Data Processing Addendum

2.1 Automatic Application

This DPA automatically incorporates into the Agreement without separate execution. Customer’s continued use of the Services following the Effective Date of this DPA constitutes acceptance of its terms.

2.2 Relationship to Agreement

This DPA supplements and is incorporated into the Agreement. In the event of any conflict between this DPA and the Agreement regarding the processing of Personal Information, this DPA shall control.

2.3 Dual Processing Framework

This DPA governs Company’s processing of Personal Information in two distinct capacities:

2.4 Customer Direction and Control

Customer acknowledges and agrees that:

• Customer directs both Customer Personnel and Prospective Employees to use Company’s Services
• Customer maintains control over Customer Personnel data processing decisions
• Company maintains independent business authority for background screening processes
• Different legal frameworks apply to each processing relationship as set forth herein

3.1 Processing Authorization

Service Provider processes Customer Personnel Personal Information solely:

• For specific business purposes in this DPA and the Agreement
• Per Customer’s documented instructions
• To provide platform access and Services
• To comply with applicable legal obligations

3.2 Prohibited Activities

Service Provider shall not:

• Sell Customer Personnel Personal Information
• Share Personal Information for cross-context behavioral advertising
• Retain, use, or disclose Personal Information outside the business relationship with Customer
• Combine Personal Information with information from other sources (except as permitted by CPRA § 1798.145(a)(3))
• Process Personal Information for any commercial purpose not specified in this DPA

3.3 Permitted Business Purposes

Service Provider may process Customer Personnel Personal Information for:

• Platform Access: Creating and managing user accounts, login credentials, and authentication
• Service Delivery: Providing credentialing platform functionality and technical support
• Security Monitoring: Detecting unauthorized access and maintaining platform security
• Usage Analytics: Generating reports on platform usage for Customer
• Compliance: Meeting regulatory requirements for airport security and access control
• Auditing: Counting interactions and verifying system functionality
• Short-term Processing: Transient use that does not involve disclosure to third parties

3.4 Subprocessors

4.1 Independent Authority

For background screening, Company has authority to:

• Collect Personal Information directly from Prospective Employees
• Determine screening methodologies and sources
• Establish retention per legal requirements
• Respond directly to privacy rights requests
• Maintain records per applicable law

4.2 Customer’s Role

Customer acknowledges that for background screening services:

• Customer directs Prospective Employees to complete Company’s screening process
• Customer provides screening criteria and position requirements
• Customer receives screening results and makes independent hiring decisions
• Company maintains independent legal obligations to Prospective Employees under CPRA and Fair Credit Reporting Act (FCRA)

4.3 Lawful Processing Basis

Company’s Independent Business processing is based on:

• Legitimate Business Interests: Providing comprehensive employment screening services
• Legal Compliance: Meeting Fair Credit Reporting Act and aviation security requirements
• Prospective Employee Consent: Where required for specific types of background checks
• Customer Authorization: To conduct screening on Customer’s behalf as Consumer Reporting Agency

4.3 Third-Party Sources

Company may obtain Personal Information from: consumer reporting agencies, government databases, courts, educational institutions, previous employers, credit bureaus (when legally permissible).

4.4 Screening Reports

Company will provide screening results to Customer in accordance with FCRA requirements, aviation security regulations for airport personnel clearances, EEO laws and non-discriminatory requirements and Customer’s specified screening criteria and position requirements.

5.1 Service Provider Data Assistance

For Personal Information processed under the Service Provider relationship, Service Provider shall:

• Assist Customer in responding to consumer rights requests within ten (10) business days of Customer’s request
• Provide data access to enable Customer to fulfill rights requests for Customer Personnel data
• Implement technical measures to facilitate data portability, deletion, and correction as instructed by Customer
• Not respond directly to Customer Personnel unless specifically authorized by Customer in writing

FEDERAL COMPLIANCE LIMITATION: Service Provider shall not delete Personal Information when retention required by 49 CFR Parts 1542, 1544, or TSA directives. Service Provider shall:

1. Document specific federal regulation requiring retention
2. Notify individual of legal basis for denial
3. Specify minimum retention period
4. Limit use to compliance purposes only

5.2 Independent Business Rights

For Personal Information processed under the Independent Business relationship, Service Provider shall:

• Respond directly to Prospective Employee rights requests in accordance with applicable law
• Verify identity using reasonable methods appropriate to the request type and sensitivity
• Process deletion, correction, opt-out, and data access requests independently
• Coordinate with Customer when rights requests may affect Customer’s hiring processes or decisions

5.3 Federal Retention Requirements

Both Company and Customer acknowledge federal aviation security regulations mandate retention of:

• Security training records (49 CFR § 1542.113)
• Criminal history records checks (49 CFR § 1542.209)
• Security threat assessments
• Airport access media records
• Unescorted access authority documentation

When deletion requested for federally-required data:

• Neither party shall delete during mandatory retention period
• Responding party cites specific federal regulation
• Data retained for minimum period required
• Data used solely for compliance
• Data deleted promptly upon expiration

This limitation applies regardless of which party receives the request.

