Aircloud/Legal/Data Processing Agreement

Data Processing Agreement

Last updated: April 5, 2026

GDPR Art. 28Compliant Structure

This DPA is incorporated into and forms part of the Aircloud Terms of Service. Enterprise customers may execute a signed version by contacting legal@aircloud.com.

§

Introduction

[This Data Processing Agreement ("DPA") forms part of the agreement between Aircloud Technologies Inc. ("Aircloud," "Processor") and the customer entity identified in the associated account or order form ("Customer," "Controller"). This DPA governs Aircloud's processing of Personal Data on behalf of Customer in connection with the provision of GPU infrastructure services (the "Services").]

[This DPA supplements and is subject to the Aircloud Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA shall govern. Capitalized terms not defined here have the meanings given to them in the Terms of Service.]

[This DPA is intended to satisfy the requirements of Article 28 of the GDPR for processing agreements between Controllers and Processors. It also addresses equivalent requirements under the UK GDPR and, to the extent applicable, other data protection laws.]

§

Definitions

[As used in this DPA, the following terms have the meanings set out below. Where applicable, these definitions align with Article 4 of the GDPR:]

Controller[The entity that determines the purposes and means of processing Personal Data. In this DPA, the Customer acts as the Controller with respect to Personal Data submitted to or processed through the Services.]
Processor[The entity that processes Personal Data on behalf of the Controller. Aircloud acts as a Processor with respect to Customer Personal Data.]
Personal Data[Any information relating to an identified or identifiable natural person ('data subject'), as defined in GDPR Article 4(1). In the context of the Services, this includes personal data contained in workloads, datasets, or inputs processed on the Customer's behalf.]
Processing[Any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, and deletion, as defined in GDPR Article 4(2).]
Data Subject[An identified or identifiable natural person whose Personal Data is processed in connection with the Services.]
Sub-processor[A third party engaged by Aircloud to process Personal Data in connection with delivering the Services to the Customer.]
Supervisory Authority[An independent public authority responsible for monitoring the application of data protection law, as designated under applicable law (e.g., the relevant EU Member State authority or the UK ICO).]
Standard Contractual Clauses (SCCs)[The standard data protection clauses adopted by the European Commission for the transfer of Personal Data to third countries, currently set out in Commission Decision 2021/914/EU.]
§

Scope of Processing

[Aircloud processes Personal Data on behalf of Customer only as strictly necessary to provide the Services and as documented in this DPA. The nature of processing activities includes: provisioning and operating GPU compute instances; processing API requests and responses as directed by the Customer; maintaining logs for billing, security, and operational purposes; and supporting Customer in fulfilling data subject requests.]

Categories of Personal Data

[The categories of Personal Data processed depend entirely on what the Customer chooses to submit to the Services. Aircloud does not dictate or limit what types of Personal Data the Customer may process, but the Customer is responsible for ensuring their processing has a lawful basis. Common categories may include: names and identifiers, professional or organizational information, technical identifiers (IP addresses, user IDs), and any personal data contained in training datasets, inference inputs, or model outputs uploaded or generated by the Customer.]

Categories of Data Subjects

[Data subjects are determined by the Customer's use case. They may include: the Customer's own end users, employees, contractors, or research subjects whose data is included in workloads processed on the platform. Aircloud does not have visibility into the identity of data subjects unless the Customer explicitly shares this information in a support context.]

Duration of Processing

[Aircloud processes Personal Data for the duration of the agreement between the parties, and for any retention period specified in this DPA or required by applicable law. Upon termination, data is handled in accordance with Section 10 (Data Retention and Deletion).]

§

Customer Obligations

[The Customer, as Controller, is solely responsible for: (a) ensuring that all Personal Data submitted to the Services has been collected and is being processed with a valid lawful basis under applicable data protection law; (b) providing adequate privacy notices to data subjects; (c) ensuring the accuracy and minimization of Personal Data submitted; (d) obtaining any required consents from data subjects; and (e) complying with all applicable data protection laws in connection with the Customer's use of the Services.]

[The Customer shall ensure that its instructions to Aircloud regarding the processing of Personal Data comply with applicable law. The Customer shall promptly notify Aircloud if it becomes aware of any instruction that would cause Aircloud to violate applicable data protection law.]

[The Customer is responsible for configuring access controls, encryption settings, and other security features made available through the Services. Aircloud is not responsible for security incidents resulting from the Customer's misconfiguration of such controls.]

§

Aircloud Obligations

[As Processor, Aircloud agrees to the following obligations with respect to Personal Data processed on behalf of the Customer:]

Processing Only per Instructions

[Aircloud will process Personal Data only in accordance with Customer's documented instructions, including those set out in this DPA and the Terms of Service, except where required to do so by applicable law. In such cases, Aircloud will inform the Customer before processing unless prohibited by law.]

