Data Processing Agreement
Last Updated: 10 June 2021
This Data Processing Agreement (“DPA”) is entered into by the applicable Aerobotics® contracting entity to the agreement for the order for services (defined below), as updated and amended from time to time, as well as the Aerobotics terms of service (collectively the “principal agreement”) (namely “Aerobotics”, the “processor”, “we” or “us”) and the entity or person agreeing to the principal agreement and this DPA (namely the “controller” or “you”) and governs the processing of personal data by Aerobotics on your behalf as agreed between us in the principal agreement. This DPA is hereby incorporated into the principal agreement and Aerobotics terms of service. In the event of any conflict between the principal agreement, the provisions of the following shall prevail: (a) regulations set out in applicable data privacy laws; (b) this DPA; (c) the principal agreement. Except as specifically amended in this DPA, the principal agreement remains unchanged and in full force and effect.
1. Background and purpose
1.1. The controller has contracted with Aerobotics for Aerobotics to perform certain services in accordance with the principal agreement, which imply the processing of controller personal data by Aerobotics.
1.2. The parties seek to implement a Data Processing Agreement that complies with the requirements of applicable data protection laws. This DPA applies when Aerobotics processes personal data on the controller’s behalf when it provides certain of its services to the controller, subject to applicable data protection laws to achieve the controller’s purposes as set out in the principal agreement.
1.3. This DPA adds supplementary requirements to the principal agreement.
2. Commencement and duration
2.1. This DPA will come into effect on the Effective Date of the principal agreement.
2.2. Aerobotics will process the controller personal data until the principal agreement expires or terminates, unless the controller instructs it to do otherwise, or it returns or destroys the controller personal data (at the controller’s choice).
3. Processing of controller personal data
3.1. Details of data processing:
3.1.1. Subject matter: The subject matter of the data processing under this DPA is controller personal data.
3.1.2. Duration: As between Aerobotics and you, the duration of the processing under this DPA is determined by the principal agreement.
3.1.3. Purpose: The purpose of the processing under this DPA is the provision of the services initiated by you from time to time.
3.1.4. Nature of the processing: analytics, research and development, storage, reporting and such other services as described in the principal agreement and initiated by the controller from time to time.
3.1.5. Type of controller personal data: controller personal data uploaded and provided when using the services under your online account with Aeroview and/or through integration with your own internal systems.
3.1.6. Data subjects: controller’s customers, agents, employees, and suppliers.
3.2. More details of the processing of controller personal data are set out and referenced in the principal agreement.
3.3. Aerobotics shall:
3.3.1. comply with all applicable data protection laws in the processing of controller personal data;
3.3.2. not process controller personal data other than in accordance with the controller’s documented instructions and only to the extent that the services relating to the processing activities require it to;
3.3.3. inform the controller if it reasonably believes that any of its legal obligations requires a specific processing activity beyond the scope of controller’s instructions and get explicit permission from the controller before carrying out that activity;
3.3.4. implement the controller’s documented instructions where a data subject has revoked consent;
3.3.5. immediately tell you if we believe that any instruction infringes applicable data protection laws; and
3.3.6. take reasonable steps to ensure the reliability of any personnel or subcontractor or contractor who may have access to the controller personal data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant controller personal data, as strictly necessary for the purposes of the principal agreement, and to comply with applicable data privacy laws in the context of that individual’s duties to the processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1. Aerobotics shall not appoint (or disclose any controller personal data to) any subprocessor unless required for the service or authorized to by the controller. Aerobotics will respect the conditions for downstream processor authorization in terms of applicable data protection laws, including by keeping the controller informed of any change to any subprocessor role or status. Aerobotics will enter into a written agreement with any subprocessor to govern processing by a subprocessor in the same way as this DPA.
4.2. Aerobotics will:
4.2.1. ensure that the subprocessor is bound by data protection obligations compatible with those of the processor under this DPA;
4.2.2. impose the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of applicable data protection laws.
