AIR360 - SaaS General Terms and Conditions and Data Processing Agreement
These Terms & Conditions, together with the separate Order Form signed online by the Customer and all the Contractual Documents set out below (together, the “Agreement”), describe the terms and conditions between Customer (as stated in the Order Form) and Air360, Inc. (“Air360”) governing access to and use of Air360 Products and Services. Air360 and Customer may individually be referred to as a “party” and collectively the “parties”. This Agreement is in effect as of the date that the Customer signs up for any Service online or submits a signed Order Form that references this Agreement (the “Commencement Date”).
Access to and use of Air360 Products and Services are offered to Customer subject to Customer’s acceptance of all the provisions of the Agreement including the Air360 Order Form signed online by Customer and all other applicable terms and conditions, operating rules, policies and procedures that are communicated from time to time on or through the Services.
BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE, USING OUR SERVICES, OR EXECUTING THIS AGREEMENT OR AN ORDER FORM THAT REFERENCES THIS AGREEMENT OR RELATES TO THE SERVICES, YOU AGREE TO THE TERMS OF THIS AGREEMENT, INCLUDING ALL TERMS INCORPORATED BY REFERENCE. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.
Schedule 1 - General Terms and Conditions
0. DEFINITIONS
“Authorized User” means a person described in section 3 below.
“Contract Period” means, depending on the subscription period selected by Customer in the Order Form, a period of (1) one (01) month, (2) twelve (12) months or (3) twenty-four (24) months, in each case starting on the Commencement Date.
“End User” means any user of any Websites.
“Intellectual Property Rights” means all forms of intellectual property rights including without limitation, copyrights, patents, circuit layout (topography) rights, designs, rights in databases, trade names, trademarks, all registered or non-registered, incl. applications and/or remainders thereto as well as intellectual property rights in conceptual solutions, methodologies, ideas, processes, methods, tools and know-how and entitlement to make any application for formal (or otherwise enhanced) rights of any such nature and whether existing now or in the future and throughout the world for the full term applicable to the respective intellectual property right or, if applicable, in perpetuity.
“Licensed Session” means the base unit that the Software processes. Licensed Session refers to data of one user of one Website tracked and captured by the Software from her/his connection to the Website until her/his disconnection. Each Licensed Session expires after 30 minutes of inactivity of any End User, meaning that the Software does not detect any kind of mouse event or keyboard event, including scroll, that would demonstrate relevant End User’s activity.
“Onboarding” means standard setting services of Air360 Product within the limit of (i) 6 hours of two Air360 experts (one account manager and one growth specialist) and (ii) one Customer’s website case study.
“Purpose” shall be as described in section 1.2 below.
“Renewal Period(s)” shall be as described in section 11 below.
“Software” means all instructions or code used to operate the Services or the Integrator service whether object or source code.
“Services” means the Air360 Product(s) and Air360 Online platform services provided by Air360 to Customer under this Agreement as provided. For avoidance of doubt, Services do not include any integrator services and/or other similar service which may interface or inter-connect with the Air360 Online platform service.
“Team Support” means assistance provided by Air360 by email and or by phone within the scope provided in Air360 Order Form.
“Technical Set Up” means the platform account set up and pixels generation as well as the assistance in the Air360 tracking pixel installation on the Customer’s Websites, along with initial control that the data is properly collected by the Air360 platform.
“Term” means the Term and any Renewal Period as defined in section 11 of the Agreement.
“Websites”: as listed in the Order Form signed by the Customer.
1. SERVICES – LICENSE
1.1 Air360 shall, during the Term, provide the Services subject to the Agreement.
1.2 The Services are provided by Air360 to the Customer for the study, capture and systematic computational analysis of End Users experiences and actions on Customer’s website(s) which includes access to Air360 platform. For avoidance of doubt, Services exclude any profiling purpose.
1.3 Subject to the Customer paying the fees set out in Air360 Order Form, in accordance with section 2 below and the other terms and conditions of this Agreement, Air360 hereby grants to the Customer, from the Commencement Date and for the Term, a non-exclusive, non-transferable right to use the Services. This right of use is limited to Authorized Users.
1.4 The Customer may freely download, copy and retain the results generated by the Customer’s use of the Services for the Purpose and subject to the terms and conditions of this Agreement.
2. PAYMENT OF FEES
2.1 The Service Fee (as specified in Air360 Order Form) shall be due and payable by the Customer on the Commencement Date and in advance of the use of the Services.
2.2 All fees may be subject to increase annually in accordance with the French Syntec Index. Fee variations shall take effect on anniversaries of the Commencement Date.
2.3 The Service Fee (as specified in Order Form but subject to variation in accordance with section 2.2 above) shall be due, monthly or annually and payable on the commencement of each Contract Period.
2.4 All fees are exclusive of VAT or other sales tax (if applicable) which are payable by the Customer.
2.5 If Customer has reached the maximum number of Sessions specified in the Order Form, it may subscribe for additional bucket fees as stated in the Order Form. Continued use of the Services for the current Contract Period is contingent upon the Customer paying the additional fees for the additional Sessions.
