Vivantio
Pricing
Compare
ToursLoginGet a demo
IT Service Management

Enterprise ITSM without the overhead

Full ITIL, CMDB, AI Assist and multi-department ESM. Delivered by a dedicated consultant in weeks, not months.

  • Full ITIL, incident, change, problem
  • CMDB included, not tier-gated
  • Live in 3–4 weeks, every time
Explore ITSM
Other key solutions
Customer ServiceAI-enabled support at scaleEnterprise Service MgmtOne platform, all departments
By team / industry
TechnologyMSPs and IT service providersISVsEmbed service managementHuman ResourcesPeople services and onboardingFacilitiesSpace, maintenance and estatesFinance & LegalCompliance-led workflowsGRCPolicy, risk and audit
Vivantio AI

AI across your whole service operation

Assist agents in the moment, deflect with smart self-service, and turn service data into insight, not a chatbot bolted on.

For customersAI AssistFor agentsAI EnrichFor managersAI Optimize
Explore all Vivantio AI
Service Management
ITSM / ITILIncident, problem & changeAsset Management & CMDBVisibility of your estateAsset DiscoveryFind & map automaticallyKnowledge ManagementAnswers that scaleService CatalogStructured request formsService Level ManagementSLAs tracked, breaches caught
Automate & Configure
AutomationTrigger work, end to endWorkflowStages, routing & approvalsCustomizationForms, fields & layoutsPersonalized WorkspaceRight info, right timeDigital Self ServiceDeflect tickets, delight usersBusiness Intelligence & ReportingDashboards from your dataCRMContext on every customer
Latest integrations
JiraSalesforceWhatsAppBambooHRMicrosoft IntuneHubSpot
All integrationsDiscover all features
Learn
BlogITIL Resource LibraryBest PracticesIT Service ManagementCustomer Service ManagementEnterprise Service Management
Insights
Case StudiesVideosWebinarsWhitepapersReports
Featured guide

The Buyer's Guide to Service Management Software

Get the guide
Vivantio
By need
IT Service ManagementCustomer ServiceEnterprise Service Management
By team / industry
Technology & Service ProvidersSoftware Vendors (ISVs)Human ResourcesFacilitiesFinance & LegalGovernance, Risk & Compliance
Vivantio AI
AI Assist for customersAI Enrich for agentsAI Optimize for managersAll Vivantio AI →
Service Management
ITSM / ITILAsset Management & CMDBAsset DiscoveryKnowledge ManagementService CatalogService Level Management
Automate & Configure
AutomationWorkflowCustomizationPersonalized WorkspaceDigital Self ServiceBusiness Intelligence & ReportingCRM
More
All integrationsDiscover all features
Pricing
Learn
BlogITIL Resource LibraryBest Practices
Insights
Case StudiesVideosWebinarsWhitepapersReports
Compare
Get a demoTake a self-guided tour

Contents

  1. Preamble
  2. 1. Definitions
  3. 2. Data Processing Details
  4. 3. Processing of Customer Personal Data
  5. 4. Personnel and Sub-Processors
  6. 5. Transfers
  7. 6. Security and Breach Notification
  8. 7. Assistance
  9. 8. Deletion or Return of Data
  10. 9. Information Requests and Audits
  11. 10. Liability
  12. Annex 1 — Sub-Processor List
  13. Annex 2 — Security Measures
← All agreements
Legal

Data Processing Addendum

Last revised: 01 June 2026

Preamble

This Data Processing Addendum (this "Addendum") is incorporated into and forms part of the Vivantio Master Contract for the Supply of Service Agreement ("Agreement") between Customer and the Vivantio contracting entity identified in the Agreement ("Company") and governs the Processing of Personal Data in connection with the Services. Except as expressly modified by this Addendum, the terms of the Agreement remain in full force and effect. In the event of any conflict between the Agreement and this Addendum, the terms of this Addendum will prevail. For clarity, this Addendum takes effect from the effective date of the Agreement and continues until the later of the termination of the Agreement or the completion of the Company's Processing of Customer Personal Data under the Agreement.

1. Definitions

In this Addendum, the following words and expressions have the following meanings:

"Customer Personal Data" means Personal Data Processed by the Company as Processor on behalf of Customer pursuant to the performance of the Services and as described in Section 2.2.

