Data Processing Addendum (DPA)

1. Definitions

Capitalized terms not defined here have the meaning in the Agreement. "Controller", "Processor", "Personal Data", and "Processing" have the meanings given in the GDPR/UK GDPR where applicable.

"Customer Personal Data" means Personal Data contained in Customer Data processed by AvairAI on behalf of Customer under the Agreement.

This DPA applies to Customer Data processing. It does not govern AvairAI's processing of AvairAI Prospect Database data, which is addressed in the Privacy Policy.

2. Roles

Customer is the Controller (or Business) of Customer Personal Data. AvairAI is a Processor (or Service Provider) processing Customer Personal Data on Customer's behalf.

Customer is responsible for determining the purposes and lawful bases for processing Customer Personal Data and for providing any required notices to data subjects.

3. Processing on Instructions

AvairAI will process Customer Personal Data only on documented instructions from Customer, including to provide the Services, unless required to do otherwise by law.

Customer instructs AvairAI to process Customer Personal Data to provide, secure, and maintain the Services, and as otherwise configured by Customer within the Services.

4. Confidentiality

AvairAI will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations.

5. Security

AvairAI will implement appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

6. Subprocessors

Customer authorizes AvairAI to use subprocessors to provide the Services. The current list is maintained at https://www.avair.ai/subprocessors.

AvairAI will impose data protection obligations on subprocessors consistent with this DPA.

AvairAI will provide notice of material subprocessor changes where commercially reasonable (e.g., via the Subprocessors page), and Customer may object on reasonable grounds related to data protection.

7. Data Subject Requests (DSARs)

Taking into account the nature of processing, AvairAI will provide reasonable assistance to Customer to respond to data subject requests relating to Customer Personal Data, to the extent Customer cannot access the relevant information through the Services.

If AvairAI receives a data subject request relating to Customer Personal Data, AvairAI will direct the request to Customer where permitted.

8. Personal Data Breach Notification

AvairAI will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and will provide information reasonably necessary to enable Customer to meet its breach notification obligations.

9. Deletion and Return

Upon termination of the Services, AvairAI will, at Customer's choice and subject to the Agreement, delete or return Customer Personal Data, except as required by law. Backups may be retained for a limited period consistent with AvairAI's backup policies, and will be protected and deleted in the ordinary course.

10. Audits

Upon reasonable notice and no more than once annually, Customer may audit AvairAI's compliance with this DPA through review of documentation or a mutually agreed audit mechanism, subject to confidentiality and reasonable limitations. Additional audits may be permitted if required by law or following a security incident affecting Customer Personal Data.

11. International Transfers (EU/UK)

To the extent Customer Personal Data is transferred from the EEA/Switzerland/UK to a country not recognized as providing adequate protection, the parties agree to rely on the following transfer mechanisms, as applicable:

• EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) ("EU SCCs"), Module Two (Controller-to-Processor), incorporated by reference and completed with Annexes in this DPA; and
• For UK transfers, either (a) the UK Addendum to the EU SCCs issued by the UK ICO, or (b) the UK International Data Transfer Agreement (IDTA), as applicable, incorporated by reference and completed with the Annexes in this DPA.

Annex 1 — Processing Details