2.6 In the event of overdue payment(s) by Customer within the contractual time limits of all or part of the sums due to Air360 under the Agreement, (i) any unpaid sum shall automatically produce late interest from day to day until the date of full payment of Air360 debt in principal, interest, costs and accessories, at a rate equal to FIVE (5) times the legal interest rate, without the need for a reminder and without prejudice to the damages that Air360 may seek judicially; (ii) a fixed indemnity for collection costs, the amount of which is fixed in Article D.441-5 of French Commercial Code (i.e. Euros 40.00) shall be payable by operation of law.
2.7 For the avoidance of doubt, one-off fees for additional services, training and consultancy services would be, if any, subject to separate agreement and invoicing.
3. AUTHORIZED USERS
3.1 The Services may only be used by Authorized Users.
3.2 An Authorized User is a person employed by the Customer and selected by Customer and whose name and title etc. have been notified by Customer to Air360 which shall send the login procedure and password access to each Authorized User.
3.3 The Customer undertakes at its own expense and risk to ensure that the Authorized User(s) comply with the terms of this Agreement at all times including without limitation notifying Air360 when an Authorized User ceases to be an employee of the Customer and/or ceases to be authorized by the Customer.
3.4 In relation to the Authorized Users, the Customer undertakes that each Authorized User shall keep a secure password for her or his use of the Services and that each Authorized User shall keep his or her password confidential. In the event that a password is stolen or otherwise disclosed by an Authorized User to any other person, the Customer undertakes to notify Air360 immediately.
4. USE OF THE SERVICES
4.1 The Services have been developed solely to capture, study and perform systematic computational analysis of End Users experiences and actions on Customer’s website(s). The Services were not originated or developed to derive a medical or psychological opinion or diagnosis, nor for profiling of any End User of Customer’s website(s).
4.2 The Customer agrees and acknowledges that it remains solely responsible for application and use of the Services and the purpose of the use of the Services in a manner which is not illegally discriminatory or otherwise in contravention of any applicable data protection/privacy or other applicable law.
4.3 The results and analytics resulting from the use of Services are dependent upon the end users of Customer’s website(s), and Air360 makes no representation or warranty as to the accuracy or completeness of the data collected or consequently any assessment generated in connection with the Services or through the use and operation of the Services. Air360 does not warrant that the Services will meet the Customer’s specific requirements or that the application of the Services will be uninterrupted or error free, or that any errors or deficiencies can be corrected. Air360 is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities. The warranties set forth in this Agreement and Air360’s liability hereunder, to the extent not already excluded in this Agreement, are expressly conditioned upon the Customer’s proper use and supervision of the Services and the Customer’s compliance with all applicable laws, rules and regulations, and all provisions of this Agreement.
5. TERMS OF LICENSE
5.1 The license granted in the Agreement may not be transferred, sub-licensed or assigned to or used by any third party or for the benefit of such third party whatsoever.
5.2 The Customer shall not during the Term develop or have developed any system directly or indirectly based on or derived from the Services.
5.3 The Customer shall have no right (except as expressly permitted in this Agreement or as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties) to: (i) decompile, disassemble, reverse engineer or create derivative works from, frame, mirror, republish, download, display, transmit or otherwise modify or distribute all or any portion of the Services in any form or media or by any means; or (ii) reverse compile, decompile, reverse engineer or otherwise reduce the software to human-readable form, except as may be permitted hereunder. For the avoidance of doubt, this shall not prevent the Customer from accumulating reports and analysis generated by the Services.
6. INTELLECTUAL PROPERTY RIGHTS
6.1 The Customer hereby acknowledges that as between Air360 and the Customer, all Intellectual Property Rights in the Services shall be owned by Air360. This acknowledgement does not apply to any materials provided by the Customer for the purpose of tailoring of reports and results generated by the Services or for any other purpose.
6.2 On expiry or termination of the Agreement, the Customer may retain completed charts, results and reports, however the Customer acknowledges and agrees that such retention shall be in accordance with applicable law (including, without limitation, applicable data protection/privacy laws).
The Customer’s use of personal data shall conform to the Data Agreement and applicable data protection/privacy laws and the Customer agrees to fully indemnify and hold Air360 harmless against any costs or damages incurred by Air360 from third parties as a result of any alleged or claimed misuse of personal data by or permitted by the Customer.
6.3 Air360 warrants that it has the right to grant the license set out in this Agreement. This warranty does not apply to any materials provided by the Customer for the purpose of tailoring of reports and results generated by the Services or for any other purpose.
6.4 All rights not expressly granted to the Customer are expressly reserved by Air360. Except as expressly provided herein nothing contained in this Agreement shall be construed as conferring any rights directly or by implication, estoppel or otherwise to or under any of Air360 copyrights, trademarks, trade secrets or other Intellectual Property Rights. This Agreement shall not, in any event, be construed as the assignment of any rights in the Services or any copies or parts thereof. The Customer shall not use, reproduce, sub-licence, distribute or dispose of the Services in whole or in part except as expressly permitted under this Agreement.