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" all have the meanings given to those terms in Data Protection Laws (and related terms such as "Process", "Processes" and "Processed" shall have corresponding meanings).

"Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy as applicable to the parties and/or to the Processing of Personal Data under the Agreement, including without limitation, United States data protection and privacy laws, including the California Consumer Privacy Act, Cal. Civ., (the "CCPA"), the EU General Data Protection Regulation 2016/679 ("EU GDPR"); the EU GDPR in such form as incorporated into the laws of the United Kingdom ("UK GDPR" and together with the EU GDPR "GDPR"); the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection of 25 September 2020 ("Swiss FADP"); and any associated implementing legislation and regulations, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time.

"EU Standard Contractual Clauses" means the Annex to the European Commission's decision of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries which do not ensure an adequate level of data protection pursuant to the EU GDPR, with "Module 2" or "Module 3" selected (as appropriate), which covers transfers of Personal Data to a Processor.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Customer Personal Data.

"Services" means the services provided by the Company pursuant to the Agreement.

"Sub-Processor" means any vendor, supplier or subcontractor of the Company authorized to Process Customer Personal Data on behalf of the Company.

"UK International Data Transfer Addendum" means the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (as it is revised under its Section 18) to facilitate the international transfer of Personal Data in compliance with the UK GDPR.

2. Data Processing Details and Compliance

The Parties acknowledge that in respect of Customer Personal Data, the Company is a Processor Processing Personal Data on behalf of Customer as Controller. Each Party shall comply with its obligations under Data Protection Laws as relates to Customer Personal Data.

Details of Customer Personal Data Processed by the Company under the Agreement are as follows:

Subject Matter, Nature and Purpose of Processing. The Company's provision of the Services under the Agreement.

Duration of Processing. Processing of Customer Personal Data by the Company shall be for the term of the Agreement and in accordance with the Company's retention obligations under the Agreement and this Addendum.

Personal Data in Scope. Customer may submit Personal Data to the Company's platform, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to: first and last name; title; position; employer; contact information (company, email, phone, physical business address); ID data; professional life data; personal life data; connection data; and localization data.

Category of Data Subjects. Customer may submit Personal Data to the Company's platform, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects: prospects, customers, business partners and vendors of Customer (who are natural persons); employees or contact persons of Customer's prospects, customers, business partners and vendors; employees, agents, advisors, freelancers of Customer (who are natural persons); and Customer's users authorized by Customer to use the Services.

The Company shall be an independent Controller and Business with respect to its Processing of Personal Data in connection with: the execution and administration of the Agreement (including contact details of Customer personnel/representatives); the Company's creation and maintenance of User accounts on the Company platforms; and the processing of Personal Data and platform usage data for analytics and improvement of the Company products and services. The parties agree that the Personal Data described under this Section 2.3 does not form part of Customer Personal Data.

3. Processing of Customer Personal Data

Customer represents and warrants that, in connection with its use of the Services, transfer of Customer Personal Data to the Company and provision of instructions to the Company as Processor of Customer Personal Data: (a) Customer has provided or will provide all necessary notices to all Data Subjects of Customer Personal Data as required under Data Protection Laws; (b) Customer has received all necessary permissions, consents, or approvals and otherwise secured a valid legal basis of Processing to facilitate the Company's Processing of Customer Personal Data in accordance with the terms of the Agreement and Data Protection Laws; (c) the Company's Processing of Customer Personal Data in accordance with Customer's instructions will not cause the Company to violate any applicable law; and (d) Customer shall have responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired such data. To the extent permitted by applicable law, Customer shall indemnify and keep the Company indemnified on demand from and against all damages, liabilities, demands, costs, expenses, claims, actions and proceedings (including legal and other professional fees and expenses, fines, penalties and loss of profit) suffered or incurred by the Company arising out of or in connection with any breach of this Section 3.1 by Customer.

The Company shall Process Customer Personal Data in accordance with Customer's prior written instructions agreed between the Parties (including as set out in the Agreement) unless the Company is required to otherwise Process Customer Personal Data by applicable laws. The Company is hereby instructed to Process Customer Personal Data for the purposes of providing the Services. Where the Company is required by applicable laws to Process Customer Personal Data other than in accordance with Customer's instructions, prior to any such Processing and to the extent permitted by applicable laws, the Company shall notify Customer in writing of that legal requirement prior to Processing Customer Personal Data.