Confidentiality

[Aircloud ensures that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or by operation of law.]

Security

[Aircloud implements and maintains technical and organizational security measures as described in Section 8 of this DPA.]

Sub-processor Engagement

[Aircloud engages sub-processors only as described in Section 6 and ensures sub-processors are bound by data protection obligations no less protective than those in this DPA.]

Assistance with Rights Requests

[Aircloud provides reasonable assistance to the Customer in fulfilling its obligations to respond to data subject requests, as described in Section 7.]

Assistance with Security Obligations

[Taking into account the nature of processing and information available, Aircloud assists the Customer in ensuring compliance with its obligations under GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation).]

Breach Notification

[In the event of a Personal Data breach affecting Customer data, Aircloud notifies the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach.]

Deletion or Return

[Upon termination of the Services, Aircloud deletes or returns Customer Personal Data as described in Section 10, unless retention is required by applicable law.]

Information and Audit

[Aircloud makes available to Customer all information necessary to demonstrate compliance with this DPA and contributes to audits as described in Section 11.]

§

Subprocessors

[The Customer provides a general authorization to Aircloud to engage the sub-processors listed below and any sub-processors notified pursuant to the change notification process. Aircloud remains liable to the Customer for the acts and omissions of its sub-processors to the same extent as if Aircloud performed the processing directly.]

Current Sub-processors

Sub-processorPurposeLocationDPA Reference
Amazon Web ServicesCloud infrastructure (Trusted-tier GPU instances)United States / EU regionsaws.amazon.com/compliance/gdpr-center
StripePayment processing (billing data only)United Statesstripe.com/en-gb/legal/dpa
[Email Provider]Transactional notificationsUnited States[DPA URL]
[Support Platform]Customer support ticket managementUnited States[DPA URL]
[Error Monitoring]Application error tracking (dev/ops data)United States[DPA URL]

Notification of Changes

[Aircloud maintains an up-to-date list of sub-processors at aircloud.com/legal/subprocessors. Aircloud will notify Customers of any intended addition or replacement of sub-processors by email and/or in-console notice at least 14 days before the change takes effect.]

Customer Objection Rights

[The Customer may object to a new sub-processor by notifying Aircloud in writing within 14 days of the change notification. If the Customer objects and Aircloud cannot address the objection by offering an alternative means of providing the relevant functionality, either party may terminate the affected Services with 30 days written notice.]

§

Data Subject Rights

[Under the GDPR and equivalent laws, data subjects have the rights listed below. As Controller, the Customer is responsible for receiving and responding to data subject requests. Aircloud's role is to provide technical assistance to the Customer in fulfilling these requests as they pertain to Personal Data processed through the Services.]

Right of Access (Art. 15)

[Upon Customer request, Aircloud will provide access to data held in the Customer's account within the platform. Aircloud does not directly respond to data subject access requests on behalf of the Customer.]

Right to Rectification (Art. 16)

[The Customer may correct Personal Data within the Services using available platform controls. Aircloud can assist with corrections in systems inaccessible to the Customer upon written request.]

Right to Erasure (Art. 17)

[Aircloud will delete or anonymize Personal Data upon Customer instruction, subject to the deletion timelines in Section 10 and any legal retention requirements.]

Right to Restriction (Art. 18)

[Aircloud will restrict processing of specific data at the Customer's instruction where technically feasible.]

Right to Data Portability (Art. 20)

[Aircloud provides export tools within the platform to allow Customers to retrieve Personal Data in machine-readable formats. Contact support for bulk export assistance.]

Right to Object (Art. 21)

[As Processor, Aircloud processes data only on Customer instructions and does not exercise independent judgment about the purposes of processing. Objections to processing based on Aircloud's own legitimate interests are not applicable in this context.]

[Aircloud will promptly notify the Customer if it receives a data subject request directly and will not respond to such requests without the Customer's authorization, except as required by applicable law.]

§

Security Measures

[Aircloud implements and maintains the following technical and organizational security measures pursuant to GDPR Article 32. These measures are designed to ensure a level of security appropriate to the risks presented by the processing:]

Technical Measures

Encryption at Rest: [All Customer data and backups are encrypted using AES-256. Encryption keys are managed through a key management service with hardware security module (HSM) backing.]
Encryption in Transit: [All data transmission between clients and the Services, and between internal services, uses TLS 1.2 or higher with strong cipher suites.]
Network Isolation: [Customer workloads operate within isolated network environments. GPU instances are provisioned with private networking; public egress is controlled and configurable.]
Access Controls: [Access to production systems is restricted using role-based access control (RBAC), enforced multi-factor authentication, and just-in-time access provisioning. All privileged access is logged.]
Vulnerability Management: [Aircloud conducts regular vulnerability assessments, patches critical vulnerabilities on an expedited basis, and performs periodic penetration testing.]
Logging and Monitoring: [Infrastructure and access logs are collected and monitored for anomalous activity. Security event alerts are reviewed by on-call engineering staff.]

