GDPR Compliance

Data Processing Agreement

Last updated: May 2026  ·  Legally binding upon execution

Need a signed DPA for your organization?

Enterprise and GDPR-regulated customers can request a countersigned DPA by contacting our compliance team.

1. Introduction

This Data Processing Agreement ("DPA") is incorporated into and forms a binding part of the Relay Terms of Service (the "Agreement") between Aether Digital ("Relay" or "Processor") and the customer accepting those Terms ("Controller").

This DPA applies wherever Relay, in the course of providing its notification infrastructure services, processes Personal Data on behalf of the Controller. It establishes the rights and obligations of each party with respect to such processing, in compliance with applicable Data Protection Laws including the EU General Data Protection Regulation (GDPR/EU 2016/679) and all national implementing legislation.

In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, the provisions of this DPA shall prevail.

2. Definitions

Unless otherwise defined in context, the following terms have the meanings set out below. Terms defined in the GDPR (including "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority") carry those GDPR meanings throughout this DPA.

  • "Agreement": The Relay Terms of Service entered into between Controller and Processor, to which this DPA is attached and made part of.
  • "Applicable Law": Regulation (EU) 2016/679 (GDPR), all applicable national data protection legislation implementing or supplementing the GDPR, and any equivalent laws applicable in the jurisdictions where the Services are delivered.
  • "Controller Personal Data": Any Personal Data processed by Processor on behalf of Controller pursuant to or in connection with the Agreement.
  • "Services": The Relay notification infrastructure platform and all related services provided by Processor as described in the Agreement.
  • "Standard Contractual Clauses" (SCCs): The standard contractual clauses for international transfers of personal data as adopted by the European Commission under Implementing Decision (EU) 2021/914.
  • "Sub-Processor": Any third party engaged by Processor to process Controller Personal Data on behalf of Controller in support of the delivery of the Services.

3. Processing Instructions

Processor shall process Controller Personal Data exclusively on documented instructions from Controller, as set out in this DPA and the Agreement, including with respect to transfers of Controller Personal Data to third countries or international organizations. Processor shall not process Controller Personal Data for any other purpose without prior written authorization from Controller.

Where Processor is required by Applicable Law to process Controller Personal Data beyond the scope of Controller's instructions, Processor shall notify Controller of that legal requirement before commencing such processing, unless prohibited by law from doing so on grounds of public interest.

Controller hereby authorizes Processor to: (i) process Controller Personal Data to the extent necessary for the delivery of the Services; (ii) transfer Controller Personal Data to any country or territory required for the provision of the Services, subject to compliance with Section 3 of this DPA and all applicable transfer requirements under Applicable Law; and (iii) engage Sub-Processors in accordance with Section 8.

4. Controller Obligations

Controller represents and warrants that it holds, and shall maintain throughout the term of the Agreement and this DPA, all rights, consents, and legal authorizations required to provide Controller Personal Data to Processor for the processing described herein. Controller is solely responsible for ensuring that all processing of Controller Personal Data by Processor is lawful under Applicable Law.

Controller is responsible for obtaining and maintaining all necessary consents from Data Subjects as required by Applicable Law, and for keeping records of such consents in accordance with applicable requirements. Controller agrees to comply with all of its obligations as a controller under Applicable Law, including but not limited to providing appropriate privacy notices to Data Subjects regarding the processing of their data through the Services.

5. Confidentiality of Processing

Processor shall ensure that access to Controller Personal Data is restricted to Processor personnel who require such access for the purpose of performing the Services (the principle of least privilege). All such personnel shall be bound by written confidentiality obligations or professional statutory obligations of confidentiality with respect to Controller Personal Data.

Processor shall maintain appropriate access controls, credential management policies, and activity logging for all personnel with access to systems processing Controller Personal Data. Processor shall promptly revoke access for any personnel who no longer require it.

