Privacy Within Our Products

Avaya collects only the information necessary to conduct business and we take robust measures to protect individuals' personal data.

We have prepared this general Privacy Statement to disclose common privacy practices related to the products being offered by Avaya LLC or its respective worldwide affiliate/subsidiary (Avaya). Additional information on the processing of personal data (i.e., data that identifies or may be used to identify an individual) within Avaya products may be disclosed in the respective Solution Privacy Fact Sheet, in the product description documentation, or in the privacy notice provided prior to personal data collection, as applicable. Regarding general privacy practices at Avaya, please review our Global Privacy Policy and Binding Corporate Rules.

Processing of Personal Data within Avaya Products

To conduct global business in this increasingly electronic economy, the collection and use of personal data is often necessary and desirable for the businesses and individuals involved. It is Avaya's goal to balance the benefits to our business and our enterprise customers' businesses with the rights of individuals regarding their personal data. Therefore, respective Avaya products have certain technology features embedded that enable our enterprise customers to meet the requirements prescribed by privacy laws. Moreover, Avaya is here to advise on the individual settings of respective systems and to work with its customers to make sure they can use the products in the most privacy-enhancing ways.

What type of personal data may be processed by Avaya products?

Our products may process a variety of personal data for specific needs—for example, collecting a name and a phone number in a phone directory to allow connection with the person later, or collecting the assigned user and IP address of a phone to route calls. We do our best to inform our customers about possible processing activities within our products and grant customers control over such data. Depending on the respective product, such personal data may include (but is not limited to) data subject’s name, contact information (e.g., company, title/position, email address, phone number, physical address), connection data (e.g., IP address, operating system, internet service provider, browser, GPS/location data), communication data (e.g., presence, video usage—screen sharing, the recipient/caller ID, the recipient/caller phone number, duration/time/date of calls, recorded voicemails, saved contacts), network information (e.g., other phone network participants’ calling activities), troubleshooting data (e.g., log files) and metadata derived thereof. Details of personal data categories collected by Avaya products are captured in the respective Solution Privacy Fact Sheet—see section Personal Data Controls Within Avaya Products for more information.

What categories of data subjects may be in scope?

The categories of data subjects affected by the processing of personal data result from customers’ individual usage of products provided by Avaya. They typically include, but are not limited to, employees, agents, advisors, and customers (individuals) of Avaya corporate customers.

Will Avaya have access to personal data processed within Avaya products?

Avaya may only access certain personal data in the regular course of business (e.g., by fulfilling the agreement/customer’s instructions, for the purposes communicated to the corporate customer or data subjects, as permitted by applicable law, etc.) while providing requested products and services.

For how long may personal data be retained by Avaya and/or by Avaya products?

Avaya will retain and use personal data as required to accomplish the purposes for which it was collected or as necessary to resolve disputes, enforce contracts and/or comply with our legal obligations. Respective Avaya products provide customers (i.e., data controllers) with certain technical measures to decide for how long personal data should be retained within the product.

In what way may personal data be processed by Avaya products?

Processing of personal data may include using, storing, recording, transferring, adapting, summarizing, amending, sharing, anonymizing, and destroying personal data as necessary under the circumstances or as otherwise required by applicable law.

Security of Personal Data within Avaya Products

Data security is a top priority for Avaya, just as it is for Avaya customers. Avaya has highly-skilled professionals to help ensure processing of information and personal data under its custody and responsibility is protected, whether related to Avaya's remote maintenance services, our cloud offerings or to any other solutions where Avaya processes data. Avaya has implemented and will maintain technical and organizational security measures that are appropriate with respect to the nature of personal data, which is collected and processed by its products. All personal data in transit and stored will be protected by using, for instance, encryption and/or access-control measures; personal data will be stored in different locations by using different protocols. Exact technical details are provided in respective Solution Privacy Fact Sheets.

Avaya Products and Data Subject’s Rights

Data privacy laws, in particular the General Data Protection Regulation (GDPR), often contain security and accountability principles that require data controllers to consider all aspects of their data processing activities. They also empower individuals with some rights over the storage and use of their data. Data subjects can require data controllers to grant them rights such as the right of access, erasure, portability, and rectification over their personal data. The ability to effectively process and address these rights needs to be considered by the data controller, who must assess if any changes are required to policies, business processes and supporting systems.