6.5 The Customer hereby acknowledges that, in addition to Intellectual Property Rights, the Services contain know-how and trade secrets which required a significant investment of time and resources by Air360 and are a valuable asset of Air360 and that any misappropriation or unauthorised disclosure of such know-how and trade secrets would irreparably harm Air360 in which event Air360 shall be entitled to equitable relief including, without limitation, injunctive relief in addition to any other remedies available at law.
7. SERVICES HELPDESK AND SUPPORT
7.1 Air360 will provide representatives to deal with queries as to the use of the Services from the Customer’s nominated representatives via e-mail and, if necessary, by telephone from 07.00-16.00 Monday – Friday European CET time, normal French public holidays excluded (“the Normal Working Week”).
7.2 Air360 will monitor the Services to ensure system stability, resilience and performance.
7.3 The Services are a Software as a Service or “SaaS” and updates to generic functionality will be implemented from time to time at no extra cost on a scheduled basis.
7.4 Air360 makes all reasonable efforts to deliver a Service that is functional and substantially compliant with its documentation but does not guarantee an error or “bug” free service. If Customer notices a non-compliance issue, Customer must notify Air360 as soon as possible and Air360 undertakes to make every reasonable effort to remedy the non-compliance issue, as this is Customer’s only recourse.
7.5 This Agreement shall not require Air360 to (a) update the Services or (b) provide any new version of any Air360 Product or (c) update any tailored assessment content or other element of the Services even if generic assessment content or other elements may be updated or (d) remedy any defect or other technical fault to the Customer’s software or infrastructure or that of any Integrator or other third party or lack of access to the communications network. Air360 is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
8. CONFIDENTIAL INFORMATION
In this clause “Confidential Information” means the Services, user manuals and any information of either party which is commercially sensitive, is not in the public domain and is gained as a result of entering into this Agreement. During the Term and for five (5) years thereafter, both parties will keep confidential the Confidential Information of the other gained as a result of this Agreement and shall use it only for the purposes set out in this Agreement.
However, the following information shall be excluded from the scope of Confidential Information, provided that the party receiving the disclosure can substantiate the basis for such exclusion in writing:
(a). Information that was already in the possession of the disclosed party at the time of disclosure;
(b). Information legitimately obtained from another third party not having an obligation of confidentiality after the disclosure;
(c). Information that was independently obtained or created after receiving the disclosure, regardless of the information disclosed by the other party;
(d). Information that was already public knowledge at the time of disclosure; or
(e). Information that has become public knowledge due to reasons beyond the control of the disclosed party after receiving the disclosure.
9. REPRESENTATIONS AND WARRANTIES, LIABILITIES
9.1.1 Air360 will defend the Customer against any claim or, at Air360’s option, settle any claim alleging that the Customer’s use of the Services in accordance with this Agreement infringes any Intellectual Property Rights of a third party. This is subject to the limitations and other provisions of this clause 10 and to the following conditions: (a) the Customer shall notify Air360 promptly of such claim, (b) the Customer will keep confidential any information concerning such claim unless otherwise agreed in writing with Air360, (c) the Customer allows Air360 to conduct the defence of the claim, including selection of counsel, course of action and all related settlement obligations and (d) at Air360’s expense, the Customer provides Air360 with such assistance as Air360 may reasonably request. For the avoidance of doubt, this obligation to defend shall not apply to any part of the Services which have been supplied by or modified by the Customer.
9.1.2 If such a claim is made or, in the reasonable opinion of Air360, is likely to be made against the Customer, Air360 may, at its sole option and expense (a) procure for the Customer the right to continue to use the Services and/or the Air360 Product(s) or (b) modify the Services so as to cease the infringement or (c) replace the Services with a non-infringing alternative PROVIDED THAT, as to (b) and (c), any modified or replacement product shall comply with the warranties set out herein and the rights of the Customer in respect of such modified or replacement product shall be the same as set out in this Agreement from the date of the modification or replacement or (d) terminate this Agreement immediately by notice in writing to the Customer and refund the Fees paid by the Customer as at the date of termination less a reasonable sum in respect of training received by the Customer and in respect of the Customer’s use of the Services to the date of termination.
9.2 Limitations. Air360 shall have no obligation under clause above: (i) if Customer is using Services outside the scope of Customer’s Order Form, is in material breach of this Agreement or in violation of applicable law; or (ii) for any Claim resulting or arising from: (a) any combination, operation or use of a Service with any other products, services, items, or technology, including third-party provider not recommended or provided by Air360; (b) use for a purpose or in a manner for which the Service was not designed, or use after Air360 notifies Customer to cease such use due to a possible or pending claim; (c) any modification to Services performed by any person other than Air360 or its authorized representatives; (d) any modification to the Service made by Air360 pursuant to instructions, designs, specifications or any other information provided to Air360 by or on behalf of Customer; (e) use of any previous version of a Service when an upgrade or newer iteration of the Service made available by Air360 would have avoided the infringement; (f) services provided by Customer (including claims seeking damages based on any revenue or value Customer derives from Customer’s services); or (g) any data or information that Customer or a third party records on or utilizes in connection with the Services.
