Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between Low Entropy Group ("Processor") and the individual or entity using AirJelly ("Controller") and forms part of the Terms and Conditions.

This DPA reflects the parties' agreement with respect to the processing of personal data in connection with AirJelly. It is intended to meet the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent data protection legislation in other jurisdictions.

For the purposes of this DPA, "personal data," "data subject," "processing," "controller," and "processor" have the meanings given in applicable data protection law.

The Processor shall:

• Process personal data only on documented instructions from the Controller (including as set out in these Terms), unless required to do so by applicable law
• Ensure that authorized personnel processing personal data are subject to appropriate confidentiality obligations
• Implement appropriate technical and organizational security measures in accordance with Article 32 GDPR
• Not engage sub-processors without prior general or specific written authorization from the Controller, and impose equivalent data protection obligations on any sub-processors
• Assist the Controller in responding to data subject rights requests to the extent technically feasible
• Assist the Controller in meeting its obligations under Articles 32–36 GDPR (security, breach notification, DPIAs)
• Delete or return all personal data to the Controller upon termination of the service, unless retention is required by applicable law
• Provide the Controller with all information necessary to demonstrate compliance with this DPA and permit audits or inspections conducted by the Controller or an authorized auditor

The Controller shall:

• Ensure it has a lawful basis for processing personal data under applicable data protection law before instructing the Processor
• Provide clear and complete processing instructions to the Processor
• Ensure that any personal data provided to the Processor is accurate and up to date
• Comply with all applicable data protection laws in connection with its use of AirJelly
• Maintain appropriate records of processing activities under its responsibility

The Processor implements the following technical and organizational measures to protect personal data:

• Encryption — all data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256
• Access controls — strict role-based access controls and multi-factor authentication for internal systems
• Data minimization — screen context data is processed transiently and not persistently stored on Processor servers
• Vulnerability management — regular security assessments and prompt remediation of identified vulnerabilities
• Incident response — documented procedures for detecting, reporting, and responding to data breaches
• Employee training — all personnel with access to personal data receive regular data protection training

Where the Processor transfers personal data to countries outside the European Economic Area (EEA) or the United Kingdom that do not benefit from an adequacy decision, the Processor will ensure that such transfers are subject to appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission
• Binding Corporate Rules (where applicable)
• Other transfer mechanisms recognized under applicable data protection law

Details of applicable transfer mechanisms are available upon written request to privacy@airjelly.ai.

In the event of a personal data breach, the Processor shall:

• Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
• Provide the Controller with sufficient information to enable it to meet any notification obligations to supervisory authorities and data subjects
• Cooperate with the Controller to investigate, mitigate, and remediate the breach

Notification will be provided to the contact email associated with the Controller's account.

The Processor will provide reasonable assistance to the Controller in responding to data subject rights requests (access, rectification, erasure, portability, objection, restriction). Where technically feasible, the Processor will:

• Provide tools or documentation enabling the Controller to extract, correct, or delete personal data
• Respond to Controller requests within 5 business days

The Controller remains responsible for assessing and responding to data subject requests under applicable law.

The Controller may, upon reasonable notice (no less than 30 days, except where a regulator or law requires otherwise), conduct audits or inspections to verify the Processor's compliance with this DPA. Such audits shall be:

• Conducted during normal business hours
• Limited to information directly relevant to the processing of the Controller's personal data
• Carried out at the Controller's expense unless a material non-compliance is identified

The Processor may provide audit reports prepared by independent third parties as an alternative to on-site audits where appropriate.

Upon termination of the agreement between the parties:

• The Processor will, at the Controller's choice, return or delete all personal data processed on the Controller's behalf
• The Processor will delete or anonymize personal data within 90 days of receiving the Controller's written instruction or upon account deletion
• Backups containing personal data will be deleted within the next scheduled backup rotation cycle
• The Processor may retain personal data to the extent required by applicable law, in which case the Processor will notify the Controller of such requirement

This DPA is governed by the laws applicable to the Terms and Conditions. In the event of any conflict between this DPA and the Terms and Conditions with respect to personal data processing, this DPA shall prevail.

For questions or to exercise rights under this DPA:

Low Entropy Group Email: privacy@airjelly.ai Website: airjelly.ai