AIRFOLD DATA PROCESSING ADDENDUM

Effective Date: May 6, 2025

This Data Processing Addendum (“DPA”) is made between Airfold, Inc., a Delaware corporation with offices at 640 Mystic Ave, Somerville, MA 02145, USA (“Airfold”), and the Customer identified in the Order Form.

This DPA is incorporated into and made subject to the Airfold Terms of Service between Airfold and Customer, or to any other written agreement between Airfold and Customer, that governs Customer’s use of the Services (as defined below) (the “Agreement”).

BACKGROUND

Airfold provides a data analytics platform-as-a-service solution (“Services”) to the Customer under the Agreement. In connection with the Services, Airfold processes certain personal data in respect of which Customer or any Customer Affiliate may be a data controller under the Data Protection Laws.

Customer and Airfold have agreed to enter into this DPA in order to establish their respective responsibilities under the Data Protection Laws. All capitalized terms used in this DPA but not otherwise defined have the meaning ascribed to them in the Agreement.

1. DEFINITIONS

1.1 For purposes of this DPA, the following initially capitalized words have the following meanings:

  • “Adequate Country” means a country or territory that is recognized under applicable Data Protection Laws from time to time as providing adequate protection for personal data.

  • “Affiliate” means any person, partnership, joint venture, corporation, or other form of venture or enterprise, domestic or foreign, including subsidiaries, which directly or indirectly Control, are Controlled by, or are under common Control with a party. “Control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and operating policies of the entity in respect of which the determination is being made, through the ownership of voting securities, by contract, or otherwise.

  • “Applicable Data Protection Laws” means European Data Protection Laws and the California Privacy Act of 2018, as amended by the California Privacy Rights Act (California Civil Code §§ 1798.100 et seq) (“CCPA”) as the same may be amended, superseded, or replaced.

  • “Authorized Affiliate” means an Affiliate of Customer who has not signed an Order Form but acts as a controller or processor for the Customer Personal Data processed by Airfold pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.

  • “Controller” (or “Business” under CCPA) means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

  • “Customer Personal Data” means any Personal Data processed by Airfold on behalf of Customer as a service provider or processor (as applicable) in connection with the Services, as more particularly described in Section 3.6 of this DPA.

  • “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK-U.S. extension to the EU-U.S. Data Privacy Framework, and the Swiss-US Data Privacy Framework as set forth by the U.S. Department of Commerce.

  • “Data Protection Laws” means all applicable laws relating to data protection and privacy including without limitation: (i) EU General Data Protection Regulation 2016/679 (“GDPR”); (ii) the California Consumer Privacy Act (“CCPA”); and the United Kingdom GDPR (“UK GDPR”), in each case, as amended, superseded, or replaced from time to time.

  • “Data Subject” means an identified or identifiable natural person who is the subject of Personal Data.

  • “EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland, and Liechtenstein, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.

  • “European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; and (v) in respect of the United Kingdom (“UK”), the UK GDPR, and (vi) any applicable national legislation that replaces or converts in domestic law the GDPR, e-Privacy Directive, or any other law relating to data and privacy.

  • “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

  • “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

  • “Processor” (or “Service Provider” under CCPA) means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses as adopted by the EU Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021 found at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.

  • “Sub-processor” means any Processor engaged by Airfold to process Customer Personal Data.

  • “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.

  • “UK Addendum” means the international data transfer addendum to the SCCs issued by the Information Commissioner for Parties making a transfer of personal data from the United Kingdom to any other country which is not deemed adequate under Article 46 of the UK GDPR.

  • “UK GDPR” means the GDPR, as implemented by Section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 and supplemented by the Data Protection Act of 2018.

2. SCOPE AND APPLICABILITY OF THIS DPA

This DPA applies where and only to the extent that Airfold processes Customer Personal Data on behalf of Customer as a Processor (or, with respect to the CCPA, as a Service Provider) in the course of providing the Services.

3. ROLES AND SCOPE OF PROCESSING

3.1 Role of the Parties

As between Airfold and Customer, Airfold shall process Customer Personal Data only as a Processor (or sub-processor) acting on behalf of Customer and, with respect to CCPA, as a Service Provider, in each case, regardless of whether Customer acts as a Controller or as a Processor on behalf of a third-party controller with respect to Customer Personal Data.