9.3 Except as may be stated specifically in this Agreement the Customer accepts responsibility for the selection of the Services to achieve its intended results and as being suitable for use in its IT environment. For example, Air360 shall not be responsible for inability to use the Services due to lack of internet connectivity, any virus check or firewall of the Customer, the Customer’s employees or sub-licensees. Aside from Sections 9.1.1 – 9.3, any and all representations and warranties, whether express or implied, statutory or otherwise are excluded to the extent permitted by applicable law.
9.4 Customer will defend and indemnify Dust from and against any losses, liabilities, damages, demands, suits, causes of action, judgments, costs or expenses (including court costs and reasonable attorneys’ fees) arising out of or relating to (1) Customer’s use of the Service in a manner that infringes the Intellectual Property Rights of any third party (excluding any infringement claim for which Air360 is responsible under Section 9.1); (2) Customer’s violation of law or privacy rights attributable to Customer Data; (3) Air360’s processing of Customer Data, except to the extent Air360’s processing is in breach of this Agreement; and (4) any claim relating to Customer Data that engages the responsibility of Customer.
10. LIMITATION OF LIABILITY
10.1 Liability. For all claims of either party to the other for damages under or in connection with this Agreement, whatever the legal basis (including tort) may be, the following shall apply:
Unlimited Liability. Nothing herein shall exclude or limit liability for: (i) death or personal injury resulting from negligence; (ii) fraud or fraudulent misrepresentation; or (iii) misappropriation or infringement of Air360’s Intellectual Property Rights; (iv) timely fulfillment of payment obligations; or (v) any other liability that cannot be excluded by mandatory laws.
Limitations. Neither party shall be liable for: (i) loss of profit, income or revenue; (ii) loss of use of systems or networks; (iii) loss of goodwill or reputation; (iv) loss of, corruption or damage to data, software or media; (v) recovery or reinstallation of data or programs; or (vi) special, indirect or consequential loss or damage.
Prevention and Mitigation. Customer undertakes (i) that they have technical measures and processes in place to prevent and mitigate damages in line with Customer’s business and data protection requirements; (ii) that they perform or adhere to access to regular backups of Customer data; (iii) that they monitor the availability and performance of their systems during the performance of Services; (iv) that they will promptly react to messages and notices sent by Air360; and (v) that they will promptly inform Air360 of any identified issue.
10.2 Liability Cap. EXCEPT FOR FEES PAYABLE, LIMITATIONS, AND DIRECT DAMAGES RESULTING FROM A WILLFUL BREACH OF CONFIDENTIALITY, INTELLECTUAL PROPERTY, OR PERSONAL DATA PROTECTION OBLIGATIONS UNDER THIS AGREEMENT, EACH PARTY'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT (INCLUDING WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, WILL NOT EXCEED 100% OF THE ANNUAL FEES PAID AND/OR PAYABLE BY CUSTOMER TO AIR360 DURING THE CONTRACT PERIOD IN WHICH THE EVENT GIVING RISE TO THE CLAIM OCCURRED. MULTIPLE CLAIMS WILL NOT ENLARGE THIS LIMIT. THIS CAP APPLIES ONLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
10.3 EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY AIR360 TO CUSTOMER AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT.
11. RENEWAL AND TERMINATION
11.1 On expiration of the Contract Period, this Agreement shall continue for either
(1) one-month additional periods if the Customer has selected a monthly Contract Period in the Order Form, or
(2) additional periods of one year if the Customer has selected a yearly or a bi-yearly Contract Period in the Order Form, unless either party gives notice in writing, including by email, to the other to terminate, delivered at least sixty (60) days prior to the end of the current Contract Period,
together the “Renewal Periods”, and for so long as Customer maintains an active subscription to the Services as stated in the Order Form or until this Agreement is otherwise terminated in accordance with the terms herein.
11.2 Without prejudice to any mandatory law, this Agreement may be terminated immediately, in whole or in part, without any notice or demand, if either party falls under any of the following:
(a). In the event of a material breach of any of the provisions set forth herein;
(b). In the event of a breach of any of the provisions set forth herein and such breach either cannot be remedied or has not been remedied within thirty (30) days of written notice by the other party;
(c). If it becomes or may become insolvent, or if any of its notes or checks are or may become dishonoured;
(d). If a third party files a petition for seizure, provisional seizure, provisional disposition, or auction, or receives a disposition for delinquent payment of taxes and public dues;
(e). If it receives a petition for commencement of bankruptcy proceedings, civil rehabilitation proceedings, corporate reorganization proceedings, or special liquidation, or files such a petition on its own behalf; or
(f). In the event of any other circumstances similar to those described in the preceding items.
11.4 In any case of expiration or termination of this Agreement all licences granted to the Customer under this Agreement shall immediately terminate; and all use of the Services by the Customer shall immediately cease.
11.5 If a change of laws results in the Services or any part of them becoming (in the reasonable opinion of Air360) non-compliant with such laws, Air360 may immediately suspend the use of the Service in the relevant territory. During such suspension, Air360 will use all reasonable endeavours to find a reasonable solution.
12. GENERAL
12.1 Nothing in this Agreement shall create or be deemed to create a partnership or a relationship of principal and agent between the parties.