The purpose of the information provided below is to describe the functional capabilities of Avaya products relative to individual rights prescribed by certain data privacy laws, such as GDPR, and to explain how Avaya products may help our customers comply with the respective requirements. Below we focus on explaining these rights under GDPR. These rights will have certain variances under other privacy laws.

The right of access

The right of access typically provides for various obligations, including confirmation from a data controller to the data subject as to what personal data is being processed about them, to whom it is being disclosed or transferred, and whether the personal data is subject to automatic decision making. Under GDPR, a data controller must provide a copy of the personal data held and processed by it to the data subject in electronic form and has up to one month to comply with the request (unless the requests are complex or numerous, in which case the deadline is extended to no more than three months in total). In servicing the individual’s right, the data controller must verify the identity of the person making the request, and, if the request is made electronically, should provide the information in a commonly used electronic format. Compliance with this part of GDPR requires the ability to find an individual’s personal data across all information within the respective product.

The right of rectification

Under GDPR an individual has the right of rectification, meaning the individual is entitled to request to have their personal data rectified if it is inaccurate or incomplete. A data controller has up to one month to comply with the request or show cause for denial (unless the requests are complex or numerous, in which case the deadline is extended to three months).

The right to data portability

GDPR offers the right to data portability for an individual. This right allows the data subject to obtain and reuse their personal data for their own purposes across different services. In effect, this right means that the individual has the right to access and transfer personal data from one data controller to another without being obstructed due to technical limitations claimed by a data controller. This right applies to personal data that the data subject has provided to the data controller. To service the individual’s right, the data controller must provide the personal data in a structured, commonly used and machine-readable form, such as .CSV files (although GDPR does not prescribe the format). Compliance with this part of GDPR may require the ability to find and copy an individual’s personal data across all information systems and deliver a copy to the individual.

The right to erasure

The right to erasure, also known as the right to be forgotten, enables an individual to request the deletion or removal of personal data where there is no lawful reason for its continued processing or where the data subject withdraws his/her consent. The organization can refuse to comply with a request for erasure where the personal data is processed to comply with a legal obligation or for other public interest reasons, such as to exercise the right of freedom of expression and information. As such, the right to erasure does not provide an absolute right to be forgotten. Compliance with this part of GDPR may require the ability to find and delete an individual’s personal data across all information systems.

The obligation to have a lawful basis to process personal data

A data controller is obligated to have a legal basis for the personal data it collects and processes. For information systems that have the capability to track or record communications or transactions, an individual may have the right (depending upon the legal basis for the tracking or recording) to give or withhold consent at any time. Compliance with this part of GDPR will in some instances require the ability to gain consent as a legal basis prior to personal data collection. Therefore, certain Avaya products may provide the ability to customize the user experience for the purpose of obtaining informed and freely given consent.

In addition, to the extent customer, in its use of products provided by Avaya, does not have the ability to address the data subject request, Avaya may upon customer’s request and in accordance with contractual arrangements with such customer, be able to assist customer in responding to the data subject request, to the extent Avaya is legally permitted to do so and the response to such data subject request is required under applicable data protection laws and regulations.

Personal Data Controls Within Avaya Products

When developing business processes around data subjects under applicable privacy laws, it is useful to consider the lifecycle of personal data in the business.

[Figure: personal data lifecycle diagram]

From the lifecycle diagram above, you can determine the key aspects that must be considered in the development of a business’s privacy compliance processes and procedures:

  • What is the use of the personal data collected?
  • How is personal data collected and where is it stored?
  • What is the legal basis for processing the personal data?
  • How is consent to collect and process the personal data obtained, if required?
  • How is the personal data accessed for the defined usage?
  • How is unauthorized access to the personal data prevented?
  • How and when will the personal data be transferred out of your control?
  • How and when is the collected personal data destroyed, deleted, or returned?

In evaluating the questions noted above and developing company compliance processes, it is important that all IT systems, including Avaya systems, be considered. Within the scope of the respective Avaya product, personal data may be involved in almost all transactions of the system, including voice and video calls, conferences, and text messages. This information will be stored in multiple places, including recordings, databases, system logs, directories, histories, and backups.

Personal data collection

Avaya products collect personal data for specific needs—for example, collecting a name and a phone number in a phone directory to allow connection with the person at a later date, or collecting the assigned user and IP address of a phone to route calls. Some information may be saved in system logs for future diagnostic or audit purposes. When the information is no longer needed, these logs may be destroyed. System backups may also capture some personal data to the extent it exists in the data being backed up. For this reason, both the active system data and backups must be considered when assessing personal data in Avaya products. Exact details of personal data collected by Avaya products are captured in the respective Solution Privacy Fact Sheet.