3.2 Scope of Processing

Airfold certifies that it will not (i) “sell” or “share” Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Airfold or for any purpose other than as permitted under the Agreement (including this DPA) or for purposes otherwise agreed in writing or permitted by the CCPA; or (iii) combine Customer Personal Data with Personal Data that Airfold collects or receives from another person. Airfold and Customer acknowledge and agree that the disclosure of Customer Personal Data by Customer to Airfold does not constitute a “sale.” Customer agrees that Airfold may de-identify or aggregate Customer Personal Data in the course of providing the Service to Customer.

3.3 Customer Instructions

Airfold will only process the Customer Personal Data in order to provide the Services and will act only in accordance with the Agreement and Customer’s written instructions. The Agreement, this DPA, and Customer’s use of the Airfold Platform’s features and functionality are Customer’s written instructions to Airfold in relation to the processing of Customer Personal Data.

If Applicable Data Protection Laws require Airfold to process Customer Personal Data other than pursuant to Customer’s instructions, Airfold will notify Customer prior to processing (unless prohibited from so doing by applicable law).

Airfold will immediately inform Customer if, in Airfold’s opinion, any instructions provided by Customer infringe the GDPR or other applicable Data Protection Laws.

3.4 Customer Responsibilities

Customer is responsible for the lawfulness of Customer Personal Data processing under or in connection with the Services. Customer shall:

(i) have provided, and will continue to provide, all notices and have obtained, and will continue to obtain, all consents, permissions, and rights necessary under Applicable Data Protection Laws for Airfold to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA);

(ii) make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data;

(iii) have complied with all Applicable Data Protection Laws applicable to the collection of Customer Personal Data and the transfer of such Customer Personal Data to Airfold and its Sub-processors; and

(iv) ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws).

Where applicable, Customer shall be responsible for any communications, notifications, assistance, and/or authorizations that may be required in connection with any third-party controllers for whom Customer acts as a processor (and Airfold a sub-processor).

3.5 Customer Affiliates

Airfold’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions:

3.5.1 Customer shall be responsible for Authorized Affiliates’ compliance with this DPA. Any and all acts and/or omissions by an Authorized Affiliate with respect to this DPA shall be deemed the acts and/or omissions of Customer; and

3.5.2 Authorized Affiliates shall not bring a claim directly against Airfold. If an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding, or otherwise against Airfold (an “Authorized Affiliate Claim”): (i) Customer must bring such Authorized Affiliate Claim directly against Airfold on behalf of such Authorized Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim; and (ii) all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including damages disclaimer and any aggregate limitation of liability.

3.6 Details of Processing

Details of processing by Airfold are set forth below:

3.6.1 Subject Matter of Processing: Customer Personal Data that Customer elects to transfer to Airfold to be processed for the provision, receipt, and/or use of the applicable Services as set forth in the Agreement.

3.6.2 Frequency and Duration of Processing: For the duration of the Services or for so long as Customer grants Airfold access to process the Customer Personal Data, as applicable. Notwithstanding expiration or termination of the applicable Order Form or the Agreement, Airfold shall continue to process Customer Personal Data until such Customer Personal Data is deleted or Customer removes Airfold’s access to process such Customer Personal Data. The period for which Customer Personal Data will be retained and the criteria used to determine that period shall be determined by Customer during the term of the Agreement. Upon termination or expiration of the Agreement, Customer may retrieve or delete all Customer Personal Data as set forth in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by Airfold promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement.

3.6.3 Nature of Processing: Customer Personal Data that Customer elects to transfer to Airfold to be processed for the provision, receipt, and/or use of the applicable Services as set forth in the Agreement.

3.6.4 Purpose of Processing: The operation, support, use, or provisioning of the Services as set out in the Agreement and compliance with applicable laws.

3.6.5 Categories of Data Subjects: Categories of data subjects are as determined by Customer. Includes natural persons whose Personal Data Customer elects to transfer to Airfold for processing for the provision, receipt, and/or use of the applicable Services as set forth in the Agreement. These may include but are not limited to: (i) prospects, customers, business partners, and vendors of Customer (who are natural persons); (ii) employees or contact persons of Customer’s prospects, customers, business partners, and vendors; and/or (iii) employees, agents, advisors, freelancers of Customer (who are natural persons).

3.6.6 Type of Personal Data: Type of Personal Data is as determined by Customer subject to such restrictions as may be set forth in the Agreement. Includes Personal Data types that are included in data that Customer transfers to Airfold for processing for the provision, receipt, and/or use of the applicable Services as set forth in the Agreement. These may include but are not limited to: (i) name, address, title, contact details; (ii) credit card details, account details, payment information; (iii) employer, job title, geographic location, area of responsibility; and/or (iv) IP addresses, usage data, cookie data, location data.

