The Avast Software group (collectively referred to as “Avast” or “we”) processes personal data as a controller. The aim of this privacy notice is to provide information about the relevant processing operations, which apply to natural persons with whom we cooperate over the course of our business. This privacy notice sets forth:
· General business relationships;
· Resellers and Distributors;
· Public Relations (“PR”);
· Other Non-Business Partners;
· Data Sources, Sharing, Storage and Transfers; and
· Obligatory statement.
Keep in mind that if you disclose to us personal data of employees or any other natural persons acting on your behalf or in cooperation with you, you have to inform them that Avast will process their personal data in accordance with this notice.
· General Business Relationships
If your company or you directly (if you are a sole proprietor) contract with Avast in order to provide Avast with your products or services, it is necessary for Avast to process certain information in order for Avast and you to manage the business relationship, to facilitate communication so that the business relationship is supported and achieves its aims, to exercise the respective rights and obligations, and to deal with any potential issues, including disputes.
The relevant data subjects to whom the personal data processed by Avast relate include employees and representatives of Avast’s business partner, or, if you are a sole proprietor, you personally. The data processed by Avast for these purposes includes contact names, title (position), business address, contact information (email addresses and phone numbers), and other information relevant to the performance of our contract, which may vary depending on the contract, such as payment information, applicable rates, or discounts.
We process this data to enter into and perform our contract with you and to provision our products and services to the end users.
In order to sell its business-oriented products and services, Avast partners with resellers and distributors. If you are Avast’s reseller or a distributor, the following applies to you.
· Resellers and Distributors
In addition to the data use described above, resellers or distributors have access to and have their information recorded in our databases. You provide your personal data to us when you register as our partner through the Avast Partner Portal.
Each reseller or distributor is assigned a unique number. The information stored in our databases with respect to each reseller or distributor includes general identification and contact information we collect about our business partners in general (as described above), information about payments, your credit with Avast (credit volume, available credit, etc.), applicable discounts, and preferences concerning newsletter subscriptions and Partner Locator participation (see below). Through our databases, we can also identify which license IDs relating to our products have been provided or sold by which reseller or distributor. We also collect each registered and activated end user license key.
Avast has put in place a Partner Locator functionality, which allows our customers to find an Avast reseller or distributor near them. The information published in Partner Locator includes business name and address and contact details, such as phone number and/or email contact. Participation in the Partner Locator is voluntary, and your data will not be published through Partner Locator if you have not granted your consent to such publication.
We send our resellers and distributors newsletters, which inform them of our new products and opportunities for reselling.
· Public Relations and Other Non-Business Communications
Over the course of carrying out its activities, Avast, like any other business, communicates with various parties outside of its business relationships. To that end, it utilizes contact information of relevant persons. In some instances, such contact information may represent personal data of employees or representatives of these persons, such as names, titles (work positions), work (business) addresses, emails or phone numbers of these employees or representatives. The same applies to the situations in which these individuals operate individually, for instance, if they are freelancers or sole proprietors.
When we communicate with you as a result of public relations and other non-business activities, such as educational and other non-profit institutions, we process your data only as necessary to fulfill the communication to you, to provide the necessary information, to organize events, and to promote and improve our activities and events. Specific information about how we use your personal data is below.
· Public Relations
Avast conducts activities in the area of public relations and associated external communications, through communication with journalists, media and other external communications concerning Avast activities or other events which are relevant or important to our company. If we process your personal data for these purposes, we will use it to communicate with you in your capacity as a journalist or member or a representative of another media outlet. As part of this communication, we may contact you for the purposes of providing you with press releases, official statements or other similar information or in connection with organizing and holding press events.
· Other Non-Business Communications
We conduct our other non-business communications for the purposes of organizing, carrying out, supporting and promoting our non-profit activities, supporting education and raising awareness about cybersecurity and privacy issues.
In this respect, we may use your personal data in order to contact you in connection with organizing and performing various types of events concerning these issues, such as workshops, seminars, panels or other educational or awareness-raising activities. We will contact you for this purpose if you are a member of a group or organization which concerns itself with these issues, an expert in the field, a state authority which has granted its support to our activities, or, as the case may be, a school representative.
