Effective Date: May 6, 2025
This Data Processing Addendum (“DPA”) is made between Airfold, Inc., a Delaware corporation with offices at 640 Mystic
Ave, Somerville, MA 02145, USA (“Airfold”), and the Customer identified in the Order Form.
This DPA is incorporated into and made subject to the Airfold Terms of Service between Airfold and Customer, or to any
other written agreement between Airfold and Customer, that governs Customer’s use of the Services (as defined below)
(the “Agreement”).
Airfold provides a data analytics platform-as-a-service solution (“Services”) to the Customer under the Agreement. In
connection with the Services, Airfold processes certain personal data in respect of which Customer or any Customer
Affiliate may be a data controller under the Data Protection Laws.
Customer and Airfold have agreed to enter into this DPA in order to establish their respective responsibilities under
the Data Protection Laws. All capitalized terms used in this DPA but not otherwise defined have the meaning ascribed to
them in the Agreement.
1.1 For purposes of this DPA, the following initially capitalized words have the following meanings:
“Adequate Country” means a country or territory that is recognized under applicable Data Protection Laws from time
to time as providing adequate protection for personal data.
“Affiliate” means any person, partnership, joint venture, corporation, or other form of venture or enterprise,
domestic or foreign, including subsidiaries, which directly or indirectly Control, are Controlled by, or are under
common Control with a party. “Control” means the possession, directly or indirectly, of the power to direct or cause
the direction of the management and operating policies of the entity in respect of which the determination is being
made, through the ownership of voting securities, by contract, or otherwise.
“Applicable Data Protection Laws” means European Data Protection Laws and the California Privacy Act of 2018, as
amended by the California Privacy Rights Act (California Civil Code §§ 1798.100 et seq) (“CCPA”) as the same may be
amended, superseded, or replaced.
“Authorized Affiliate” means an Affiliate of Customer who has not signed an Order Form but acts as a controller or
processor for the Customer Personal Data processed by Airfold pursuant to the Agreement, for so long as such entity
remains a Customer Affiliate.
“Controller” (or “Business” under CCPA) means the natural or legal person, public authority, agency, or other
body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Customer Personal Data” means any Personal Data processed by Airfold on behalf of Customer as a service provider
or processor (as applicable) in connection with the Services, as more particularly described in Section 3.6 of this
DPA.
“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK-U.S. extension to the EU-U.S. Data
Privacy Framework, and the Swiss-US Data Privacy Framework as set forth by the U.S. Department of Commerce.
“Data Protection Laws” means all applicable laws relating to data protection and privacy including without
limitation: (i) EU General Data Protection Regulation 2016/679 (“GDPR”); (ii) the California Consumer Privacy Act
(“CCPA”); and the United Kingdom GDPR (“UK GDPR”), in each case, as amended, superseded, or replaced from time to time.
“Data Subject” means an identified or identifiable natural person who is the subject of Personal Data.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway,
Iceland, and Liechtenstein, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.
“European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on
the protection of natural persons with regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal
data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC
(“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data
Protection Act of 19 June 1992 and its Ordinance; and (v) in respect of the United Kingdom (“UK”), the UK GDPR, and
(vi) any applicable national legislation that replaces or converts in domestic law the GDPR, e-Privacy Directive, or
any other law relating to data and privacy.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable
natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, location data, an online identifier, or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to Customer Personal Data.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on
sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” (or “Service Provider” under CCPA) means a natural or legal person, public authority, agency, or
other body which processes Personal Data on behalf of the Controller.
“Sub-processor” means any Processor engaged by Airfold to process Customer Personal Data.
“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to
Article 51 of the GDPR.
“UK Addendum” means the international data transfer addendum to the SCCs issued by the Information Commissioner
for Parties making a transfer of personal data from the United Kingdom to any other country which is not deemed
adequate under Article 46 of the UK GDPR.
“UK GDPR” means the GDPR, as implemented by Section 3 of the United Kingdom’s European Union (Withdrawal) Act of
2018 and supplemented by the Data Protection Act of 2018.
This DPA applies where and only to the extent that Airfold processes Customer Personal Data on behalf of Customer as a
Processor (or, with respect to the CCPA, as a Service Provider) in the course of providing the Services.
As between Airfold and Customer, Airfold shall process Customer Personal Data only as a Processor (or sub-processor)
acting on behalf of Customer and, with respect to CCPA, as a Service Provider, in each case, regardless of whether
Customer acts as a Controller or as a Processor on behalf of a third-party controller with respect to Customer Personal
Data.