Supporting the personal data lifecycle

Avaya products incorporate multiple capabilities to support the data lifecycle and compliance with privacy laws (such as GDPR). Some of the different types of capabilities are described below.

Encryption

Encryption at rest secures the content of a file or database in a manner that makes it unusable by anyone who does not have proper authorization. Some Avaya products have options to support encryption, while others do not. For those that do not, compensating controls can be put in place (see “Access controls” below). Encryption in transit needs to be applied to all data communication in the systems. Most Avaya products support TLS 1.2 with the latest encryption (AES-256 for confidentiality, SHA-2 for hashing, and digital signatures for authentication).

Menus

Some Avaya products support the development of interactive menus where customers can be prompted and provide feedback. In many cases, these menus can be used to acquire the consent needed to collect and use personal data and for the technology to be used in the most privacy-enhancing way.

Access controls

Most Avaya products provide access controls that can be used to limit the ability of individuals or systems to access collected data. A variety of access controls may be provided as follows:

  • Passwords – Passwords are used to gain access to the product. These can be defined by the system or linked to a larger, corporate directory. When system passwords are used, password policy controls are provided such as complexity rules, lockouts on failed attempts, required change intervals, etc.
  • Multi-Factor Authentication – Certain Avaya products support multi-factor authentication. Access is forbidden unless the configured type and number of authentications are provided. This is typically configured to be a password and special authentication card.
  • Role Based Access Control – RBAC allows for the system to grant fine-tuned capabilities to each log-in that has been assigned to a role to manage what they can access and change in the system.
  • Certificates – Avaya products leverage X.509 certificates that are used to secure the communication exchange between two different system elements, ensuring that the communication is authentic and confidential. Communications exchange can be further protected by requiring each communication element to mutually authenticate the other side before exchanging information. Mutual authentication requires certificates to be generated and installed on each communication element. Certificates can be generated directly by the system, by the enterprise’s certification generation facilities, or by third-party public entities.
  • Filesystem Access Controls – File access controls restrict ownership, and the type of information access granted to individual accounts within the operating system of the product. These controls should be configured to adhere to the security principle of least privilege.
  • Network Access Control Lists – Access control lists restrict network connections according to predefined allow and deny lists kept local to the system.

Audit logs

Audit logs, especially security audit logs, are also a key part of managing compliance. Audit logs record system activity and can be used to identify possible problems or cyber-attacks.

Customer specific customizations

Avaya products are meant to be general purpose and can be configured and integrated into a customer’s overall business information processing architecture. It is expected that Avaya products and non-Avaya equipment work together to perform overall information processing for the business. It is also common to use certain Avaya products to execute information processing scripts that have been written or customized by the customer or other agents.

Access the white paper Personal Data Controls for Enabling GDPR Compliance Programs for more information.

Other Technology Features Within Avaya Products

Our products may have multiple technology features (e.g., voice, video, analytics, licensing tools, etc.) enabled. These features have been grouped into the categories below to help explain how they may be associated with privacy and for what purposes Avaya may use such information. The list is not exhaustive of all technology features that may be embedded into respective Avaya products and is provided for information purposes only. Additional information about the technology features embedded into Avaya’s products may be provided in respective contract and related documentation, such as the Solution Privacy Fact Sheet, the Product Description Documentation, or in the notice provided prior to the collection of personal data.

Voice and video recordings

Respective Avaya products are capable of automatically collecting and storing a whole range of information (e.g., audio, video data). This information may include (but is not limited to) user’s current presence, video usage, screen sharing, IP address, the recipient ID, the recipient phone number, the caller ID, the caller phone number, duration of calls, time of calls, date of calls, recorded voice box messages (including ID, phone number, time and date), saved contacts, network information (e.g., showing other phone network participants’ calling activities) and other log information. The possibility to permanently delete such data as well as the network information about data subject’s (calling/communicating) behavior may be limited, depending on user’s access rights and the overall access right management by the customer (data controller) or network provider.

Licensing tools

Certain Avaya products may include tools that gather information about when and on what hardware the software is installed. Avaya uses such information to keep track of whether the installation is in accordance with licenses purchased by its customers.

