Privacy Policy

Avalution’s Privacy Policy


The purpose of this policy is to describe the treatment of client or prospect information provided to or accessed by Avalution Consulting (“Avalution”) employees and/or those working on behalf of Avalution such as contractors, consultants, and vendors.


This privacy policy applies to information gathered or accessed by Avalution in the process of delivering services and solutions to clients.

The Use of Client Information by Avalution

Avalution is granted access to private, sensitive and/or non-public client information through the normal course of business.  Access to this information is important to the ability of Avalution to deliver effective, customized and valued services to clients.  Avalution will not use the information obtained or accessed through the normal course of delivering services for purposes other than those agreed to with the client in the statement of work or at the time of collection.  Avalution does not disclose client information to third parties unless necessary for the delivery of services listed in a statement of work or contract as required by law or regulatory requirements, in which case Avalution would require the explicit consent of the client to do so.  No client information shall be collected that is not needed for the delivery of services. Any inquiries or complaints in regards to this policy should be directed to [email protected].

Collection and Use of Marketing Information by Avalution

In addition to client information collected as part of delivery of services and solutions, Avalution may also collect marketing data from both clients and prospects for use in delivery of sales and marketing. This information is limited to the individual’s name, title, company name, address, e-mail, and phone number. This information will be used solely for marketing purposes and will not be directly shared with third-parties. It is possible that this information may be stored in third-party systems that are used to enable marketing communications; access to this information, however, will be restricted to Avalution employees.

This information will be collected in accordance with local statutory regulations and will be transparent about the nature, purpose, and extent of processing operations associated with the data. Persons who voluntarily supply their contact information to Avalution may receive future communications. Persons who wish to amend or update their details or who do not wish to receive further correspondence may contact Avalution and ask that their details to be changed or to be removed.


Avalution uses cookies for two purposes:

  • To facilitate delivery of functionality in our web-based Catalyst software.
  • To enhance the user experience during visits to our corporate web site.

These cookies do not proactively monitor user activity and are designed solely to improve the use and functionality of Catalyst and our web site. Some cookies may be “persistent” in nature in order to deliver a more responsive browsing experience. Anonymous, aggregated cookie data may be used for the purpose of usage analysis, quality control and improvement of user experience. You will be notified (and can prevent the use) of cookies during the initiation of your first session, and can subsequently modify or disable cookie functionality by accessing your browser preferences.

Retention of Personal Information

Avalution retains the information collected from clients and web site users for as long as the information is relevant to the executive of business contracts or for other business purposes, or until the user requests that we remove the data.

Catalyst Data retention and data destruction policies

  1. Backups for US Main disaster recovery are set up using active-passive cloud replication. A master/slave database cluster writes data in real time to a backup cluster in an alternate AWS zone. Alerts are set up to notify us immediately if the replication cluster is out of sync with the primary cluster.
  2. Backups for non-US disaster recovery purposes are stored in an encrypted Amazon S3 container for up to one year. Upon termination of a Catalyst contract, client data is removed within 24 hours. Backups are run hourly, and are controlled by a script run from our servers. An alert is set up to notify us if an hour has gone by and a backup was not performed.
  3. Destruction of unused Amazon hardware is performed by Amazon.
  4. Backups stored on AWS are retained for 1 year; after one year, Amazon’s service is configured to destroy the backups.

Information Security and Integrity

The security, integrity and confidentiality of non-public information are extremely important to Avalution. Avalution has implemented technical, administrative and physical security measures that are designed to protect such information from unauthorized access, disclosure, use and modification.  Access to information is limited to those employees, contractors, consultants, and vendors that need to access the information to perform their duties.  All employees are required to sign a non-disclosure agreement to work at Avalution.  Consultants, contractors and vendors that perform work on behalf of Avalution are required to enter into a non-disclosure agreement and are expected to adhere to this policy and any others governing the actions of Avalution’s employees.

Avalution’s need to collect, maintain, use, or disseminate personal information about individuals is limited to use in delivering services to clients or marketing/sales services to prospects.  Personal information will not be collected that is not needed and agreed to for these purposes.  Avalution personnel and third parties that perform work on behalf of Avalution have a responsibility to protect an individual’s privacy when collecting, maintaining, using or disseminating personal information about an individual.

Avalution’s Privacy Program

To support the privacy policy, Avalution has implemented and maintains a Privacy Program.  The following sections describe the Privacy Program.

Privacy Program Roles and Responsibilities

Program Sponsor – Provides sponsorship and oversight to the Privacy Program.  The sponsor is a senior-level manager and responsible for reviewing and validating all program activities, strategy options and organizational changes that may affect the privacy program.

Program Coordinator – Provides day-to-day management for the Privacy Program.  The coordinator is responsible for approving program activities and strategy options.  The coordinator also requests resources to enable successful implementation and maintenance of program activities.

Avalution Employees – Responsible for understanding their role in the Privacy Program and familiarity with this policy and program details.

Consultants, Contractors and Vendors delivering services on behalf of Avalution – Responsible for understanding their role in the Privacy Program and familiarity with this policy and program details.  Avalution expects all third parties performing work on behalf of Avalution to adhere to this Privacy Policy and Avalution’s Privacy Program.

Agents of Avalution Consulting

Any party acting as an agent of Avalution Consulting will be required to adhere to the same principles and policies set forth in this document.

Privacy Program Activities

Analysis of Information Needs

The Privacy Program will identify what information and personal information must be protected in alignment with this Privacy Policy and any applicable legal obligations.