Airfold certifies that it will not (i) “sell” or “share” Customer Personal Data; (ii) retain, use, or disclose Customer
Personal Data outside of the direct business relationship between Customer and Airfold or for any purpose other than as
permitted under the Agreement (including this DPA) or for purposes otherwise agreed in writing or permitted by the CCPA;
or (iii) combine Customer Personal Data with Personal Data that Airfold collects or receives from another person.
Airfold and Customer acknowledge and agree that the disclosure of Customer Personal Data by Customer to Airfold does not
constitute a “sale.” Customer agrees that Airfold may de-identify or aggregate Customer Personal Data in the course of
providing the Service to Customer.
Airfold will only process the Customer Personal Data in order to provide the Services and will act only in accordance
with the Agreement and Customer’s written instructions. The Agreement, this DPA, and Customer’s use of the Airfold
Platform’s features and functionality are Customer’s written instructions to Airfold in relation to the processing of
Customer Personal Data.
If Applicable Data Protection Laws require Airfold to process Customer Personal Data other than pursuant to Customer’s
instructions, Airfold will notify Customer prior to processing (unless prohibited from so doing by applicable law).
Airfold will immediately inform Customer if, in Airfold’s opinion, any instructions provided by Customer infringe the
GDPR or other applicable Data Protection Laws.
Customer is responsible for the lawfulness of Customer Personal Data processing under or in connection with the
Services. Customer shall:
(i) have provided, and will continue to provide, all notices and have obtained, and will continue to obtain, all
consents, permissions, and rights necessary under Applicable Data Protection Laws for Airfold to lawfully process
Customer Personal Data for the purposes contemplated by the Agreement (including this DPA);
(ii) make appropriate use of the Services to ensure a level of security appropriate to the particular content of the
Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data;
(iii) have complied with all Applicable Data Protection Laws applicable to the collection of Customer Personal Data and
the transfer of such Customer Personal Data to Airfold and its Sub-processors; and
(iv) ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws).
Where applicable, Customer shall be responsible for any communications, notifications, assistance, and/or authorizations
that may be required in connection with any third-party controllers for whom Customer acts as a processor (and Airfold a
sub-processor).
Airfold’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following
conditions:
3.5.1 Customer shall be responsible for Authorized Affiliates’ compliance with this DPA. Any and all acts and/or
omissions by an Authorized Affiliate with respect to this DPA shall be deemed the acts and/or omissions of Customer; and
3.5.2 Authorized Affiliates shall not bring a claim directly against Airfold. If an Authorized Affiliate seeks to assert
a legal demand, action, suit, claim, proceeding, or otherwise against Airfold (an “Authorized Affiliate Claim”): (i)
Customer must bring such Authorized Affiliate Claim directly against Airfold on behalf of such Authorized Affiliate,
unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim; and (ii) all
Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability
restrictions set forth in the Agreement, including damages disclaimer and any aggregate limitation of liability.
Details of processing by Airfold are set forth below:
3.6.1 Subject Matter of Processing: Customer Personal Data that Customer elects to transfer to Airfold to be
processed for the provision, receipt, and/or use of the applicable Services as set forth in the Agreement.
3.6.2 Frequency and Duration of Processing: For the duration of the Services or for so long as Customer grants
Airfold access to process the Customer Personal Data, as applicable. Notwithstanding expiration or termination of the
applicable Order Form or the Agreement, Airfold shall continue to process Customer Personal Data until such Customer
Personal Data is deleted or Customer removes Airfold’s access to process such Customer Personal Data. The period for
which Customer Personal Data will be retained and the criteria used to determine that period shall be determined by
Customer during the term of the Agreement. Upon termination or expiration of the Agreement, Customer may retrieve or
delete all Customer Personal Data as set forth in the Agreement. Any Customer Personal Data not deleted by Customer
shall be deleted by Airfold promptly upon the later of (i) expiration or termination of the Agreement and (ii)
expiration of any post-termination “retrieval period” set forth in the Agreement.
3.6.3 Nature of Processing: Customer Personal Data that Customer elects to transfer to Airfold to be processed for
the provision, receipt, and/or use of the applicable Services as set forth in the Agreement.
3.6.4 Purpose of Processing: The operation, support, use, or provisioning of the Services as set out in the
Agreement and compliance with applicable laws.