12.2 This Agreement constitutes the parties’ entire and only agreement in relation to the Services. The Customer agrees that in entering into this Agreement, the Customer has not relied on any representation which is not confirmed herein. Without limitation to the generality of this principle, the Customer’s standard terms forming part of a purchase order shall not apply unless there is specific agreement signed by authorised representatives of both parties.
12.3 Save as provided or agreed otherwise in the Agreement and afterwards in writing by the parties, all notices must be in writing.
12.4 The Customer may not assign all or part of its rights or obligations hereunder to any third party without Air360’s prior written consent.
12.5 Upon any termination of this agreement the rights, obligations and liabilities of the parties which shall have arisen or been incurred under this Agreement prior to termination shall survive such termination. Further, the provisions of each of the clauses and any provisions of this Agreement which expressly or impliedly provide for rights, obligations and liabilities following the termination of this Agreement, shall survive the termination of this Agreement.
12.6 This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by the substantive laws of France, without reference to any conflict of law statutes, and excluding the United Nations Convention on the Contracts for the International Sale of Goods (1980). Any dispute arising out of or in connection with this Agreement that is not amicably settled shall be submitted to the exclusive jurisdiction of the competent courts of Paris, France.
12.7 No failure or delay on the part of either party in exercising any right, or benefit under this Agreement shall operate as a waiver of such right or benefit.
12.8 If any part of this Agreement is finally adjudged to be invalid by a court of competent jurisdiction, the remaining parts of this Agreement shall remain in full force and effect. Furthermore, in lieu of that invalid part, there shall be automatically added to this Agreement a provision as similar in terms to that invalid part as may be possible, legal, valid and enforceable.
12.9 If either party is prevented, hindered or delayed from observing or performing its obligations under this Agreement by an act beyond its reasonable control (a "force majeure" event), the party so prevented from performance will give notice to the other party of the force majeure event and may suspend performance of its obligations except for payment for Annual Services Fees, while the force majeure event continues. If the force majeure event continues for a period exceeding ninety (90) days from the date of such suspension, either party may, on written notice to the other, terminate this Agreement forthwith. Upon termination of this Agreement the Customer will be liable to pay all outstanding charges accrued up to the date of termination, including Annual Services Fees.
Schedule 2 – Data Processing Agreement
This Data Processing Agreement is supplemental to an Agreement between the Controller and the Processor with effect from the Commencement Date and during the Term.
1. PARTIES
1.1 The Controller is the Customer whose contact details are listed in the order form.
1.2 The Processor is Air360 (Air360 Inc., 9 Marunouchi Kitaguchi Building 1-6-5, Marunouchi, Chiyoda-ku, Tokyo, Japan, privacy@air360.io).
2. OBLIGATIONS OF PROCESSOR
2.1 To comply with Applicable Laws.
2.2 To Process Personal Data only on the written instructions of the Controller that will comply with Information for Data Subjects including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Applicable Laws to which the Processor is subject. In such a case the Processor shall inform the Controller of that legal requirement before Processing, unless Applicable Laws prohibit such information on grounds of public interest.
2.3 To Process the Personal Data in accordance with the Information for Data Subjects.
2.4 To ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.5 To ensure that it has in place appropriate technical and organisational measures, in such a manner that Processing by the Processor will meet the requirements of Applicable Laws. Where European Data Protection Laws apply, the Processor will comply with Article 32 of GDPR.
2.6 The Processor may disclose the Personal Data to trusted third parties as listed in the sub-processors list (“Sub-Processors”), if any. The Processor will inform the Nominated Contact of the Controller of any intended changes concerning the addition or replacement of other Sub-Processors involved in the Processing of Personal Data thereby giving the Controller the opportunity to object to such changes. All such Sub-Processors will be subject to the same obligations as the Processor. However, the Processor remains fully responsible to the Controller for their compliance with the terms and conditions herein.
2.7 To assist the Controller in ensuring compliance with its obligations under the Applicable Laws with respect to Data Subject rights, security, breach notifications, impact assessments, Deletion or return of data and consultations with supervisory authorities or regulators. Otherwise, the Processor reserves the right to make a charge for reasonable costs incurred. In discussing any additional support hours which may be required, the parties will take account of whether the Controller has access to the Processor’s online tools and should therefore manage their data, including erasure from the live server.
2.8 Where European Data Protection Laws apply, not to transfer any Personal Data outside of the European Economic Area (EEA) except to a third country which the European Commission considers has an adequate level of protection or as part of the services and the Controller or the Processor has provided appropriate safeguards in relation to the transfer and the Data Subject has enforceable rights and effective legal remedies.
2.9 To notify the nominated contact of the Controller without undue delay and in accordance with Applicable Laws on becoming aware of a Personal Data breach or potential breach by the Processor or any Sub-Processor.
2.10 At the written direction of the Controller, to Delete Personal Data and (at the cost of the Controller) to return Personal Data and copies thereof to the Controller on termination of the agreement unless required by Applicable Laws to store the Personal Data. Unless directed otherwise, anonymised Personal Data may be retained by Air360 subject to compliance with Article 89 of GDPR.
2.11 To maintain complete and accurate records and information to demonstrate its compliance with the Obligations of the Processor in this section 2 and allow for audits by the Controller or the Controller’s designated auditor.
