AERONOVA SYSTEMS SRL — DATA PROCESSING AGREEMENT
Effective Date: [To be confirmed] | Last Updated: March 2026
This Data Processing Agreement ("DPA") is entered into between: Controller: the Client organisation (as defined in the AeroNova Terms of Service) that subscribes to the Platform. Processor: Aeronova Systems SRL, CUI/CIF [To be inserted], registered in Romania, trading as AeroNova.
This DPA supplements and forms an integral part of the Terms of Service. In the event of any conflict, this DPA prevails regarding personal data processing. By accepting the Terms of Service, the Client accepts and is bound by this DPA without requiring any additional signature.
SECTION 1 — DEFINITIONS
Terms used in this DPA have meanings given in GDPR (EU) 2016/679 Article 4, including: "Personal Data," "Processing," "Controller," "Processor," "Sub-Processor," "Data Subject," "Personal Data Breach," and "Supervisory Authority."
SECTION 2 — SUBJECT MATTER AND SCOPE
2.1 Subject matter: provision of the AeroNova compliance management platform and associated services.
2.2 Duration: the duration of the Principal Agreement plus such additional period as is necessary to complete data deletion obligations.
2.3 Nature and purpose: processing personal data to provide ISMS compliance management, AI-assisted document generation, risk register management, incident tracking, evidence storage, audit preparation, training management, and compliance briefing generation.
2.4 Types of personal data processed: names and contact details of Accountable Managers, IS Managers, IT Contacts, and other designated personnel; job titles and roles; staff training records including completion dates and assessment results; incident report descriptions referencing individuals; supplier and contractor contact details; and any other personal data the Controller enters.
2.5 Categories of data subjects: employees, contractors, consultants, and management personnel of the Controller.
SECTION 3 — CONTROLLER OBLIGATIONS
3.1 The Controller warrants that: it has a lawful basis under GDPR Article 6 for all personal data it inputs; it has provided all necessary privacy notices to data subjects; where required, it has obtained valid consent or established another lawful basis; its instructions comply with applicable data protection law; it will not input special category data under GDPR Article 9 into the Platform.
SECTION 4 — PROCESSOR OBLIGATIONS
4.1 Documented Instructions: Process personal data only on documented instructions from the Controller (these Terms and this DPA constitute such instructions), except where required by applicable EU or Romanian law.
4.2 Confidentiality: Ensure all persons authorised to process personal data are subject to binding confidentiality obligations.
4.3 Security: Implement appropriate technical and organisational measures per GDPR Article 32, including: AES-256 encryption at rest; TLS 1.2+ encryption in transit; role-based access controls; EU data residency for primary storage (Supabase EU Frankfurt); Supabase Row Level Security policies ensuring org-scoped data isolation; Upstash Redis rate limiting; CORS restricted to aeronovais.com; regular security testing.
4.4 Sub-Processors: General written authorisation is hereby given for sub-processors listed in Section 7. At least thirty (30) days' notice of any intended new sub-processor. Controller may object within fourteen (14) days on reasonable data protection grounds. AeroNova imposes equivalent data protection obligations on all sub-processors and remains fully liable for their performance.
4.5 Data Subject Rights: Assist the Controller in fulfilling data subject rights requests within seventy-two (72) hours of receipt.
4.6 Article 32-36 Assistance: Assist the Controller with: security measures (Article 32); breach notification (Article 33); DPIAs (Article 35); prior consultation (Article 36).
4.7 AI Training Restriction: AeroNova shall not use Client Data or personal data processed under this DPA to train, fine-tune, or improve any AI or machine learning model, including any internal AI systems. Transmission to Anthropic is subject to Anthropic's contractual prohibition on using API input data for model training. AeroNova will notify the Controller immediately if Anthropic modifies this restriction.
4.8 Deletion and Return: At the Controller's choice on termination: return all personal data in structured machine-readable format, or delete all personal data. Completed within thirty (30) days after the end of the data export period, unless law requires further storage. Written certification of deletion provided on request.
4.9 Audit Rights: Make available all information necessary to demonstrate GDPR Article 28 compliance. Allow audits by the Controller or mandated auditor, subject to: thirty (30) days' prior written notice; reasonable scope during business hours; auditor bound by confidentiality; Controller bearing audit costs.
4.10 Notification of Unlawful Instructions: Immediately inform the Controller if any instruction infringes GDPR or applicable data protection law.
SECTION 5 — PERSONAL DATA BREACH NOTIFICATION
5.1 Notify the Controller without undue delay and no later than twenty-four (24) hours after becoming aware of a personal data breach.
5.2 Initial notification shall include: nature of the breach; categories and approximate number of data subjects and records affected; name and contact of data protection contact; likely consequences; measures taken or proposed.
5.3 Full Article 33 information shall be provided within seventy-two (72) hours of initial notification to enable the Controller to meet its own regulatory notification obligations.
5.4 AeroNova shall cooperate with the Controller and take reasonable steps to assist in investigation, mitigation, and remediation of each breach.
5.5 Breach Response Assistance: AeroNova shall, at the Controller's reasonable written request, provide: reasonable technical assistance identifying breach scope and cause; reasonable cooperation with forensic investigation if required; all information held by AeroNova relevant to the Controller's supervisory authority notification. The Controller bears sole responsibility for its own Article 33/34 notifications.
SECTION 6 — INTERNATIONAL DATA TRANSFERS
6.1 AeroNova shall not transfer personal data outside the EEA unless: the European Commission has issued an adequacy decision for the recipient country; Standard Contractual Clauses are in place (Commission Implementing Decision (EU) 2021/914); or a GDPR Article 49 derogation applies.
6.2 AeroNova has entered into SCCs with each USA-based sub-processor listed in Section 7. Transfer impact assessments have been conducted. AeroNova will promptly inform the Controller if it can no longer ensure essentially equivalent protection for data transferred outside the EEA.
SECTION 7 — AUTHORISED SUB-PROCESSORS
- Anthropic, LLC — USA — AI document generation and content — Receives organisational data, personnel names, system descriptions, risk data, incident descriptions for generating ISMS compliance documents, briefings, and AI suggestions. Contractually prohibited from using API input data for AI model training.
- Supabase, Inc. — Germany (EU Frankfurt) — Primary database and file storage — Stores all application data, documents, evidence files, and compliance records. EU data residency.
- Clerk, Inc. — USA — User authentication and organisation management — Stores user profiles, email addresses, authentication tokens, and organisation membership data.
- Stripe, Inc. — USA and Ireland — Payment processing — Processes payment card details, billing addresses, and transaction records.
- Resend, Inc. — USA — Transactional email delivery — Receives recipient email addresses and email content for transactional email delivery only.
- Upstash, Inc. — USA and EU — Rate limiting — Receives IP addresses and request metadata for abuse prevention.
- Vercel, Inc. — USA — Application hosting — Processes HTTP requests, IP addresses, and request headers for application delivery.
SECTION 8 — TERM AND GOVERNING LAW
8.1 This DPA remains in effect for the duration of the Principal Agreement and survives termination to the extent necessary for data deletion obligations and ongoing confidentiality.
8.2 This DPA is governed by Romanian law, without prejudice to direct applicability of GDPR.
8.3 Disputes under this DPA shall be resolved per the Principal Agreement dispute resolution provisions.
SECTION 9 — ACCEPTANCE
By accepting the AeroNova Terms of Service, the Client accepts and is bound by this Data Processing Agreement. No separate signature is required.
Contact: privacy@aeronovais.com