With respect to the Processing of Customer Personal Data that is subject to the CCPA, the Company shall further not: (a) retain, use, or disclose Customer Personal Data outside of the direct business relationship between the Parties; (b) "sell" or "share" (as such terms are defined under applicable Data Protection Laws) Customer Personal Data; or (c) combine Customer Personal Data with Personal Data that the Company receives from or on behalf of any other person or entity, or collects from its own interactions with Data Subjects, except as permitted by applicable Data Protection Laws.

The Company shall promptly inform Customer if, in its reasonable opinion, an instruction from Customer under this Addendum infringes Data Protection Laws. The Company shall be entitled to suspend the relevant Processing of Customer Personal Data (other than storing and securing the affected data) until Customer has confirmed or modified the instruction to ensure compliance with Data Protection Laws.

4. Company Personnel and Sub-Processors

The Company shall ensure that all Company personnel authorized to Process Customer Personal Data are either subject to binding written contractual obligations or statutory obligations to keep Customer Personal Data confidential.

Customer authorizes the Company to engage the Sub-Processors included in the Sub-Processor list set out in Annex 1 ("Sub-Processor List"). Where the Company intends to engage any additional Sub-Processor not already approved on the Sub-Processor List, prior to engaging the Sub-Processor, the Company shall notify Customer of the proposed engagement of the Sub-Processor giving Customer the opportunity to object. Customer shall be entitled to make a written objection to the proposed engagement (with respect to confidentiality and data protection compliance concerns) within 20 days of the Company providing notice to Customer under this Section. If no objection is received within the timeframe under this Section, Customer is deemed to have authorized the engagement of such Sub-Processor.

Where Customer raises a reasonable objection to the use of a proposed Sub-Processor in accordance with this Section, the Company may at its option: (i) use reasonable endeavours to remedy the situation giving rise to the reasonable objection; or (ii) propose an alternative Sub-Processor to conduct the relevant Processing. If the Company is unable to remedy the situation or propose an alternative Sub-Processor within thirty (30) days from receipt of Customer's objection (or such other period as the Parties may agree in writing), either Party may terminate the Agreement or the applicable Services schedule or order form without penalty by providing written notice to the other Party, but only to the extent the affected Services cannot be provided without the objected-to Sub-Processor. Termination shall not relieve Customer of its payment obligation under the Agreement.

The Company shall ensure that prior to permitting any Sub-Processor to Process Customer Personal Data, the Sub-Processor has entered into a binding written agreement with the Company that imposes obligations substantially equivalent to the obligations imposed on the Company as a Processor under this Addendum. The Company shall remain fully liable to Customer for the performance of the Sub-Processor's data protection obligations concerning Customer Personal Data in the event the Sub-Processor fails to fulfil those obligations.

5. Transfers

With respect to the Company's Processing of Customer Personal Data subject to the GDPR and Swiss FADP, to the extent an appropriate transfer safeguard is required under Data Protection Laws:

(a) EU GDPR. For Customer Personal Data subject to the EU GDPR, the Parties agree to comply with the provisions of the EU Standard Contractual Clauses ("EU SCCs") which are incorporated into this Addendum by reference and modified as follows: (i) Annex I of the EU SCCs — details of the parties will include Customer (as data exporter) and the Company (as data importer), contact information will be as provided by the Parties from time to time, description of the transfers shall be completed with the corresponding details as set out in Section 2.2 of this Addendum, transfers are "continuous" and the competent supervisory authority is determined in accordance with Clause 13 of the EU SCCs; (ii) Annex II to the EU SCCs — the technical and organizational measures shall be completed with the relevant information as set out in Annex 2 of this Addendum; (iii) Clause 7 (Docking Clause), which is optional, is included; (iv) Clause 9 (Sub-processors) — option 1 shall apply and the time period for notification of a proposed Sub-Processor will be as set out in Section 4.2 of this Addendum; (v) Clause 11 (Redress) contains an optional clause which is excluded; (vi) Clause 13 (Supervision) — the option applicable to the relevant data transfers under this Addendum is selected; (vii) Clause 17 (Governing law) shall be the laws of Ireland; (viii) Clause 18 (Choice of forum and jurisdiction) is amended so that the courts that have jurisdiction are the courts of Ireland.