2.12 Where the nominated contact of the Controller requests assistance in connection with Data Subject rights (including without limitation right of access, rectification, erasure, restriction of Processing and to object to Processing), the Processor shall co-operate to assist the Controller to comply with its obligations under Applicable Laws. All such requests for assistance should be directed to: legal@air360.io.
3. OBLIGATIONS OF CONTROLLER
3.1 To comply with Applicable Laws.
3.2 To ensure that it has in place appropriate technical and organisational measures, in such a manner that Processing will meet the requirements of Applicable Laws whilst the Personal Data is subject to Processing by the Controller or on behalf of the Controller by any third party. Where European Data Protection Laws apply, the Controller will comply with Article 32 of GDPR.
3.3 Where the Controller instructs the Processor to co-operate with third party application programme interface (“API”) suppliers, integrators or similar parties (“Third Parties”), such Third Parties are not Sub-Processors of the Processor, and the Processor does not control their Processing or guarantee their compliance with Applicable Laws. The Controller will enter into any agreement with such Third Parties for the Processing of Personal Data as may be required by Applicable Laws.
3.4 Where the Controller has access to the Processor’s online tools, the Controller will Delete Personal Data when it is no longer required. Where the Controller does not have such access, the Controller will direct the Processor to Delete or return the Personal Data to the Controller.
3.5 Subject to putting in place appropriate safeguards to ensure respect for data minimisation and security, the Processor may process the Personal Data for Research Purposes. If the Processor does not collect bio-data of Data Subjects, the Controller agrees to make it available to the Processor for Research Purposes subject to compliance by the Processor with all the obligations in this Agreement with respect to such bio-data.
3.6 The Controller acknowledges and agrees that (i) the Processing of any Personal Data provided by the Controller to the Processor has been and will continue to be carried out by or on behalf of the Controller in accordance with Applicable Laws and (ii) the Processing of any Personal Data provided by the Processor to the Controller will be carried out in accordance with the Information for Data Subjects.
3.7 To provide the Processor with accurate details as to the identity and contact details of the Controller and (if appropriate) Controller’s representative and (if appropriate) the contact details of the Controller’s Data Protection Officer and to notify the Processor as to any updates to such details. If the Controller fails to provide information as to the identity and contact details of the Controller, the Processor may inform Data Subjects that the Controller is the person, organisation or company that entered into the agreement for the supply of services.
3.8 To notify the Processor as to any Data Subject request where the Controller requests the support of the Processor within 7 days of receipt of such request and to give appropriate instructions to the Processor in a timely manner.
4. CONSIDERATION
The consideration for this Data Processing Agreement shall be as set out in the Agreement and the mutual obligations of the parties set out in this Data Processing Agreement.
5. LIABILITY
5.1 Nothing in this Data Processing Agreement shall limit or exclude liability which may not be limited or excluded by Applicable Laws.
5.2 Neither the Processor nor any Sub-Processor shall be liable (i) in case of Force Majeure, (ii) for indirect or unforeseeable damages (including loss of profits, anticipated savings or business opportunity).
6. SUBCONTRACTING BY THE PROCESSOR
6.1 The Processor undertakes not to subcontract to sub-Processors the performance of all or part of the Processing of Personal Data to another entity without the prior written and specific authorization of Controller.
6.2 In addition, the Processor undertakes to impose on any sub-Processor the same data protection obligations as those set out in the present Data Processing Agreement, by including these obligations in the agreement which will be concluded between the Processor and any authorized sub-Processor.
6.3 In particular, the agreement must include an obligation for the sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Applicable Data Protection Legislation. The Processor remains fully liable to Controller for the performance of the obligations of the sub-Processor.
6.4 For the avoidance of doubt, use of sub-Processors listed in Appendix 2 is deemed to be accepted; any changes to such list of sub-Processors will be subject to a new approval.
7. TRANSFER OF PERSONAL DATA
The Processor shall not transfer Personal Data outside the EEA or outside a third country which the European Commission considers has an adequate level of protection, without prior consent of Controller. In any event, the Parties shall comply with any requirement of Applicable Laws before accessing Personal Data from or transferring Personal Data to a country or area different from the country or area in which it was collected or otherwise Processed.
8. MEDIATION AND JURISDICTION
8.1 The Parties agree that if there is a dispute between a Data Subject and the Controller and that dispute is not amicably resolved, they will cooperate to offer the Data Subject the opportunity to refer the dispute to mediation by an independent person or, where applicable, by the Supervisor.
8.2 Paragraph 8.1 shall apply without prejudice to the Data Subject’s rights to seek remedies in a court in accordance with Applicable Laws.
9. TERMINATION OF THE DATA PROCESSING AGREEMENT
9.1 The parties agree that the termination of the Agreement at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the Data Processing Agreement as regards the Processing of Personal Data.
9.2 Subject to a reasonable time interval to ensure that the Controller has made alternative arrangements for Processing the Controller’s Personal Data, and subject to these arrangements working satisfactorily, the Processor shall, insofar as it is practicable, Delete all copies of the Controller’s Personal Data held and Processed by the Processor.