Telecommunications diagnostic tools

Avaya may collect and process information about the use of our products including the circumstances of telecommunication such as dialed numbers or start and end times of phone calls (sometimes referred to as metadata). We use such personal data to fulfil the contractual obligations we have towards our customers, to protect our IT systems against threats and misuse, and to comply with our legal obligations.

Usage metering tools

Respective Avaya products have usage metering and analytics capabilities embedded. Such tools provide accurate tracking of customer usage of the product and also provide the capacity for analyzing the customer’s usage patterns and generating usage reports required for billing purposes.

Cookies and analytics tools

To improve effectiveness, performance, functionality and usability of our products, Avaya may rely on third-party analytics service providers (including, but not limited to, Google LLC; see more information about privacy practices within Google technologies and how individuals can express their choices regarding privacy) to automatically collect and generate aggregated user data. For web-based products it may be possible to block or delete cookies by changing browser settings (as described under the heading "How Can You Control Cookies?" in our Cookie Statement). For products installed on a device (i.e., software) there may be an option to manually (on a corporate account or user basis) disable analytics under settings of the respective product.

Cloud services

Certain Avaya products are provided over the internet, hence Avaya users’ personal data is stored on data centers located globally and may be outside their country of residence. Such storage and a model for enabling simple, very convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) is referred to as a cloud service. Avaya’s cloud products are built on flexible architectures that support unparalleled compatibility and world-class interoperability with a clear focus on the reliability, security and needs of our customers. When Avaya acts for a customer in its capacity as the provider of a cloud content management and file sharing platform, Avaya may not have regular access to personal data of its customer except if providing maintenance or other services requested by the customer.

Sharing of Personal Data

Within Avaya 

Personal data processed by Avaya products may be shared within Avaya affiliates/subsidiaries for the purpose of delivering/supporting/maintaining the products. To ensure such transfers of personal data within Avaya affiliates/subsidiaries are safeguarded legally, Avaya complies with applicable legislation on international data transfers and has implemented the appropriate safeguards to enable such transfers (for more information, please refer to our Binding Corporate Rules).

With External Sub-processors

Avaya will only appoint external sub-processors that provide sufficient guarantees in respect of the commitments made by Avaya to its customers. Such sub-processors will be able to provide appropriate technical and organizational measures that will govern their use of the personal data to which they will have access in accordance with the terms of the contract or other legally binding document Avaya has with a respective customer.

Specific Disclosure Rules

Avaya may also disclose certain personal data to third parties in other special instances, including:

  • As required to do so by law, such as to comply with a court order or similar legal process
  • When we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others or defend against legal claims
  • For the purposes of prevention of fraud or other crime
  • In connection with or during negotiation of any merger, acquisition, sale of all or a portion of our assets, financing, liquidation, reorganization
  • In anonymized form which can no longer be used to identify data subjects

International Data Transfers

While providing/supporting/maintaining products Avaya may need to transfer personal data around the world over public or private networks. As such, personal data transfers may naturally include territories outside respective countries, including outside the European Economic Area (EEA), United Kingdom (UK) or Switzerland (CH), where data protection requirements may differ and be less comprehensive. The transfers of personal data between respective Avaya affiliates/subsidiaries are governed by our Binding Corporate Rules. If Avaya needs to transfer personal data originating from the EEA, UK or CH to third party sub-processors (i.e., Avaya’s sub-contractors that are not Avaya affiliates/subsidiaries) located in countries outside the EEA, UK, or CH that have not received a binding adequacy decision by the competent body, such transfers shall be subject to the terms of the applicable Standard Contractual Clauses, or other appropriate transfer mechanisms that provide an adequate level of protection in compliance with applicable privacy laws.

Privacy Statement Update Procedure

We reserve the right to amend or change this Privacy Statement at any time, so please review it frequently. If we change this Privacy Statement, we will post the revised version with an updated revision date.

Interpretation of This Privacy Statement

Any interpretation of this Privacy Statement will be done by the Avaya Global Privacy Officer. This Privacy Statement does not create or confer upon any individual any rights or impose upon Avaya any obligations outside of, or in addition to, any rights or obligations imposed by the privacy laws applicable to such individual's personal data. Should there be, in a specific case, any inconsistency between this Privacy Statement and such privacy laws, this Privacy Statement shall be interpreted to comply with such privacy laws.

Further Information and Contact Details of Avaya Privacy Office

If you have any questions about this Privacy Statement or concerns about how we manage your personal data, please contact the Avaya Privacy Office.

 

Revised March 2023
