DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) is part of the Master Service
Agreement ("Agreement") between AirMason Inc. ("Processor") and the
customer entity that is a party to the Agreement as a Customer
("Controller") (each a "Party"; together "the Parties").
Table of Contents
- DEFINITIONS
- ROLES AND RESPONSIBILITIES
- DATA PROCESSING DETAILS
- SECURITY
- SUBPROCESSING
- DATA SUBJECT RIGHTS
- DATA TRANSFERS
- DATA BREACH NOTIFICATION
- AUDIT RIGHTS
- RETURN OR DELETION OF DATA
- LIABILITY
- TERM AND TERMINATION
DEFINITIONS
- Agreement refers to the Master Service Agreement between AirMason and
the Controller, including any and all schedules, exhibits, and annexes
thereto.
- Controller refers to the client of AirMason who determines the
purposes and means of Processing of Personal Data.
- Data Subject means any identified or identifiable natural person who
is the subject of the Personal Data.
- GDPR means the General Data Protection Regulation (Regulation (EU)
2016/679).
- Personal Data means any information relating to a Data Subject that
Controller provides to Processor under the Agreement, which is
protected under the Data Protection Laws.
- Processing means any operation or set of operations performed upon
Personal Data, whether or not by automated means, such as collection,
recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure, or destruction.
- Processor refers to AirMason, a company that Processes Personal Data
on behalf of the Controller.
- Data Protection Laws means all laws and regulations, including laws
and regulations of the European Union, the European Economic Area,
their member states, Switzerland, the United Kingdom, and the United
States and its states, applicable to the Processing of Personal Data
under the Agreement.
- Subprocessor means any third party appointed by or on behalf of
Processor to Process Personal Data on behalf of the Controller.
- Service refers to the provision by AirMason of its employee handbook
creation platform that allows Controller to create, distribute, and
manage digital employee handbooks. The Service includes but is not
limited to the storage and processing of personal data related to
Controller's employees, the ability to send automated reminders to
employees for handbook signing, integration with Controller's existing
HRIS systems, Single Sign-On (SSO) capabilities, and any other
functionalities or services provided by AirMason under the Agreement.
ROLES AND RESPONSIBILITIES
- Data Controller: The Controller (the client of AirMason) determines
the purposes and means of the Processing of Personal Data in
connection with the use of the Service. The Controller is responsible
for ensuring that the Personal Data it provides or directs to be
provided to AirMason for Processing in connection with the Service is
collected and transferred in compliance with applicable laws,
including securing necessary permissions and consents where required.
- Data Processor: AirMason, as a Data Processor, Processes Personal Data
on behalf of the Controller in accordance with the terms of the
Agreement and this DPA, and will follow the Controller's instructions
unless such instructions are not technically feasible, violate any
applicable laws, or are not in alignment with the terms of the
Agreement or this DPA.
- Data Subjects: Data Subjects are the identified or identifiable
natural persons to whom the Personal Data pertains. These may include,
for example, the Controller's employees or users, to whom AirMason may
send automated reminders for handbook signing or provide other
services as instructed by the Controller.
- Subprocessors: AirMason may engage Subprocessors to provide certain
parts of the Service. AirMason will enter into written agreements with
each Subprocessor that impose data protection obligations to ensure a
level of security appropriate to the risk associated with the
Processing of Personal Data.
- Prohibited Data: The Controller shall not transfer or provide to
AirMason any Personal Data that falls under special categories of data
as defined by the GDPR or other applicable laws unless expressly
agreed to in writing by AirMason. Such data may include, but is not
limited to, sensitive Personal Data relating to racial or ethnic
origin, political opinions, religious beliefs, trade union membership,
physical or mental health or condition, sexual orientation, or
criminal offences ("Prohibited Data"). AirMason is not designed to
Process Prohibited Data and assumes no responsibility for such data
provided by the Controller.
