Connect your employees to your customers across the channels they use most.
Automate and personalize business processes with prebuilt or customized apps.
Call, meet, message, and more—all in one app.
Connect people, tasks, tools, and more in a customizable app built for immersive collaboration.
Rely on our team of experts to help you get the most from your investment.
Find a cloud that’s flexible, secure, and dedicated to your organization.
Explore our complete portfolio of devices for individuals and conference rooms.
See what’s next for your full-featured call center.
Explore your options for communications innovation.
Take collaboration, both inside and out, to the next level.
Move at your pace with Avaya’s hybrid cloud options.
Deliver effortless experiences for customers and employees at every touchpoint.
Help your contact center run smoothly, no matter where your employees are.
Find an Authorized Avaya Channel Partner in your part of the world.
Build new, innovative communications solutions via Avaya’s open solution platforms.
See our partnerships with leading technology companies for unique and value-adding solutions.
Explore all of the partner types and programs available at Avaya
Sell the Avaya portfolio with benefits, incentives, lead gen, training, and marketing resources.
Transition customers to the cloud fast and on budget, supported by Avaya services and features.
Stay up to date on Avaya's latest news and solutions.
Get to know Avaya through our blogs. Insights on collaboration, customer experience, AI, digital.
Watch videos by topic or just browse what’s new. Interviews, solutions, how-to’s, more.
See inspiring ways companies are using Avaya solutions to change the world of work.
Look at what's new in our world—and how it benefits yours.
Engage with us in an immersive and interactive experience—on site, virtually, or a combo.
Listen in on conversations with tech innovators who are transforming the experience economy.
Learn about the privacy, compliance, and security inside Avaya solutions.
Review the terms and policies associated with Avaya software and services.
Access a full range of information and assistance for your Avaya solution.
For research and support, access our product documentation resources.
Meet Avaya experts at our events, webinars, expos, conferences and more.
In person or online, gain a full understanding of your Avaya solution and its capabilities.
Avaya Trust Center
Avaya collects only the information necessary to conduct business and we take robust measures to protect individuals' personal data.
Explore product privacy
Processing of Personal Data within Avaya Products
Security of Personal Data within Avaya Products
Avaya Products and Data Subject’s Rights
Personal Data Controls Within Avaya Products
Other Technology Features Within Avaya Products
Sharing of Personal Data
International Data Transfers
Privacy Statement Update Procedure
Interpretation of This Privacy Statement
Further Information and Contact Details of Avaya Privacy Officers
To conduct global business in this increasingly electronic economy, the collection and use of personal data is often necessary and desirable for businesses and individuals involved. It is Avaya's goal to balance the benefits of our and our enterprise customers' business with the right of individuals as regards their personal data. Therefore, Avaya respective products have certain technology features embedded that enable our enterprise customers to meet respective requirements prescribed by privacy laws. Moreover, Avaya is here to advise on the individual settings of respective systems and to work with its customers to make sure they can use the products in the most privacy-enhancing ways.
Our products may process a variety of personal data for specific needs—for example, collecting a name and a phone number in a phone directory to allow connection with the person later, or collecting the assigned user and IP address of a phone to route calls. We do our best to inform our customers about possible processing activities within our products and grant customers control over such data. Depending on the respective product, such personal data may include (but is not limited to) data subject’s name, contact information (e.g., company, title/position, email address, phone number, physical address), connection data (e.g., IP address, operating system, internet service provider, browser, GPS/location data), communication data (e.g., presence, video usage—screen sharing, the recipient/caller ID, the recipient/caller phone number, duration/time/date of calls, recorded voicemails, saved contacts), network information (e.g., other phone network participants’ calling activities), troubleshooting data (e.g., log files) and metadata derived thereof. Details of personal data categories collected by Avaya products are captured in the respective Solution Privacy Fact Sheet—see section Personal Data Controls Within Avaya Products for more information.
The categories of data subjects affected by the processing of personal data result from customers’ individual usage of products provided by Avaya. They typically include, but are not limited to, employees, agents, advisors, and customers (individuals) of Avaya corporate customers.
