Effective Date: August 30, 2018
0.1 In accordance with section 4 of the Terms of Service or as the case may be on the basis of a superseding written Enterprise Services Agreement (each individually referred to as the “Agreement”), this Data Processing Addendum ("DPA") sets out the basis on which Airy processes Customer Personal Data (as defined below).
1.2 In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail.
2.1 Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:
(a) "Customer Personal Data" means the personal data described in ANNEX 1 and any other personal data that Airy processes on behalf of the Customer in connection with Airy's provision of the Service;
(b) "Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data;
(c) "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
(d) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;
(e) "Standard Contractual Clauses" means the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (which will automatically apply);
(f) "Subprocessor" means any Processor engaged by Airy who agrees to receive from Airy Customer Personal Data; and
(g) the terms "personal data", "Controller", "Processor", "Data Subject", "Process" and "Supervisory Authority" shall have the same meaning as set out in the GDPR.
3.1 Instructions for Data Processing. Airy will only Process Customer Personal Data in accordance with (a) the Agreement, to the extent necessary to provide the Service to the Customer, and (b) the Customer's written instructions, unless Processing is required by European Union or Member State law to which Airy is subject, in which case Airy shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that Customer Personal Data.
3.2 Processing outside the scope of this Agreement will require prior written agreement between the Customer and Airy on additional instructions for Processing.
3.3 Required consents. Where required by applicable Data Protection Laws, the Customer will ensure that it has obtained/will obtain all necessary consents for the Processing of Customer Personal Data by Airy in accordance with the Agreement.
4.1 Consent to Subprocessor Engagement. The Customer generally authorises the engagement of third parties as Subprocessors.
4.2 Information about Subprocessors. A list of Airy's Subprocessors is available at Subprocessors (the “Subprocessors List”) as may be updated by Airy from time to time in accordance with this DPA. Customer may receive notifications of new Sub-processors by e-mailing email@example.com with the subject “Subscribe”, and if a Customer contact subscribes, Airy shall provide the subscriber with notification of new Subprocessors before authorizing such new Subprocessor to process Customer Personal Data in connection with the provision of the applicable Services.
4.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Airy will:
4.4 Opportunity to Object to new Subprocessors. Customer may reasonably object to the appointment of a new Subprocessor by notifying Airy promptly in writing within ten (10) business days after receipt of Airy’s notice in accordance with the mechanism set out in Section 4.2. Such notice shall include documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA ("Objection"). If Airy does not remedy or provide a reasonable workaround for Customer’s Objection within a reasonable time, Customer may object to any new Subprocessor by terminating the Agreement immediately upon written notice to Airy, on condition that Customer provides such notice within 90 days of being informed of the engagement of the relevant Subprocessor in accordance with the mechanism set out in Section 4.2. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
4.5 Transfers of Personal Data Outside the EEA. To the extent that the Processing of Customer Personal Data by Airy involves the export of such Personal Data to a country or territory outside the EEA, such transfer shall be to a third party:
5.1 Airy Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Airy shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, Airy shall put in place and maintain the technical and organisational measures set out in ANNEX 2.
5.2 Security Audits. The Customer may, upon reasonable notice, audit (by itself or using independent third party auditors) Airy's compliance with the security measures set out in this DPA (including the technical and organisational measures as set out in ANNEX 2), including by conducting audits of Airy's (and Subprocessors') data processing facilities. Upon request by the Customer, Airy shall make available all information reasonably necessary to demonstrate compliance with this DPA.
5.3 Security Incident Notification. If Airy or any Subprocessor becomes aware of a Security Incident, Airy will (a) notify the Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
5.4 Airy Employees and Personnel. Airy shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that:
6.1 Data Subject Requests. Save as required (or where prohibited) under applicable law, Airy shall notify the Customer of any request received by Airy or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.
6.2 Airy shall, where possible, assist the Customer with ensuring its compliance under applicable Data Protection Laws, and in particular shall:
6.3 Government Disclosure. Airy shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
6.4 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Airy shall use all reasonable endeavors to assist the Customer by implementing any other appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR.
To the extent required under applicable Data Protection Laws, Airy shall provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Airy.
8.1 Deletion of data. Subject to 8.2 and 8.3 below, Airy shall, within 90 (ninety) days of the date of termination of the Agreement:
8.2 Subject to section 8.3 below, the Customer may in its absolute discretion notify Airy in writing within 30 (thirty) days of the date of termination of the Agreement to require Airy to delete and procure the deletion of all copies of Customer Personal Data Processed by Airy. Airy shall, within 90 (ninety) days of the date of termination of the Agreement:
8.3 Airy and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Airy shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
This ANNEX 1 includes certain details of the processing of Customer Personal Data as required by Article 28(3) of the GDPR.
The subject matter and the duration of the Processing of the Customer Personal Data are set out in the Agreement including this DPA.
The Customer Personal Data will be subject to the following basic Processing activities: transmitting, collecting, storing, and analyzing data in order to provide the Service to the Customer, and any other activities related to the provision of the Service or as specified in the Agreement.
The types of Customer Personal Data processed include:
The categories of Data Subject to whom the Customer Personal Data relates are set out in the Agreement including this DPA.
The obligations and rights of the Customer are as set out in the Agreement including this DPA.
1. Airy maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:
2. Airy will, and will use reasonable efforts to procure that its Subprocessors, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and its policies and procedures.
3. Airy will, and will use reasonable efforts to procure that its Subprocessors, periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.