This Data Processing Agreement ("DPA") forms part of the Aether Terms of Service and governs the processing of personal data by Aether HQ ("Processor") on behalf of the customer ("Controller") in connection with the Aether platform and API.
This DPA applies where and to the extent that Aether processes personal data that is subject to the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), or other applicable data protection laws, on behalf of the customer.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable data protection law. "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion. "Sub-processor" means any third party engaged by Aether to process personal data on the customer's behalf.
2. Scope of Processing
Aether processes personal data solely to provide the services described in the Terms of Service and only on documented instructions from the customer, unless required to do so by applicable law. The subject matter, nature, and purpose of processing are the operation of the social media API platform, including storing OAuth tokens, user profile data from connected social accounts, post content, analytics data, and message data.
3. Customer Obligations
The customer is responsible for ensuring that any personal data transferred to Aether for processing has been collected lawfully and that end users have been informed of any processing activities as required by applicable law. The customer must have a lawful basis for instructing Aether to process personal data.
4. Aether Obligations
Aether agrees to:
- Process personal data only on documented customer instructions
- Ensure that personnel authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 5
- Assist the customer in responding to data subject rights requests to the extent Aether holds the relevant data
- Delete or return all personal data after the end of the service relationship, at the customer's choice
- Provide all information necessary to demonstrate compliance with this DPA upon reasonable request
5. Security Measures
Aether implements the following security measures to protect personal data: encryption at rest (AES-256) and in transit (TLS 1.2+); access controls and role-based permissions; OAuth tokens encrypted before storage; regular security audits; incident response procedures with customer notification within 72 hours of discovery of a personal data breach.
6. Sub-processors
Aether uses the following categories of sub-processors: cloud infrastructure (MongoDB Atlas, Upstash Redis), analytics (Tinybird), payment processing (Stripe), email (Resend), and media storage (Cloudflare R2). Aether will notify the customer of any intended changes to sub-processors and provide the customer with the opportunity to object. A current list of sub-processors is available at aetherhq.dev/privacy.
7. International Transfers
Where personal data is transferred outside the European Economic Area or the United Kingdom, Aether will ensure appropriate safeguards are in place, including Standard Contractual Clauses adopted by the European Commission or equivalent mechanisms recognized under applicable law.
8. Data Subject Rights
Aether will assist the customer in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, and objection). Where Aether receives a data subject request directly, it will promptly notify the customer unless prohibited by law.
9. Audit Rights
Aether will provide all information reasonably necessary to demonstrate compliance with this DPA and allow for audits conducted by the customer or its designated auditor, subject to reasonable advance notice and confidentiality obligations. Audit costs are borne by the customer unless the audit reveals a material breach by Aether.
10. Termination
Upon termination of the service agreement, Aether will, at the customer's choice, delete or return all personal data and delete existing copies unless applicable law requires storage of the personal data.
11. Governing Law
This DPA is governed by the same law as the Terms of Service. Where GDPR applies, the data protection supervisory authority of the customer's primary establishment shall have jurisdiction.
12. Contact
For DPA-related inquiries or to request a countersigned DPA for your records, contact privacy@aetherhq.dev.