3.6.5 Categories of Data Subjects: Categories of data subjects are as determined by Customer. Includes natural
persons whose Personal Data Customer elects to transfer to Airfold for processing for the provision, receipt, and/or use
of the applicable Services as set forth in the Agreement. These may include but are not limited to:
(i) prospects, customers, business partners, and vendors of Customer (who are natural persons);
(ii) employees or contact persons of Customer’s prospects, customers, business partners, and vendors; and/or
(iii) employees, agents, advisors, freelancers of Customer (who are natural persons).
3.6.6 Type of Personal Data: Type of Personal Data is as determined by Customer subject to such restrictions as may
be set forth in the Agreement. Includes Personal Data types that are included in data that Customer transfers to Airfold
for processing for the provision, receipt, and/or use of the applicable Services as set forth in the Agreement. These
may include but are not limited to:
(i) name, address, title, contact details;
(ii) credit card details, account details, payment information;
(iii) employer, job title, geographic location, area of responsibility; and/or
(iv) IP addresses, usage data, cookie data, location data.
4.1 Appropriate Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of
processing, Airfold will implement appropriate technical and organizational measures to ensure a level of security
appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction,
loss, alteration, unauthorized disclosure of, or access to Personal Data in Airfold’s possession or under its control.
Such measures include security measures equal to or better than those specified in Annex B below.
Customer has reviewed Airfold’s security program and acknowledges that it is designed to ensure a level of security
appropriate to the risk. Customer further acknowledges that it is responsible for its configuration of the Airfold
Platform and for using features and functionality of the Services to ensure a level of security appropriate to the risks
presented by the processing.
Airfold will ensure that its personnel have access to Customer Personal Data only as necessary to perform the Services
in accordance with the Agreement and this DPA, and that any persons whom it authorizes to have access to the Customer
Personal Data are under written obligations of confidentiality.
Taking into account the nature of the processing and the information available to Airfold:
4.3.1 Airfold shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting
Customer Personal Data;
4.3.2 Such notification will, to the extent known by Airfold: (i) describe the nature of the Personal Data Breach
including where possible, the categories and approximate number of data subjects concerned and the categories and
approximate number of Personal Data records concerned; (ii) communicate the name and contact details of the data
protection officer or other contact where more information can be obtained; (iii) describe the likely consequences of
the Personal Data Breach; and (iv) describe the measures taken or proposed to be taken by Airfold to address the
Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
4.3.3 Where, and in so far as, it is not possible to provide all the information at the same time, the initial
notification shall contain the information then available and further information shall be provided as it becomes
available subsequently; and
4.3.4 Airfold shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to
assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
Airfold will return Personal Data to Customer by permitting Customer to export Personal Data from the Airfold Platform
at any time during provision of the Services, using the Airfold Platform’s then existing features and functionality.
Customer may delete Customer Data at any time. Airfold will delete Customer’s data (and any data remaining on such
environments) within 30 days of termination or expiration of the Agreement, and other Personal Data retained by
Airfold (if any).
Airfold is not obligated to delete copies of Personal Data retained in automated backup copies generated by Airfold,
which Airfold will retain for up to, and delete within, 14 months from their creation. Such backup copies will remain
subject to this DPA and the Agreement until they are destroyed.
Taking into account the nature of processing and the information available to Airfold, Airfold will assist Customer when
reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to:
4.5.1 data protection impact assessments (as such term is defined in the GDPR);
4.5.2 notifications to the Supervisory Authority under Data Protection Laws and/or communications to Data Subjects by
Customer in response to any Personal Data Breach; and
4.5.3 Customer’s compliance with its obligations under the GDPR with respect to the security of processing, to the
extent that such assistance does not constitute legal advice.
Taking into account the nature of the processing, Airfold will assist Customer by appropriate technical and
organizational measures, insofar as this is possible, to respond to data subjects’ requests to exercise their rights
under Chapter III of the GDPR or other applicable Data Protection Laws. Airfold will promptly notify Customer of
requests received by Airfold, unless otherwise required by applicable law.
Customer may make changes to Personal Data processed with the Airfold Platform using the features and functionality of
the Airfold Platform. Airfold will not make changes to such data except as agreed in writing with Customer. If and to
the extent that Customer is unable to respond to a data subject request by using features and functionality of the
Airfold Platform and a response to the data subject is required by Data Protection Laws, Airfold will, upon written
request by Customer, reasonably assist Customer in responding to the request.
Airfold will maintain records of its processing activities as required by Article 30.2 of the GDPR and make such records
available to the applicable supervisory authority upon request.
Airfold will not disclose or transfer Personal Data to any third party without the prior written permission of Customer,
except (i) as specifically stated in the Agreement or this DPA, or (ii) where such disclosure or transfer is required by
any applicable law, regulation, or public authority.
