1. Subject matter and duration
This Data Processing Agreement ("DPA") supplements the AIR-Tools Terms of Service. It applies whenever AIR-Tools B.V. ("Processor") processes personal data on behalf of the customer organisation ("Controller") through use of the AIR-Tools service. By creating and using a customer organisation account, the Controller accepts this DPA. Where the Controller requires a counter-signed DPA, it may email privacy@air-tools.nl with the request and the signing entity's details; Processor counter-signs within five business days at no charge.
Processor processes personal data submitted by the Controller (the "Customer Data") solely to provide the AIR-Tools service: scans of Controller-authorised systems, AI-assisted compliance analysis, evidence storage, billing, and support. Processing starts on subscription activation and continues for the duration of the subscription, plus a 90-day post-cancellation export window.
2. Nature, purpose, and types of data
Categories of data subjects: Controller's employees, contractors, and (incidentally) Controller's customers and suppliers whose data appears in scanned configurations, uploaded documents, or AI conversations. Categories of personal data: identification (names, emails), professional context (role, organisation), technical identifiers (IPs, user agents in audit logs), free-text content the Controller chooses to upload. Processing operations: storage, structured organisation, AI inference, scanning, retrieval, deletion. Special categories: not requested or expected — Controller agrees not to upload them outside what a feature explicitly supports. Fully anonymised or aggregated data that can no longer be traced back to a data subject is not personal data and falls outside this DPA.
3. Processing on documented instructions
Processor processes Customer Data only on Controller's documented instructions, including with respect to transfers to third countries or international organisations, unless required to do otherwise by EU or member-state law, in which case Processor informs Controller of that legal requirement before processing unless the law prohibits doing so. The Terms of Service plus customer use of the service (configuration, settings, in-product actions) constitute the documented instructions. Processor will immediately inform Controller if, in its opinion, an instruction infringes applicable data-protection law.
4. Confidentiality
Personnel authorised to process Customer Data are bound by written confidentiality obligations and trained on data-protection responsibilities at hire and annually thereafter. Access is granted on least-privilege grounds and reviewed quarterly.
5. Security measures (Art. 32 GDPR)
Processor implements appropriate technical and organisational measures: TLS 1.3 in transit and AES-256 at rest; row-level security per tenant tested in CI; column-level encryption for secrets and integration tokens; MFA-capable authentication via Supabase Auth; centralised application logging with 90-day retention; quarterly access review; documented SDLC including code review on every change, dependency scanning, static analysis, and an annual penetration test; backup with 35-day rolling retention and tested restores. The current measures are summarised on the transparency page; Processor will revise measures as the threat landscape and the state of the art evolve.
6. Sub-processors
Controller authorises Processor's use of the sub-processors listed on the transparency page (Vercel, Supabase, OpenAI, Anthropic, Firecrawl, Brave Search, Stripe, Resend, Sentry, HubSpot). Processor will provide at least 30 days' notice before adding or replacing a sub-processor that processes Customer Data. Controller may object on reasonable data-protection grounds; if the parties cannot agree on an alternative within a reasonable period, Controller may terminate the affected service without penalty. Processor binds each sub-processor in writing to data-protection obligations equivalent to those in this DPA.
7. International transfers
Operational storage is EU-only (Vercel and Supabase, EU region Frankfurt). For sub-processors that hold account data in the US (currently OpenAI, Anthropic, Firecrawl, Brave Search, Resend, HubSpot, and Sentry where the organisation is hosted in a US region), transfers are governed by the European Commission's Standard Contractual Clauses in their currently approved form: Module 3 (processor-to-processor) between Processor and the sub-processor, or Module 2 (controller-to-processor) where applicable, plus the supplementary technical and organisational measures listed in clause 5. Where the sub-processor is certified under the EU-US Data Privacy Framework, that certification supplements the SCCs.
8. Assistance: data-subject rights, DPIAs, prior consultation
Processor provides reasonable technical assistance for the Controller to respond to requests from data subjects under Articles 12–22 GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making). The platform offers self-serve export and deletion of Controller data; for anything beyond that, email privacy@air-tools.nl. Processor responds to such requests within five business days. Taking into account the nature of processing and the information available to it, Processor also provides the Controller with reasonable assistance for data protection impact assessments (Art. 35 GDPR) and any prior consultation of the supervisory authority (Art. 36).
9. Personal-data breach notification
Processor notifies Controller without undue delay, and in any event within 72 hours of becoming aware, of a personal-data breach affecting Customer Data. The notification includes: the nature of the breach, categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. Processor maintains a documented incident-response runbook and runs an annual tabletop exercise. Processor cooperates with Controller's notification to supervisory authorities and affected data subjects where the Controller is the responsible party.
10. Audit rights
On reasonable written notice and no more than once per twelve-month period (more often if a breach occurs or law requires), Controller may audit Processor's compliance with this DPA. In the first instance Processor satisfies audit requests by providing the most recent third-party assessments (penetration test summary, security questionnaire response) and answers to specific written questions. On-site audits, where strictly required and not satisfied by documentation, are scheduled to minimise operational disruption, and Controller bears Processor's reasonable costs of supporting them. Otherwise, each party bears its own audit costs.
11. Deletion and return
On termination of the subscription, Processor makes Customer Data available for export for 90 days, then deletes it from primary storage. On Controller's documented request earlier than the end of the 90-day window, Processor deletes the data sooner and confirms the deletion in writing. In either case, the data ages out of backups within the 35-day rolling retention window that follows deletion from primary storage.
12. Liability
Liability under this DPA is governed by, and counts toward, the liability cap in the Terms of Service. Liability towards data subjects under Art. 82 GDPR is unaffected to the extent applicable law prohibits its limitation.
13. Governing law
Dutch law. Forum: the Rechtbank Gelderland (District Court of Gelderland). The version of the SCCs incorporated by reference is the set annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in its currently published form.
14. Contact
Privacy / DPA contact at AIR-Tools B.V.: privacy@air-tools.nl. We aim to respond within one business day.
Counter-signed copy
If you need a counter-signed PDF of this DPA on the AIR-Tools letterhead for your records, email privacy@air-tools.nl with your organisation's full legal name, registration number, and signing-authority email address. We counter-sign within five business days. The contractual terms are the same as the version published here.