Data Processing Addendum (US)

Last Updated: 1 December 2018

Use of the services provided by Aerofiler Inc. (“Aerofiler”) may involve sending personal data to Aerofiler, which is located in the United States.

This Data Processing Addendum (“DPA”) is only applies to you if you are located in the European Union (“EU”) or Switzerland, or your process personal data of individuals resident in the EU or Switzerland. If this DPA applies to you, then to the extent that Aerofiler processes Personal Data as your processor, the terms of this DPA supplement any agreement you have with Aerofiler under which Aerofiler provides you with services (“Services”), such as the Terms of Service located at https://www.aerofiler.com/terms (“Applicable Terms”).

If there is a conflict between this DPA and the Applicable Terms, this DPA will prevail with respect to that conflict.

Terms

Aerofiler and you agree as follows:

1. Definitions

For the purposes of this DPA, the following terms have the following meanings:

GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679).

Controller”, “processor”, “data subject”, “personal data”, “personal data breach” and “processing” shall have the same meanings as in the GDPR and “processed” and “process” shall be interpreted in accordance with the definition of “processing”.

Personal Data” means any personal data provided by you to Aerofiler in connection with your use of the Services under the Applicable Terms.

2. Data Processing

2.1. Aerofiler will:
(a) only process Personal Data in accordance with the Applicable Terms or your written instructions;
(b) implement appropriate technical and organisational measures to protect the Personal Data;
(c) assist you by appropriate technical and organisational measures insofar as this is possible (taking into account the nature of the processing) to enable you to fulfill any obligations to respond to requests for the exercise of data subject rights by a data subject under GDPR;
(d) assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to Aerofiler;
(e) on termination of the Applicable Terms, delete the Personal Data as soon as reasonably practicable and within a maximum period of 180 days unless applicable law requires or permits further storage, provided however that Aerofiler may keep the Personal Data if necessary to provide other Services set forth in the Applicable Terms;
(f) make available to you all information that is reasonably necessary to demonstrate Aerofiler’s compliance with its legal obligations as a Data Processor under Article 28 of the GDPR; and
(g) respond to any written audit questions submitted to it by you, provided that you will not exercise this right more than once per year. Aerofiler will also provide you with copies of any audit reports conducted by independent third party auditors relating to the security and data processing practices of Aerofiler relevant to the Personal Data. Such audit reports are Aerofiler’s confidential information and you will not disclose such reports to any third party without Aerofiler’s prior written consent.

2.2. You agree that Aerofiler may subcontract its data processing obligations under this DPA to a sub-processor, but only by way of a written agreement with the sub-processor which imposes obligations on the sub-processor no less onerous than as are imposed on Aerofiler under this DPA. Where the sub-processor fails to fulfil such obligations, Aerofiler shall remain fully liable to you for the performance of that sub-processor’s obligations. You hereby authorize Aerofiler to engage the Aerofiler Inc. (and its affiliates) and any entities listed on the Subprocessor List at https://www.aerofiler.com/legal/subprocessors as its sub-processors. Aerofiler shall notify you of any additional sub-processors by posting them at the foregoing URL. If you reasonably object to any such additional sub-processor, you may inform Aerofiler in writing of the reasons for your objections. If you object to such additional subprocessors and Aerofiler does not cease using them to process the Personal Data, you should stop using the Services and providing the Personal Data to Aerofiler.

2.3. Aerofiler will notify you without undue delay of the discovery by Aerofiler of any actual Personal Data Breach involving the Personal Data. Such notice shall include, at the time of notification or as soon as practicable after notification, a description of the nature of the breach, anticipated consequences of the breach and any actual or proposed remedies for mitigating the possible adverse effects of the breach.