6. Security Measures

Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing of Controller Personal Data, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing, and the likelihood and severity of risks to Data Subject rights and freedoms.

Such measures shall include, at minimum:

  • Encryption of Controller Personal Data in transit (TLS 1.2 or higher) and at rest.
  • Role-based access control and multi-factor authentication for all systems processing Controller Personal Data.
  • Regular security assessments, vulnerability scanning, and penetration testing of platform infrastructure.
  • Documented incident response procedures, including procedures for detecting and reporting Personal Data Breaches.
  • Physical and logical access controls to data center facilities where Controller Personal Data is stored.
  • Regular staff training on data protection and security best practices.

Processor shall review and update these security measures periodically and shall notify Controller of any material changes that may affect the protection of Controller Personal Data.

7. Personal Data Breach Notification

In the event that Processor becomes aware of a confirmed or reasonably suspected Personal Data Breach affecting Controller Personal Data, Processor shall notify Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

The breach notification shall, to the extent available at the time of notification, include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and personal data records affected.
  • The name and contact details of the data protection contact point from whom more information can be obtained.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

Where it is not possible to provide all of the above information simultaneously, Processor may provide such information in phases without undue further delay. Processor shall cooperate with Controller and take commercially reasonable steps, as agreed by the parties or required by Applicable Law, to assist in the investigation, containment, mitigation, and remediation of any such breach.

8. Sub-Processors

Controller hereby provides general authorization for Processor to engage Sub-Processors for the purpose of delivering the Services, subject to the requirements of this Section.

Processor shall give Controller reasonable prior notice of any intended appointment of a new Sub-Processor. If Controller raises reasonable written objections to such appointment within seven (7) calendar days of notice, the parties shall cooperate in good faith to resolve those objections. If no resolution is reached within a further seven (7) days, either party may terminate the portion of the Services that requires use of the proposed Sub-Processor, without liability to the other party arising from that specific termination.

Before engaging any new Sub-Processor, Processor shall conduct appropriate due diligence to confirm that the Sub-Processor is capable of providing the level of data protection required by this DPA, and shall enter into a written agreement with the Sub-Processor imposing data protection obligations at least equivalent to those in this DPA. Processor remains fully liable to Controller for the performance of any Sub-Processor's obligations under this DPA.

An up-to-date list of current Sub-Processors may be requested at any time by contacting aetherdigital.contact@gmail.com.

9. Data Subject Rights

Controller is solely responsible for receiving, evaluating, and responding to requests from Data Subjects exercising their rights under Applicable Law (including rights of access, rectification, erasure, restriction, portability, and objection).

Processor shall, upon Controller's written request and at Controller's reasonable expense, provide commercially reasonable assistance to help Controller fulfill its obligations with respect to Data Subject requests, including by providing access to relevant processing records and tools to retrieve or delete specific data where technically feasible.

If Processor receives a Data Subject request that relates to Controller Personal Data, Processor shall promptly notify Controller without responding to such request, unless required to do so by Applicable Law. In such event, Processor shall notify Controller in advance of responding to the extent permitted by law.

10. Data Protection Impact Assessments

At Controller's written request and reasonable expense, Processor shall provide such information and assistance as is reasonably necessary to enable Controller to carry out any Data Protection Impact Assessment (DPIA) or prior consultation with a Supervisory Authority, as required under Article 35 or Article 36 of the GDPR, in connection with the processing of Controller Personal Data by Processor.

Processor shall make available to Controller such documentation, records, and summaries of its security and processing practices as are reasonably necessary for Controller to fulfill its obligations under Applicable Law in relation to such assessments.

11. Deletion & Return of Data

Upon termination or expiry of the Agreement, or upon written request from Controller, Processor shall, within sixty (60) calendar days, either securely delete or return all copies of Controller Personal Data in Processor's possession or control, as directed in writing by Controller. Processor shall confirm completion of such deletion or return in writing upon request.

