HomeSchoolsVisionPricingAbout
addendum
Data Processing Addendum

Controller–Processor
Agreement.

This Data Processing Addendum (DPA) governs the relationship between AerEthos (Processor) and any school or educational institution (Controller) that engages AerEthos for yearbook or Vision services. It forms a binding part of the service agreement.

Effective
Upon service agreement signing
Jurisdiction
Ireland · European Union
Framework
GDPR Art. 28 compliant
Version
1.2 · March 2026
← Back to Terms
Binding agreement — please read in full
This DPA becomes legally binding upon execution of the AerEthos school service agreement. Schools are deemed to have accepted this DPA by paying the school onboarding fee and receiving written confirmation from AerEthos. If your school requires a separately countersigned version, contact nathan@aerethos.com.
§1

Definitions & Interpretation

In plain English
These are the key terms used throughout this document and what they mean.

In this DPA the following definitions apply:

Controller
The school or educational institution that determines the purposes and means of processing personal data relating to its students and staff. The Controller retains responsibility for ensuring lawful basis for processing and for providing adequate privacy notices to data subjects.
Processor
AerEthos, acting on the Controller's documented instructions to process personal data for the purpose of delivering yearbook design, production, and Vision platform services.
Personal Data
Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
Processing
Any operation performed on Personal Data, including collection, storage, use, disclosure, erasure, or destruction.
Data Subject
An identified or identifiable natural person whose Personal Data is processed — in this context, primarily students and school staff.
Sub-Processor
A third party engaged by AerEthos (Processor) to process Personal Data on behalf of the Controller, where such processing is necessary to deliver the agreed services.
Supervisory Authority
The Data Protection Commission (DPC) of Ireland, being the lead supervisory authority with jurisdiction over AerEthos.
Standard Contractual Clauses (SCCs)
The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914/EU.
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council, together with the Irish Data Protection Acts 1988–2018 and any subordinate legislation.
Vision Platform
The AerEthos digital memory archive platform, accessed via NFC chip or QR code, as described in §12 of this DPA.
§2

Scope & Duration

In plain English
This DPA covers all personal data AerEthos processes as part of the yearbook service. It lasts as long as AerEthos holds any of the school's data.

This DPA applies to all Personal Data processed by AerEthos (as Processor) on behalf of the school (as Controller) in connection with the provision of yearbook design, production, and Vision platform services, as set out in the school service agreement.

This DPA takes effect on the date the school service agreement is entered into (evidenced by payment of the school onboarding fee and written confirmation from AerEthos) and remains in force until:

  • All Personal Data processed under this DPA has been deleted or returned to the Controller in accordance with §13; or
  • The parties agree in writing that this DPA has terminated.

The obligations in this DPA survive termination of the service agreement to the extent that AerEthos continues to process or retain Personal Data belonging to the Controller.

Subject matter: Yearbook production and Vision platform services
Nature: Collection, storage, design, production, digital hosting, and deletion of student and staff personal data
Purpose: Production and delivery of the school yearbook; operation of the AerEthos Vision platform
Duration: As above; Vision content retained for minimum 30 years per §12
Categories of data subjects: Students (including minors); school staff
Categories of personal data: As set out in §4 of the Terms & Policies
§3

Roles: Controller & Processor

In plain English
The school is in charge of the data and decides what we do with it. AerEthos follows those instructions. We don't decide what to do with student data — you do.

The parties acknowledge and agree that in relation to Personal Data processed under this DPA:

  • The school acts as Controller and determines the purposes and means of processing student and staff personal data.
  • AerEthos acts as Processor and processes Personal Data only on the Controller's documented instructions, except where required to do otherwise by applicable law, in which case AerEthos shall inform the Controller of the relevant legal requirement before processing (unless prohibited by law).

AerEthos does not act as Controller in respect of student or staff personal data submitted through the yearbook process. AerEthos may act as an independent Controller in respect of its own business operations (communications with the school, billing records, security logs) — this processing is governed by AerEthos's Terms & Policies.

§4

Instructions & Permitted Processing

In plain English
AerEthos will only do what you tell us to do with the data. If you ask us to do something illegal, we'll tell you.

AerEthos shall process Personal Data only:

  • On the documented instructions of the Controller, as set out in the service agreement and any subsequent written instructions;
  • As necessary to deliver the yearbook and Vision platform services; and
  • In compliance with applicable data protection law.