4. AIRFOLD OBLIGATIONS

4.1 Appropriate Technical and Organizational Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Airfold will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in Airfold’s possession or under its control. Such measures include security measures equal to or better than those specified in Annex B below.

Customer has reviewed Airfold’s security program and acknowledges that it is designed to ensure a level of security appropriate to the risk. Customer further acknowledges that it is responsible for its configuration of the Airfold Platform and for using features and functionality of the Services to ensure a level of security appropriate to the risks presented by the processing.

4.2 Access by Airfold Personnel

Airfold will ensure that its personnel have access to Customer Personal Data only as necessary to perform the Services in accordance with the Agreement and this DPA, and that any persons whom it authorizes to have access to the Customer Personal Data are under written obligations of confidentiality.

4.3 Personal Data Breaches

Taking into account the nature of the processing and the information available to Airfold:

4.3.1 Airfold shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data;

4.3.2 Such notification will, to the extent known by Airfold: (i) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) communicate the name and contact details of the data protection officer or other contact where more information can be obtained; (iii) describe the likely consequences of the Personal Data Breach; and (iv) describe the measures taken or proposed to be taken by Airfold to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;

4.3.3 Where, and in so far as, it is not possible to provide all the information at the same time, the initial notification shall contain the information then available and further information shall be provided as it becomes available subsequently; and

4.3.4 Airfold shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

4.4 Deletion or Return of Personal Data

Airfold will return Personal Data to Customer by permitting Customer to export Personal Data from the Airfold Platform at any time during provision of the Services, using the Airfold Platform’s then existing features and functionality. Customer may delete Customer Data at any time. Airfold will delete Customer’s data (and any data remaining on such environments) within 30 days of termination or expiration of the Agreement, and other Personal Data retained by Airfold (if any).

Airfold is not obligated to delete copies of Personal Data retained in automated backup copies generated by Airfold, which Airfold will retain for up to, and delete within, 14 months from their creation. Such backup copies will remain subject to this DPA and the Agreement until they are destroyed.

4.5 Assistance

Taking into account the nature of processing and the information available to Airfold, Airfold will assist Customer when reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to:

4.5.1 data protection impact assessments (as such term is defined in the GDPR);

4.5.2 notifications to the Supervisory Authority under Data Protection Laws and/or communications to Data Subjects by Customer in response to any Personal Data Breach; and

4.5.3 Customer’s compliance with its obligations under the GDPR with respect to the security of processing, to the extent that such assistance does not constitute legal advice.

4.6 Data Subject Requests

Taking into account the nature of the processing, Airfold will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to data subjects’ requests to exercise their rights under Chapter III of the GDPR or other applicable Data Protection Laws. Airfold will promptly notify Customer of requests received by Airfold, unless otherwise required by applicable law.

Customer may make changes to Personal Data processed with the Airfold Platform using the features and functionality of the Airfold Platform. Airfold will not make changes to such data except as agreed in writing with Customer. If and to the extent that Customer is unable to respond to a data subject request by using features and functionality of the Airfold Platform and a response to the data subject is required by Data Protection Laws, Airfold will, upon written request by Customer, reasonably assist Customer in responding to the request.

4.7 Records of Processing Activities

Airfold will maintain records of its processing activities as required by Article 30.2 of the GDPR and make such records available to the applicable supervisory authority upon request.

5. SUB-PROCESSING

5.1 Disclosure and Transfer of Personal Data

Airfold will not disclose or transfer Personal Data to any third party without the prior written permission of Customer, except (i) as specifically stated in the Agreement or this DPA, or (ii) where such disclosure or transfer is required by any applicable law, regulation, or public authority.

Customer consents to Airfold’s use of sub-processors to provide aspects of the Services, and to Airfold’s disclosure and provision of Personal Data to those sub-processors. Airfold publishes a list of its then-current sub-processors at https://airfold.co/legal/subprocessors (“Sub-Processor List”). Airfold will require its sub-processors to comply with terms that are substantially no less protective of Personal Data than those imposed on Airfold in this Agreement (to the extent applicable to the services provided by the sub-processor). Airfold will be liable for any breach of its obligations under this Agreement that is caused by an act, error, or omission of a sub-processor.