9.3 If the Controller’s Personal Data, for reasons of practicality, cannot be so Deleted, the Processor shall take appropriate action to ensure that such Personal Data will not be further Processed, disclosed, or in any way used, other than by means of later Deletion should that become possible.
10. VARIATION OF THIS DATA PROCESSING AGREEMENT
If the instructions of the Controller are inconsistent with the established functionality of the Services, including Air360 online platform, the Parties undertake to negotiate in good faith an additional agreement to meet the Controller’s requirements by other means including reasonable fees based on current Air360 fee rates. Otherwise, the parties undertake not to vary or modify the terms of this Agreement, other than:
- to correct such deficiencies as may become apparent in this Agreement in relation to (i) the application to the Processing of Applicable Laws including European Data Protection Laws or their interpretation by the Member State to which the Controller is subject or
- any variation necessitated by any relevant subsidiary legislation, or by any amendment to European Data Protection Laws; or
- any variation to the Processing requirements of the Controller; or
- any other change necessitated by law.
11. DEFINITIONS
Applicable Laws: European Data Protection Laws or Other Applicable Laws, as the case may be.
Contract Year: each period of twelve (12) months, starting with either the Commencement Date or any renewal date.
Data Subject: a living, identified or identifiable person about whom Personal Information is held. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Delete: to delete or anonymise Personal Data so that it is no longer identifiable. Deleted and Deletion shall be construed accordingly.
European Data Protection Laws: (i) European Directive 95/46/EC and (ii) from 25 May 2018, GDPR which apply to (a) the Processing of Personal Data by a Controller or the Processor within the European Union and/or (b) the Processing of Data Subjects who are within the European Union by a Controller or Processor not established within the European Union where the Processing relates to offering goods or services to Data Subjects in the European Union or monitoring the behaviour of Data Subjects within the European Union.
European Economic Area: the European Union or the European Free Trade Area but excluding Switzerland.
EU SCC: European Standard Contractual Clauses, as approved by the Decision of the European Commission (EU) 2021/914 of 4 June 2021.
Force Majeure: where either party is prevented, hindered or delayed from observing or performing its obligations due to any act beyond their reasonable control.
GDPR: the General Data Protection Regulation (EU 2016/679) and any national implementing laws.
Information for Data Subjects: the privacy policy of Customer’s website(s) and for which the Customer is liable.
Member State: shall mean a state which is a member of the European Economic Area.
Nominated Contacts: As mentioned in Appendix 1.
Other Applicable Laws: data protection or privacy legislation which is applicable to the Controller and/or the Processing other than European Data Protection Laws.
Personal Data: any information relating to a Data Subject. Personal data refers both to data Processed on a computer and to certain kinds of manually Processed data, for example live assessment data during an assessment centre day and/or interview material.
Processing: any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other making available, alignment or combination, erasure or destruction. Processed and Processing shall both be construed accordingly.
Research Data: Personal Data used for Research Purposes.
Research Purposes: monitoring, validation, statistical, benchmarking, product development, historical and management purposes.
Supervisor: the Data Protection Supervisory Authority, as defined in Article 28 of Directive, of the Member State in which the Controller is established. If the Controller is established in more than one Member State, it shall refer to the Data Protection Supervisory Authority for the Member State in which the Controller is acting for the purposes of this Agreement.
End
© Air360 - 2025
APPENDIX 1 – Description of the Processing
Categories of Data Subjects | The following categories of data subjects are affected by this agreement: - customers - prospective customers - visitors |
---|---|
Categories of Personal Data | The following types of data are subject to this agreement: - Unique device identifier generated from the device including but not limited to Google Advertising ID (Google) - Platform (automatic) - Device (automatic) - OS major (automatic) - OS minor (automatic) - IP address (automatic) – used to infer country information. It is not stored on our servers - Install timestamp: it is the timestamp of the first event received from the website integrated with Air360, for that User - business events such as transactions made in the Website - progression events that are used to mark a User’s progress or movement in the Website - resource events such as the acquisition or spend of Website virtual currencies by the User - design events used to track User behavior in the Website, which can refer to any aspect of the Website’s design, including, but not limited to, level or character design, bonuses, social interactions, etc. - error events such as any errors encountered by the User while using the Website - custom fields that can contain any Website parameter defined by you |
Nature of the Processing | Collection, recording, modification, structuring, storage, retrieval, consultation, disclosure, combination, comparison, restriction, erasure and communication. |
Purpose(s) of the Processing | Air360 captures in-page interaction and micro-gesture to understand the how and why of customer behavior. Air360 helps companies make smarter decisions every step of the way. |
Location of the Processing Operation(s) | - AWS and OVHcloud in the following countries: Ireland and France, depending on location(s) of Website(s) / end users - Air360 teams are based in France, Spain and Japan |
Duration of the Processing Operations | During the Term of the Agreement |
Subject matter, nature and duration of sub processings | - AWS: Hosting of Personal Data. Processing of Personal Data. Data collection and DNS management. During the Term of the Agreement. - OVHcloud: Hosting of Personal Data. Processing of Personal Data. Data collection. During the Term of the Agreement. |