Customer consents to Airfold’s use of sub-processors to provide aspects of the Services, and to Airfold’s disclosure and
provision of Personal Data to those sub-processors. Airfold publishes a list of its then-current sub-processors
at https://airfold.co/legal/subprocessors (“Sub-Processor List”). Airfold will
require its sub-processors to comply with terms that are substantially no less protective of Personal Data than those
imposed on Airfold in this Agreement (to the extent applicable to the services provided by the sub-processor). Airfold
will be liable for any breach of its obligations under this Agreement that is caused by an act, error, or omission of a
sub-processor.
Airfold may authorize new sub-processors, provided that:
5.3.1 Airfold will update the Sub-Processor List on its website at least thirty (30) days prior to any such
authorization of a new sub-processor;
5.3.2 Airfold will provide to the Agreement a mechanism to subscribe for updates to the Sub-Processor List; and
5.3.3 The authorization of any new sub-processor shall be subject to Section 5.4 (Objections to New Sub-Processors)
below.
If Customer objects to the authorization of any future sub-processor on reasonable data protection grounds within 30
days of notification of the proposed authorization, and if Airfold is unable to provide an alternative or workaround to
avoid processing of Personal Data by the objected to sub-processor within a reasonable period of time, not to exceed 30
days from receipt of the objection (the “Correction Period”), then, at any time within expiration of the Correction
Period, Customer may elect to terminate the processing of Personal Data under affected Order Forms to the Agreement
without penalty, by written notice to Airfold to that effect.
If Customer terminates any such Order Form in accordance with the foregoing, then Airfold will refund to Customer a
pro-rata amount of any affected Services fees prepaid to Airfold and applicable to the unutilized portion of the
Subscription Term for terminated Services.
Airfold will make available to Customer such information in Airfold’s possession or control as Customer may reasonably
request with a view to demonstrating Airfold’s compliance with the obligations of data processors under the Data
Protection Laws in relation to its processing of Personal Data.
Customer may exercise its right of audit under the Data Protection Laws through Airfold providing:
6.2.1 an attestation or certification issued by a qualified independent security assessor; and
6.2.2 the executive summary of Airfold’s most recent penetration tests, which will include remedial actions taken or to
be taken by Airfold.
In the event that Customer wishes to conduct its own audit, Airfold will allow for and contribute to audits, including
inspections, conducted by Customer or a third-party auditor mandated by Customer, provided that Customer gives Airfold
reasonable notice of such audit and such audit is conducted during normal business hours, in a manner that does not
interfere with Airfold’s normal business operations and subject to Airfold’s security and confidentiality requirements.
For clarity, such audit shall be limited to the Customer Personal Data processed by Airfold. Customer is responsible for
any and all costs and fees related to an audit.
Before the commencement of an audit, Customer and Airfold shall mutually agree upon the scope, timing, and duration of
the audit. Customer shall promptly notify Airfold of any non-compliance discovered during the course of an audit.
Customer may use a third party to conduct the audit, provided that any such third party auditor enters into a
non-disclosure agreement with Airfold containing confidentiality provisions substantially similar to those set forth in
the Agreement to protect Airfold’s proprietary information. Audits may only occur during Airfold’s normal business hours
and no more often than once per year, unless such frequency is requested by a regulatory authority.
To the extent any processing by Airfold of Personal Data takes place in any country outside the European Economic
Area (“EEA”) (other than exclusively in an Adequate Country), the parties agree that the Standard Contractual Clauses
will apply in respect of that processing; Airfold will comply with the obligations of the ‘data importer’ in the
Standard Contractual Clauses and Customer will comply with the obligations of ‘data exporter’. In this respect, Customer
and Airfold agree that the Standard Contractual Clauses are incorporated into and made subject to this DPA by this
reference.
Customer acknowledges that the provision of the Services under the Agreement may require the processing of Personal Data
by sub-processors in countries outside the EEA from time to time.
7.3 Data Transfers to Sub-Processors Outside of the EEA
If, in the performance of this DPA, Airfold transfers any Personal Data to a sub-processor (including any Airfold
Affiliate that acts as a sub-processor) where such sub-processor will process Personal Data outside the EEA (other than
exclusively in an Adequate Country), then Airfold will in advance of any such transfer ensure that a mechanism to
achieve adequacy in respect of that processing is in place, such as:
7.3.1 the requirement for Airfold to execute or procure that the sub-processor executes the Standard Contractual
Clauses;
7.3.2 the requirement for the sub-processor to be certified under the Data Privacy Framework; and/or
7.3.3 the existence of any other specifically approved safeguard for data transfers (as recognized under the applicable
European Data Protection Laws) and/or a European Commission finding of adequacy.