The sources of your personal data, including your contact information, other than the ones described below, may also include state authorities which have granted their support to our activities.
· Data Sources, Sharing, Storage and Transfers
The source of the personal data described above is usually our communication with your company (organization) or directly with you, or publicly available sources, such as websites, if your company (organization) or you published this data.
Avast, as a general rule, does not share personal data with any third parties. There may, however, be specific situations when your information, including potentially your personal data, could be published by Avast, but only if you have consented to it (for instance, as a distributor, reseller or a representative of a reseller or distributor in the Partner Locator Portal). At the same time, “third parties” do not include (i) other companies within the Avast group, (ii) Avast’s processors, (iii) service providers, if this is necessary in order to perform our contract with you or them, or (iv) legal, financial or other expert advisor or counsel, and Avast may, as the situation or nature of your relationship with Avast requires, share your personal data with these entities.
If we are obligated to do so by law or where we are defending our rights and legitimate interests, for instance, in case of potential legal claims, we may have to share your personal data with third parties, such as the relevant state authorities or courts.
We will store your personal data for as long as they are relevant to Avast. Where the processing of your personal data is based on consent, we will erase your personal data without undue delay after you have withdrawn it, unless we need those personal data for other legitimate reasons.
Due to the fact that Avast operates as a global business, your personal data may be transferred to countries outside of the European Economic Area, which have different legal rules concerning protection of your personal data. That being said, our data collection and management practices do not vary by location. We follow the same data protection standards as are granted to residents of the European Union with respect to all personal data in our possession.
As regards our general approach to transfers of personal data outside of the European Economic Area, regardless of whether data is being transferred to another Avast entity or a party that is not a member of our group, Avast puts in place appropriate and suitable safeguards, such as standardized contracts approved by the European Commission, which legally bind the receiving party to adhere to a high level of protection, and to ensure that your data remains safe and secure at all times and that your rights are protected.
· Obligatory Statement
You can exercise your rights by sending an email with the words “PRIVACY REQUEST” in its subject line to email@example.com. You may also send paper mail to Avast Software s.r.o., Pikrtova 1737/1a, 140 00, Prague 4, Czech Republic. Please write "Attention: PRIVACY" in the address. Avast has appointed a Data Protection Officer whom you can contact by sending an email to firstname.lastname@example.org.
DATA PROTECTION TERMS
The partner agreeing to these terms (“Partner”), and Avast Software s.r.o., company ID 02176475, registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 216540, having its principal office at Enterprise Office Center, Pikrtova 1737/1a, 140 00 Prague 4, Czech Republic (“Avast”) and its subsidiaries and/or affiliates (Avast together with such subsidiaries and affiliates, collectively, “Avast Affiliates” or individually “Avast Affiliate”) have entered into an agreement under which Avast has agreed to provide Software or Service (collectively the “Services” or “Solutions”) and related technical support to Partner as a reseller and supplier of the Services (the “Agreement”).
If you are accepting these Data Protection Terms on behalf of Partner, you warrant that: (a) you have full legal authority to bind Partner to these Data Protection Terms; (b) you have read and understand these Data Protection Terms; and (c) you agree, on behalf of Partner, to these Data Protection Terms. If you do not have the legal authority to bind Partner, please do not accept these Data Protection Terms.
These Data Protection Terms, including its appendices (the “Terms”) will be effective and replace any previously applicable data processing terms as from the Terms Effective Date (as defined below). These Terms supplement the Agreement, while, at the same time, as regards the area of collection, processing and other use of personal data (as this term is defined in Section 2 hereof) within the Services, the provisions of these Terms shall prevail over the provisions of the Agreement or, as the case may be, shall supersede those provisions of the Agreement which concern the processing of personal data. Other provisions of the Agreement shall remain unaffected hereby. No provision hereof may be interpreted as limiting the rights of Avast under the Agreement in any manner.