DATA PROCESSING DETAILS
- Purpose: AirMason shall Process Personal Data solely for the purpose
of providing the Services stipulated in the Agreement, and for no
other purpose, unless other purposes are expressly agreed upon in
writing by the Parties.
- Processing Instructions: AirMason will only Process Personal Data in
accordance with the Controller’s documented instructions. The
Controller’s initial instructions to AirMason for the Processing of
Personal Data are to perform the Services in accordance with the
Agreement.
- Security Measures: AirMason shall implement appropriate technical and
organizational measures to protect the Personal Data, taking into
account the state of technology, the costs of implementation, the
nature, scope, context, and purposes of Processing, as well as the
risk to the rights and freedoms of natural persons.
- Confidentiality: AirMason shall ensure that persons authorized to
Process the Personal Data have committed themselves to confidentiality
or are under an appropriate statutory obligation of confidentiality.
- Assistance: AirMason shall, taking into account the nature of the
Processing, assist the Controller by appropriate technical and
organizational measures, insofar as this is possible, for the
fulfilment of the Controller's obligation to respond to requests for
exercising the data subject's rights.
SECURITY
- Processor shall take all measures required pursuant to Article 32 of
the GDPR. Processor will implement and maintain appropriate technical
and organizational measures to protect the personal data against
unauthorized or unlawful processing and against accidental loss,
destruction, damage, theft, alteration, or disclosure. These measures
shall be appropriate to the harm which might result from any
unauthorized or unlawful processing, accidental loss, destruction,
damage or theft of the personal data and having regard to the nature
of the personal data which is to be protected. Such measures may
include, as appropriate:
- Pseudonymization and encryption of personal data
- Ability to ensure the ongoing confidentiality, integrity,
availability, and resilience of processing systems and services
- Ability to restore the availability and access to personal data in
a timely manner in the event of a physical or technical incident
- Process for regularly testing, assessing, and evaluating the
effectiveness of technical and organizational measures for
ensuring the security of the processing
- Processor has implemented security measures which include, but are not
limited to, secure data transfer, data segregation, firewall
protections, system monitoring, logging and alerting, intrusion
detection and prevention, vulnerability management, and data
encryption at rest and in transit. Furthermore, Processor has in place
incident management processes and regularly carries out system
backups.
- In addition to its obligations under Article 32 of the GDPR, Processor
commits to provide reasonable assistance to Controller in ensuring
compliance with the obligations pursuant to Articles 32 to 36 of the
GDPR, taking into account the nature of processing and the information
available to the Processor.
- Details about specific technical and organizational measures
implemented by Processor may be further outlined in Annex 2 –
Technical and Organizational Measures.
SUBPROCESSING
- The Controller authorizes the Processor to engage sub-processors as
necessary to deliver the Service, subject to the requirements in this
Section. The Processor shall maintain an up-to-date list of its
sub-processors, which is available for review here.
- The Processor shall enter into a written agreement with each
sub-processor containing data protection obligations at least as
protective as those in this Addendum, to the extent applicable to the
nature of the Service provided by such sub-processor. In such cases,
the Processor will ensure that such sub-processors are bound by
obligations consistent with this Addendum and that they implement
appropriate technical and organizational measures to comply with Data
Protection Laws.
- In the event of any proposed change in sub-processor, the Processor
will notify the Controller at least 30 days in advance, allowing the
Controller to object to such changes. If the Controller objects to the
new sub-processor and the Processor chooses to retain that
sub-processor, the Controller may terminate this Agreement by
providing written notice to the Processor.
- The Processor remains responsible at all times for the compliance of
each sub-processor with the obligations of this Addendum and for any
acts or omissions of the sub-processor that cause Processor to breach
any of its obligations under this Addendum.
DATA SUBJECT RIGHTS
- In accordance with Data Protection Laws, data subjects have certain
rights with respect to their Personal Data. As part of its Service,
AirMason provides the Controller with various self-service features,
which may be used to assist it in connection with its obligations
under Data Protection Laws pertaining to such rights.