APPENDIX 2 – Competent Supervisory Authority
Supervisory Authority | Commission Nationale Informatique et Liberté (https://www.cnil.fr/en/home) unless otherwise notified by the Controller |
---|---|
APPENDIX 3 - Technical and organisational measures including technical and organisational measures to ensure the security of the data
Measure Type | Details |
---|---|
Measures of pseudonymisation and encryption of personal data | - All our APIs & web interface can only be accessed via HTTPS and encrypted by TLS and with access controlled by secret API key - All external HTTP communications are protected by TLS 1.2 as a minimum. - At rest, on a case-by-case basis, we use AES |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | - We use SSH keys and 2FA is enforced on all our systems - All links outside of the company network are protected by SSL/TLS, SSH or equivalent - All system-to-system and system-to-human links inside the company network are protected by SSL/TLS, SSH or equivalent. - We enforce STARTTLS on our mail systems - We have implemented SPF and DKIM on our mail systems - We have implemented DMARC and have set the policy to quarantine or higher |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | - Security policies in place: information security policy, incident response plan, data breach policy, Business Continuity and Disaster Recovery Plan policy (BCDR) - Annual updates to test the incident response plan and BCDR policy - Backups are tested annually for integrity - Backups are stored encrypted |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | - Annual penetration tests - Annual security training for all the employees - Acknowledgement of the Information Security Policy and code of Conduct by all the employees - Annual review of all the internal policies - Annual risk assessment exercise done to identify and mitigate the risks in the company in terms of data & information security - Annual testing of the main policies (incident response plan and BCDR plan) |
Measures for user identification and authorisation | - 2FA enabled on all the systems that allow it - Identification of “super administrators” employees, in charge of granting and removing the accesses and reviewing access rights twice a year - User access review performed twice a year - Accesses are provided using the role-based rules and least privilege principle - No use of generic accounts |
Measures for the protection of data during transmission | - All external HTTP communications are protected by TLS 1.2 as a minimum |
Measures for the protection of data during storage | - Firewalls in place - Anti-virus set up by default on all the computers and laptops |
Measures for ensuring physical security of locations at which personal data are processed | - CCTV - Entrance controlled by badges - There is software that controls who accesses, when and how - There are different zones depending on the access level: a DMZ for visitors and a protected zone that only employees can access, or visitors always guided by an employee |
Measures for ensuring events logging | - We use Datadog to ensure events logging - Usage and access logs are kept for audit purposes and used by our IT, account and billing teams - The log data is used as a feed for alerting and monitoring |
Measures for ensuring system configuration, including default configuration | - Documents written to describe the standard configurations for infrastructure systems, servers, workstations and laptops - Procedures in place to ensure configurations for infrastructure systems, servers, workstations and laptops (deployment checklists…) |
Measures for internal IT and IT security governance and management | - Measures for internal IT and IT security governance and management of existing policies for different processes - Compliance Team - Security Team |
Measures for certification/assurance of processes and products | - Risk assessment is conducted annually - All internal policies are reviewed annually |
Measures for ensuring data minimisation | - We process data according to GDPR principles - Air360 takes a privacy-by-default approach minimizing the risk of capturing sensitive or personal data - Air360 doesn’t collect any personal or sensitive data by default |
Measures for ensuring data quality | - Regular checks with automated testing are performed to make sure the data is consistent with data observability. - Backups are stored encrypted |
Measures for ensuring limited data retention | - Data retention policy according to GDPR - Policies in AWS and database automatic rules are automatically applied to remove unused events and databases - Regular reviews are conducted |
Measures for ensuring accountability | - We take a data protection by design and by default approach - We have a designated DPO - We conduct regular risk assessments |
Measures for allowing data portability and ensuring erasure | - Individual rights privacy policy written and reviewed annually - Procedures in place to answer the personal data requests coming from any individual (the customer care team is in charge of answering such requests with the support of the Legal & Compliance Department, training of the Customer Care team to answer all types of requests) |
APPENDIX 4 – AUTHORIZED SUB-PROCESSORS
Identification and contact details of the sub-Processor | Contact Point | Details of the services provided |
---|---|---|
Amazon Web Services Inc 410 Terry Avenue North Seattle, WA 98109 United States (Data Hosted in Europe) | Phone number: +1-206-266-1000 Address: aws-EU-privacy@amazon.com | Services provided: Data collection and DNS management. The provider is using further sub-processors as per the following list: https://aws.amazon.com/compliance/sub-processors/ The provider is maintaining technical and organizational data security measures of its own, as further described in the data protection addendum: https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html |
OVHcloud Roubaix, 2 Rue Kellermann, France | Phone number: +353 (0) 1 691 72 83 | Services provided: Data collection The provider may use further sub-processors as per the following list: https://storage.gra.cloud.ovh.net/v1/AUTH_325761a587c64897acbfe9a4a726e838/contracts/30c4ab8-OVH_Sub_processors-IE-2.0.pdf The provider is maintaining technical and organizational data security measures of its own, as further described in the data processing terms: https://storage.gra.cloud.ovh.net/v1/AUTH_325761a587c64897acbfe9a4a726e838/contracts/5cec77c-OVH_Data_Protection_Agreement-IE-6.2.pdf |