Avaya may only access certain personal data in the regular course of business (e.g., by fulfilling the agreement/ customer’s instructions, for the purposes communicated to the corporate customer or data subjects, as permitted by applicable law, etc.) while providing requested products and services.
Avaya will retain and use personal data as required to accomplish the purposes for which it was collected or as necessary to resolve disputes, enforce contracts and/or comply with our legal obligations. Respective Avaya products provide customers (i.e., data controllers) with certain technical measures to decide for how long personal data should be retained within the product.
Processing of personal data may include using, storing, recording, transferring, adapting, summarizing, amending, sharing, anonymizing, and destroying personal data as necessary under the circumstances or as otherwise required by applicable law.
Data security is a top priority for Avaya, just as it is for Avaya customers. Avaya has highly-skilled professionals to help ensure processing of information and personal data under its custody and responsibility is protected, whether related to Avaya's remote maintenance services, our cloud offerings or to any other solutions where Avaya processes data. Avaya has implemented and will maintain technical and organizational security measures that are appropriate with respect to the nature of personal data, which is collected and processed by its products. All personal data in transit and stored will be protected by using, for instance, encryption and/or access-control measures; personal data will be stored in different locations by using different protocols. Exact technical details are provided in respective Solution Privacy Fact Sheets.
Data privacy laws (in particular, General Data Protection Regulation (the GDPR)), as well as often containing security and accountability principles that require data controllers to consider all aspects of their data processing activities, also empower individuals with some rights over the storage and use of their data. Data subjects can require data controllers to grant them rights, such as: right of access, erasure, portability, and rectification over their personal data. The ability to effectively process and address these rights needs to be considered by the data controller, who must assess if any changes are required to policies, business processes and supporting systems.
The purpose of the information provided below is to describe the functional capabilities of Avaya products, relative to individual rights prescribed by certain data privacy laws, such as GDPR, and to inform how Avaya products may help our customer to comply with respective requirements. Below we will focus on explaining these rights under GDPR. These rights will have certain variances under other privacy laws.
The right of access typically provides for various obligations, including confirmation from a data controller as to what personal data is being processed about them, to whom it is being disclosed or transferred and whether the personal data is subject to automatic decision making. Under GDPR, a data controller must provide a copy of the personal data held and processed by it to the data subject in electronic form and has up to one month to comply with the request (unless the requests are complex or numerous, in which case the deadline is extended to no more than three months in total). In servicing the individual’s right, the data controller must verify the identity of the person making the request, and, if the request is made electronically, should provide the information in a commonly used electronic format. Compliance to this part of GDPR requires the ability to find an individual’s personal data across all information within the respective product.
Under GDPR an individual has the right of rectification, meaning the individual is entitled to request to have their personal data rectified if it is inaccurate or incomplete. A data controller has up to one month to comply with the request or show cause for denial (unless the requests are complex or numerous, in which case the deadline is extended to three months).
GDPR offers the right to data portability for an individual. This right allows the data subject to obtain and reuse their personal data for their own purposes across different services. In effect, this right means that the individual has the right to access and transfer personal data from one data controller to another without being obstructed due to technical limitations claimed by a data controller. This right arises on personal data that the data subject has provided to the data controller. To service the individual’s right, the data controller must provide the personal data in a structured, commonly used and machine-readable form, such as.CSV files (although GDPR does not prescribe the format). Compliance to this part of GDPR may require the ability to find and copy an individual’s personal data across all information systems and deliver a copy to the individual.
The right to erasure, also known as the right to be forgotten, enables an individual to request the deletion or removal of personal data where there is no lawful reason for its continued processing or where the data subject withdraws his/her consent. The organization can refuse to comply with a request for erasure where the personal data is processed to comply with a legal obligation or for other public interest reasons, such as to exercise the right of freedom of expression and information. As such, the right to erasure does not provide an absolute right to be forgotten. Compliance to this part of GDPR may require the ability to find and delete an individual’s personal data across all information systems.
A data controller is obligated to have a legal basis for the personal data they collect and process. For information systems that have the capability to track or record communications or transactions, an individual may have the right (depending upon the legal basis for the tracking or recording) to give or withhold consent at any time. Compliance to this part of GDPR will in some instances require the ability to gain consent as a legal basis prior to personal data collection. Therefore, certain Avaya products may provide the ability to customize the user experience for the purpose of obtaining informed and freely given consent.