- These features enable the Controller to retrieve, correct, delete, or
restrict the use of Customer Data, including but not limited to:
- Retrieval of all Signature Data and Employee Contacts through .csv
export
- PDF export of Employee Handbooks
- In view of the nature of the processing, AirMason shall provide
reasonable assistance to the Controller, to the extent possible, to
enable the Controller to comply with its data protection obligations
with respect to data subject rights under Data Protection Laws.
- If any request pertaining to data subject rights is made directly to
AirMason, AirMason will not respond to such communication directly,
except as necessary (e.g., to direct the data subject to contact the
Controller) or as legally required, without prior authorization from
the Controller.
- If AirMason is required to respond to such a request and the
Controller is identifiable from the request, AirMason will promptly
notify the Controller and provide a copy of the request, unless
legally prohibited from doing so.
- Nothing in the Agreement, including this DPA, shall restrict or
prevent AirMason from responding to any data subject or data
protection authority requests concerning Personal Data for which
AirMason is a controller.
DATA TRANSFERS
- In connection with the provision of the Service, AirMason may store
and process Personal Data in the United States, European Union, or
Canada, in accordance with the customer's location and preferences.
- For US-based customers, Personal Data will be stored and processed
within US-based Google Cloud data centers, and no data is transferred
outside the United States. For EU-based customers, Personal Data is
stored and processed within the Brussels-based Google Cloud data
center, and no data is transferred outside the EU. For Canadian
customers who have specifically requested a single tenant VPC,
Personal Data is stored and processed within Canadian-based data
centers.
- AirMason, in collaboration with Google Cloud's robust policies and
mechanisms, ensures that the storage and processing of Personal Data
complies with all applicable Data Protection Laws. In cases where
Personal Data is transferred, it is limited to what is necessary to
provide the Service. Access to Personal Data by AirMason's staff and
subcontractors is limited to those who need to provide the Service.
- Although AirMason does not directly implement specific mechanisms such
as Standard Contractual Clauses or Privacy Shield certifications, the
adherence to such policies is enforced by Google Cloud. AirMason will
continue to adhere to all relevant data protection laws and ensure
that Personal Data is stored and processed securely, and in compliance
with the relevant laws.
DATA BREACH NOTIFICATION
In the event of a data breach, AirMason has a thorough internal procedure
in place to identify, contain, eradicate, recover from, and conduct
post-incident analysis of the breach. These procedures ensure an immediate
response and minimize the impact on the affected parties. AirMason
employees are required to report any unauthorized or suspicious activity
they notice in relation to production systems or related communication
systems.
Upon the discovery of a data breach, AirMason promptly commences an
in-depth, five-phase incident response procedure. These phases include:
- Identification and Triage
- Containment
- Eradication
- Recovery
- Post-Incident Analysis
AirMason's incident response team conducts all stages of this process,
documenting all measures taken during each phase, including start and end
times of all efforts.
For significant events, such as the application of critical security
patches to the operating system or network, AirMason commits to notifying
clients within seven days of the event.
In the event of a data breach that results in a risk to the rights and
freedoms of individuals, AirMason will notify affected customers promptly
via email. This notification will contain details including:
- A description of the nature of the breach,
- The types of data that were involved,
- Measures taken by AirMason to address the breach,
- Recommendations for steps users can take to protect themselves, such as
resetting their passwords.
In the aftermath of a data breach, AirMason will assist its customers in
mitigating potential adverse effects. As part of its support, AirMason
will provide assistance to users in resetting their passwords.
AirMason is committed to safeguarding your data and will continue to
enhance and update its data breach procedures to ensure the highest level
of security. We believe in transparency and will do our best to keep our
customers informed and supported in the event of a data breach.
AUDIT RIGHTS
AirMason is committed to maintaining the highest level of data protection
and understands the importance of transparency and accountability in this
regard. However, due to the nature of our service, the sensitive
information we handle, and the potential disruption to our operations, we
currently do not allow customers or their authorized third-party auditors
to conduct audits of our data processing activities.