(b) Swiss FADP. For Customer Personal Data subject to the Swiss FADP, the Parties agree to comply with the provisions of the EU SCCs as set out and modified by Section 5.1(a) of this Addendum and as further amended as follows: (i) the term "Member State" according to Clause 18(c) of the EU SCCs shall not be interpreted in such a way that data subjects in Switzerland are excluded from exercising their rights, if any, at their place of habitual residence; (ii) any references to EU legislation, EU authorities and the EU Member States in the EU SCCs are amended to reflect corresponding Switzerland legislation, Switzerland authorities and Switzerland as appropriate; (iii) the Supervisory Authority selected for the purposes of Clause 13 (Supervision) of the EU SCCs is the Swiss Federal Data Protection and Information Commissioner (FDPIC); and (iv) Clause 17 (Governing law) of the EU SCCs shall refer to the law of Switzerland as the governing law and Clause 18 (Choice of forum and jurisdiction) shall refer to the Swiss courts as the proper forum and jurisdiction for disputes and legal proceedings arising.

(c) UK GDPR. For Customer Personal Data subject to the UK GDPR, the Parties agree to comply with the provisions of the UK International Data Transfer Addendum ("UK IDTA") which are incorporated into this Addendum by reference and modified as follows: (i) the date to be included in Table 1 of the UK IDTA is the effective date of this Addendum; (ii) for Table 1 and Table 3 of the UK IDTA, the parties' details, description of the transfer and technical and organizational measures are completed with the relevant information referenced in Section 5.1(a) of this Addendum; (iii) for Table 2 of the UK IDTA, information about the version of the EU Standard Contractual Clauses, modules and selected clauses which the UK IDTA is appended to shall reference the EU Controller to Processor Standard Contractual Clauses as modified by Section 5.1(a) of this Addendum; (iv) for Table 4 of the UK IDTA, both the Importer and the Exporter may end the UK IDTA in accordance with its terms; and (v) Part 2 (Mandatory Clauses) of the UK IDTA shall be deemed completed with the following provision: "Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses".

6. Security and Personal Data Breach Notification

The Company shall implement and maintain appropriate technical and organizational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Customer Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, including as set out in Annex 2.

The Company shall notify Customer without undue delay on becoming aware of a Personal Data Breach and provide Customer with details of the Personal Data Breach as required under Data Protection Laws. To the extent available, the details of the Personal Data Breach provided shall include:

  • the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the Personal Data Breach; and
  • a description of the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach.

7. Assistance

At Customer's written request (taking into account the nature of Processing and the information available to the Company), the Company shall provide Customer with reasonable assistance, at Customer's cost:

  • using appropriate technical and organizational measures, in complying with any requests received from Data Subjects of Customer Personal Data exercising Data Subject rights under Data Protection Laws;
  • to enable Customer to conduct data protection impact assessments and consultations with a Supervisory Authority, where Customer is required to do so under Data Protection Laws, to the extent Customer does not otherwise have access to the relevant information;
  • to assist Customer in complying with its obligation to implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data in line with Section 6; and
  • to assist Customer in complying with its obligation to notify a Personal Data Breach to competent authorities and/or affected Data Subjects, where Customer is required to do so under Data Protection Laws.

8. Deletion or Return of Data

The Company will delete (or, at the election of Customer, return before such deletion, in a format reasonably determined by the Company, provided that any expenses associated with such transfer are agreed between the Parties in advance) all Customer Personal Data in the possession or control of the Company, within thirty (30) business days after the termination of the Agreement, unless retention is permitted under applicable law, or as otherwise agreed in writing with Customer.

9. Information Requests and Audits

The Company shall, on reasonable request from Customer, make available to Customer all information necessary to demonstrate the Company's compliance with its obligations under this Addendum. The Company shall allow for audits (including inspections), at Customer's cost, conducted by Customer or a designated independent auditor agreed between the Parties, for the purpose of demonstrating the Company's compliance with its obligations under this Addendum. For the avoidance of doubt such audits shall be limited to once per calendar year except as required by a Supervisory Authority and the scope of any audit will be limited to the Company's policies, procedures, systems and controls relevant to the Processing of Customer Personal Data.

The Company's obligations under Section 9.1 of this Addendum are subject to Customer:

  • giving the Company reasonable prior notice of such information requests, audits and/or inspections being required by Customer, provided that such notice shall be no less than 20 business days, except where a shorter period is required by a Supervisory Authority;
  • ensuring that all information obtained or generated by Customer or the auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable laws); and
  • ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to the Company's business and the business of other customers of the Company.