Privacy Risk Identification and Assessment

Avalution will implement and maintain procedures to identify and assess risks to information security and integrity. Avalution will identify and monitor the locations where sensitive information is stored. The risk identification and assessment will include the identification of sources of risk, impact of the risk and potential mitigation strategies. The risk identification and assessment will be conducted on all new projects with the potential to impact privacy risks.

There are several reasonable and foreseeable internal and external risks to the security and integrity of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the security and confidentiality of personal and confidential information.  These risks may include, but are not limited to:

  • Unauthorized access of personal information by individuals not approved for access
  • Compromised system security
  • Interception of data during transmission
  • Loss of data integrity
  • Physical loss of data
  • Poor audit trails
  • Unauthorized access of personal information by employees
  • Unauthorized transfer of personal information to third parties or employees not approved for access
  • Unauthorized transfer of personal information by third parties

The management and control of privacy risks shall be accomplished by 1) the development of policies, procedures, and standards which address identified privacy risks; 2) the development of training opportunities and informational materials to assist in the implementation of these policies, procedures and standards; and 3) monitoring, auditing and otherwise evaluating business areas for compliance with privacy policies, procedures, and standards.

Implementation of Client Information Security and Integrity Procedures and Controls

Avalution implements and maintains digital and physical security procedures and safeguards to restrict access to sensitive information to only those people that need access to perform their duties.  Please be aware that despite Avalution’s best efforts, no security measures are perfect or impenetrable.  Any employee, consultant, contractor, or vendor that becomes aware of any breach of information security and integrity will immediately notify the Avalution Managing Consultant or Director for the project.  The Avalution Managing Consultant or Director will then take action to mitigate the potential for further breaches and take the necessary steps to notify the client and resolve the situation.

Review of Client Information Security and Integrity Procedures and Controls

From time to time, Avalution will review security procedures to consider appropriate new technology and methods.  These periodic reviews will include an assessment of the applicable risks to information security and integrity including the identification of the sources and impacts of identified risks. Any unacceptable risks will be documented and corrective actions will be identified and implemented within a reasonable amount of time.  In addition, the review of privacy procedures implemented by third parties working on behalf of Avalution will be conducted on a regular basis to ensure compliance to Avalution’s privacy policy.

Training and Awareness

Avalution employees and consultants, contractors and vendors working on behalf of Avalution will be made aware of and trained in the procedures used to protect information security and integrity.  Changes to this privacy policy and procedures to protect information are documented and made available to the relevant parties.

EU-US Privacy Shield Compliance

Avalution complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. Avalution has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit

In compliance with the EU-US Privacy Shield Principles, Avalution commits to resolve complaints about your privacy and our collection or use of your personal information. European Union individuals with inquiries or complaints regarding this privacy policy should first contact our Support team at [email protected].

Avalution has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit for more information and to file a complaint. Finally, as a last resort and in limited situations, EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.

United States Governing Authority

The United States Federal Trade Commission (FTC) is the enforcement authority with jurisdiction over this compliance with the Privacy Shield.

GDPR Compliance

While Avalution protects personal information in the same way as all confidential information we store, many of our clients are concerned about compliance with GDPR. Avalution is compliant with GDPR. Below are some details of specific compliance measures:

  • Avalution maintains a registry of personal information that is collected and stored in Catalyst and maintains a list of processing activities associated with this data.
  • Security controls (described in the following section) are validated and attested to via an independent SOC 2 compliance audit.
  • Avalution has established data processing agreements with sub-processors of our data.
  • Avalution has established data destruction processes to support the ‘right to be forgotten’
  • Data Protection Impact Assessments are performed prior to major system changes.
  • Avalution has established data retention policies for deleted data.
  • Although cookies are used to manage user sessions, Avalution does not use cookies to proactively monitor end-user activity within the EU.
  • Catalyst does not collect or store any information other than the information provided by the client or explicitly stipulated in the business contract.

Transfers Abroad

Data collected at our EU data centers is not transferred outside of the EU. However, if a transfer was necessary (e.g., a company wishing to move its data to the US) it would be governed by the Privacy Shield agreement in place between the United States and European Union. Avalution is self-certified Privacy Shield registrant with the US Department of Commerce. If Privacy Shield is invalided, Avalution will determine additional remedies to regulate data transfers between the EU and US.

EU Data Subject Rights

Avalution recognizes the rights of EU residents when collecting, storing and processing their personal information. In cases where the collection of this information is required in performance of contracted services, the terms of the contract may supersede the individual’s right to privacy. However, in instances where the collection of data is not bound by a contract, the data subject’s rights will be enforced:

  • Avalution will be transparent about the purpose, nature and scope of data processing at the time of data collection.
  • Avalution will obtain explicit and uncoerced consent from the data subject to collect their information.
  • Avalution will not share the data subject’s information with third-parties without their consent.
  • Avalution will maintain records of how the data subject’s information has been used for processing.
  • Avalution will, upon verified request from the data subject, make available to them all of their personal information that has been collected and stored.
  • Avalution will, upon verified request from the data subject, correct any data that is inaccurate.
  • Avalution will, upon verified request from the data subject, delete all of their personal information that has been collected and stored.
  • Avalution will, upon verified request from the data subject, allow them to request limit the extent to which their data is processed.

EU data subjects concerned about their rights under GDPR may contact Avalution for additional information.


Any data subjects concerned about their rights may contact Avalution for additional information.