In addition, to the extent customer, in its use of products provided by Avaya, does not have the ability to address the data subject request, Avaya may upon customer’s request and in accordance with contractual arrangements with such customer, be able to assist customer in responding to the data subject request, to the extent Avaya is legally permitted to do so and the response to such data subject request is required under applicable data protection laws and regulations.
When developing business processes around data subjects under applicable privacy laws, it is useful to consider the lifecycle of personal data in the business.
From the lifecycle diagram above, you can determine the key aspects that must be considered in the development of a business’s privacy compliance processes and procedures:
In evaluating the questions noted above and developing company compliance processes, it is important that all IT systems, including Avaya systems, be considered. Within the scope of respective Avaya product, personal data may be involved in almost all transactions of the system including voice and video calls, conferences, and text messages. This information will be stored in multiple places including recordings, databases, system logs, directories, histories, and backups.
Avaya products collect personal data for specific needs—for example, collecting a name and a phone number in a phone directory to allow connection with the person at a later date, or collecting the assigned user and IP address of a phone to route calls. Some information may be saved in system logs for future diagnostic or audit purposes. When the information is no longer needed, these logs may be destroyed. System backups may also capture some personal data to the extent it exists in the data being backed up. For this reason, both the active system data and backups must be considered when assessing personal data in Avaya products. Exact details of personal data collected by Avaya products are captured in the respective Solution Privacy Fact Sheet.
Avaya products incorporate multiple capabilities to support the data lifecycle and compliance with privacy laws (such as GDPR). Some of the different types of capabilities are described below.
Encryption at rest secures the content of a file or database in a manner that makes it unusable by anyone who does not have proper authorization. Some Avaya products have options to support encryption, while others do not. For those that do not, compensating controls can be put in place (see “Access controls” below.) Encryption in transit needs to be applied to all data communication in the systems. Most Avaya products support TLS1.2 with the latest encryption (AES256 for confidentiality and SHA-2 for hashing, and digital signatures for authentication).
Some Avaya products support the development of interactive menus where customers can be prompted and provide feedback. In many cases, these menus can be used to acquire the consent needed to collect and use personal data and for the technology to be used in the most privacy-enhancing way.
Most Avaya products provide access controls that can be used to limit the ability of individuals or systems to access collected data. A variety of access controls may be provided as follows:
Passwords – Passwords are used to gain access to the product. These can be defined by the system or linked to a larger, corporate directory. When system passwords are used, password policy controls are provided such as complexity rules, lockouts on failed attempts, required change intervals, etc.
Audit logs, especially security audit logs, are also a key part of managing compliance. Audit logs record system activity and can be used to identify possible problems or cyber-attacks.
Avaya products are meant to be general purpose and can be configured and integrated into a customer’s overall business information processing architecture. It is expected that Avaya products and non-Avaya equipment work together to perform overall information processing for the business. It is also common to use certain Avaya products to execute information processing scripts that have been written or customized by the customer or other agents.
Access the white paper Personal Data Controls for Enabling GDPR Compliance Programs for more information.
Our products may have multiple technology features (e.g., voice, video, analytics, licensing tools, etc.) enabled. The foregoing has been grouped into the following categories (the list below does not represent an exhaustive number of all technology features, which may be embedded into respective Avaya products, and is provided for information purposes only) that help to understand how such technology features may be associated with privacy and for what purposes Avaya may use such information. Additional information about the technology features embedded into Avaya’s products may be provided in respective contract and related documentation, such as the Solution Privacy Fact Sheet, the Product Description Documentation, or in the notice provided prior to the collection of personal data.
Respective Avaya products are capable of automatically collecting and storing a whole range of information (e.g., audio, video data). This information may include (but is not limited to) user’s current presence, video usage, screen sharing, IP address, the recipient ID, the recipient phone number, the caller ID, the caller phone number, duration of calls, time of calls, date of calls, recorded voice box messages (including ID, phone number, time and date), saved contacts, network information (e.g., showing other phone network participants’ calling activities) and other log information. The possibility to permanently delete such data as well as the network information about data subject’s (calling/communicating) behavior may be limited, depending on user’s access rights and the overall access right management by the customer (data controller) or network provider.