4.3. The controller may ensure that Aerobotics has complied with the obligations that the controller has imposed on them in conformity with this DPA by requesting that Aerobotics audit a subprocessor; or providing confirmation that such an audit has occurred.
5. Controller’s warranties and responsibilities
5.1. You warrant that you have all necessary rights to provide the controller personal data to Aerobotics for the processing to be performed in relation to the services related to the processing activities; and one or more lawful grounds set out in applicable data protection laws support the lawfulness of the processing.
5.2. You will determine the scope, purposes and manner by which Aerobotics may access or process the controller personal data, to the extent that the principal agreement does not adequately describe Aerobotics’ processing activities.
5.3. To the extent that applicable data protection laws require, you are responsible for:
5.3.1. obtaining any necessary data subject consent to the processing and maintaining a record of such consent;
5.3.2. making sure that certain designated personnel within your organization attend to receiving and responding to requests Aerobotics receives from data subjects relating to controller personal data; and
5.3.3. notifying Aerobotics of controller’s intended response to a data subject request relating to the access to or the rectification, erasure, restriction, portability, blocking or deletion of controller personal data that Aerobotics processes and authorizing Aerobotics to fulfill such responses on behalf of controller.
6. Assistance to controller
6.1. Aerobotics will assist the controller and has implemented and will maintain appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller’s obligations, as reasonably understood by Aerobotics, to respond to requests to exercise data subject rights under the applicable data protection laws.
6.2. Aerobotics shall:
6.2.1. promptly notify the controller if it receives a request from a data subject under any applicable data protection law in respect of Aerobotics personal data; and
6.2.2. ensure that it does not respond to that request except on the controller’s documented instructions or as required by applicable data protection laws to which Aerobotics is subject, in which case Aerobotics shall to the extent permitted by applicable data protection laws inform the controller of that legal requirement before Aerobotics responds to the request.
6.3. Aerobotics will help the controller to fulfil its obligations to respond to requests by data subjects exercising their rights, its obligations regarding security of processing; and its other controller obligations under applicable data protection laws. Aerobotics will make available all information necessary to show compliance with the legal rules that apply to it and to the controller on request.
7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Aerobotics shall, in relation to controller personal data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and applicable data privacy laws. In assessing the appropriate level of security, Aerobotics shall take account in particular of the risks that are presented by processing, in particular from any personal data security incident.
7.2. Aerobotics will develop (or has already developed) and continue to develop an information security program to:
7.2.1. secure processed controller personal data against data breaches, leaks or other incidents where an unauthorised party could gain access to it;
7.2.2. identify risks to the security of its equipment, premises, systems, networks and other means of processing personal data; and
7.2.3. minimize security risks, including through risk assessments and regular testing.
7.3. Aerobotics will allow for and contribute to audits (including inspections) by the controller or another auditor that they mandate. Aerobotics will immediately inform the controller if they think the instruction to allow for and contribute to audits breaks the law.
7.4. Aerobotics will evaluate the implemented security measures on an on-going basis to maintain compliance with the requirements set out in applicable data protection laws, taking into account the changing requirements and improvements which may be available to security measures.
7.5. The Parties will negotiate an amendment to the principal agreement in good faith where one is necessary to execute a controller’s instruction to Aerobotics to improve security measures as may be required by changes in applicable data protection laws from time to time.
8.1. The controller may audit Aerobotics’ operations related to the controller personal data or have a third party who has entered into a proper confidentiality agreement with Aerobotics do so on their behalf, provided that:
8.1.1. it gives at least 30 days’ notice to Aerobotics; and
8.1.2. the relevant supervisory authority of competent jurisdiction does not require otherwise.
8.2. Aerobotics will cooperate with these audits and give the controller’s auditors reasonable access to any premises and devices involved with the processing of the controller personal data.
8.3. Aerobotics will provide the controller or the controller’s auditors with access to any information relating to the personal data processing as the controller may reasonably require to check Aerobotics’ compliance with this DPA or any applicable data protection laws.