The Controller acknowledges that AerEthos's obligations under this DPA constitute the Controller's primary documented instructions for the purposes of Article 28(3)(a) GDPR. Additional instructions may be given in writing at any time; AerEthos will inform the Controller if, in its reasonable opinion, an instruction infringes GDPR or other applicable data protection law.

AerEthos shall not process Personal Data for any purpose other than the performance of the services without the Controller's prior written consent.

§5

Confidentiality

In plain English
Everyone at AerEthos who touches your data is bound by confidentiality. We don't share it. We don't sell it.

AerEthos shall ensure that all persons authorised to process Personal Data under this DPA:

  • Are subject to binding confidentiality obligations (whether by contract or statutory duty);
  • Process Personal Data only in accordance with the Controller's instructions and this DPA;
  • Are informed of the confidential nature of the Personal Data and the applicable restrictions.

AerEthos shall not disclose Personal Data to any third party except as authorised by this DPA (sub-processors in accordance with §7), required by applicable law, or with the Controller's prior written consent.

These confidentiality obligations survive termination of the DPA indefinitely.

§6

Security Obligations

In plain English
We are required by law to keep your data secure. Here's exactly what we do.

AerEthos shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, at minimum:

  • Encryption of all Personal Data in transit using TLS 1.2 or higher (HTTPS enforced)
  • Encryption of Personal Data at rest using AES-256 (via hosting provider)
  • Multi-factor authentication (MFA) on all administrative accounts and production systems
  • Access controls based on the principle of least privilege — access to Personal Data is restricted to personnel who require it for service delivery
  • Secure, private source code repositories with access logging and audit trails
  • Payment data processed exclusively by Stripe (PCI DSS Level 1 certified) — AerEthos does not store, process, or transmit cardholder data
  • Regular application of security patches to dependencies and infrastructure components
  • Confidentiality obligations imposed on all personnel with access to Personal Data
  • Documented data processing procedures and access policies
  • Periodic review of access permissions and security configurations
  • Maintenance of an internal data breach register
  • Supplier due diligence for all sub-processors prior to engagement

In assessing the appropriate level of security, AerEthos takes into account: the state of the art; the costs of implementation; the nature, scope, context, and purposes of processing; and the risks of varying likelihood and severity to the rights and freedoms of natural persons — in particular risks arising from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to Personal Data.

The Controller acknowledges that AerEthos processes Personal Data on behalf of multiple schools and that security measures are designed to provide appropriate protection across all engagements. School-specific security requirements beyond those set out in this DPA should be raised in writing prior to service commencement.

§7

Sub-Processors

In plain English
We use a small number of trusted third-party providers (like Vercel for hosting and Stripe for payments). We've listed them all. We'll tell you before we add any new ones.

The Controller provides general authorisation for AerEthos to engage the sub-processors listed below. AerEthos shall:

  • Impose data protection obligations on each sub-processor equivalent to those set out in this DPA;
  • Remain fully liable to the Controller for the performance of sub-processors' obligations;
  • Notify the Controller of any intended addition or replacement of sub-processors with at least 30 days' advance notice, giving the Controller the opportunity to object;
  • If the Controller reasonably objects to a new sub-processor and AerEthos cannot accommodate the objection, either party may terminate the service agreement on 30 days' notice without liability for the termination itself.
Sub-Processor
Services Provided
Location
Transfer Mechanism
Vercel, Inc.
Hosting, CDN, edge network (website and Vision platform)
United States
EU–US DPF; SCCs (Module 2)
Stripe, Inc.
Payment processing and fraud prevention
United States
EU–US DPF; SCCs (Module 2)
GitHub, Inc. (Microsoft)
Source code hosting and CI/CD pipeline
United States
EU–US DPF; SCCs (Module 2)
Cloudflare, Inc.
DDoS protection and DNS resolution
United States
EU–US DPF; SCCs (Module 2)

AerEthos will maintain an up-to-date sub-processor list and make it available to the Controller on request. Transfer Impact Assessments (TIAs) for US-based sub-processors are available on request.

§8

Data Subject Rights

In plain English
If a student or parent asks to see, correct, or delete their data, the school handles that request. AerEthos will help you respond to it within the legal timeframes.

The Controller is responsible for receiving and responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) from students, parents, and staff in accordance with Articles 15–22 GDPR.

AerEthos shall, upon receiving a data subject rights request directly (where a data subject contacts AerEthos rather than the school):

  • Promptly redirect the data subject to the Controller (school) for handling;
  • Notify the Controller of the request without undue delay;
  • Provide reasonable assistance to the Controller in fulfilling the request, including by making available to the Controller the relevant Personal Data held by AerEthos.

