Flyability
Data Processing Agreement

TERMS AND CONDITIONS

1 INTRODUCTION

1.1 Subject matter. This Annex reflects the agreement between the Parties regarding the processing and security of Customer Personal Data in connection with the delivery by Flyability of cloud Services.

1.2 Definitions. As used in this Annex, capitalised terms, in their singular or plural form, shall have the meanings specified in Article 12. The terms "data subject", "processing", "controller" respectively "controller of the data file" and "processor" used in this Annex shall have the meanings specified in the Swiss Data Protection Legislation.

2 DATA PROTECTION LEGISLATIONS

2.1 Applicable legislations. The Parties acknowledge and agree that the following data protection legislations may, depending on the circumstances, apply to the processing of Customer Personal Data:

(a) the Swiss Data Protection Legislation; and/or
(b) Other Applicable Data Protection Legislation.

2.2 Applicability of this Annex. Unless otherwise stated in this Annex, the provisions of this Annex shall apply regardless of the legislation applicable to the processing of Customer Personal Data.

3 DATA PROCESSING

3.1 Roles and compliance

3.1.1 Responsibility of the parties. The Parties acknowledge and agree that:

(a) the subject matter and details of the processing are specified in Appendix A;
(b) Customer is a controller, or a processor for a third party, as the case may be, of these Customer Personal Data under the Swiss Data Protection Legislation, as applicable;
(c) Flyability is a processor of Customer Personal Data under, except when it processes the Customer Personal Data to conform with the legal obligations applicable to it or for its internal business operations incident to the delivery of the services, as further specified in its privacy notice (in which case it acts as independent controller); and
(d) each Party shall comply with its obligations under the Swiss Data Protection Legislation.

3.1.2 Authorization by a third-party controller. If Customer is a processor for a third party, Customer warrants to Flyability that Customer has obtained the express prior authorization of the applicable controller to Customer's instructions and actions regarding the Customer Personal Data, including the designation of Flyability for performance of the Services as another processor.

3.1.3 Other legislation. If Other Applicable Data Protection Legislation applies to the processing of the Customer Personal Data, Customer undertakes to Flyability to comply with the obligations applicable to it with regard to the processing of the Customer Personal Data and to inform Flyability in writing of any provisions contained in such legislation that could have an impact on the processing of the Customer Personal Data by Flyability as a processor for Customer.

3.2 Scope of processing

3.2.1 Nature and purpose of processing. Flyability shall process the Customer Personal Data in accordance with this Annex. When Flyability acts as processor or subprocessor of the Customer Personal Data, Flyability undertakes to process the Customer Personal Data only on documented instructions from Customer unless a legislation applicable to Flyability requires other processing of the Customer Personal Data by Flyability, in which case it shall inform Customer of that legal requirement before processing (subject to any legal provisions to the contrary).

3.2.2 Instructions by Customer. By entering into this Annex, Customer instructs Flyability to process the Customer Personal Data as a processor only in strict compliance with the Swiss Data Protection Legislation and furthermore only to provide and improve the Services, as documented in the Agreement including this Annex. Customer agrees that those are Customer's complete documented instructions to Flyability for the processing of Customer Personal Data and that any additional or alternate instructions must be agreed in writing.

3.3 Obligations of Customer. Customer shall be responsible, namely, for the quality, lawfulness and relevance of the Customer Data processed in the context of the Services and shall be liable to third parties affected by the processing and to the competent data protection authorities. In particular, Customer shall:

(a) provide sufficient information to the data subjects about the collection and processing of their personal data;
(b) obtain the valid consent of the data subjects to the processing of their personal data, if such consent is required under the Swiss Data Protection Legislation;
(c) ensure compliance with all rights of the data subjects (e.g. right of access and rectification, right to object etc.) as well as all obligations towards the competent data protection authorities under the Swiss Data Protection Legislation; and
(d) only delegate to Flyability processing operations that Customer would be entitled to carry out itself and only insofar as no legal or contractual obligation to maintain secrecy prohibits the intervention of Flyability.

3.4 Responsibility. Customer shall bear sole responsibility for the processing of Customer Personal Data within the frame of the Services. Customer acknowledges and accepts that Flyability shall deem any processing of any Customer Personal Data within the frame of the Services, as permitted under the Agreement, as well as any instructions by Customer with respect to such processing activities as compliant with all applicable laws.

 

4 DELETION OF DATA

4.1 Access and Deletion by Customer. Flyability shall permit Customer to access, delete or modify the Customer Personal Data during the term of the Agreement.

