Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

  • Client ("Data Controller")
  • Jet Admin, Inc., a company registered in Delaware, USA ("Data Processor")

This DPA forms part of the Terms of Service and Privacy Policy between the parties.

1. Subject Matter and Duration

  • 1.1. This DPA governs the processing of personal data by Jet Admin, Inc. on behalf of the Client in accordance with GDPR.
  • 1.2. This DPA remains in effect for as long as Jet Admin, Inc. processes personal data on behalf of the Client.
  • 1.3. This DPA may be updated by mutual agreement if required due to changes in applicable data protection laws or the processing activities of Jet Admin, Inc. The Client will be notified of any material changes at least 30 days in advance.

2. Roles and Responsibilities

  • 2.1. The Client acts as the Data Controller, determining the purposes and means of processing personal data.
  • 2.2. Jet Admin, Inc. acts as the Data Processor, processing data strictly under the Client's instructions.

3. Data Processing Details

  • 3.1. Types of Personal Data:
    Names, email addresses, IP addresses. Payment data is processed by Paddle, not Jet Admin, Inc.
  • 3.2. Categories of Data Subjects:
    Users of the Client's applications.
  • 3.3. Purpose of Processing:
    Authentication and analytics.
  • 3.4. Legal Basis for Processing:
    Processing is based on the necessity to fulfill a contract (Article 6(1)(b) GDPR).

4. Data Transfers and Hosting

  • 4.1. Hosting Location:
    Data is stored and processed in Frankfurt, Germany.
  • 4.2. International Transfers:
    Data transfer to the USA is governed by the EU Standard Contractual Clauses (2021) along with additional security measures such as encryption and access controls.

5. Security Measures

  • 5.1. Data encryption (in transit and at rest).
  • 5.2. Access controls and two-factor authentication.
  • 5.3. Regular security audits and penetration testing.
  • 5.4. Anomaly detection and continuous monitoring.
  • 5.5. Logging and vulnerability testing to ensure GDPR compliance (Article 32).

6. Data Subject Rights

  • 6.1. Access and Deletion Requests:
    Users can request access, correction, or deletion of their data through Jet Admin, Inc.'s support in Intercom.
  • 6.2. Response Time:
    Jet Admin, Inc. will respond to all requests within 30 days, as required by GDPR.
  • 6.3. Appeal Process:
    If a data subject request is denied, Jet Admin, Inc. shall provide a justification, and the data subject may appeal the decision through the relevant EU Supervisory Authority.
  • 6.4. Assistance with DPIA:
    Jet Admin, Inc. shall provide reasonable assistance to the Client in conducting a Data Protection Impact Assessment (DPIA) if required under GDPR.
  • 6.5. Jet Admin, Inc. shall assist the Client in responding to requests from data protection authorities, including by providing necessary documentation and cooperating in audits or investigations related to data processing activities.

7. Data Retention and Deletion

  • 7.1. Personal data is retained for 3 months after contract termination unless a deletion request is made earlier.
  • 7.2. Upon a valid deletion request, Jet Admin, Inc. shall ensure permanent and irreversible deletion of personal data within 30 days, unless legal obligations require extended retention.
  • 7.3. Security logs and records of data breaches shall be retained for at least 12 months to ensure compliance with security and audit requirements.

8. Subprocessors

  • 8.1. Jet Admin, Inc. engages the following subprocessors:
    • Amazon Web Services (AWS) – hosting provider
    • OpenAI, Anthropic – AI generation services
    • Google Analytics, Amplitude – analytics services
  • 8.2. Jet Admin, Inc. shall notify the Client at least 30 days in advance of adding a new subprocessor.
  • 8.3. The Client has the right to object to new subprocessors within 14 days of notification.
  • 8.4. Jet Admin, Inc. ensures that all subprocessors enter into EU Standard Contractual Clauses (2021) or equivalent agreements, ensuring full compliance with GDPR.

9. Data Breach Notification

  • 9.1. In the event of a data breach, Jet Admin, Inc. will notify the Client within 72 hours via email or Slack.
  • 9.2. The notification will include the nature of the breach, affected data, mitigation measures, and recommended actions.

10. Liability and Dispute Resolution

  • 10.1. Each party is responsible for compliance with GDPR in its role as Data Controller or Data Processor.
  • 10.2. For EU data subjects, disputes related to GDPR compliance shall be subject to the jurisdiction of the relevant EU supervisory authority and courts.
  • 10.3. For non-EU data subjects, disputes shall be resolved in U.S. courts under Delaware law.