6.1 Technical Safeguards

Service Provider shall implement and maintain:

• Encryption: AES-256 encryption for data at rest, TLS 1.2+ for data in transit
• Access Controls: Multi-factor authentication, role-based access, principle of least privilege
• Network Security: Firewalls, intrusion detection/prevention systems, network segmentation
• Monitoring: Continuous security monitoring, logging, and alerting systems
• Vulnerability Management: Regular security assessments, penetration testing, and patch management

6.2 Administrative Controls

• Employee Training: Regular privacy and security training for all personnel with data access
• Background Screening: Appropriate vetting of employees with access to Personal Information
• Incident Response: Comprehensive breach response procedures and notification protocols
• Policy Management: Regular review and updates of security and privacy policies
• Vendor Management: Due diligence and ongoing oversight of third-party service providers

6.3 Physical Security

• Secure Facilities: Restricted access to data centers and offices with environmental controls
• Device Security: Encrypted storage devices, secure disposal procedures
• Media Controls: Secure handling and destruction of physical media containing Personal Information

7.1 Service Provider Data

Personal Information processed under the Service Provider relationship shall be retained according to:

• Customer written instructions (subject to federal requirements)
• Service Agreement terms and default retention periods
• Federal requirements: 49 CFR Parts 1542, 1544, TSA directives (supersede Customer instructions and CPRA deletion rights)
• Business necessity

Service Provider maintains federal retention schedule and shall not delete prior to expiration, even upon Customer instruction or consumer request.

7.2 Independent Business Data

Personal Information collected for background screening shall be retained according to:

• Fair Credit Reporting Act: Seven (7) years for employment screening records
• Aviation Security Regulations: As required by TSA and FAA (typically ten (10) years for security records)
• State Employment Laws: Varying retention requirements by jurisdiction
• Company Retention Policy: Established retention schedule for different data types

7.3 Deletion Procedures

Upon termination of services or expiration of retention periods:

• Service Provider Data: Deleted or returned to Customer as instructed within thirty (30) days
• Independent Business Data: Deleted according to applicable legal requirements and Company policy
• Backup Systems: Personal Information in backup systems deleted according to standard backup rotation
• Certification: Written certification of deletion provided upon Customer request

7.4 Legal Hold

Notwithstanding other retention provisions, Personal Information subject to litigation hold, legal proceedings, government investigation, regulatory inquiry, ongoing dispute resolution, or other legal preservation requirements shall be retained until such legal obligations are resolved.

8.1 Notification Requirement

Service Provider shall notify Customer within seventy-two (72) hours of becoming aware of:

• Security incidents involving unauthorized access, use, or disclosure of Personal Information
• Data breaches likely to result in risk to individual rights and freedoms
• System compromises involving unauthorized access to systems processing Customer data
• Any violation of this DPA by Service Provider or its subprocessors

8.2 Incident Information

Breach notifications shall include, to the extent known:

• Description of the incident and affected Personal Information categories
• Number and categories of individuals affected
• Likely consequences of the incident
• Measures taken or proposed to address the incident and mitigate harm
• Contact information for further inquiries

8.3 Cooperation In Response

Service Provider shall promptly investigate/contain incidents, cooperate with Customer’s incident response and regulatory notifications, preserve evidence and incident documentation and implement remediation measures.

9.1 Compliance Monitoring

Service Provider shall:

• Maintain detailed records of Personal Information processing activities
• Regularly assess compliance with this DPA and applicable privacy laws
• Promptly notify Customer of any compliance concerns or violations
• Take corrective action to address identified compliance gaps

9.2 Audit Rights

Customer may, upon reasonable advance written notice:

• Request and receive annual compliance certifications or reports
• Conduct reasonable remote desktop electronic audits of Service Provider’s data processing with no less than 5 business days’ written notice to Service Provider
• Engage qualified third-party auditors subject to appropriate confidentiality agreements
• Access relevant policies, procedures, and compliance documentation

Audits shall not unreasonably interfere with Service Provider’s business operations and shall be conducted no more than once annually unless triggered by a security incident or regulatory requirement.

9.3 Certifications

Upon Customer’s written request, Service Provider shall provide certification of annual DPA, security or privacy compliance.

11.1 Term

This DPA shall remain in effect for so long as Service Provider processes Personal Information on behalf of Customer or under the Independent Business relationship.

11.2 Effect of Termination

Upon termination or expiration of the Agreement:

• Service Provider Data: Customer may request return or deletion of Customer Personnel data within thirty (30) days
• Independent Business Data: Retained according to legal requirements and Company policy
• Transition Assistance: Service Provider will provide reasonable assistance with data transition
• Timeline: Data return or deletion completed within sixty (60) days unless otherwise agreed

11.3 Survival

The following provisions survive termination: data security obligations, confidentiality, audit/compliance for retained data, indemnification, liability and any other provisions that by their nature should survive.

14.1 Amendment

Service Provider may update this DPA from time to time by posting the updated version at airbadge.us/dpa. Material changes will be communicated to Customer through the Services platform. Customer’s continued use of the Services following notice of changes constitutes acceptance of the updated DPA.

14.2 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.

14.3 Integration and Interpretation

This DPA supplements the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement with respect to the processing of Personal Information, this DPA shall govern.

Service Provider Processing (Customer Personnel):

• Account Information: Names, email addresses, employee IDs
• Authentication Data: Login credentials, access tokens, session information
• Usage Data: Platform access logs, feature usage, system interactions
• Device Information: IP addresses, browser information, device identifiers
• Communication Records: Support requests, system notifications

Independent Business Processing (Prospective Employees):

• Application Information: Personal identifiers, contact information, employment history
• Government Identifiers: Social Security Numbers, driver’s license numbers, passport numbers
• Background Check Data: Criminal history, credit reports, employment verification, education verification
• Biometric Information: Fingerprints for security clearance
• Reference Information: Previous employer contacts and recommendations
• Education Records: Degrees, certifications, professional licenses
• Financial Information: Credit history (where applicable and legally permissible)