4.2 Deletion at the end of the relationship. Customer irrevocably requires Flyability to delete or permanently anonymize all Customer Personal Data (including any existing copies) to which Provider has access upon the term of the agreement. Flyability shall comply with this instruction as soon as possible, unless Flyability is required to retain all or part of Customer Personal Data for technical or legal reasons. Customer acknowledges and accepts that it is its sole responsibility to transfer and/or safeguard Customer Personal Data that it wishes to keep thereafter.

5 DATA SECURITY

5.1 Security measures

5.1.1 Security measures of Flyability. Flyability shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against the occurrence of Security Incidents. These measures include in particular:

(a) the use of firewalls;
(b) the pseudonymisation and encryption of personal data;
(c) the means to ensure the ongoing confidentiality, integrity, availability and resiliency of processing systems and services;
(d) the means to limit access to Customer Personal Data to personnel who need to access it in the course of providing the Services;
(e) the means to restore the availability of and access to Customer Personal Data within an appropriate time frame in the event of a Security Incident; and
(f) a procedure to regularly test, analyse and evaluate the effectiveness of technical and organisational measures to ensure the security of the processing.

5.1.2 Security compliance by Flyability's personnel. Flyability shall take appropriate measures to ensure compliance with the above-mentioned security measures by its employees and subcontractors, in particular by ensuring that all persons authorized to handle Customer Personal Data are committed to process Customer Data are contractually bound to maintain confidentiality or are subject to an appropriate legal obligation of confidentiality.

5.1.3 Appropriateness of security measures. Customer warrants that it has verified, and undertakes to continuously verify, that the technical and organizational measures specified in this Section 4.1 are sufficient to adequately protect the Customer Data in accordance with the requirements set forth in the Swiss Data Protection Legislation.

5.2 Security Incidents

5.2.1 Notification of Security Incidents to Customer. If Flyability becomes aware of a Security Incident, Flyability undertakes to inform Customer as soon as possible by any useful means (in particular via the contact person designated by Customer). Flyability shall, to the extent possible, describe the nature of the Security Incident, as well as any measures taken by Flyability to mitigate potential risks and the measures that Flyability recommends Customer take. The actions of Flyability in connection with this Section 5.2.1 shall not constitute, and shall not be construed as, an admission by Flyability of any fault or liability in connection with the Security Incident that has occurred.

5.2.2 Obligations of Customer. Flyability will not review the content of Customer Data for the purpose of identifying the type of data involved. Customer shall be solely responsible for carrying out any analysis of Customer Data and for complying with the legal provisions applicable to it, in particular any obligations of Customer to provide a notification of the Security Incident to any competent authority and/or the data subjects. In this context, Flyability shall provide Customer with any assistance reasonably required by Customer in order to comply with its obligations.

5.3 Information on and audits of the security measures

5.3.1 Information. Flyability shall make available to Customer, in addition to the information contained in the Agreement, including this Annex, all documents and information reasonably necessary to demonstrate Flyability's compliance with its obligations hereunder.

5.3.2 Right of audit. Flyability shall allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Flyability's compliance with its obligations under this Annex. Upon conclusion of the audit, Customer shall forward the complete audit report to Flyability, free of charge.

5.3.3 Request. Any request under Sections 5.3.1 (Information) or 5.3.2 (Audits) must be communicated to Flyability in writing and indicate (i) the Customer Personal Data concerned, (ii) the reasons for which the conditions referred to in Sections 5.3.1 (Information), respectively 5.3.2 (Audits) apply to these data, (iii) the specific documents to be reviewed, respectively the specific obligations of Flyability to be audited, and (iv) that Customer expressly undertakes to use the information collected only to ensure that Flyability is in compliance with its obligations with regard to the Customer Personal Data and in particular that the information collected will not be used in connection with any legal or administrative proceedings against Flyability. Unless there are exceptional circumstances, Customer may not make more than one request per year.

5.3.4 Exercise of rights. Upon receiving a request in accordance with the preceding Section, and provided that all conditions are met, Flyability shall comply with the request as follows:

(a) Flyability shall inform Customer, with regard to the review of documents (Section 5.3.1 [Information] above), of the period during which it may consult the documents at Flyability's offices. Unless otherwise expressly agreed by Flyability, Customer shall not be authorized to make copies of the documents consulted. Alternatively, Flyability may decide to provide the documents by any other useful means, in particular by sending them electronically;
(b) Flyability shall inform Customer with regard to audits (Section 5.3.2 [Audit] above) of (i) the date or dates on which the audits may take place and (ii) the scope of the audit, in particular the inspections that may be carried out, in order to check Flyability's compliance with its obligations under this Annex. Customer's internal costs or the costs of the independent auditor appointed by it shall be borne entirely by Customer. Flyability may invoice Customer for its own costs associated with the preparation for and execution of the audit based on the costs incurred by Flyability. Flyability may object to any independent auditor appointed by Customer if, in the opinion of Flyability, the auditor is not sufficiently qualified, is a competitor of Flyability, or in any other way would not be able to perform its duties properly. In this case, Customer may either carry out the audit itself or propose another auditor to Flyability.