1.1. These Terms govern the processing and security of personal data processed within the Services under the Agreement between Avast and Partner.
1.2. Taking into account the complexity of the relationship between Avast, Partner and End Users (as defined by General Conditions of the Agreement) during the provision of Services, the purpose of these Terms is to determine clearly the responsibilities and duties of Avast and Partner and to cover all aspects of personal data processing based on the Agreement.
1.3. To avoid any doubts, Partner is a controller of Partner’s End Users’ data processed on the basis of Partner’s relationship with End User, especially regarding the purchase of and payment for the Services, as well as personal data processed for Partner’s own marketing and other commercial purposes.
2.1. Agreement – means the agreement to provide Services and related technical support to Partner as a reseller and supplier of Services including (if not explicitly stated otherwise) under Partner Agreement Special Conditions (the “Special Conditions”) and the Partner Agreement General Conditions (the “General Conditions”) published on the Vendor Portal (as they may be amended from time to time in accordance with their terms).
2.2. Data subjects – has the meaning given thereto in the GDPR (as defined below);
2.3. EEA – means the European Economic Area.
2.4. Effective date – means the date on which the Partner agreed to these Terms;
2.5. End User Personal Data – means the personal data of Partner’s End Users or Partner’s client’s End Users, such as name, email address, physical address, phone number, and credit card number, being collected and processed by the Partner; this does not include Services Data.
2.6. GDPR and other European Data Protection Legislation – means (i) prior to May 25, 2018, the Directive 95/46/EC of the European Parliament and of the Council, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as amended, (ii) on and after May 25, 2018, the Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (the “GDPR”), (iii) Directive 2002/58/EC of the European Parliament and of the Council, concerning the processing of personal data and the protection of privacy in the electronic communications sector (the ePrivacy Directive), as amended, (iv) all national data protection legislation implementing or supplementing the legal instruments listed under (i) through (iii) above, and (v) any and all legal instruments amending or replacing the legal instruments listed under (i) through (iv) above.
2.7. Non-European Data Protection Legislation – means legal regulation governing the area of protection of privacy and/or personal data applicable to the Parties other than the GDPR and other European Data Protection Legislation.
2.8. Notice – has the meaning given thereto in the Partner Agreement General Conditions;
2.9. Parties or, individually, Party – means parties or party hereto, i.e., Avast, any Avast Affiliate and Partner;
2.10. Partner – means a natural or legal person purchasing or distributing Avast’s Services subject to conditions of the Agreement (referred to as Company, Participant or other as may be in the Agreement, General Conditions or Special Conditions).
2.11. Partner’s End Users – means natural persons who have purchased Services from the Partner;
2.12. Personal data – has the meaning given thereto in the GDPR (as defined above).
2.13. Services Data – product data such as that connected with the functionality and performance of the Services which cannot be used to identify an individual and device data such as RAM, screen size and resolution, CPU(s), operating system, firewalls, network connection which cannot be used to identify an individual, and collective product and device data that are processed by Avast in order to provide Services in accordance with the Agreement.
2.14. Capitalized terms not defined by these Terms have the meanings given by the Partner Agreement General Conditions, Special Conditions or the Orders.
3. Scope of European data protection legislation
3.1. The parties acknowledge and agree that the GDPR will apply to the processing of End User Personal Data if, for example:
3.1.1. the processing is carried out in the context of the activities of an establishment of Partner or End Users in the territory of the EEA; and/or
3.1.2. the End User Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behavior in the EEA.
3.2. The parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of End User Personal Data.
3.3. Except to the extent these Terms state otherwise, the Terms will apply irrespective of whether the GDPR or Non-European Data Protection Legislation applies to the processing of Personal Data.
4. Scope of processing
4.1. Subject matter, nature and purpose of the processing under these Terms:
- Based on the Orders made by Partner, Avast provides and makes available the Services to the Partner pursuant to the Agreement, so that the Partner may provide the Services to the End Users. Partner will process End User Personal Data to the extent necessary to make available and provide the Services to End Users.
4.2. Categories of data:
- End User Personal Data related to the End Users provided to the Partner in connection with the order, purchase and use of the Services by the End Users.
