DATA PROCESSING AGREEMENT

LAST UPDATED: DEC 2025

Air Lift — Data Processing Agreement (DPA)

Last Updated: August 2024

Preamble & Parties

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer identified in the applicable order, subscription, or master services agreement (“Customer”, “Controller”) and Air Lift Inc., a company operating the Air Lift platform (“Air Lift”, “Processor”), collectively the “Parties”.

This DPA reflects the Parties’ agreement with respect to the processing of Personal Data in connection with Customer’s use of the Air Lift platform and related services (the “Services”). Capitalized terms not defined here have the meanings given in the main agreement between the Parties (the “Agreement”).

1. Definitions

Applicable Data Protection Laws means all laws, regulations, and rules relating to privacy and data protection applicable to the processing under this DPA, including as applicable the EU/UK GDPR, Swiss FADP, and US state privacy laws.

Personal Data means any information relating to an identified or identifiable natural person processed by Air Lift on behalf of Customer under the Agreement.

Process/Processing has the meaning set out in Applicable Data Protection Laws.

Sub-processor means any processor engaged by Air Lift to assist in fulfilling its obligations with respect to providing the Services and that processes Personal Data.

Supervisory Authority means the competent data protection authority in the EEA/UK/Switzerland, as applicable.

2. Scope, Role & Instructions

  1. Roles. Customer is the Controller (or a Processor acting on behalf of a Controller) and appoints Air Lift as Processor to process Personal Data as necessary to provide the Services.
  2. Instructions. Air Lift will process Personal Data only on documented instructions from Customer, including as set forth in the Agreement, this DPA, Customer’s configuration and use of the Services, and as required by law. Where legally permitted, Air Lift will inform Customer if an instruction infringes Applicable Data Protection Laws.
  3. Customer Responsibilities. Customer is responsible for the lawfulness of Personal Data and obtaining all necessary notices and consents, and for its configuration and use of the Services.

3. Confidentiality

Air Lift ensures that persons authorized to process Personal Data are subject to appropriate confidentiality obligations and receive appropriate training on data protection and security.

4. Security Measures

Air Lift implements and maintains appropriate technical and organizational measures designed to protect Personal Data as described in Annex II (the “Security Measures”). Customer is responsible for reviewing the information made available by Air Lift relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and obligations.

5. Sub-processors

  1. Authorization. Customer hereby provides general written authorization for Air Lift to engage Sub-processors to process Personal Data in connection with the Services.
  2. Sub-processor Obligations. Air Lift will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA and remains responsible for each Sub-processor’s performance.
  3. List & Updates. A current list of Sub-processors is maintained by Air Lift (see Annex III). Air Lift will provide notice of new Sub-processors, and Customer may object on reasonable data protection grounds within a reasonable period after notice. If Customer objects, the Parties will work in good faith to find a commercially reasonable solution; if none is found, Customer may suspend or terminate the affected Services without penalty.

6. International Data Transfers

  1. Mechanisms. To the extent Air Lift processes Personal Data subject to the EU/UK/Swiss data transfer restrictions outside the EEA/UK/Switzerland, the Parties agree the following transfer mechanisms apply, as applicable and to the extent permitted by law:
    • EU Standard Contractual Clauses. The European Commission’s Standard Contractual Clauses for controllers to processors (Module 2) and/or processors to processors (Module 3), as applicable, as set out in Commission Implementing Decision (EU) 2021/914 (“SCCs”), are incorporated by reference with the details completed by Annex I and the Security Measures in Annex II. Where the SCCs conflict with this DPA, the SCCs prevail.
    • UK Addendum. For transfers subject to UK law, the International Data Transfer Addendum (IDTA/Addendum B) issued by the UK ICO is incorporated by reference and supplements the SCCs.
    • Swiss Addendum. For transfers subject to Swiss law, references in the SCCs to the GDPR are deemed references to the Swiss FADP where appropriate.
  2. Alternative Safeguards. If another valid transfer mechanism (e.g., adequacy decision or certification) becomes available and is used by Air Lift, that mechanism may be used instead of the SCCs.

7. Data Subject Requests

Taking into account the nature of the processing, Air Lift shall assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to requests to exercise data subject rights under Applicable Data Protection Laws. If Air Lift receives a request directly from a data subject relating to the Personal Data for which Customer is the Controller, Air Lift will promptly notify Customer and not respond except on documented instructions or as required by law.

8. Personal Data Breach

Air Lift will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed by Air Lift under this DPA and will provide information reasonably necessary to enable Customer to meet its legal obligations.

9. Audit & Compliance

On Customer’s reasonable request, Air Lift will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by Customer or an auditor mandated by Customer, provided that: (a) audits occur no more than once annually unless required by a Supervisory Authority or following a confirmed Personal Data Breach; (b) audits are conducted during normal business hours, on reasonable notice, and in a manner that does not interfere with business operations; and (c) Customer signs reasonable confidentiality undertakings. Evidence may include independent third-party reports, certificates, and summaries of security controls.

10. Return & Deletion

Upon termination or expiry of the Agreement, upon Customer’s written request, Air Lift will delete or return all Personal Data processed on behalf of Customer, except where retention is required by law or permitted under Applicable Data Protection Laws. Where deletion is not feasible, Air Lift will continue to protect Personal Data in accordance with this DPA and limit further processing to the purposes that require retention.

