AIRE PLATFORM DATA PROCESSING AGREEMENT
This Data Processing Agreement regulates the processing of any Customer Personal Data by Aire No-Code Ltd. (“AIRE” or the “Company”).
With respect to provisions regarding the processing of Customer Personal Data, in the event of a conflict between the Terms and Conditions and this Agreement, the provisions of this Agreement shall control.
1. Definitions
For the purpose of this Agreement, the capitalized terms shall have the meaning set out in the EU General Data Protection Regulation (2016/679) (“GDPR”).
“Services” shall mean the provision of the Aire Platform, Aire Services and Corteza Cloud, as defined in the Terms & Conditions.
2. Term
The duration of such processing of any Personal Data shall be for the period during which the Parties perform their applicable obligations under the Agreement.
3. Data Protection Laws Compliance
Each Party shall comply with all applicable laws relating to privacy and data protection, including the EU General Data Protection Regulation (2016/679), and any amending or replacement legislation from time to time (collectively and individually, “Data Protection Laws”).
4. AIRE as Data Processor, for and on behalf of the Customer
During the provision of the Services, AIRE may access certain Personal Data under the responsibility of the Customer during the performance of the services, in particular (but without limitation), the data set out in the Exhibit below (“Customer Personal Data”) relating to the indicated persons (“Data Subjects”). Under applicable privacy regulations, the Customer is responsible for their data and is what is known under privacy regulation as the “Data Controller”. The Customer appoints AIRE as a data processor of Customer Personal Data, to process Customer Personal Data on the Customer’s behalf, for the purpose of providing the Service.
5. Rights and Responsibilities of the Customer as Data Controller
As established in the GDPR, the Customer as Data Controller shall:
- Implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with applicable legislation.
- Adopt appropriate data protection policies applicable to the use of the AIRE Services.
- Ensure that the Data Protection Officer or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of Customer Personal Data.
- Keep a record of processing activities in the case of processing Customer Personal Data that may pose a risk to the rights and freedoms of the data subject and/or in a non-occasional manner, or which involves the processing of special categories of data and/or data relating to convictions and infractions.
- Make available to the interested parties the essential aspects of this agreement, at the request of the Data Processor.
- Respond to the legal rights established by applicable law on the protection of Customer Personal Data and comply with the stipulations indicated in clause 5 even if these were originally addressed to the Data Processor.
Legal basis. The Customer warrants that it has all the appropriate legal basis (including when relevant, informed consents from data subjects whose personal data are submitted to AIRE by the Customer) for the processing of Customer Personal Data in the manner envisaged in the Services or otherwise described herein. The Customer will indemnify and keep AIRE harmless from all claims, damages and losses we may suffer relating to or arising out of the processing of third-party personal data submitted by Customer to AIRE’s systems during the course of the provision of the Service.
Prohibited data. In all events, it is forbidden to submit to AIRE or upload to the Service any data that contains sensitive data (according to applicable Privacy Law) that relates to identifiable persons such as: any person’s racial origin, membership in a trade union, religion, ideology and sexual life, or health data or data relative to the commission of criminal offences or proceedings and associated penalties or fines.
6. Rights and Responsibilities of AIRE as Data Processor
AIRE will perform all its obligations as Data Processor under the Privacy Regulation and, in particular, shall:
- Process Customer Personal Data only on the basis of documented instructions from the Customer (which includes the configuration of the Service and all functionalities used by the Customer in the Service, such as messaging), including transfers of Customer Personal Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law; in such case, the Data Processor will inform the Data Controller of that legal requirement prior to the processing, unless otherwise prohibited by such law or in the public interest.
- Ensure that the persons authorised to process Customer Personal Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature.
- Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing.
- Assist the Data Controller, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the data subjects.
- Assist the Data Controller in ensuring that they comply with their obligations, taking into account the nature of the processing and the information that is available to the Data Processor.
- At the choice of the Data Controller, either destroy or return all Customer Personal Data once the processing services have been completed and destroy any existing copies unless the retention of Customer Personal Data is required under Union or applicable Member State law.
- Make available to the Data Controller all information necessary to demonstrate compliance with the obligations established herein, as well as to allow and contribute to the performance of audits, including inspections, by the controller or other authorised auditors for the Data Controller.
- Process the Customer Personal Data in a way that ensures that the personnel in charge follow the instructions of the Data Controller (e.g. Service configuration).
- Ensure that the Data Protection Officer or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of Customer Personal Data.
- Adhere to a Code of Conduct that is approved by the Commission or other competent authority.
- Keep a record of processing activities in the case of processing Customer Personal Data that may pose a risk to the rights and freedoms of the data subject and/or in a non-occasional manner, or which involves the processing of special categories of data and/or data relating to convictions and infractions.
- Respond to the legal rights established by the GDPR and comply with the stipulations indicated in clause 5 even if these were originally addressed to the Data Processor.
7. Data Subjects’ Exercise of Their Rights
If a Data Subject addresses a request or exercises any of the rights established in the General Data Protection Regulation, AIRE and the Customer agree to collaborate to provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.
Similarly, in the event that the Data Controller and/or the Processor does not proceed with the request of the Data Subject, it shall inform the latter without delay, and no later than one month after receipt of the request, shall provide the Data Subject with the reasons why it has not acted and inform the Data Subject of his/her right to file a complaint before a competent authority and to file a judicial appeal. The response to the Data Subject’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.
8. Subcontracting
As Data Processor, AIRE may provide access to a subcontractor processor to Customer Personal Data if we reasonably consider such access and processing necessary to the performance of the Services. In the event of such access and before the access takes place, AIRE shall ensure that an agreement with the third party is in place which is sufficient to require it to treat personal data in accordance with the applicable provisions of this Agreement and applicable. The Customer authorises AIRE to subcontract such processing in its name, the current sub-processors being those set out in the Exhibit below.
9. International Transfer of Data
AIRE shall not carry out any international transfer of data except with authorisation of the Customer, which may be provided through instructions and configuration of the Service. However, AIRE may transfer Customer Personal Data outside the EEA to its subprocessors indicated in the Exhibit below.
10. Security Breach of Customer Personal Data
Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation, in the event of a security breach of the Customer Personal Data, the Data Controller and/or Data Processor shall notify the competent supervisory authority of such breach without undue delay, and if possible, no later than 72 hours after it happened.
DPA Exhibit
In accordance with the provisions set out herein and in the GDPR, the Data Processor shall process the type and category of Customer Personal Data provided by the Data Controller set out hereunder:
Data Subject | Category of Data |
Customer’s Authorized Users | Identification data; Aire Platform usage data, Messaging data |
Persons whose data is processed by Customer in the Aire Platform | Identification data, Contact data, Messaging data; All other data relating to identified persons uploaded or captured by the Customer and stored in the Aire Platform |
Types of processing
Storage, selection, classification, filtering, transmission, modification, elimination.
Subcontractors
Entity | Service | Territory |
Paddle | Orders and Payments | UK – https://www.paddle.com/ |
Origoss | Devops | Hungary, EU – https://www.origoss.com |
Digital Ocean | PAAS cloud provider | EU, US – https://www.digitalocean.com |
Hetzner | PAAS cloud provider | Germany, US – https://www.hetzner.com/ |
OpenAI | LLM Provider | EU, US – https://openai.com/policies/eu-privacy-policy/ |
Gleap | Customer Service Chatbot Provider | Austria, EU – https://www.gleap.io |