9. Incident management
9.1. Aerobotics shall notify the controller without undue delay upon becoming aware of a personal data incident without any delay, provided that the personal data incident has a material impact on controller personal data that is the subject of the principal agreement.
9.2. Aerobotics will:
9.2.1. follow the controller’s instructions regarding the personal data incident;
9.2.2. allow the controller to perform a thorough investigation into the personal data incident, formulate a correct response and take suitable additional steps in respect of that response; and
9.2.3. provide the controller with sufficient information to allow the controller to meet any obligations to report or inform data subjects of the personal data incident under the applicable data protection laws.
9.3. Aerobotics shall cooperate with the controller and take reasonable commercial steps as directed by the controller to assist in the investigation, mitigation and remediation of each such personal data incident.
9.4. Aerobotics will have incident response plans in place at all times which enable them to promptly respond to the controller about a personal data incident and will implement such plans without undue delay after becoming aware of any such incident, where such incident is reasonably likely to require a data breach notification by the controller under applicable data protection laws.
9.5. Aerobotics will address any incident notifications to the controller’s data protection or information officer whose contact details must be provided to us and should contain:
9.5.1. a description of the nature of the personal data incident, including where possible the categories and approximate number of data subjects and personal data records concerned;
9.5.2. the name and contact details of its data protection or information officer or another contact point where the controller can obtain more information;
9.5.3. a description of the likely consequences of the personal data incident; and
9.5.4. a description of the measures Aerobotics has taken or proposes to take to address such incident, including measures to mitigate its possible adverse effects where appropriate.
9.6. Aerobotics shall provide reasonable assistance to the controller with any data protection impact assessments, and prior consultations with data privacy authorities, which the controller reasonably considers to be required by applicable data protection laws.
10. Deletion or return of controller personal data
10.1. Aerobotics will, to the extent possible:
10.1.1. delete or return all the controller personal data to the controller, at the controller’s choice;
10.1.2. delete all existing copies unless the law requires it to continue to store those copies; and
10.1.3. notify all third parties supporting its own personal data processing, when Aerobotics has finished providing services related to the processing; this DPA and/or the principal agreement terminates; or Aerobotics has otherwise fulfilled all purposes agreed in the context of the principal agreement.
10.2. Aerobotics will provide the controller with a written confirmation of destruction at the controller’s request and follow the controller’s instructions about what to do with backups and archived copies of the personal data on deletion of or where return of the personal data is impossible for any reason.
11. Data transfers
11.1. Aerobotics will not transfer controller personal data from the controller’s applicable region(s) except as necessary to provide the services initiated by the controller, or as necessary to comply with the law or binding order of a governmental body. If the standard contractual clauses apply, nothing in this section varies or modifies the standard contractual clauses.
11.2. The standard contractual clauses apply to controller personal data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The standard contractual clauses will not apply to controller personal data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the standard contractual clauses (or obligations the same as those under the standard contractual clauses) will not apply if Aerobotics has adopted binding corporate rules for processors or an alternative recognized compliance standard for the lawful transfer of personal data outside the EEA.
12. Data sharing
12.1. Each Party is responsible for the secure transfer of any data they share with the other Party and each must take appropriate technical and organisational measures to make sure that they transfer data securely.
13. Processing of personal data in third countries
13.1. The controller will, with Aerobotics’ cooperation and assistance, assess whether each intended transfer of personal data to a third country meets the following requirements:
13.1.1. the level of protection of the third country meets the level that applicable data protection laws require; and
13.1.2. the laws of the third country enable Aerobotics to comply with applicable data protection laws.
13.2. If the intended transfer does not meet these requirements, the parties will take supplementary measures to ensure a level of protection equivalent to the protection that applicable data protection laws provide and implement any guidance from the relevant supervisory authority to determine those measures.
14. Relationship management
14.1. Both parties will appoint a data protection officer or other contact point, primarily responsible for the management of the processing of personal data and implementing adequate security measures as set out in this DPA and will communicate the details of such persons to one another when concluding the principal agreement.