11. Assistance, DPIAs & Consultations

Taking into account the nature of processing and the information available to Air Lift, Air Lift will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities related to Customer’s use of the Services, in each case solely to the extent required by Applicable Data Protection Laws.

12. Liability & Precedence

Each Party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict with respect to the processing of Personal Data. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.

13. Term & Termination

This DPA becomes effective on the date Customer first uses the Services or otherwise accepts the Agreement and remains in force for as long as Air Lift processes Personal Data on behalf of Customer under the Agreement.

How to Obtain a Signed Copy

If you require a signed DPA via email, please contact [email protected] with subject line: “DPA Request — [Your Company Name]”. Include your legal entity name, address, signatory name/title, and any required purchase order or reference. We will countersign and return a PDF copy by email.

Annex I – Details of Processing

A. List of Parties

Controller: The Customer identified in the Agreement.

Processor: Air Lift Inc., acting as processor of Personal Data on behalf of Customer.

B. Supervisory Authority

The competent Supervisory Authority is determined in accordance with Article 56 GDPR (or applicable law) based on Customer’s location in the EEA/UK/Switzerland.

C. Description of Processing

Subject Matter: Provision of the Air Lift platform (CRM, marketing automation, messaging, scheduling, funnels, reporting) and related support.

Nature & Purpose: Hosting, storage, transmission, organization, structuring, analysis, and other processing operations necessary to deliver the Services and customer support.

Duration: For the term of the Agreement and as otherwise required by law.

Categories of Data Subjects: Customer’s end users; Customer’s prospects and leads; Customer’s customers/clients; personnel authorized by Customer.

Categories of Personal Data: Identification and contact data (e.g., name, email, phone), account identifiers, communications metadata and content (e.g., messages sent via the Services), marketing engagement data (opens, clicks), scheduling details, device and log data (IP, browser), and other data submitted by Customer at its discretion. Special categories of data are not intended to be processed; Customer must not submit such data unless permitted by the Agreement and Applicable Data Protection Laws.

Frequency of Transfers: Continuous as necessary for the Services.

Retention: As described in the Agreement/Service settings and Section 10 of this DPA.

Annex II – Technical & Organizational Measures (TOMs)

  • Information Security Program: Documented policies covering access control, encryption, vulnerability management, incident response, business continuity, and vendor risk.
  • Access Control: Role-based access; least privilege; multi-factor authentication for privileged access; periodic access reviews; secure credential policies.
  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest (where applicable); secure key management and rotation.
  • Network Security: Segmentation, firewalls, WAF, DDoS protections; monitoring and alerting for anomalies.
  • System Hardening & Patching: Baseline configurations; vulnerability scanning; timely patching; change management.
  • Logging & Monitoring: Centralized logging of security-relevant events; retention per policy; alerting on suspicious activities.
  • Software Development Security: Secure SDLC; code reviews; automated testing and static analysis; separate environments; controlled releases and rollback procedures.
  • Business Continuity & Backups: Redundant architecture; routine backups; recovery testing; geo-redundancy where applicable.
  • Personnel Security: Background checks where permitted; confidentiality obligations; security and privacy training.
  • Physical Security: Use of reputable cloud providers with audited physical and environmental controls.
  • Incident Response: Documented procedures; 24/7 monitoring; breach notification workflow consistent with legal requirements.
  • Data Minimization & Segregation: Logical tenant separation; configurable retention; secure deletion procedures.

Annex III – Authorized Sub-processors

Air Lift engages certain Sub-processors to support delivery of the Services (e.g., cloud hosting, email/SMS providers, analytics, customer support tooling). A current list of Sub-processors is available upon request and will be provided via email.

To request the current Sub-processor list or subscribe to change notifications, email [email protected] with subject: “Sub-processor List Request”.

US State Privacy Addendum (Service Provider / Processor Terms)

Where Air Lift processes Personal Data subject to US state privacy laws (including the CCPA/CPRA, CPA, CTDPA, UCPA, VCDPA), Air Lift acts as a “service provider” or “processor,” as applicable, and will:

  • Process Personal Data only for the limited and specified purposes described in the Agreement and this DPA;
  • Not “sell” or “share” Personal Data as defined by applicable law; not combine Personal Data with data obtained from other sources except as permitted to provide the Services;
  • Assist Customer in responding to consumer requests where required;
  • Implement reasonable security procedures and practices appropriate to the nature of the Personal Data;
  • Notify Customer if Air Lift determines it can no longer meet its obligations under applicable law;
  • Flow down the same obligations to authorized Sub-processors and monitor compliance;
  • At Customer’s direction, delete or return Personal Data at the end of Services, unless retention is permitted by law.

Contact

Questions about this DPA or privacy requests: [email protected]

Disclaimer

This sample DPA is provided for operational alignment with common data protection requirements and does not constitute legal advice. Customer should consult with legal counsel to ensure this DPA meets its specific compliance needs.

© 2025 Air Lift. All rights reserved. The All-in-One CRM and Marketing System for Aviation Businesses.