1. Parties and Roles
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer" or "Controller") and Jetlane Networks, LLC ("Jetlane" or "Processor") where Jetlane processes personal data on Customer's behalf under EU GDPR, UK GDPR, Swiss FADP, or analogous laws.
For account and billing data, Jetlane is an independent controller; that processing is described in the Privacy Policy. This DPA covers personal data Customer chooses to process using Jetlane infrastructure (e.g. Customer's end users whose data resides on a Jetlane VPS).
2. Subject Matter and Duration
Subject matter: providing the Services described in the Terms.
Duration: the term of the subscription, plus the deletion period in Section 9.
Nature and purpose: hosting, transmission, and storage of Customer data so Customer can deliver its own services.
Categories of data subjects: as determined by Customer (typically Customer's end users, employees, or contacts).
Categories of personal data: as determined by Customer (Jetlane does not access or read application data).
3. Customer Instructions
Jetlane processes Customer personal data only on documented instructions from Customer, including instructions in the Terms, the Services configuration set by Customer (e.g. region, retention), and reasonable written instructions delivered to dpa@jetlane.io. We will inform Customer if we believe an instruction violates applicable law, and may decline pending clarification.
4. Confidentiality
Personnel authorized to process Customer personal data are bound by written confidentiality obligations or appropriate statutory duties.
5. Security Measures (Article 32 GDPR)
Jetlane implements appropriate technical and organizational measures, including:
- Physical: data centers with 24/7 staffed security, biometric access, CCTV, redundant power and cooling (Equinix Tier III/IV)
- Network: edge firewalls, default DDoS mitigation, segregated management network
- Logical: encrypted transit (TLS 1.2+), encrypted-at-rest options on storage volumes, role-based access controls, MFA on all administrative interfaces
- Personnel: background-check screening for staff with production access, written confidentiality terms, mandatory security training
- Monitoring: centralized log collection, anomaly detection, vulnerability scanning, documented patch cadence
- Incident response: documented runbooks, on-call rotation, post-incident review with corrective actions
6. Sub-Processors
Customer authorizes Jetlane to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | US / EU |
| Resend, Inc. | Transactional email delivery | US |
| Cloudflare, Inc. | DNS, CDN, website hosting | US / global |
| Equinix Japan KK | Tokyo data center colocation | Japan |
Jetlane provides at least 30 days' notice before adding or replacing a sub-processor (via in-product notice or email to the billing contact). Customer may object on reasonable grounds; if the parties cannot agree on accommodation within 30 days, Customer may terminate the affected Services and receive a pro-rata refund of unused prepaid fees.
Jetlane remains liable for the acts and omissions of its sub-processors as if they were its own.
7. Data Subject Requests
Jetlane will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests for exercising data subject rights. We typically respond to assistance requests within 7 days. Direct data subject requests received by Jetlane will be forwarded to Customer without undue delay; Customer is responsible for substantive responses.
8. Personal Data Breach
Jetlane will notify Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer personal data. Notification will include, to the extent known: nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.
9. Return or Deletion of Data
Upon termination of the Services, Customer may export data for 30 days. After that period, Jetlane will delete or render irretrievable all Customer personal data, including backups within 90 days, unless retention is required by law.
10. Audits
Customer may, on at least 30 days' written notice and no more than once per 12-month period (more frequently if required after a security incident), audit Jetlane's compliance with this DPA. Audits are conducted at Customer's expense during business hours, do not unreasonably interfere with operations, and are subject to confidentiality terms reasonably required by Jetlane. Independent third-party reports (e.g. SOC 2) may be provided in lieu of on-site audits where they reasonably address Customer's questions.
11. International Transfers
Where Customer personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Decision 2021/914) as data exporter (Customer) and data importer (Jetlane), Module Two (controller to processor) or Module Three (processor to processor) as applicable. The UK International Data Transfer Addendum and Swiss equivalents apply where relevant. Annexes are completed with the information in this DPA.
12. Term and Termination
This DPA enters into force on the effective date of the Terms and remains in effect for as long as Jetlane processes Customer personal data. Sections regarding confidentiality, breach notification, deletion, and liability survive termination.
13. Order of Precedence
In case of conflict between this DPA and the Terms, this DPA prevails for matters of personal data processing. In case of conflict between this DPA and the Standard Contractual Clauses, the SCCs prevail.
14. Contact
Data protection inquiries and DPA-related notices: dpa@jetlane.io or privacy@jetlane.io.
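Chinese Summary (English version above is the legally binding document)
1 Roles: Customer is the data controller and Jetlane is the processor. This DPA applies where Customer's end-user data is processed under GDPR / UK GDPR / Swiss FADP.
3 Customer instructions: processing only on Customer's written instructions; Customer will be notified if an instruction is unlawful.
5 Security measures: physical (Tier III/IV data centers + 24/7 guards), network (edge firewalls + DDoS), logical (TLS 1.2+, encryption at rest, RBAC, MFA), personnel (background checks, confidentiality agreements), monitoring (centralized logging, vulnerability scanning), incident response (runbooks + post-incident review).
6 Sub-processors: Stripe (payments), Resend (email), Cloudflare (DNS/CDN), Equinix Japan (data center). 30 days' advance notice before adding or replacing a sub-processor; Customer may object on reasonable grounds.
7 Data subject requests: assist Customer in responding; assistance typically provided within 7 days. Requests received directly are forwarded to Customer for handling.
8 Data breach notification: Customer notified within 72 hours, including nature, scale, consequences, and measures taken.
9 Data deletion: after termination of the Services, Customer has a 30-day period to export data; thereafter data is deleted or rendered irretrievable, with backups purged within 90 days.
10 Audits: no more than once every 12 months, with 30 days' advance written notice, at Customer's expense; independent reports such as SOC 2 may substitute for on-site audits.
11 Cross-border transfers: via the EU Standard Contractual Clauses (SCC 2021/914) + UK/Swiss addenda.
14 Contact: dpa@jetlane.io or privacy@jetlane.io.
This Chinese summary is provided for convenience only. In case of ambiguity or conflict, the English version controls.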
Jetlane Networks, LLC · A Delaware limited liability company
Questions: legal@jetlane.io