We assure our customers that our data handling and processing practices
are designed to be compliant with the relevant Data Protection Laws. To
this end, we have rigorous internal policies and procedures in place to
ensure our compliance, and we regularly review and update these policies
in line with the best practices and legal requirements.
To provide transparency and demonstrate our compliance, we make available
relevant documentation such as privacy policies, security practices, and
data processing addendums. Additionally, we can provide a SOC 2 report
upon request, which is conducted by an independent auditor and provides a
thorough review of our data handling practices.
We understand the importance of verifying compliance with data protection
laws and regulations. Therefore, if a customer has specific compliance
requirements or queries, they should communicate these to us, and we will
strive to address them in the best possible manner.
RETURN OR DELETION OF DATA
Upon termination of the Services or upon a written request by the
Customer, AirMason shall return or delete Customer Personal Data in its
possession. AirMason undertakes the following steps to ensure the secure
handling of the Customer's Personal Data:
- Deletion After Termination: Following the termination of the
Customer's contract, AirMason retains Customer Personal Data for a
period of 90 days. During this period, the Customer can request a data
export by email. After the lapse of this 90-day period, the Personal
Data is automatically deleted.
- Deletion Upon Request: Customers can request the deletion of their
Personal Data at any time by sending an email to AirMason. We aim to
comply with such deletion requests within 7 days.
- Anonymization of Data: In cases where there is a soft delete (via the
dashboard, under regular operations), AirMason may anonymize or
de-identify Customer Personal Data rather than deleting it entirely.
This is done to maintain the integrity of the data while ensuring that
no personally identifiable information remains.
- Data Deletion Procedures: AirMason uses a multi-step process to ensure
the complete deletion of data. This includes the deletion of data from
our live servers, followed by the deletion from our backup servers.
Once deletion is completed, the Customer will receive an email
notification confirming the deletion.
- Exceptions: There are no exceptions to the data return or deletion
policy except as required by applicable laws. In such cases, only the
minimum necessary information is retained.
This Return or Deletion of Data policy ensures AirMason's commitment to
respect the privacy and confidentiality of the Customer's Personal Data.
LIABILITY
- The aggregate liability of each party and all of its Affiliates
arising out of or related to this Data Processing Addendum (including
the Standard Contractual Clauses, where applicable) shall be subject
to the exclusions and limitations of liability set forth in each
Service Level Agreement governing the relationship between the
Customer and AirMason.
- Any claims made against AirMason under or in connection with this Data
Processing Addendum (including, where applicable, the Standard
Contractual Clauses) shall be brought solely by the Customer entity
that is a party to the Agreement.
- This limitation of liability reflects the allocation of risk between
the Parties and is an essential element of the bargain between the
Parties.
TERM AND TERMINATION
- Term: This DPA shall commence on the Effective Date and shall continue
in effect until termination of the Agreement or until AirMason ceases
to process Customer Data on behalf of the Customer, whichever is
later.
- Termination: This DPA shall terminate automatically upon termination
or expiration of the Agreement in accordance with its terms. Any
obligation imposed on AirMason under this DPA regarding the handling
and protection of Customer Data shall survive termination or
expiration of this DPA to the extent AirMason continues to possess or
control such Customer Data.
- Breach: In the event of a breach of the terms of this DPA by AirMason,
the Customer may, without prejudice to any other rights or remedies
and on giving at least fifteen (15) days' written notice to AirMason,
terminate this DPA and the Agreement if AirMason fails to cure such
breach within the notice period.
- Right to Terminate: AirMason reserves the right to terminate this DPA
and the Agreement upon thirty (30) days' written notice if the Customer
is in breach of any term of this DPA and fails to cure such breach
within the notice period.
- Data After Termination: Upon termination or expiration of this DPA,
AirMason will cease all processing of Customer Data and will, at the
request of the Customer, return or delete Customer Data in its
possession, in accordance with Section 10 of this DPA.