5.3 Authorization of New Sub-Processors

Airfold may authorize new sub-processors, provided that:

5.3.1 Airfold will update the Sub-Processor List on its website at least thirty (30) days prior to any such authorization of a new sub-processor;

5.3.2 Airfold will provide to the Agreement a mechanism to subscribe for updates to the Sub-Processor List; and

5.3.3 The authorization of any new sub-processor shall be subject to Section 5.4 (Objections to New Sub-Processors) below.

5.4 Objections to New Sub-Processors

If Customer objects to the authorization of any future sub-processor on reasonable data protection grounds within 30 days of notification of the proposed authorization, and if Airfold is unable to provide an alternative or workaround to avoid processing of Personal Data by the objected to sub-processor within a reasonable period of time, not to exceed 30 days from receipt of the objection (the “Correction Period”), then, at any time within expiration of the Correction Period, Customer may elect to terminate the processing of Personal Data under affected Order Forms to the Agreement without penalty, by written notice to Airfold to that effect.

If Customer terminates any such Order Form in accordance with the foregoing, then Airfold will refund to Customer a pro-rata amount of any affected Services fees prepaid to Airfold and applicable to the unutilized portion of the Subscription Term for terminated Services.

6. AUDIT AND RECORDS

6.1 Provision of Information

Airfold will make available to Customer such information in Airfold’s possession or control as Customer may reasonably request with a view to demonstrating Airfold’s compliance with the obligations of data processors under the Data Protection Laws in relation to its processing of Personal Data.

6.2 Audit Right

Customer may exercise its right of audit under the Data Protection Laws through Airfold providing:

6.2.1 an attestation or certification issued by a qualified independent security assessor; and

6.2.2 the executive summary of Airfold’s most recent penetration tests, which will include remedial actions taken or to be taken by Airfold.

In the event that Customer wishes to conduct its own audit, Airfold will allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer, provided that Customer gives Airfold reasonable notice of such audit and such audit is conducted during normal business hours, in a manner that does not interfere with Airfold’s normal business operations and subject to Airfold’s security and confidentiality requirements. For clarity, such audit shall be limited to the Customer Personal Data processed by Airfold. Customer is responsible for any and all costs and fees related to an audit.

Before the commencement of an audit, Customer and Airfold shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Airfold of any non-compliance discovered during the course of an audit. Customer may use a third party to conduct the audit, provided that any such third party auditor enters into a non-disclosure agreement with Airfold containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Airfold’s proprietary information. Audits may only occur during Airfold’s normal business hours and no more often than once per year, unless such frequency is requested by a regulatory authority.

7. DATA TRANSFERS

This Section 7 applies to any processing by Airfold or its sub-processors of any Personal Data subject to the GDPR.

7.1 Data Transfers Outside of the EEA

To the extent any processing by Airfold of Personal Data takes place in any country outside the European Economic Area (“EEA”) (other than exclusively in an Adequate Country), the parties agree that the Standard Contractual Clauses will apply in respect of that processing; Airfold will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and Customer will comply with the obligations of ‘data exporter’. In this respect, Customer and Airfold agree that the Standard Contractual Clauses are incorporated into and made subject to this DPA by this reference.

7.2 Processing by Sub-Processors

Customer acknowledges that the provision of the Services under the Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA from time to time.

7.3 Data Transfers to Sub-Processors Outside of the EEA

If, in the performance of this DPA, Airfold transfers any Personal Data to a sub-processor (including any Airfold Affiliate that acts as a sub-processor) where such sub-processor will process Personal Data outside the EEA (other than exclusively in an Adequate Country), then Airfold will in advance of any such transfer ensure that a mechanism to achieve adequacy in respect of that processing is in place, such as:

7.3.1 the requirement for Airfold to execute or procure that the sub-processor executes the Standard Contractual Clauses;

7.3.2 the requirement for the sub-processor to be certified under the Data Privacy Framework; and/or

7.3.3 the existence of any other specifically approved safeguard for data transfers (as recognized under the applicable European Data Protection Laws) and/or a European Commission finding of adequacy.

7.4 Standard Contractual Clauses

The following terms will apply to the Standard Contractual Clauses:

7.4.1 Module Two (controller to processor) will apply where Customer is a controller and Module Three (processor to processor) will apply where Customer is a processor;

7.4.2 in Clause 7, the optional docking clause will apply;

7.4.3 in Clause 9, Option 2 (general authorization) will apply, and the specified time period for prior notice of sub-processor changes shall be 30 days;

7.4.4 in Clause 11, the optional language will not apply;

7.4.5 in Annex I, Part A of the Standard Contractual Clauses: Data exporter: Customer. Data importer: Airfold. Contact details are as set forth in the Agreement.

