
Data Processing Addendum

Last updated · June 25, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Customer”) and airys, inc. and applies where airys processes personal data on your behalf in providing the Services.

This DPA supplements our Terms of service and reflects the parties' agreement on the processing of personal data under applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and US state privacy laws. Capitalized terms not defined here have the meaning given in the Terms.

1. Roles of the parties

In short: You are the controller; airys is your processor.

For personal data of your end users that airys processes through the Services (“Customer Personal Data”), Customer is the controller and airys is the processor. Where Customer is itself a processor acting on behalf of a third-party controller, airys is a sub-processor. airys will process Customer Personal Data only as described in this DPA.

2. Definitions

“Controller,” “processor,” “data subject,” “personal data,” “processing,” and “personal data breach” have the meanings given in the GDPR. “Sub-processor” means any processor engaged by airys to process Customer Personal Data. “Applicable Data Protection Laws” means the data protection and privacy laws applicable to the processing under this DPA.

3. Processing of customer personal data

airys will process Customer Personal Data only on Customer's documented instructions, including as set out in the Terms, this DPA, and Customer's use and configuration of the Services, unless required to do otherwise by law (in which case airys will inform Customer unless legally prohibited). The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in Annex I.

4. Confidentiality

airys ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access the data only as necessary to provide the Services.

5. Security

airys implements appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as described in Annex II. No method of transmission or storage is fully secure, but airys maintains measures designed to provide a level of security appropriate to the risk.

6. Sub-processors

In short: We use a short list of infrastructure providers, and you can object to changes.

Customer authorizes airys to engage the sub-processors listed in Annex III to process Customer Personal Data. airys imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for each sub-processor's performance. airys will give Customer notice of any intended addition or replacement of a sub-processor and a reasonable opportunity to object on reasonable data-protection grounds.

7. Data subject requests

Taking into account the nature of the processing, airys will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Applicable Data Protection Laws. The Services also let Customer access, export, correct, and delete Customer Personal Data directly.

8. Personal data breach

airys will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to assist Customer in meeting its own notification obligations.

9. Data protection impact assessments

airys will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to airys.

10. International transfers

airys and its sub-processors may process Customer Personal Data in the United States and other countries. Where Applicable Data Protection Laws require, transfers of Customer Personal Data from the EEA, the UK, or Switzerland are made subject to appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated by reference.

11. Return and deletion

On termination of the Services, and at Customer's choice, airys will delete or return Customer Personal Data, and delete existing copies unless retention is required by law. Customer may also export or delete its project's data at any time through the Services.

12. Audits

airys will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable notice, confidentiality, and frequency limits.

13. Liability and governing law

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms. This DPA is governed by the laws of the Commonwealth of Puerto Rico and applicable US federal law, consistent with the Terms.

Annex I — Details of processing

  • Subject matter: provision of the airys customer-support Services.
  • Duration: for the term of the Terms and until deletion or return of Customer Personal Data.
  • Nature and purpose: hosting, storage, indexing, AI-assisted answering, ticketing, and email/widget support on Customer's behalf.
  • Types of personal data: identifiers and contact data (such as name and email), the content of support conversations and tickets, and any personal data Customer's end users choose to include.
  • Categories of data subjects: Customer's end users and Customer's own team members.

Annex II — Technical and organizational measures

  • Encryption of data in transit (TLS) and at rest.
  • Access controls and authentication for the dashboard via Auth0 by Okta, with role-based permissions.
  • Logical isolation of customer projects.
  • Use of reputable cloud infrastructure with managed security controls.
  • Confidentiality obligations for personnel and least-privilege access.
  • Monitoring and procedures for detecting and responding to incidents.

Annex III — Sub-processors

  • Amazon Web Services — cloud hosting and infrastructure (United States).
  • Amazon Bedrock — AI model processing for grounded answers (United States).
  • MongoDB Atlas — database and data storage on AWS (United States).
  • Auth0 by Okta — authentication and sign-in.
  • Stripe — payment processing.

Contact

For questions about this DPA, or to exercise rights or send notices under it, email legal@airys.ai.