10. Liability

Customer acknowledges that the Company is reliant on Customer for direction as to the extent to which the Company is entitled to Process Customer Personal Data on behalf of Customer in the provision of the Services. Consequently the Company will not be liable under the Agreement or this Addendum for any claim arising from any action or omission, to the extent that such action or omission resulted directly from Customer's instructions or from Customer's failure to comply with its obligations under applicable Data Protection Laws.

Notwithstanding any provisions to the contrary included in this Addendum, each Party's liability under or in connection with this Addendum will be limited in accordance with the liability provisions of the Agreement.

Annex 1 — Sub-Processor List

Sub-ProcessorDescription of Processing ActivitiesCountry LocationPrivacy Policy
Microsoft AzureInfrastructure as a Service for the Vivantio PlatformCanada, US, UK and EUPrivacy Policy
Managed 24/7Outsourced first line support servicesUKPrivacy Policy
DataDogMonitoring tools and systems for the Vivantio PlatformUSPrivacy Policy
UserPilotProduct usage statistics and engagement functionality within the Vivantio productUSPrivacy Policy
RedstorOnline backup solutionsUS, UKPrivacy Policy

Annex 2 — Technical and Organizational Security Measures

1. Certification Basis

The technical and organizational measures described in this Annex are implemented and maintained by Vivantio (the "Company") in connection with the processing of Customer Personal Data under the Data Processing Addendum to which this Annex is appended.

The Company's information security programme is independently assured through the following certifications and reports, which are maintained on a continuous basis:

ISO/IEC 27001 Certification — The Company holds a current ISO 27001 certification covering the design, operation and continual improvement of its Information Security Management System (ISMS).

SOC 2 Type 2 Assertion Report — The Company produces a SOC 2 report addressing the Trust Services Criteria relevant to the security, availability, and confidentiality of the Vivantio platform. The report is prepared in accordance with the AICPA's AT-C Section 205 attestation standards. Current reports are available to Customers on request and under a non-disclosure agreement.

Where measures are delivered in part through the Company's infrastructure providers (Microsoft Azure), the Company relies on those providers' own ISO 27001 certifications and SOC 2 Type II reports, copies of which are available from the respective providers' compliance portals. The Company's own controls operate at the application and operational layers above that infrastructure.

2. Specific Technical and Organizational Measures

The following measures are implemented by the Company as part of its ISMS and are within the scope of the ISO 27001 certification and SOC 2 report referenced above. Where a measure is partially or wholly delivered by an infrastructure sub-processor, this is noted.