- Services Data
Partner processes End Users’ Personal Data (e.g. identification, contact, and billing). Avast processes Services Data.
4.3. Categories of data subjects:
4.4. Avast will process Services Data as specified by EULA (End User License Agreement) and Partner’s or Partner’s End Users’ use of Services.
4.5. Avast is fully responsible for the processing of Services Data and Partner is fully responsible for the processing of End User Personal Data.
4.6. If Partner acts as a processor of a third-party controller, Partner warrants to Avast that Partner’s actions with respect to processing personal data, including its appointment of Avast as provider of the Services, have been authorized by the relevant controller.
4.7. If Non-European Data Protection Legislation applies to either party’s processing of personal data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that personal data.
5. Third Party Contractors
5.1. Both Parties mutually authorize each other to engage other third parties to carry out processing operations on their behalf (“Contractors”). Partner specifically authorizes Avast’s engagement of Avast Affiliates as Contractors. Other Avast’s Contractors comprise providers of e-commerce solutions, cloud solutions, technical support, and analytics tools, and other providers of services consisting in processing of data, including, as the case may be, personal data.
5.2. Both Parties will inform each other of any intended changes concerning the addition or replacement of Contractors that may have a substantial impact on the processing of End User Personal Data. Parties are entitled to object to such changes if there are serious and documented doubts about the Contractor’s ability to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
5.3. Contractors, as well as all persons authorized to process the personal data on their behalf, are bound to confidentiality by a contract (NDA).
5.4. Where Avast or Partner engage another contractor for carrying out specific processing activities relating to End User Personal Data on its behalf, the same obligations as set out in these Terms shall be imposed on that other contractor by way of a contract. Avast or Partner remain fully liable for all obligations subcontracted to, and all acts and omissions of, their contractors.
6. Data Subject Rights; Data Export
6.2. Access; Rectification; Restricted Processing; Portability. Partner will ensure compliance with the rights to access, rectify, portability, and restrict processing of personal data and to export personal data as regards End User Personal Data collected and processed by Partner. During the effectiveness of the Agreement, Avast will, in a manner consistent with the functionality of the Services, assist Partner in ensuring compliance with the rights to access, rectify, portability, and restrict processing of personal data and to export personal data.
6.3. Data Subject Requests. During the effectiveness of the Agreement, if Avast receives any request from a Partner’s End User in relation to his/her personal data, Avast will advise the data subject to submit their request to Partner and Partner will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
6.4. Avast Data Subject Request Assistance. Partner agrees that Avast will (taking into account the nature of the processing of End User’s personal data) assist Partner in fulfilling any obligation to respond to requests by End Users, including if applicable Partner’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, especially by providing necessary information and support as regards the functionality of Services.
7. Impact Assessments and Consultations
7.1. Avast and Partner will (taking into account the nature of the processing and the information available to each of them within the scope of the Agreement and these Terms) help and assist each other in ensuring compliance with any obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by:
7.1.1. providing the security safeguards (as defined in Appendix 1 of these Terms); and
7.1.2. providing the information and assistance contained in the Agreement and these Terms.
8. Data transfers and location
8.1. Avast will not transfer any End User Personal Data (if available to Avast) to any third party but Avast Affiliates and Contractors as defined in Section 5. This does not affect Avast’s right to process and transfer Services Data – at its own discretion – in compliance with applicable law.
8.2. Avast may, subject to applicable law and as applicable in accordance with Section 3, store and process the relevant Services Data anywhere Avast, its Affiliates or its Contractors maintain facilities provided that appropriate safeguards under Articles 45-49 of the GDPR are in place.
8.3. If the storage and/or processing of End User Personal Data involves transfers of End User Personal Data out of the EEA (“Third Countries”), and the European Data Protection Legislation applies to the transfers of such data, Parties will ensure compliance with any obligations in respect of transfers to Third Countries and will provide appropriate safeguards pursuant to Articles 45-49 of the GDPR.
