Last Updated: September 29, 2025
About This Agreement
This Data Processing Agreement (“DPA”) forms part of every Avontus Software End User License Agreement between Avontus Software (including Avontus Software Ltd, 31 High Street Back, Ely, Cambs, CB7 4WH, United Kingdom, and Avontus Software Corporation, 2162 Spring Stuebner Rd, Suite 140, Box 5003, Spring, TX 77389, United States) and its customers.
This DPA applies automatically whenever Avontus processes Personal Data on behalf of a customer subject to the UK General Data Protection Regulation (UK GDPR) or the EU General Data Protection Regulation (EU GDPR), without the need for a separate signature.
By entering into any Avontus End User License Agreement, you also agree to this DPA.
This DPA applies to all Avontus products and services, including ScaffoldIQ, Quantify, Avontus Designer, Avontus Viewer, and Handset Designer.
1. Subject Matter and Duration
This DPA governs Avontus’s processing of Personal Data on behalf of the Customer (the “Controller”) in connection with the services described in the applicable End User License Agreement (“EULA”). Processing shall continue for the duration of the applicable EULA, unless otherwise required by law.
2. Nature and Purpose of Processing
Avontus processes Personal Data provided by the Controller (“Customer Data”) as necessary to:
- Provide, maintain, and support Avontus products and services;
- Host and store Customer Data;
- Perform analytics to improve services (in aggregated and anonymized form);
- Provide technical support and respond to service requests; and
- Comply with legal and regulatory obligations.
3. Types of Personal Data and Categories of Data Subjects
- Personal Data: names, email addresses, user IDs, job titles, signatures, photos, inspection or job data, and any other data entered by the Customer or its users.
- Data Subjects: Customer’s employees, contractors, site personnel, and other individuals whose Personal Data is input by the Customer.
4. Controller Responsibilities
The Customer determines the purposes and means of processing and is responsible for compliance with applicable data protection laws. The Customer ensures it has obtained all necessary consents or lawful bases for Avontus to process Personal Data under this DPA.
5. Processor Obligations
Avontus shall:
- Process only on instructions: Process Personal Data only on documented instructions from the Customer, including with respect to cross-border transfers, unless required by law (in which case Avontus shall notify the Customer unless prohibited by law).
- Confidentiality: Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
- Security: Implement appropriate technical and organizational measures to protect Personal Data, including:
- Role-based access controls and authentication (including MFA)
- Encryption at rest and in transit
- Regular backups and secure storage
- Security monitoring and intrusion detection
- Incident response and breach notification
- Employee security training and confidentiality agreements
- Periodic penetration testing and vulnerability assessments
- Assistance: Assist the Customer with data subject requests, impact assessments, and breach notifications as required by law.
- Breach Notification: Notify the Customer without undue delay after becoming aware of a Personal Data Breach.
- Deletion/Return: Upon termination, delete or return Personal Data at the Customer’s direction, unless retention is required by law.
- Audits: Make available information necessary to demonstrate compliance and allow audits once per year upon 30 days’ written notice.
6. Subprocessors
The Customer authorizes Avontus to use the following subprocessors to support the delivery of its products and services:
| Subprocessor | Purpose | Location |
|---|---|---|
| Microsoft Corporation (Azure) | Cloud hosting, database services, email, and document storage | Global / United States |
| Pipedrive | Customer relationship management and sales pipeline tracking | European Union |
| Atlassian Pty Ltd (Jira, Confluence) | Support ticketing and documentation | United States / EU |
Avontus may engage additional subprocessors as needed and will update this list by revising this page and updating the “Last Updated” date. The Customer may object in writing within 30 days of any change; if unresolved, the Customer may terminate the affected services.
7. International Data Transfers
Where Avontus transfers Personal Data outside the UK or EEA to a country not subject to an adequacy decision:
- Transfers from the EEA are governed by the EU Standard Contractual Clauses (SCCs) (Module 2 – Controller to Processor);
- Transfers from the UK incorporate the UK Addendum to the SCCs issued by the UK Information Commissioner’s Office.
These clauses are incorporated by reference and prevail in the event of conflict.
8. Data Subject Rights
Avontus shall promptly forward any request received from a data subject to the Customer and shall not respond except on the Customer’s documented instructions.
9. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set forth in the applicable EULA.
10. Term and Termination
This DPA remains in effect for as long as Avontus processes Personal Data on behalf of the Customer. Upon termination, Avontus shall delete or return Personal Data as required under Section 5 and applicable law.
11. Contact Information
For privacy or data protection inquiries under this DPA, please contact: Email: accounting@avontus.com
12. Miscellaneous
In the event of conflict between this DPA and the EULA, this DPA controls with respect to data protection matters. This DPA is governed by the same law and jurisdiction as the applicable EULA.
