Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Jet Lens, LLC ("JetLens") and the customer identified in the applicable Order Form or account ("Customer") — together the End User License Agreement and Terms of Service (the "Agreement") — and applies whenever JetLens processes Personal Data on Customer's behalf in providing the Service.

1. Roles and scope

• Customer is the controller of Personal Data submitted to the Service; JetLens is the processor, acting only on Customer's documented instructions. The Agreement, this DPA, and Customer's configuration and use of the Service are those instructions.
• "Personal Data" means information relating to an identified or identifiable natural person contained in Customer Data, within the meaning of the GDPR (EU 2016/679), the LGPD (Brazil Law 13.709/2018), and other applicable data protection laws.
• Nature and purpose of processing: hosting, storage, display, transmission, and analysis of records the Customer's personnel create in the Service (maintenance quality, compliance, training, and operational records).
• Categories of data subjects: Customer's employees and contractors who use the Service or are referenced in its records.
• Categories of Personal Data: names, work contact details, job titles, employment references, training and certification records, authorizations, and the content of work records that may identify individuals. The Service is not designed for, and Customer agrees not to submit, special categories of data (e.g., health, biometric) beyond what work records incidentally contain.
• Duration: the term of the Agreement plus the export-and-deletion window described in Section 7.

2. Processor obligations

JetLens will:

• process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required otherwise by law (in which case JetLens will inform Customer before processing, unless the law prohibits it);
• ensure that persons authorized to process Personal Data are bound by confidentiality obligations;
• implement and maintain the technical and organizational measures described in Annex A;
• not sell Personal Data, and not use Personal Data to train AI or machine-learning models (see the AI data-isolation commitments in the EULA, Section 6);
• assist Customer, taking into account the nature of processing, in responding to data subject requests (access, rectification, erasure, portability, objection) and in meeting Customer's security, breach-notification, and impact-assessment obligations;
• make available information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as described in Section 6.

3. Subprocessors

• Customer provides general authorization for the subprocessors listed at /legal/subprocessors. JetLens imposes data-protection obligations on each subprocessor consistent with this DPA and remains responsible for their performance.
• JetLens will update that page before a new subprocessor processes Personal Data. Customer may object on reasonable data-protection grounds within 30 days of the update; if the objection cannot be resolved, Customer may terminate the affected subscription and receive a pro-rata refund of prepaid fees.

4. Security and breach notification

• JetLens maintains the technical and organizational measures in Annex A and will not materially decrease the overall security of the Service during a subscription term.
• JetLens will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Data, with the information reasonably available to support Customer's own notification obligations, supplemented as the investigation progresses.

5. International transfers

The Service is hosted in the United States (see Subprocessors). Where Customer transfers Personal Data subject to the GDPR or LGPD to JetLens, the parties will, where required, execute the applicable standard contractual clauses or rely on another lawful transfer mechanism; Customer may request execution of the EU Standard Contractual Clauses (module two, controller-to-processor) by contacting privacy@jetlens.io.

6. Audits

No more than once per year (and additionally after a Personal Data breach), Customer may audit JetLens's compliance with this DPA by requesting JetLens's then-current security documentation, subprocessor audit reports available to JetLens, and written responses to a reasonable security questionnaire. On-site or technical audits require reasonable advance notice, must not compromise other customers' data, and are at Customer's expense.

7. Return and deletion

During the term, Customer may export Customer Data (including Personal Data) in machine-readable form using the Service's organization data export. After termination, JetLens makes Customer Data available for export for 30 days, then deletes it from its systems and instructs subprocessors to do the same, except where retention is required by law. Upon written request, JetLens will confirm deletion in writing.

8. Liability and order of precedence

This DPA is subject to the limitations of liability in the Agreement. If this DPA conflicts with the Agreement on the subject of Personal Data processing, this DPA controls.

Annex A — Technical and organizational measures

• Tenant isolation: every record is scoped to an organization ID; all queries are organization-scoped and row-level security is enforced at the database layer.
• Encryption: TLS 1.2+ in transit; AES-256 encryption at rest at the hosting layer.
• Access control: role-based access within the Service (admin / team / module permissions); production infrastructure access limited to authorized JetLens personnel using strong authentication.
• AI isolation: AI features receive only the requesting organization's data; no Customer Data is used for model training (EULA Section 6).
• Auditability: administrative and record-level actions are written to per-organization audit trails; data exports are themselves logged.
• Backups and recovery: automated database backups with point-in-time recovery at the hosting layer.
• Subprocessor assurance: primary hosting subprocessors are SOC 2 Type II audited (see Subprocessors page).

Contact

Privacy questions, data subject requests, or a countersigned copy of this DPA: privacy@jetlens.io.