5.3.5 Confidential information. The provisions contained in this Section 5.2.2 shall not be interpreted as requiring Flyability to provide Customer with (i) any information relating to trade secrets of Flyability or any information of a confidential nature or (ii) any information concerning customers of Flyability (except Customer). Flyability may make the review of documents (Section 5.3.1 [Information] above) or the conduct of an audit (Section 5.3.2 [Audits] above) subject to the conclusion of a specific confidentiality agreement.

6 FLYABILITY'S ASSISTANCE

6.1 In General. Flyability shall, if so requested by Customer and always subject to the payment of its fees and costs relating thereto, provide to Customer the assistance reasonably necessary for Customer to meet its obligations under the Swiss Data Protection Legislation, as further specified in Sections 6.1 to 6.4 below. Customer also undertakes to provide Flyability with all necessary information to enable Flyability to demonstrate compliance with its obligations under the Swiss Data Protection Legislation.

6.2 Requests from data subjects. If Flyability receives a request from a data subject regarding Customer Personal Data, Flyability shall direct the data subject to submit its request to Customer, and Customer shall be responsible for responding to all such requests. The Parties agree that it is the sole responsibility of Customer to respond to requests from data subjects.

6.3 Actions by Customer. Flyability shall assist Customer in complying with its legal obligations to the data subjects, to the extent reasonable and compatible with the functionality of the Services. The measures shall cover all rights of the data subjects under the Swiss Data Protection Legislation, in particular access, rectification, limitation, objection, erasure and portability of their Customer Personal Data.

6.4 Impact assessments and prior consultation. Flyability undertakes, to the extent it can reasonably be expected to do so in light of the nature of the processing and the information available to it, to assist Customer in ensuring its compliance with its impact assessment and prior consultation obligations pursuant to the Swiss Data Protection Legislation.

7 INTERNATIONAL DATA TRANSFERS

7.1 Authorized countries. Customer agrees that Flyability shall retain and process Customer Personal Data in Switzerland and the European Union or in any country in which Flyability or one of its subcontractors maintains facilities, including in the US.

7.2 Special authorization. Flyability shall inform Customer (unless Flyability is under a legal obligation not to disclose) prior to any transfer of Customer Personal Data to a country not specified in Section 7.1 above and Customer undertakes to authorize such transfer provided that Flyability can guarantee by any useful means an adequate level of protection for the Customer Personal Data.

7.3 Authorization for Sub-processors. Customer agrees that where Flyability engages a sub-processor in accordance with Section 8 below, for carrying out specific processing activities (on behalf of Customer) in a third country not recognised by Switzerland as ensuring an adequate level of personal data protection, Flyability may use Standard Contractual Clauses of the European Commission, or another lawful mechanism, in order to comply with the requirements of the Swiss Data Protection Legislation, and Customer hereby agrees to such transfer provided that the conditions for the use of those lawful mechanisms are met.

8 SUB-PROCESSING

8.1 Consent. Unless otherwise provided in the Agreement, Customer specifically authorizes Flyability to use sub-processors, which may be Affiliated Entities of Flyability or other third parties. The sub-processors approved by Customer as of the effective date of this Annex are listed in Appendix A. Flyability undertakes to inform Customer in advance and in writing of any planned changes with respect to the addition or replacement of other sub-processors, in order to permit Customer to raise objections against any such sub-processors.

8.2 Requirements. In the event of a delegation in accordance with Section 8.1 above, Flyability undertakes to ensure in writing that:

(a) the sub-processor will only access and process Customer Personal Data to the extent necessary to perform its obligations; and
(b) the sub-processor has contractual obligations to Flyability that are at least equivalent to those of Flyability to Customer arising from this Annex and the Agreement.

8.3 Objection. Customer shall have 30 days after being informed of the planned addition or replacement of a sub-processor (including the name and location of the applicable sub-processor and the activities it will perform) to submit its objections. If Flyability confirms the appointment of the sub-processor to Customer, Customer shall be entitled to terminate the applicable Agreement, insofar as it concerns the subcontracted Services, with immediate effect by written notice sent within 14 days of receipt of Flyability's confirmation. This termination right shall be Customer's sole and exclusive remedy in the event of an objection to a new sub-processor. Customer's failure to react within any of the deadlines specified in this Section 8.3 shall be deemed an acceptance of the new sub-processor.

9 REGISTER OF PROCESSING ACTIVITIES

Customer acknowledges that Flyability may be required to:

(a) collect and store certain information, including the name and contact details of each processor and/or controller with whom Flyability acts and, where applicable, the local representative of the controller and/or the data protection officer, as well as the categories of processing carried out; and
(b) make such information available to any competent authority.