7.4.6 in Annex I, Part B of the Standard Contractual Clauses: The description of the transfer is as set out at Section 3.6 of this DPA.

7.4.7 in Annex I, Part C of the Standard Contractual Clauses: The competent supervisory authority is the supervisory authority of the data exporter.

7.4.8 in Annex II of the Standard Contractual Clauses: The technical and organizational measures are set forth in Annex B of this DPA.

7.4.9 Airfold will provide a copy of its agreements with any sub-processor it appoints if requested by Customer, which may be redacted to remove confidential information not relevant to the Standard Contractual Clauses.

7.5 UK Transfers

For transfers of UK Personal Data, the UK Addendum is incorporated into this DPA and applies to transfers from the UK in addition to the Standard Contractual Clauses.

7.6 Data Privacy Framework

Airfold participates in and certifies compliance with the Data Privacy Framework. Customer and Airfold acknowledge and agree that transfers of Customer Personal Data from the EEA, Switzerland, or the UK to the United States pursuant to the Data Privacy Framework shall not be a Restricted Transfer.

Airfold will notify Customer if its Data Privacy Framework certification lapses or is otherwise invalidated, in which case any transfers of Personal Data by Customer from the EEA, Switzerland, and/or the UK to Airfold in the United States shall immediately be deemed a Restricted Transfer and the provisions of Sections 7.1-7.5 shall apply, as applicable.

8. LIMITATION OF LIABILITY

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Airfold, whether in contract, tort, or under any other theory of liability, is subject to the ‘Limitations and Exclusions of Liability’ (or its equivalent) section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

For the avoidance of doubt, Airfold’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs will apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, will not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

9. GENERAL

9.1 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail insofar as the subject matter concerns the processing of Personal Data. In the event of any conflict between the terms of this DPA and the Standard Contractual Clauses then, only insofar as the Standard Contractual Clauses apply, the Standard Contractual Clauses will prevail.

9.2 Customer and Airfold each agree that the dispute resolution provisions of the Agreement (including governing law and venue) apply to this DPA.

9.3 This DPA will be governed by and construed in accordance with the governing law of the Agreement, and any disputes will be resolved in accordance with the dispute resolution mechanisms in the Agreement.

ANNEX A - LIST OF PARTIES

Data exporter(s): Customer Entity as described in the Agreement (‘Customer’)

  • Name: Customer
  • Address: The Address is as set out in the Agreement
  • Contact person’s name, position and contact details: The Contact Details are as set out in the Agreement
  • Activities relevant to the data transferred under these Clauses: As set out in the Agreement between the parties.
  • Role (controller/processor): Controller

Data importer(s):

  • Name: Airfold, Inc.
  • Address: 640 Mystic Ave, Somerville, MA 02145, USA
  • Contact person’s name, position and contact details: Data Protection Officer, privacy@airfold.co
  • Activities relevant to the data transferred under these Clauses: As set out in the Agreement between the parties.
  • Role (controller/processor): Processor

ANNEX B - TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The Data Importer currently abides by the security standards in this Annex B. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the applicable Services Agreement.

Hosting Infrastructure

Infrastructure. The Data Importer hosts its services in geographically distributed, secure data centers operated by Google Cloud (GCP), Amazon Web Services (AWS), or Microsoft Azure.

Redundancy. The services are replicated across multiple data centers within a geographic region to eliminate single points of failure using an active/passive configuration in order to minimize the impact of environmental risks.

Monitoring. The services are protected by automated monitoring which is designed to detect a variety of failure conditions and which will, when appropriate, trigger failover mechanisms.

Backups. Backups are performed on a regular basis and stored in a secondary site within the same geographic region.

Business Continuity. The Data Importer replicates its service and data over multiple data centers within a geographic region (when made available by the Data Importer’s infrastructure-as-a-service providers) to protect against loss of service or data. The Data Importer conducts periodic tests of failover and data backup procedures to ensure readiness for business continuity and disaster recovery.

Networks & Transmission

Network Data Transmission. Interactions between users, administrators, and Data Importer modules are done using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols.

Network Security. The Data Importer employs multiple layers of DOS protection, Intrusion Detection, Rate Limiting, and other network security services from both its hosting providers and third-party providers.