The following terms will apply to the Standard Contractual Clauses:
7.4.1 Module Two (controller to processor) will apply where Customer is a controller and Module Three (processor to
processor) will apply where Customer is a processor;
7.4.2 in Clause 7, the optional docking clause will apply;
7.4.3 in Clause 9, Option 2 (general authorization) will apply, and the specified time period for prior notice of
sub-processor changes shall be 30 days;
7.4.4 in Clause 11, the optional language will not apply;
7.4.5 in Annex I, Part A of the Standard Contractual Clauses:
Data exporter: Customer
Data importer: Airfold
Contact details are as set forth in the Agreement.
7.4.6 in Annex I, Part B of the Standard Contractual Clauses:
The description of the transfer is as set out at Section 3.6 of this DPA.
7.4.7 in Annex I, Part C of the Standard Contractual Clauses:
The competent supervisory authority is the supervisory authority of the data exporter.
7.4.8 in Annex II of the Standard Contractual Clauses:
The technical and organizational measures are set forth in Annex B of this DPA.
7.4.9 Airfold will provide a copy of its agreements with any sub-processor it appoints if requested by Customer, which
may be redacted to remove confidential information not relevant to the Standard Contractual Clauses.
For transfers of UK Personal Data, the UK Addendum is incorporated into this DPA and applies to transfers from the UK in
addition to the Standard Contractual Clauses.
Airfold participates in and certifies compliance with the Data Privacy Framework. Customer and Airfold acknowledge and
agree that transfers of Customer Personal Data from the EEA, Switzerland, or the UK to the United States pursuant to the
Data Privacy Framework shall not be a Restricted Transfer.
Airfold will notify Customer if its Data Privacy Framework certification lapses or is otherwise invalidated, in which
case any transfers of Personal Data by Customer from the EEA, Switzerland, and/or the UK to Airfold in the United States
shall immediately be deemed a Restricted Transfer and the provisions of Sections 7.1-7.5 shall apply, as applicable.
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this
DPA, and all DPAs between Authorized Affiliates and Airfold, whether in contract, tort, or under any other theory of
liability, is subject to the ‘Limitations and Exclusions of Liability’ (or its equivalent) section of the Agreement, and
any reference in such section to the liability of a party means the aggregate liability of that party and all of its
Affiliates under the Agreement and all DPAs together.
For the avoidance of doubt, Airfold’s and its Affiliates’ total liability for all claims from Customer and all of its
Authorized Affiliates arising out of or related to the Agreement and all DPAs will apply in the aggregate for all claims
under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized
Affiliates, and, in particular, will not be understood to apply individually and severally to Customer and/or to any
Authorized Affiliate that is a contractual party to any such DPA.
9.1 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue
to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the
Agreement, the terms of this DPA will prevail insofar as the subject matter concerns the processing of Personal Data. In
the event of any conflict between the terms of this DPA and the Standard Contractual Clauses then, only insofar as the
Standard Contractual Clauses apply, the Standard Contractual Clauses will prevail.
9.2 Customer and Airfold each agree that the dispute resolution provisions of the Agreement (including governing law and
venue) apply to this DPA.
9.3 This DPA will be governed by and construed in accordance with the governing law of the Agreement, and any disputes
will be resolved in accordance with the dispute resolution mechanisms in the Agreement.
ANNEX B - TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Data Importer currently abides by the security standards in this Annex B. The Data Importer may update or modify
these security standards from time to time provided such updates and modifications will not result in a degradation of
the overall security of the Services during the term of the applicable Services Agreement.
Infrastructure. The Data Importer hosts its services in geographically distributed, secure data centers operated by
Google Cloud (GCP), Amazon Web Services (AWS), or Microsoft Azure.
Redundancy. The services are replicated across multiple data centers within a geographic region to eliminate single
points of failure using an active/passive configuration in order to minimize the impact of environmental risks.
Monitoring. The services are protected by automated monitoring which is designed to detect a variety of failure
conditions and which will, when appropriate, trigger failover mechanisms.
Backups. Backups are performed on a regular basis and stored in a secondary site within the same geographic region.