9.2 Customer undertakes to provide Flyability with all information reasonably necessary for Flyability to meet its obligations.

10 CUSTOMER CONTACT FOR DATA PROTECTION MATTERS

10.1 Customer data protection officer. If Customer has appointed a person in charge of data protection matters (such as a data protection officer) Customer may provide her or his contact details to Flyability. This person shall be Flyability's primary point of contact for all data protection communications, thus promoting faster and more efficient information sharing.

10.2 Flyability's Contact person. All communications to be made to Flyability relating to this Annex and/or data protection shall be addressed to support@flyability.com.

11 MISCELLANEOUS

11.1 Agreement. The terms of the Agreement shall apply to all aspects which are not covered by this Annex.

11.2 Order of precedence. In the event of a conflict or inconsistency between the terms of this Annex and the terms of the Agreement, the terms of this Annex shall take precedence, subject to express derogations specified in the Agreement.

11.3 Term. This Annex shall become effective upon signing of the subscription to Flyability's cloud Services and shall remain in effect until the end of the provision of such Services by Flyability under the Agreement (including, if applicable, during any period after termination of the Agreement during which Flyability continues to provide Services on a transitional basis, or continues to store Customer Personal Data) (the Term).

11.4 Electronic Form. The words “execution”, “signature” and similar words in this Annex shall be deemed to include unqualified electronic signatures (e.g. Docusign or any equivalent e-signature provider) which shall be of the same legal effect, validity or enforceability as a manually executed signature; while the term "in writing" shall include communications by email or other electronic forms.

11.5 No Waiver. The failure of a Party to exercise, or the delay in exercising, any of its rights under this Annex shall not be construed as a waiver of such right and shall not prevent or restrict the subsequent exercise of such right or any other right under this Annex. A waiver of any breach of this Annex shall be valid only if made in writing and, in any event, shall not be construed as a waiver of any other prior or subsequent breach.

12 DEFINITIONS

12.1 Affiliated Entity means any entity controlling, controlled by, or under common control with, a Party. For the purposes of this definition "control" means: (i) ownership of at least 50% of the entity's capital; (ii) ownership of at least 50% of the voting rights within the entity; or (iii) the power to exercise decisive influence over the management of the entity.

12.2 Agreement means the agreement between Flyability and its Customer for the procurement and use of Products and Services, including Flyability's General Terms and Conditions of which this Annex constitutes an integral part.

12.3 Annex means this data processing annex.

12.4 Applicable Data Protection Legislation means either the Swiss Data Protection Legislation and any Other Applicable Data Protection Legislation, as applicable.

12.5 Customer has the meaning specified in the Agreement.

12.6 Customer Data means the data (i) transmitted by Customer to Flyability, collected by Flyability (from Customer or from third parties on behalf of Customer) or generated by Flyability in connection with the provision of the Services and (ii) that is held or processed by Flyability.

12.7 Customer Personal Data means data of a personal nature or personal data, i.e. any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more elements specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, according to and in accordance with the Swiss Data Protection Legislation, contained in Customer Data.

12.8 Flyability has the meaning specified in the Agreement.

12.9 Other Applicable Data Protection Legislation means all data protection legislation other than the Swiss Data Protection Legislation.

12.10 Parties means Flyability and Customer jointly, or individually either of them.

12.11 Security Incident means a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

12.12 Services means the Cloud Services provided by Flyability to Customer under an Agreement; where "Cloud Services" has the meaning specified in the Agreement.

12.13 Swiss Data Protection Legislation means the Swiss Federal Data Protection Act and its implementing ordinances, as may be amended from time to time during the Term.

12.14 Term has the meaning set forth in Section 11.3.
 ***

APPENDIX A – SUBJECT MATTER AND DETAILS OF THE DATA PROCESSING

Categories of personal data
Personal data processed via the Services may include the following categories of data:
  • User information
  • Flight information (including location data)
  • Any personal data included in video footage or images.

Data subjects
The personal data processed via the Services may relate to the following categories of data subjects:

  • end users of the Services, including Customer's employees and consultants;
  • any other person whose personal data is transmitted to Flyability.

Approved sub-processors


| Name | Location | Processing activities | Which data is accessed | International transfers and safeguards |
|---|---|---|---|---|
| Amazon Web Services | Switzerland, EU (Germany), US | Hosting | All Customer Data | As per AWS terms (Privacy Framework and/or EU SCC) |
| DataDog, Inc. | EU (Germany) | Logging and monitoring | User information | As per DataDog terms (Master Subscription Agreement) |
| Stripe, Inc. | EU (Ireland) | Payments | User information | As per Stripe terms (Services Agreement) |