Encryption Technologies. The Data Importer makes HTTPS encryption (also referred to as SSL or TLS connection) available.

Access Controls

Access Procedures. Only authorized employees are allowed access to these restricted components and all access is approved by an employee’s manager and service owner. Only a small number of individuals are approved to access the restricted components.

Access Mechanisms. Access to the Data Importer’s production service and build infrastructure occurs only over a secured channel and requires two-factor authentication.

Data Protection

In Transit. Interactions between users, administrators, and Airfold modules are done using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols.

At Rest. The Data Importer uses cryptographic hashing and encryption mechanisms to protect sensitive information such as cryptographic keys and application secrets.

Redundancy. The Data Importer stores data in a multi-tenant environment within the Data Importer’s hosted infrastructure. The data and service are replicated across multiple hosted data centers within the same geographic region.

Data Isolation. The Data Importer logically isolates the Data Exporter’s data, and the Data Exporter has a large degree of control over the specific data stored in the Service.

Data Deletion. The Data Importer provides to the Data Exporter a mechanism that can be used to delete the Data Exporter’s data.

Software Code Review. The Data Importer employs a code review process to improve the security of the code used to provide the Services. All changes to the service are reviewed and approved by a senior engineer other than the author of the change.

Automated Testing. Each software build is subjected to a comprehensive suite of automated tests.

Security Scan. The Data Importer employs a third party to scan the Service for security vulnerabilities on a periodic basis.

Staff Conduct and Security

Staff Conduct. The Data Importer personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, usage, compliance, and professional standards.

Background Checks. The Data Importer conducts reasonably appropriate background checks as legally permissible and in accordance with applicable local labor law and statutory regulations.

Subprocessor Security. Prior to onboarding sub-processors that will handle any data provided by a Data Exporter, the Data Importer conducts an assessment of the security and privacy practices of the sub-processor to help ensure that the sub-processor provides a level of security and data protection controls appropriate to their access to data and the scope of the services they are engaged to provide.

ANNEX C - DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Data subjects are end users, or individuals purporting to be end users, of the Customer Applications, or other data subjects with respect to whom Customer elects to collect their personal data, and Customer’s and Customer Affiliate members’, and its and their service providers, employees, consultants, agents, and representatives authorized by Customer to use the Services.

Categories of personal data transferred

Email addresses or unique identification methods depending on the authentication method selected by Customer, and any other personal data that the Customer uploads to the Airfold platform with the purpose of querying or analyzing it.

Sensitive data transferred (if applicable) and applied restrictions or safeguards

None, unless Customer chooses to process sensitive data through the Services. If Customer does process sensitive data, Customer is responsible for ensuring appropriate safeguards are in place, including those described in the Agreement and this DPA.

The frequency of the transfer

Continuous

Nature of the processing

The processing will comprise the following: Airfold provides a data analytics platform, which Customer may use to develop and integrate data products and applications. The Airfold Platform is not an application in itself; the Customer will need to write its own code to enable interoperability between the Airfold Platform and Customer applications, and to determine how to use the Airfold Platform within the Customer’s architecture. Airfold is responsible only for the Airfold Platform. Airfold is not responsible for the Customer’s networks, systems, or applications (collectively, “Customer Systems”), the means by which the Customer chooses to integrate the Airfold Platform into the Customer Systems, or the security and data protection measures that the Customer applies to the Customer Systems.

The Airfold Platform acts as a backend for data querying via Customer defined queries and APIs that then need to be integrated into Customer applications. Airfold has minimal control over the nature and scope of the personal data that Customer chooses to process using the Airfold Platform, minimal insight into the identity of the Customer’s users, and no role in the means by which Customer obtains personal data of Customer’s users or Customer’s decision-making as to the purpose for which the personal data is processed.

Purpose(s) of the data transfer and further processing

The purpose of the data processing is the provision of the Airfold Services to the Customer and the performance of Airfold’s obligations under the Agreement.

The period for which the personal data will be retained

The duration of the data processing under this DPA is until the termination or expiration of the Agreement in accordance with its terms.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the Processing of Personal Data by (Sub) Processors, if applicable, shall be as outlined above.

ANNEX D - COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the Standard Contractual Clauses:

For data transfers from the EEA, the competent supervisory authority will be determined based on the location of the Data Exporter in the EEA.

For data transfers from the UK, the competent supervisory authority is the UK Information Commissioner’s Office.

For data transfers from Switzerland, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

Copyright © 2025 Airfold, Inc. All rights reserved.