Organizational Measures

Incident Response: [Aircloud maintains a documented incident response plan. Identified Personal Data breaches are escalated internally and Customer notification occurs within 72 hours of confirmed breach discovery.]
Personnel Training: [All staff with access to Personal Data undergo data protection training upon onboarding and annually thereafter.]
Vendor Management: [Sub-processors are assessed against security requirements prior to engagement and are subject to contractual data protection obligations.]
SOC 2 Type II: [Aircloud is pursuing SOC 2 Type II certification. Audit reports are made available to Customers under NDA as described in Section 11.]
§

Data Transfers

[Aircloud's primary infrastructure is located in the United States. Processing of Customer Personal Data may involve transfer of that data to countries outside the European Economic Area (EEA) or United Kingdom that may not provide an equivalent level of data protection.]

[Where Aircloud transfers Personal Data originating from the EEA or UK to a third country, it relies on the following transfer mechanisms:]

EU Standard Contractual Clauses

[For transfers from the EEA to the United States and other third countries, Aircloud relies on the Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by Commission Decision 2021/914/EU. Customers may request a signed copy at dpo@aircloud.com.]

UK International Data Transfer Agreements

[For transfers from the UK, Aircloud uses the UK International Data Transfer Agreement (IDTA) or UK addendum to EU SCCs as applicable.]

Adequacy Decisions

[Where the European Commission has issued an adequacy decision for the destination country (e.g., EU-U.S. Data Privacy Framework to the extent applicable), Aircloud relies on that decision in addition to or in lieu of SCCs.]

[Customers requiring data residency within a specific region (e.g., EU-only processing) should contact sales@aircloud.com. Regional data residency is available for Trusted-tier instances subject to capacity availability and may require a supplementary order form.]

§

Data Retention & Deletion

[Upon termination of the agreement or receipt of a written deletion instruction from the Customer, Aircloud will delete all Customer Personal Data from production systems within 30 days. Deletion from backup systems occurs on the standard backup rotation schedule, which does not exceed 90 days.]

Active workload data (GPU instance storage)Deleted within 24 hours of instance termination
Platform logs containing personal data90 days rolling window, then deleted or anonymized
Billing records containing personal dataRetained for 7 years (legal requirement)
Support tickets3 years from last interaction, then deleted
Account data30 days post-account deletion, then purged
BackupsOverwritten within 90-day rotation cycle

[Upon Customer request, Aircloud will provide written confirmation of deletion within 30 days of completing the deletion process. Where Aircloud is required by applicable law to retain certain data, it will notify the Customer of the basis for such retention and the anticipated retention period.]

§

Audit Rights

[Aircloud will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and will permit audits as described below. Audits are conducted at the Customer's expense.]

Audit Reports

[Aircloud will provide, upon written request and subject to a non-disclosure agreement, copies of its most recent SOC 2 Type II report, ISO 27001 certificate (if applicable), penetration test executive summaries, and other relevant third-party audit reports. Provision of these reports satisfies Aircloud's audit obligation under GDPR Article 28(3)(h) for the matters covered.]

On-site Audits

[If the Customer is not satisfied with the audit reports provided, the Customer may request an on-site audit no more than once per calendar year, with 60 days advance written notice, conducted during normal business hours and subject to reasonable confidentiality restrictions. Aircloud may require that such audits be conducted by a mutually agreed third-party auditor. Costs are borne by the Customer. Any audit must not unreasonably disrupt Aircloud's operations or compromise the security or confidentiality of other customers' data.]

§

Liability

[Each party's liability under this DPA is subject to the limitation of liability provisions in the Aircloud Terms of Service, to the maximum extent permitted by applicable data protection law. Nothing in this DPA limits either party's liability to data subjects or to supervisory authorities under applicable data protection law.]

[Aircloud is liable to the Customer for damages caused by processing that does not comply with this DPA or applicable law, where Aircloud is responsible for the non-compliance. The Customer indemnifies Aircloud against claims by data subjects or supervisory authorities arising from Customer's failure to comply with its obligations as Controller, including failure to have a lawful basis for processing.]

[In the event of a multi-party claim involving both Controller and Processor liability, liability is apportioned based on each party's degree of responsibility for the damage caused, as provided for under GDPR Article 82.]

§

Contact

[For questions about this DPA, to execute a signed version, or for data protection matters generally, contact:]

Aircloud Technologies Inc.Data Protection Officer[Address to be added]dpo@aircloud.com

[For enterprise DPA execution, signed copies, or region-specific data residency requirements, email legal@aircloud.com with subject line "DPA Request." We will respond within 3 business days.]

Questions? Email legal@aircloud.com© 2026 Aircloud Technologies Inc.