or their authorized representatives) and the Swiss Federal Data Protection and Information Commissioner (“Commissioner”), respectively, and comply with the information and advice provided to it by an informal panel of DPAs and/or the Commissioner in relation to such unresolved complaints (as further described in the DPF Principles). If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit http://ec.europa.eu/justice/data-protection/bodies/index_en.htm, where you can find the relevant DPA and/or Commissioner contacts for more information or to file a complaint. The use of this process will be free of charge for any European Union, United Kingdom, or Swiss individual. As further explained in the DPF Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. AvePoint is subject to the enforcement powers of the U.S. Federal Trade Commission (FTC).
4. Contact Information
Please refer all questions or comments regarding this Notice to:
AvePoint, Inc.
Office of the General Counsel
901 East Byrd Street, Suite 900, Richmond, VA 23219
Privacy@AvePoint.com
This Data Privacy Framework Notice is available at Data Privacy Framework Notice | AvePoint
5. Changes To This Data Privacy Framework Notice
This Notice may be amended from time to time to remain consistent with the requirements of the DPF Principles and other applicable laws.
The effective date of this Data Privacy Framework Notice is June 27, 2024.