Data Processing Addendum
Last updated:
Parties
Supplier: Vivantio Limited (registered in England, company number 4952363) and Vivantio, Inc.
Client: The entity identified in the Order Form.
Definitions
In this Data Processing Addendum ("DPA"), the following terms have the meanings set out below:
- Client Data: All data submitted by or on behalf of the Client to the Services, including any Personal Data.
- Controller: Has the meaning set out in the Data Protection Laws and Regulations.
- Data Protection Laws and Regulations: All applicable laws and regulations relating to the processing, privacy, and use of Personal Data, including where applicable the GDPR and the UK GDPR.
- Data Subject: Has the meaning set out in the Data Protection Laws and Regulations.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), and where applicable the UK version retained in domestic law pursuant to the European Union (Withdrawal) Act 2018.
- Losses: All losses, liabilities, damages, costs, and expenses.
- Personal Data: Has the meaning set out in the Data Protection Laws and Regulations.
- Processing / Process: Has the meaning set out in the Data Protection Laws and Regulations.
- Processor: Has the meaning set out in the Data Protection Laws and Regulations.
- Supervisory Authority: Has the meaning set out in the Data Protection Laws and Regulations.
Background
This DPA forms part of the contract agreement between the Supplier and the Client, together with the Standard Terms and Conditions.
This DPA may be updated by the Supplier from time to time. Material changes shall be notified to the Client in writing.
1. Processing of Personal Data
1.1 Roles of the Parties
The Client is the Controller and the Supplier is the Processor.
1.2 Client's Processing of Personal Data
The Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Client bears responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquired the Personal Data.
1.3 Supplier's Processing of Personal Data
The Supplier shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with the Client's documented instructions for the following purposes:
- Processing in accordance with the Agreement and applicable Order Forms;
- Processing initiated by Authorised Users in their use of the Services; and
- Processing to comply with other documented reasonable instructions provided by the Client.
1.4 Details of Processing
The subject-matter, nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Data Subjects, are as specified in Schedule 1 of this DPA.
1.5 Sub-Processors
The Supplier will not permit any processing of the Client's Personal Data by any agent, subcontractor, or other third party that the Client has not been made aware of via this DPA, without written authorisation from the Client. The Supplier's current sub-processors are listed in Schedule 1.
2. Rights of Data Subjects
2.1 Data Subject Requests
The Supplier shall, to the extent legally permitted, promptly notify the Client if the Supplier receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, right to restriction of Processing, right to erasure ("right to be forgotten"), right to data portability, right to object to the Processing, or right not to be subject to automated individual decision-making ("Data Subject Request").
Taking into account the nature of the Processing, the Supplier shall assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client's obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
3. Supplier's Personnel
3.1 Confidentiality
The Supplier shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
3.2 Reliability
The Supplier shall take commercially reasonable steps to ensure the reliability of any Supplier personnel engaged in the Processing of Client Data.
3.3 Limitation of Access
The Supplier shall ensure that Supplier's access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4. Security
4.1 Controls for the Protection of Client Data
The Supplier shall maintain appropriate technical and organisational measures for protection of the security (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss, alteration or damage, unauthorised disclosure of, or access to, Client Data), confidentiality and integrity of Client Data.
The Supplier will not materially decrease the overall security of the Services during a subscription term.
4.2 Audits
The Supplier shall, on reasonable notice, allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of Personal Data by the Supplier.
5. Client Data Incident Management and Notification
5.1 Incident Response
The Supplier maintains security incident management policies and procedures and shall notify the Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Data transmitted, stored or otherwise Processed by the Supplier or its Sub-Processors of which the Supplier becomes aware ("Client Data Incident").
These obligations do not apply to incidents caused by the Client or the Client's users.
6. Return and Deletion of Client Data
6.1 Data Handling Upon Termination
The Supplier shall return Client Data to the Client at the termination of the Agreement or, where not technically feasible, delete Client Data in an appropriate manner and provide the Client with certification of such deletion within a reasonable time following the Client's request.
7. European Specific Provisions
7.1 GDPR
The Supplier will Process Personal Data in accordance with the GDPR requirements directly applicable to the Supplier's provision of its Services.
7.2 Data Protection Impact Assessment
Upon the Client's request, the Supplier shall provide the Client with reasonable cooperation and assistance needed to fulfil the Client's obligation under the GDPR to carry out a data protection impact assessment related to the Client's use of the Services, to the extent the Client does not otherwise have access to the relevant information.
7.3 Transfer Mechanisms for Data Transfers
The Supplier will not transfer Client Data from the UK or the EEA to countries which are not deemed to provide an adequate level of data protection without ensuring that such transfers are subject to appropriate safeguards, including the use of Standard Contractual Clauses (SCCs) as approved by the European Commission or the UK Information Commissioner's Office.
Where data is transferred to US-based data centers, such transfers are subject to Standard Contractual Clauses or other lawful transfer mechanisms.
Schedule 1 – Details of Processing
Nature and Purpose of Processing
Processing is necessary to perform the Services as described in the Agreement and Documentation, including providing the Vivantio platform and associated support services.
Duration of Processing
Subject to Section 6 of the DPA, the Supplier will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Categories of Data Subjects
Personal Data may relate to the following categories of Data Subjects:
- Prospects, customers, and business partners of the Client;
- Vendors and suppliers of the Client;
- Employees and contractors of the Client; and
- Authorised Users of the Services.
Type of Personal Data
Categories of Personal Data may include:
- Names, titles, and contact information (email, phone, address);
- Identity data (usernames, account credentials);
- Professional and organisational information;
- Connection data and usage logs; and
- Localisation data.
Sub-Processors
The Supplier uses the following authorised sub-processors in connection with the provision of the Services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Infrastructure as a Service (IaaS) — cloud hosting | EU / UK / US |
| Redstor | Online backup solutions | UK |
| Managed 24/7 | First line support services | UK |
| DataDog | Monitoring and observability tools | US |
| UserPilot | Product usage statistics and onboarding | US |