15. Liability and indemnity
15.1. Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses that the other Party incurs arising out of a breach of this DPA or applicable data protection laws by the indemnifying Party, provided that:
15.1.1. each Party provides the other with a notice of the claim promptly after receiving it;
15.1.2. the indemnified party gives the indemnifying party the right to control the defense;
15.1.3. the indemnified party will provide the indemnifying party with reasonable assistance as necessary; and
15.1.4. the indemnified party will avoid admission of liability.
16.1. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“confidential information”) confidential and must not use or disclose that confidential information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.
16.2. Aerobotics will treat all personal data as confidential and will inform all of our personnel and approved subprocessors engaged in processing the personal data of its confidential nature.
16.3. Aerobotics will ensure that our personnel authorized to process the controller’s personal data have committed themselves to confidentiality, such as by signing a confidentiality agreement or are under an appropriate statutory obligation or other relevant obligation of confidentiality.
16.4. Aerobotics’ confidentiality obligations under this DPA will survive its termination or expiration.
17.1. Governing law. This DPA is governed by the laws of the country specified in the relevant provisions of the principal agreement.
17.2. Dispute resolution. Any disputes arising from or in connection with this DPA will be brought exclusively before the competent court of the jurisdiction specified in the relevant provisions of the principal agreement.
17.3. The principal agreement’s terms remain in full force and effect except as modified in this DPA.
18.1. “applicable data protection laws” means the data protection or privacy laws of any country in which Aerobotics personal data is processed by the processor and/or Aerobotics, including but not limited to:
18.1.1. California Consumer Privacy Act (“CCPA”);
18.1.2. EU General Data Protection Regulation 2016/679 (“GDPR”);
18.1.3. South African Protection of Personal Information Act 4 of 2013, as amended or supplemented from time to time (“POPIA”); and
18.1.4. any national implementing laws, ePrivacy laws; and other related laws agreed between the parties in writing;
18.2. “controller” means the company or person who determines the purpose and means of processing personal data alone or in conjunction with others;
18.3. “controller’s documented instructions” means the principal agreement and any other relevant written agreements between the parties, unless the Parties agree otherwise in writing;
18.4. “controller personal data” means any and all personal data processed by the processor on behalf of the controller and pursuant to or in connection with the principal agreement;
18.5. “data transfer” means:
18.5.1. a transfer of controller personal data from the controller to Aerobotics; or
18.5.2. an onward transfer of controller personal data from the processor to a sub-contracted processor, or between two establishments of a processor, in each case, where such transfer would be prohibited by applicable data protection laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of applicable data protection laws);
18.6. “personal data incident” means:
18.6.1. a complaint or a request regarding the exercise of a data subject’s rights under applicable data protection laws;
18.6.2. an investigation into or personal data seizure by government officials, or a specific indication that such an investigation or seizure is imminent;
18.6.3. any unauthorized, accidental or otherwise unlawful personal data processing;
18.6.4. any breach of security or confidentiality in terms of this DPA leading to confirmed or possible risks to the personal data; or
18.6.5. where implementing any instruction from the controller would violate any applicable laws to which the controller or processor are subject, in the opinion of processor;
18.7. “personnel” means any director, employee, or other person who works (permanently or temporarily) under either party’s supervision; or person who renders services to either party for the purpose of their obligations under this DPA as their agent, consultant, contractor, or other representative;
18.8. “processor” is Aerobotics, as specified above and means the person who processes personal data on the controller’s behalf in terms of the principal agreement;
18.9. “subprocessor” means any person appointed by or on behalf of the Processor to process personal data on behalf of Aerobotics in connection with the principal agreement.
18.10. Terms used in this DPA that have meanings ascribed to them in applicable data protection laws, including ‘data subject’, ‘processing’, ‘personal data’, ‘controller’ and ‘processor’, carry the meanings set out under those laws to the extent that this DPA does not define them.
18.11. Capitalized and undefined terms not otherwise defined in this DPA shall have the meaning the principal agreement gives to them.