Certain Avaya products may include tools that gather information about when and on what hardware the software is installed. Avaya uses such information to keep track of whether the installation is in accordance with licenses purchased by its customers.
Avaya may collect and process information about the use of our products including the circumstances of telecommunication such as dialed numbers or start and end times of phone calls (sometimes referred to as metadata). We use such personal data to fulfil the contractual obligations we have towards our customers, to protect our IT systems against threats and misuse, and to comply with our legal obligations.
Respective Avaya products have usage metering and analytics capabilities embedded. Such tools provide accurate tracking of customer usage of the product and also provide the capacity for analyzing the customer’s usage patterns and generating usage reports required for billing purposes.
To improve effectiveness, performance, functionality and usability of our products Avaya may rely on third-party analytics service providers (including, but not limiting to, Google LLC. See more information about privacy practices within Google technologies and how individuals can express their choices regarding privacy to automatically collect and generate aggregated user data. For web-based products it may be possible to block or delete cookies by changing browser settings (as described under the heading "How Can You Control Cookies?" in our Cookie Statement). For installation on a device product (i.e., software) there may be an option to manually (on a corporate account or user basis) disable analytics under settings of the respective product.
Certain Avaya products are provided over the internet, hence Avaya users’ personal data is stored on data centers located globally and may be outside their country of residence. Such storage and a model for enabling simple, very convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) is referred to as a cloud service. Avaya’s cloud products are built on flexible architectures that support unparalleled compatibility and world-class interoperability with a clear focus on the reliability, security and needs of our customers. When Avaya acts for a customer in its capacity as the provider of a cloud content management and file sharing platform, Avaya may not have regular access to personal data of its customer except if providing maintenance or other services requested by the customer.
Personal data processed by Avaya products may be shared within Avaya affiliates/subsidiaries for the purpose of delivering/supporting/maintaining the products. To ensure such transfers of personal data within Avaya affiliates/subsidiaries are safeguarded legally, Avaya complies with applicable legislation on international data transfers and has implemented the appropriate safeguards to enable such transfers (for more information, please refer to our Binding Corporate Rules).
Avaya will only appoint external sub-processors that provide sufficient guarantees in respect of the commitments made by Avaya to its customers. Such sub-processors will be able to provide appropriate technical and organizational measures that will govern their use of the personal data to which they will have access in accordance with the terms of the contract or other legally binding document Avaya has with a respective customer.
Avaya may also disclose certain personal data to third parties in other special instances, including:
As required to do so by law, such as to comply with a court order or similar legal process
While providing/supporting/maintaining products Avaya may need to transfer personal data around the world over public or private networks. As such, personal data transfers may naturally include territories outside respective countries, including outside the European Economic Area (EEA), United Kingdom (UK) or Switzerland (CH), where data protection requirements may differ and be less comprehensive. The transfers of personal data between respective Avaya affiliates/subsidiaries are governed by our Binding Corporate Rules. If Avaya needs to transfer personal data originating from the EEA, UK or CH to third party sub-processors (i.e., Avaya’s sub-contractors that are not Avaya affiliates/subsidiaries) located in countries outside the EEA, UK, or CH that have not received a binding adequacy decision by the competent body, such transfers shall be subject to the terms of the applicable Standard Contractual Clauses, or other appropriate transfer mechanisms that provide an adequate level of protection in compliance with applicable privacy laws.
We reserve the right to amend or change this Privacy Statement at any time, so please review it frequently. If we change this Privacy Statement, we will post the revised version with an updated revision date.
Any interpretation of this Privacy Statement will be done by the Avaya Global Privacy Officer. This Privacy Statement does not create or confer upon any individual any rights or impose upon Avaya any obligations outside of, or in addition to, any rights or obligations imposed by the privacy laws applicable to such individual's personal data. Should there be, in a specific case, any inconsistency between this Privacy Statement and such privacy laws, this Privacy Statement shall be interpreted to comply with such privacy laws.
If you have any questions about this Privacy Statement or concerns about how we manage your personal data, please contact the Avaya Privacy Office.