Measure CategoryDescription of Measures Implemented
Encryption at RestAES-256 encryption is applied to all Customer Personal Data stored on the Vivantio platform. Database-level encryption is enforced across all production environments. Encryption key management is handled via the key management services of the underlying infrastructure providers (Microsoft Azure).
Encryption in TransitAll Customer Personal Data transmitted to or from the Vivantio platform is encrypted using TLS 1.2 or TLS 1.3. Unencrypted HTTP connections are rejected. Internal service-to-service communication within the platform is encrypted in transit.
PseudonymisationWhere technically feasible and proportionate, the Company applies pseudonymisation techniques to data used in non-production environments (e.g. development, testing) to reduce exposure of Customer Personal Data.
Access Control & User AuthenticationAccess to Customer Personal Data is restricted on a role-based, least-privilege basis. Multi-factor authentication (MFA) is enforced for all personnel with access to production systems and Customer Personal Data. Privileged access is subject to additional controls and periodic review. User access is reviewed at least quarterly and revoked promptly upon role change or departure.
Confidentiality of PersonnelAll Company personnel with access to Customer Personal Data are subject to binding confidentiality obligations as a condition of employment or engagement. Data protection awareness training is conducted at onboarding and on an annual basis.
Physical SecurityThe Company does not operate its own data centre facilities. Customer Personal Data is hosted on infrastructure provided by Microsoft Azure which maintain ISO 27001 certification and SOC 2 Type II reports covering physical security controls, including access controls, CCTV monitoring, and environmental protections. Company personnel do not have physical access to the underlying hardware.
Network SecurityThe Company employs network segmentation, firewall controls, and intrusion detection/prevention systems to protect the Vivantio platform. Production environments are logically separated from non-production environments. External-facing systems are protected by web application firewalls (WAF).
Availability, Resilience & Business ContinuityThe Vivantio platform is architected for high availability with redundant infrastructure across multiple availability zones via Microsoft Azure. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined and tested as part of the Company's business continuity and disaster recovery programme.
Backup & Data RecoveryCustomer Personal Data is backed up on a regular automated schedule. Backups are encrypted and stored in geographically separated locations. Restoration procedures are tested periodically to verify recoverability. Online backup solutions are provided by Redstor (as listed in Annex 1).
Logging & MonitoringThe Company maintains comprehensive audit logs of access events, administrative actions, authentication attempts, and data export activity. Logs are retained in accordance with the Company's log retention policy and monitored by the Company's infrastructure monitoring tooling (DataDog, as listed in Annex 1). Alerts are configured for anomalous or suspicious activity.
Vulnerability Management & Patch ManagementThe Company operates a vulnerability management programme covering regular vulnerability scanning of the Vivantio platform and supporting infrastructure. Security patches are assessed and applied in accordance with a risk-based patching policy, with critical patches applied within defined timescales. Penetration testing is conducted at least annually by a qualified third party.
Incident Response & Personal Data Breach ManagementThe Company maintains a documented incident response procedure, including a Personal Data Breach response process aligned to the notification obligations in Section 6 of this Addendum. The procedure covers identification, containment, investigation, notification, and post-incident review. The procedure is tested periodically.
Secure Development & Change ManagementThe Company follows secure development lifecycle (SDLC) practices, including security requirements definition, code review, and pre-release testing. Changes to the Vivantio platform are managed through a formal change management process. Security considerations are assessed as part of significant changes.
System Configuration & HardeningProduction systems are configured in accordance with hardening standards. Default credentials and unnecessary services are disabled. Configuration baselines are maintained and reviewed periodically.
Data MinimisationThe Company's platform is designed to process only the Customer Personal Data necessary for the provision of the Services. Customers are responsible for determining the categories and volume of data submitted to the platform. The Company does not enrich or combine Customer Personal Data with data from other sources for its own purposes.
Data Retention & ErasureCustomer Personal Data is retained only for the duration necessary to provide the Services and as set out in the Agreement and this Addendum. Automated deletion capabilities are available within the platform. Following termination of the Agreement, Customer Personal Data is deleted within the timescales set out in Section 8 of this Addendum. Anonymised or aggregated data that cannot identify any individual may be retained beyond this period.
Data PortabilityThe Company provides mechanisms for Customers to export Customer Personal Data from the platform in a structured, machine-readable format, including in accordance with the Company's obligations under the EU Data Act Addendum (where applicable).
Accountability & GovernanceThe Company maintains a documented information security policy, data protection policy, and associated procedures. These are reviewed at least annually. The Company has appointed a designated point of contact for data protection matters. Data protection obligations are embedded in supplier and sub-processor agreements as set out in this Addendum.
Sub-Processor SecurityPrior to engagement, Sub-Processors are assessed for their data protection and security posture. Sub-Processors are contractually required to implement technical and organizational measures at least equivalent to those set out in this Annex. Sub-Processor compliance is reviewed periodically.

3. Review and Updates

The measures described in this Annex are reviewed at least annually as part of the Company's ISMS management review process and updated to reflect material changes to the Company's security posture, technology, or risk environment. The Company will notify Customers of any material reduction in the level of security described in this Annex.

Customers may request a copy of the Company's current ISO 27001 certificate and SOC 2 report at any time by contacting the Company's data protection contact, subject to the execution of a non-disclosure agreement where required.

Vivantio

Flexible software.
Focused service.

ISO 27001, SOC 2, HIPAA, Cyber Essentials Plus certifications
Solutions
IT Service ManagementCustomer ServiceEnterprise ServiceTechnology & MSPsSoftware VendorsHuman ResourcesFacilitiesFinance & LegalGRC
Platform
All featuresAIAutomationITSM & ITILSelf-service portalAsset managementReporting & BIIntegrationsPricing
Resources
Product toursCompareBlogCase studiesVideosWebinars
Company
About usWhy VivantioNews & awardsContactBook a demo →
Legal
Privacy policyTerms & conditionsData processingMaster services agreementSecurityAccessibility
© 2026 Vivantio · All rights reserved
PrivacyTermsContact