9. Data retention
9.1. Avast and Partner process personal data for the duration of provisioning Services to End Users, and further for the time necessary to comply with contractual and legal obligations or to protect legitimate interests of any of the Parties or the End Users (esp. when personal data is necessary for billing or defense of rights during the statutes of limitation).
9.2. Should these Terms cease to exist for any reason and/or the provision of services relating to processing ends, the Parties undertake to agree on the transition of processing and services related to processing being carried out on the basis of or in connection with these Terms. This does not apply if Avast and/or Partner has legitimate grounds to further process personal data due to contractual obligations, legal obligations or legitimate interests (esp. when personal data is necessary for billing or defense of rights during the statutes of limitation).
10. Security incidents
10.1. Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, End User Personal Data on systems managed by or otherwise controlled by Avast and/or Partner. “Security Incidents” will not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other similar network attacks on firewalls or networked systems which do not compromise the safety and security of personal data.
10.2. Incident Notification. If Avast and/or Partner become aware of a Security Incident, they will: (a) notify the other contracting party of the Security Incident promptly and without undue delay after becoming aware of the Security Incident; and (b) promptly take reasonable steps to minimize harm and secure personal data.
10.3. Details of Data Incident. Notices made pursuant to this section will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps Avast or Partner recommend to take to address the Security Incident.
10.4. Delivery of Notices. Notice(s) of any Security Incident(s) will be delivered to [email@example.com] or, at Avast’s and/or Partner’s discretion, by direct communication (for example, by phone call or an in-person meeting). Partner is solely responsible for ensuring that the contact details are current and valid.
10.5. Notices of Third Parties. Partner is solely responsible for: (a) complying with incident notification laws applicable to Partner and fulfilling any third-party notification obligations related to any Security Incident(s); and (b) notifying each End User affected by a Security Incident without undue delay.
10.6. No Acknowledgement of Fault by Avast. Avast notification of or response to a Security Incident under this section will not be construed as an acknowledgement by Avast of any fault or liability with respect to the Security Incident.
11. Use of Services
11.1. Partner is solely responsible for its and End Users’ use of the Services, including:
11.1.1. making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of End User Personal Data;
11.1.2. securing the account authentication credentials, systems and devices Partner and End Users use to access the Services;
11.1.3. backing up End User Personal Data;
12. Security of personal data
12.1. Avast security measures
12.1.1. Avast will implement and maintain within its Services technical and organizational measures to protect data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 1 (the "Security Measures").
12.2. Partner security measures
12.2.1. Partner agrees that, without prejudice to Avast’s obligations under Section 12.1 (Avast security measures) and Section 10 (Security incidents) as between Partner and Avast:
- Avast has no obligation to protect End User Personal Data that Partner, or its End Users elect to store or transfer outside of Avast’s and its Contractors’ systems (for example, offline or on-premise storage).
13. Audits and compliance reviews
13.1. Audit Rights.
13.1.1. If the European Data Protection Legislation applies to the processing of End User Personal Data, Parties will ensure ongoing compliance with obligations set by the GDPR, including monitoring, regular reviews and improvements of the security safeguards and documentation.
13.1.2. In order to document their compliance, Parties may conduct internal or third-party audits (including inspections). As regards processing of End User Personal Data, Parties will assist each other and contribute to such audits by providing necessary documentation.
13.1.3. Parties may also conduct an audit to verify compliance with obligations under these Terms by reviewing available security documentation (which may also reflect the outcome of audits conducted by third party auditors).
13.2. Terms for audits and reviews.
13.2.1. Party requesting an audit must send any requests for audits or reviews of documentation to firstname.lastname@example.org.
13.2.2. Following the receipt of the request according to section 13.2.1, Parties will discuss and agree in advance on: (i) the reasonable date(s) of and security and confidentiality controls applicable to any review of the safeguards and/or security documentation; and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under this Section.
13.2.3. Party requested to conduct an audit may charge a fee (based on Party’s reasonable costs) for any review of the documentation and/or audit under this Section. Parties will provide each other with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Party requesting an audit will be responsible for any fees charged by any auditor appointed by that Party to execute any such audits.