Business Continuity. The Data Importer replicates its service and data over multiple data centers within a
geographic region (when made available by Data Importer’s infrastructure-as-a-service providers) to protect against loss
of service or data. The Data Importer conducts periodic tests of failover and data backup procedures to ensure readiness
for business continuity and disaster recovery.
Network Data Transmission. Interactions between users, administrators, and Data Importer modules are done using the
Secure Socket Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols.
Network Security. The Data Importer employs multiple layers of DOS protection, Intrusion Detection, Rate Limiting,
and other network security services from both its hosting providers and third-party providers.
Encryption Technologies. The Data Importer makes HTTPS encryption (also referred to as SSL or TLS connection)
available.
Access Procedures. Only authorized employees are allowed access to these restricted components and all access is
approved by an employee’s manager and service owner. Only a small number of individuals are approved to access the
restricted components.Access Mechanisms. Access to the Data Importer’s production service and build infrastructure occurs only over a
secured channel and requires two-factor authentication.
In Transit. Interactions between users, administrators, and Airfold modules are done using the Secure Socket Layer
(SSL) or Transport Layer Security (TLS) standard cryptographic protocols.
At Rest. The Data Importer uses cryptographic hashing and encryption mechanisms to protect sensitive information
such as cryptographic keys and application secrets.
Redundancy. The Data Importer stores data in a multi-tenant environment within the Data Importer’s hosted
infrastructure. The data and service are replicated across multiple hosted data centers within the same geographic
region.
Data Isolation. The Data Importer logically isolates the Data Exporter’s data, and the Data Exporter has a large
degree of control over the specific data stored in the Service.
Data Deletion. The Data Importer provides to the Data Exporter a mechanism that can be used to delete the Data
Exporter’s data.
Software Code Review. The Data Importer employs a code review process to improve the security of the code used to
provide the Services. All changes to the service are reviewed and approved by a senior engineer other than the author of
the change.Automated testing. Each software build is subjected to a comprehensive suite of automated tests.Security Scan. The Data Importer employs a third party to scan the Service for security vulnerabilities on a
periodic basis.
Staff Conduct. The Data Importer personnel are required to conduct themselves in a manner consistent with the
company’s guidelines regarding confidentiality, business ethics, usage, compliance, and professional standards.
Background Checks. The Data Importer conducts reasonably appropriate background checks as legally permissible and in
accordance with applicable local labor law and statutory regulations.
Subprocessor Security. Prior to onboarding sub-processors that will handle any data provided by a Data Exporter, the
Data Importer conducts an assessment of the security and privacy practices of the sub-processor to help ensure that the
sub-processor provides a level of security and data protection controls appropriate to their access to data and the
scope of the services they are engaged to provide.
Categories of data subjects whose personal data is transferred
Data subjects are end users, or individuals purporting to be end users, of the Customer Applications, or other data
subjects with respect to whom Customer elects to collect their personal data, and Customer’s and Customer Affiliate
members’, and its and their service providers, employees, consultants, agents, and representatives authorized by
Customer to use the Services.
Email addresses or unique identification methods depending on the authentication method selected by Customer, and any
other personal data that the Customer uploads to the Airfold platform with the purpose of querying or analyzing it.
Sensitive data transferred (if applicable) and applied restrictions or safeguards
None, unless Customer chooses to process sensitive data through the Services. If Customer does process sensitive data,
Customer is responsible for ensuring appropriate safeguards are in place, including those described in the Agreement and
this DPA.
The processing will comprise the following: Airfold provides a data analytics platform, which Customer may use to
develop and integrate data products and applications. The Airfold Platform is not an application in itself; the Customer
will need to write its own code to enable interoperability between the Airfold Platform and Customer applications, and
to determine how to use the Airfold Platform within the Customer’s architecture. Airfold is responsible only for the
Airfold Platform. Airfold is not responsible for the Customer’s networks, systems, or applications (collectively,
“Customer Systems”), the means by which the Customer chooses to integrate the Airfold Platform into the Customer Systems,
or the security and data protection measures that the Customer applies to the Customer Systems.
The Airfold Platform acts as a backend for data querying via Customer-defined queries and APIs that then need to be
integrated into Customer applications. Airfold has minimal control over the nature and scope of the personal data that
Customer chooses to process using the Airfold Platform, minimal insight into the identity of the Customer’s users, and
no role in the means by which Customer obtains personal data of Customer’s users or Customer’s decision-making as to the
purpose for which the personal data is processed.
Purpose(s) of the data transfer and further processing
The purpose of the data processing is the provision of the Airfold Services to the Customer and the performance of
Airfold’s obligations under the Agreement.