AIRE PLATFORM DATA PROCESSING AGREEMENT 

This Data Processing Agreement regulates the processing of any Customer Personal Data by Aire No-Code Ltd. (“AIRE” or the “Company”). 

With respect to provisions regarding processing of Customer Personal Data, in the event of a conflict between the Terms and Conditions and this Agreement, the provisions of this Agreement shall control. 

Definitions

For the purpose of this Agreement, the capitalized terms shall have the meaning set out in the EU General Data Protection Regulation (2016/679) (“GDPR”).

Term

The duration of such processing of any Personal Data shall be for the period during which the Parties perform their applicable obligations under the Agreement.

Data Protection Laws Compliance

Each Party shall comply with all applicable laws relating to privacy and data protection, including the EU General Data Protection Regulation (2016/679), and any amending or replacement legislation from time to time (collectively and individually, “Data Protection Laws”). 

AIRE as Data Processor, for and on behalf of Customer 

During the provision of the Cloud Services, AIRE may access certain Personal Data under the responsibility of the Customer during the performance of the services, in particular (but without limitation), the data set out in the Exhibit below (“Customer Personal Data”) relating to the indicated persons (“Data Subjects”). Under applicable privacy regulations, Customer is responsible for its data and is what is known under privacy regulation as the “Data Controller”. Customer appoints AIRE as a data processor of Customer Personal Data, to process Customer Personal Data on Customer’s behalf, for the purpose of providing the Service.

Rights and responsibilities of the Customer as Data Controller

As established in the GDPR, the Customer as Data Controller shall:

    • Implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with applicable legislation.
    • Adopt appropriate data protection policies applicable to the use of the AIRE Cloud Services.
    • Ensure that the Data Protection Officer or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of Customer Personal Data.
    • Keep a record of processing activities in the case of processing Customer Personal Data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.
    • Make available to the interested parties the essential aspects of this agreement, at the request of the Data Processor.
    • Respond to the legal rights established by applicable law on the protection of Customer Personal Data and comply with the stipulations indicated in clause 5 even if these were originally addressed to the Data Processor. 

Legal basis

Customer warrants that it has all the appropriate legal basis (including when relevant, informed consents from data subjects whose personal data are submitted to AIRE by Customer) for the processing of Customer Personal Data in the manner envisaged in the Cloud Services or otherwise described herein. Customer will indemnify and keep AIRE harmless from all claims, damages and losses we may suffer relating to or arising out of the processing of third-party personal data submitted by Customer to AIRE’s systems during the course of the provision of the Service.

Prohibited data

In all events, it is forbidden to submit to AIRE or upload to the Service any data that contains sensitive data (according to applicable Privacy Law) that relates to identifiable persons such as: any person’s racial origin, membership in a trade union, religion, ideology and sexual life, or health data or data relative to the commission of criminal offences or proceedings and associated penalties or fines.

Rights and responsibilities of AIRE as Data Processor

AIRE will perform all its obligations Data Processor under the Privacy Regulation, and in particular shall: 

    • Process Customer Personal Data only on the basis of documented instructions from the Customer (which includes the configuration of the Service and all functionalities used by the Customer in the Service, such as messaging), including transfers of Customer Personal Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law; In such case, the Data Processor will inform the Data Controller of that legal requirement prior to the processing, unless otherwise prohibited by such law or in the public interest.
    • Ensure that the persons authorised to process Customer Personal Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature. 
    • Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing.
    • Assist the Data Controller, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the data subjects. 
    • Assist the Data Controller in ensuring that they comply with their obligations, taking into account the nature of the processing and the information that is available to the Data Processor.
    • At the choice of the Data Controller, either destroy or return all Customer Personal Data once the processing services have been completed and destroy any existing copies unless the retention of Customer Personal Data is required under Union or applicable Member State law. 
    • Make available to the Data Controller all information necessary to demonstrate compliance with the obligations established in herein, as well as to allow and contribute to the performance of audits, including inspections, by the controller or other authorised auditors for the Data Controller.
    • Process the Customer Personal Data in a way that ensures that the personnel in charge follow the instructions of the Data Controller (e.g. Service configuration).
    • Ensure that the Data Protection Officer or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of Customer Personal Data. 
    • Adhere to a Code of Conduct that is approved by the Commission or other competent authority. 
    • Keep a record of processing activities in the case of processing Customer Personal Data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions. 
    • Respond to the legal rights established by the GDPR and comply with the stipulations indicated in clause 5 even if these were originally addressed to the Data Processor. 

Data subjects’ exercise of their rights

If the Data Subjects addresses a request or exercises any of the rights established in the General Data Protection Regulation, AIRE and the Customer agree to collaborate to provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications. 

Similarly, but in the event that the Data Controller and / or the Processor do/es not proceed with the request of the Data Subject, he/she shall inform the latter without delay, and no later than one month after receipt of the request, shall provide the Data Subject with the reasons why he/she/they has/ve not acted and inform the Data Subject of his right to file a complaint before a competent authority and to file a judicial appeal. The response to the Data Subject’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.

Subcontracting 

As Data Processor, AIRE may provide access to a subcontractor processor to Customer Personal Data if we reasonably consider such access and processing necessary to the performance of the Cloud Services. In the event of such access and before the access takes place, AIRE shall ensure that an agreement with the third party is in place which is sufficient to require it to treat personal data in accordance with the applicable provisions of this Agreement and applicable. Customer authorises AIRE to subcontract such processing in its name, the current sub-processors being those set out in the Exhibit below.

International transfer of data

AIRE shall not carry out any international transfer of data except with authorisation of Customer, which may be provided through instructions and configuration of the Service. However, AIRE may transfer Customer Personal Data outside the EEA to its subprocessors indicated in the Exhibit below.

Security breach of the Customer Personal Data

Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation, in the event of a security breach of the Customer Personal Data, the Data Controller and/or Data Processor shall notify the competent supervisory authority of such breach without undue delay, and if possible, no later than 72 hours after it happened. 

DPA Exhibit 

In accordance with the provisions set out in herein and in the GDPR, the Data Processor shall process the type and category of Customer Personal Data provided by the Data Controller set out hereunder: 

Data Subject

Category of Data

Customer’s Authorized Users

Identification data

Aire Platform usage data, Messaging data  

Persons whose data is processed by Customer in the Aire Platform

Identification data,  Contact data, Messaging data

All other data relating to identified persons uploaded or captured by the Customer and stored in the Aire Platform 

Types of processing 

Storage, selection, classification, filtering, transmission, modification, elimination. 

Subcontractors 

Entity

Service

Territory

Paddle

Orders and Payments  

UK https://www.paddle.com/legal/privacy

Adfinis 

SLA support on PAAS

Switzerland – https://adfinis.com/en/privacypolicy/

Hetzner

PAAS cloud provider

Germany, US https://www.hetzner.com/legal/privacy-policy/