13.2.4. Party requested to conduct an audit may object in writing to an auditor appointed by Party requesting an audit to conduct any audit under this Section if the auditor is, in Party’s reasonable opinion, not suitably qualified or independent, a competitor of Party requested to conduct an audit, or otherwise manifestly unsuitable. Any such objection will require the other Party to appoint another auditor or conduct the audit itself.
14. Third Party Beneficiary
14.1. Avast Software s.r.o. Notwithstanding anything to the contrary in the Agreement, where Avast Software s.r.o. is not a party to the Agreement, Avast Software s.r.o. will be a third party beneficiary of relevant rights under these Terms, including without limitation, Section 5.2 (Objection to Contractor Engagement), Section 7 (Impact assessments and Consultations) and Section 13 (Audits and Compliance Reviews).
14.2. Other Third Parties. Except as expressly provided herein and subject to Section 14.1, no one other than a party to the Agreement shall have any right to enforce any of these Terms. For the avoidance of doubt, this includes End Users, who shall not have any right to enforce these Terms.
15. Effect of these Terms
15.1. Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between these Terms and the remaining terms of the Agreement, these Terms shall prevail.
Appendix 1: Security Measures
As from the Terms Effective Date, Avast will implement and maintain the Security Measures set out in this Appendix 1. Avast may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
1. Data Transmission and Threat Management
Data Transmission. Individual Avast Affiliates are typically connected via high-speed private links to provide secure and fast data transfer between them. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Avast transfers data via Internet standard protocols.
External Attack Surface. Avast employs multiple layers of network devices and intrusion detection to protect its external attack surface. Avast considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.
Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Avast’s intrusion detection involves:
1. tightly controlling the size and make-up of Avast’s attack surface through preventative measures;
2. employing intelligent detection controls at data entry points; and
3. employing technologies that automatically remedy certain dangerous situations.
Vulnerability management. Avast conducts regular scanning of its entire infrastructure to ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Incident Response. Avast monitors a variety of communication channels for security incidents, and Avast’s security personnel will react promptly to known incidents.
Encryption Technologies. Avast uses HTTPS encryption (also referred to as SSL or TLS connection).
2. Site and Access Controls
(a) Site Controls.
On-site Data Center Security Operation. Avast maintains an on-site security operation responsible for all physical security functions.
Access Procedures for Avast Premises. Avast maintains formal access procedures for allowing physical access to its premises. The entrance into the premises requires electronic card key access. All entrants to the premises are required to identify themselves as well as show proof of identity. Only authorized employees, contractors and visitors are allowed entry.
On-site Security. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations is restricted based on the individual’s job responsibilities. CCTV cameras are in operation both inside and outside the premises. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the building, and elevator access. On-site personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 30 days based on activity.
(b) Access Control.
Infrastructure Security Personnel. Avast has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Avast’s security personnel are responsible for the ongoing monitoring of Avast’s security infrastructure and responding to security incidents.
Access Control and Privilege Management. Partner’s administrators must authenticate themselves via a central authentication system or via a single sign on system in order to administer the Services.
Internal Data Access Processes and Practices. Avast’s internal data access processes are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Avast designs its systems to (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Avast employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. Avast requires the use of strong authentication to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis.
3. Data Storage, Isolation and Logging
Avast stores data in a multi-tenant environment on Avast-owned or Avast-leased servers. The data and file system architecture are replicated between multiple geographically dispersed data centers. Avast also logically isolates the Partner’s data. Partner will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable Partner to determine the product sharing settings applicable to Partner End Users for specific purposes. Partner may choose to make use of certain logging capability that Avast may make available via the Services.
4. Personnel Security
Avast personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
Personnel are required to execute a confidentiality agreement. Personnel are provided with security and data protection training.
5. Contractor Security
Before onboarding contractors, Avast conducts an assessment of the security and privacy practices of contractors to ensure contractors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Avast has assessed the risks presented by the contractor, the contractor is required to enter into appropriate security, confidentiality and privacy contract terms.