Data Processing Agreement

UK GDPR Addendum — Effective April 2026

1. Roles and Scope

Under the UK General Data Protection Regulation (UK GDPR), the Customer ("Data Controller") engages AirCEO, a trading name of Tarquin Barnsby ("Data Processor"), to process personal data strictly for the purpose of providing the AirCEO autonomous outbound pipeline platform.

This DPA applies to all personal data processed by AirCEO on the Controller's behalf, including but not limited to: lead contact details, email addresses, company names, engagement telemetry, and AI-generated correspondence.

2. Processing Instructions

AirCEO shall process personal data only on documented instructions from the Controller, specifically:

  • Ingesting and storing lead contact data uploaded or imported by the Controller.
  • Generating and dispatching outbound email sequences configured by the Controller.
  • Classifying and routing inbound replies using AI-powered intent analysis.
  • Enriching lead records with publicly available business information.
  • Producing campaign performance analytics and intelligence reports.

AirCEO shall not process personal data for any purpose beyond the documented instructions without prior written consent from the Controller, except where required by UK law.

3. Tenant Isolation & Security

AirCEO implements the following technical and organisational measures to protect personal data:

  • Row-Level Security (RLS): All operational data is logically isolated at the database level. Each tenant's data is cryptographically scoped via UUID-based tenant identifiers, ensuring mathematical isolation between environments.
  • Encryption at Rest: Sensitive credentials and API keys are encrypted using AES-256-GCM with per-record initialisation vectors.
  • Encryption in Transit: All communications use TLS 1.3.
  • Access Controls: Service role keys are restricted to server-side background processes. Client-side access uses scoped anonymous keys governed by RLS.
  • Authentication: User identity is managed via Clerk with multi-factor authentication support.

4. Sub-Processors

The Controller authorises AirCEO to engage the following sub-processors. AirCEO ensures equivalent contractual obligations are imposed on each sub-processor:

Sub-Processor | Purpose                             | Location
Supabase      | Primary database & storage          | EU (Frankfurt)
Clerk         | Authentication & identity           | United States
Stripe        | Payment processing                  | United States
OpenAI        | AI text generation & classification | United States
Anthropic     | AI text generation (fallback)       | United States
Mistral AI    | Voice synthesis (TTS)               | EU (France)
Deepgram      | Speech recognition (STT)            | United States
Resend        | Transactional email delivery        | United States
Mailgun       | Outbound email delivery             | EU / United States
Inngest       | Background job orchestration        | United States
Upstash       | Rate limiting (Redis)               | EU (Frankfurt)
Vercel        | Application hosting & CDN           | Global (Edge)
Sentry        | Error monitoring                    | United States
Twilio        | Telephony & SMS                     | United States

For US-based sub-processors, Standard Contractual Clauses (SCCs) or equivalent UK transfer mechanisms are in place. AirCEO will notify the Controller at least 30 days before engaging a new sub-processor, providing the Controller with an opportunity to object.

5. Data Breach Notification

In the event of a personal data breach, AirCEO shall:

  • Notify the Controller without undue delay and within 72 hours of becoming aware of the breach.
  • Provide the Controller with sufficient information to meet their own notification obligations to the ICO and affected data subjects.
  • Cooperate fully with the Controller's investigation and remediation efforts.
  • Document all breaches, including facts, effects, and remedial actions taken, in an internal breach register.

6. Data Deletion & Return

Upon termination of the service agreement, AirCEO shall, at the Controller's election:

  • Return all personal data to the Controller in a structured, commonly used, machine-readable format (CSV/JSON export); or
  • Delete all personal data within 90 days of termination, and certify deletion in writing upon request.

Residual data retained in encrypted backups will be purged in accordance with the backup retention cycle (maximum 180 days). Data subject to legal retention requirements (e.g., financial records) will be retained for the minimum period required by law.

7. Audit Rights

The Controller has the right to audit AirCEO's compliance with this DPA. AirCEO shall:

  • Make available all information necessary to demonstrate compliance with Article 28 of the UK GDPR.
  • Allow and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

Audits shall be conducted with reasonable notice (minimum 30 days) during normal business hours, no more than once per calendar year unless a data breach has occurred.

8. Personnel & Confidentiality

AirCEO ensures that all personnel authorised to process personal data are bound by contractual confidentiality obligations. Access to personal data is restricted to those who require it for the performance of their duties and is governed by the principle of least privilege.

9. Data Subject Requests

AirCEO shall assist the Controller in responding to data subject access requests (DSARs) and other rights requests under Articles 15–22 of the UK GDPR. AirCEO will promptly forward to the Controller any such request that AirCEO receives directly, and will not respond to data subjects independently without the Controller's instruction.

10. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales. This DPA forms an integral part of the Terms of Service and prevails over any conflicting provisions in the main agreement with respect to data protection matters.