Data Processing Addendum
Last updated April 25, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Aevix (“Processor”) and the Customer (“Controller”) when the Controller is subject to the EU General Data Protection Regulation (GDPR), UK GDPR, Swiss FADP, or substantially similar data-protection laws.
1. Roles
The Customer is the Controller of Customer Personal Data. Aevix is the Processor and processes Customer Personal Data only on the Controller's documented instructions.
2. Scope and purpose
Aevix processes Customer Personal Data to provide the Service as described in the Terms of Service, including authentication, scheduling, certifications tracking, vehicle and equipment checks, incident records, and related operational workflows.
3. Categories of data subjects and data
- Data subjects: Customer's personnel (employees, volunteers, contractors), administrators, and any individuals referenced in operational records.
- Categories of personal data: Identifiers (name, email, phone), employment metadata (rank, station, shift), certifications, scheduling preferences, operational records, and authentication data. Special-category data is not processed unless the Controller chooses to upload it.
4. Subprocessors
The Controller authorizes Aevix to engage the subprocessors listed in our Subprocessor List. We will provide at least 30 days' advance notice of changes and the Controller may object as set out in that document. We impose data-protection terms on each subprocessor that are no less protective than this DPA.
5. International transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (Modules Two and Three, as applicable) and the UK International Data Transfer Addendum, which are incorporated by reference.
6. Security
Aevix implements the technical and organizational measures described in section 8 of our Privacy Policy, including encryption in transit (TLS), encryption at rest, role-based access controls, row-level security in the database, and audit logging.
7. Personal data breach
Aevix will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach affecting Customer Personal Data, providing the information needed to meet the Controller's notification obligations.
8. Data subject requests
Aevix will provide reasonable assistance to enable the Controller to respond to data-subject requests under applicable law. Administrative tools to export, correct, and delete data are provided in the Service.
9. Audits
Aevix will make available the information necessary to demonstrate compliance with this DPA. Where required, the Controller may request an audit no more than once per year, on at least 60 days' written notice, conducted under reasonable confidentiality terms and at the Controller's expense, unless the audit reveals a material breach.
10. Return or deletion
On termination, Aevix will, at the Controller's choice, return or delete Customer Personal Data within 30 days, except where retention is required by law.
11. Acceptance
Customers subject to applicable data-protection laws may accept this DPA by emailing privacy@aevix.app from a verified administrator address. We will counter-sign and return an executed copy.