Processor may retain Controller Personal Data beyond this period only to the extent and for the duration required by Applicable Law. Where Processor retains data pursuant to a legal obligation, it shall notify Controller of such retention and the applicable legal basis, unless prohibited from doing so by law.

12. Audit Rights

Upon Controller's prior written request (submitted with a minimum of thirty (30) days' notice), Processor shall make available to Controller or Controller's designated reputable third-party auditor such information, records, and facilities as are reasonably necessary to demonstrate Processor's compliance with this DPA. Any such auditor shall be bound by professional confidentiality obligations acceptable to Processor before being granted access to Processor's systems or data.

Any audit or inspection shall: (i) be conducted at Controller's sole cost and expense; (ii) occur during Processor's normal business hours with minimum disruption to Processor's operations; (iii) be limited to no more than one (1) audit per calendar year, except where Controller reasonably suspects a material compliance failure or is required by a Supervisory Authority to conduct additional audits; and (iv) be subject to Processor's reasonable security and confidentiality policies.

The results of any audit shall be treated as Processor's confidential information and shall not be disclosed to any third party without Processor's prior written consent, unless disclosure is required by Applicable Law.

13. Liability

Each party's liability to the other in connection with this DPA shall be subject to the limitations on liability set out in the Agreement. Nothing in this DPA shall be construed to limit either party's liability to Data Subjects or Supervisory Authorities under Applicable Law.

Controller shall indemnify, defend, and hold harmless Processor and its officers, employees, and agents from and against any claims, fines, penalties, damages, and costs (including reasonable legal fees) arising directly or indirectly from: (i) Controller's breach of this DPA or Applicable Law in its capacity as Controller; or (ii) Controller's provision of unlawful instructions to Processor that result in Processor processing Controller Personal Data in breach of Applicable Law.

14. General Terms

Governing Law & Jurisdiction

This DPA and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of the jurisdiction applicable to the Agreement, unless otherwise required by Applicable Law. The parties submit to the jurisdiction specified in the Agreement for the resolution of any disputes arising under this DPA.

Order of Precedence

This DPA supplements and does not limit or reduce Processor's obligations under the Agreement with respect to the protection of Controller Personal Data. In the event of any conflict between this DPA and the Agreement regarding the processing of Personal Data, the provisions of this DPA prevail.

Amendments

Controller may request amendments to this DPA where necessary to comply with changes in Applicable Law, by providing at least forty-five (45) days' prior written notice to Processor. Processor shall make commercially reasonable efforts to accommodate such requested amendments. Either party may propose consequential amendments to the other in connection with any such changes.

Severability

If any provision of this DPA is held invalid or unenforceable, the remainder of the DPA shall remain in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it enforceable, or if not possible, shall be severed.

Schedule 1. Details of Processing

This Schedule sets out the particulars of the processing of Controller Personal Data as required by Article 28(3) of the GDPR.

Subject Matter & Duration

The subject matter and duration of processing are as specified in the Agreement. Processing continues for the duration of the Agreement and any applicable data retention periods under Applicable Law.

Nature & Purpose of Processing

Processor processes Controller Personal Data to deliver the notification infrastructure Services, including routing, dispatch, and delivery tracking of multi-channel notifications (email, SMS, push, WhatsApp, and other channels) on behalf of Controller.

Types of Personal Data Processed

Controller Personal Data may include: full name, email address, phone number, device push notification tokens, IP addresses, and any additional metadata fields supplied by Controller through the API for notification personalization purposes.

Categories of Data Subjects

Data Subjects are the end-users, subscribers, or customers of Controller who are recipients of notifications dispatched through the Services.

Obligations & Rights of Controller

The obligations and rights of Controller are as set out in the Agreement, this DPA, and Applicable Law. Controller determines the purposes for which Controller Personal Data is processed and the instructions given to Processor for such processing.

© 2026 Aether Digital · Relay Protocol · All rights reserved.