Data Processing Addendum
1. Introduction
This DPA supplements the Agreement between you (the "Customer", acting as controller) and Avalon (acting as processor) for the provision of the Service. It applies to the extent Avalon processes Personal Data that is subject to applicable Data Protection Laws on Customer's behalf.
2. Definitions
Capitalized terms not defined here have the meaning in the Agreement. "Data Protection Laws" means all privacy and data protection laws applicable to the processing, including the EU/UK GDPR, U.S. state privacy laws, Colombia's Ley 1581 de 2012 and Decreto 1377 de 2013, and Brazil's LGPD. "Personal Data", "controller", "processor", "data subject", and "processing" have the meanings given in the GDPR (and their equivalents under other Data Protection Laws, such as responsable and encargado).
3. Roles & scope of processing
Customer is the controller and Avalon is the processor of Customer Personal Data. The subject matter is the provision of the Service; the duration is the term of the Agreement plus the deletion period; the nature and purpose is hosting, ingesting, normalizing, analyzing, and presenting marketing data and generating reports and AI output. The types of data and categories of data subjects are those contained in Customer Data, typically business contacts and aggregated marketing performance data ingested from Connected Platforms.
4. Processing instructions
Avalon will process Customer Personal Data only on documented instructions from Customer, including those in the Agreement and as necessary to provide the Service, unless required by law (in which case Avalon will inform Customer unless legally prohibited). Avalon will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
5. Confidentiality of personnel
Avalon ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and are trained on their data-protection responsibilities, on a need-to-know basis.
6. Security measures
Avalon implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in our Security page. These include encryption in transit and at rest, multi-tenant isolation, access controls, logging and monitoring, and resilience and recovery procedures.
7. Subprocessors
Customer provides general authorization for Avalon to engage subprocessors to process Customer Personal Data. Avalon maintains a current list of subprocessors at /legal/subprocessors, imposes data-protection obligations on each subprocessor no less protective than this DPA, and remains responsible for their performance. Avalon will give notice of new subprocessors and a reasonable opportunity to object on legitimate data-protection grounds.
8. Assisting with data subject requests
Taking into account the nature of the processing, Avalon will assist Customer with appropriate technical and organizational measures, insofar as possible, to respond to data subject requests to exercise their rights. If Avalon receives a request directly from a data subject relating to Customer Personal Data, it will, where permitted, direct the data subject to Customer.
9. Personal data breach notification
Avalon will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to assist Customer in meeting its own notification obligations.
10. International transfers
Where processing involves transferring Personal Data across borders to a country without an adequacy decision, the parties rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK Addendum, the international-transfer mechanisms under Colombia's Decreto 1377, and Brazil's ANPD-approved Standard Contractual Clauses, which are incorporated into this DPA by reference and completed with the details in the Agreement and the subprocessor list.
11. Audits
Avalon will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor it mandates, subject to reasonable confidentiality and security conditions. Avalon may satisfy audit requests by providing third-party certifications and reports (such as SOC 2) where available.
12. Return & deletion of data
On termination of the Service, and at Customer's choice, Avalon will delete or return Customer Personal Data, and delete existing copies, unless retention is required by law. Routine backups are deleted on their ordinary cycle.
13. Liability & order of precedence
Each party's liability under this DPA is subject to the limitations of liability in the Agreement. In the event of a conflict between this DPA and the rest of the Agreement on data protection, this DPA prevails; and the Standard Contractual Clauses prevail over this DPA where they apply.
14. How to execute this DPA
This DPA is incorporated into the Agreement by reference and applies automatically where Avalon acts as your processor. If your organization requires a countersigned copy or has specific regulatory requirements, contact legal@avaloncol.com or privacy@avaloncol.com.