AerEthos shall action confirmed erasure requests relating to Vision platform content within fourteen (14) days of receiving the Controller's written instruction to do so.

Erasure of student content from the Vision platform does not affect the physical yearbook. Content permanently incorporated into printed books cannot be recalled or modified.
§9

Personal Data Breach

In plain English
If there is a data breach, we will tell you within 24 hours. We will then help you notify the Data Protection Commission and any affected students.

AerEthos shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware of a personal data breach affecting Personal Data processed under this DPA.

The breach notification shall include, to the extent available at the time of notification:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and Personal Data records affected;
  • The name and contact details of AerEthos's data protection contact;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach and to mitigate its possible adverse effects.

Where all information cannot be provided simultaneously, AerEthos shall provide information in phases as it becomes available. The Controller remains responsible for notifying the Data Protection Commission under Article 33 GDPR (within 72 hours of becoming aware) and for notifying data subjects where required under Article 34 GDPR.

AerEthos shall provide reasonable assistance to the Controller in fulfilling its notification obligations. AerEthos shall maintain an internal breach register documenting all breaches and the actions taken, regardless of whether external notification is required.

§10

Data Protection Impact Assessment

In plain English
For high-risk uses of data (like NFC technology), we may need to do a formal risk assessment. AerEthos will help schools complete this if needed.

AerEthos shall provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments (DPIAs) required under Article 35 GDPR where processing operations are likely to result in high risks to the rights and freedoms of data subjects.

In particular, AerEthos acknowledges that the Vision NFC platform — involving systematic processing of access metadata from minors — may require a DPIA in certain jurisdictions or where required by a school's own data protection policies. AerEthos has conducted an internal DPIA for the Vision platform and will share this with schools on request.

Where a school is required by its data protection officer (DPO) or supervisory authority to conduct a DPIA prior to deploying Vision, AerEthos undertakes to provide all reasonably requested technical documentation, including sub-processor details, data flows, retention periods, and security measures.

§11

International Transfers

In plain English
Some of our providers are based in the US. We've set up the correct legal frameworks (EU–US Data Privacy Framework and Standard Contractual Clauses) to make sure your data is protected to EU standard.

Where AerEthos transfers Personal Data to sub-processors located outside the European Economic Area (EEA), it does so only on the basis of one or more of the following transfer mechanisms:

  • EU–U.S. Data Privacy Framework (DPF): where the recipient is a certified participant in the DPF. AerEthos verifies DPF certification prior to engaging US-based sub-processors and monitors certifications on an ongoing basis.
  • Standard Contractual Clauses (SCCs) — Module 2 (Controller-to-Processor): European Commission Decision 2021/914/EU, incorporated by reference into contracts with each affected sub-processor. Where required, these are supplemented by Transfer Impact Assessments (TIAs) and additional technical safeguards (e.g. encryption at rest and in transit).

AerEthos shall promptly notify the Controller if it believes any instruction would result in an unlawful international transfer. Documentation of transfer mechanisms for each sub-processor is available on request.

§12

AerEthos Vision — Special Provisions

In plain English
Because Vision stores student data permanently and uses NFC technology, it gets its own detailed section. This covers everything a data protection officer would want to know.
This clause sets out specific, additional provisions governing personal data processed through the AerEthos Vision platform. These provisions supplement (and in case of conflict, take precedence over) the general terms of this DPA with respect to Vision data.

The AerEthos Vision platform is a long-duration digital memory archive. Its purpose is to provide students with permanent access to school-related media (video, photographs, music metadata) and a searchable alumni directory. Processing under the Vision platform is characterised by:

  • Long retention: a minimum 30-year hosting commitment (see clause 12.3)
  • Public-facing access: no authentication required; content accessible to anyone with the URL
  • Minor data subjects: the majority of data subjects are likely to be under 18 at the time of initial processing
  • Post-service processing: data continues to be hosted and accessible long after the primary yearbook service is delivered

AerEthos Vision NFC uses passive NFC chips conforming to ISO/IEC 14443-A and NFC Forum Type 2 Tag specifications. The chip contains a single static URL record (NDEF format). No Personal Data is stored on the chip. The chip does not transmit data to AerEthos — a tap triggers a standard browser HTTP GET request to the hub URL.

The following data implications of NFC access are noted for DPIA purposes:

  • Access logging: each HTTP request to the hub URL results in server-side logging of IP address, user agent, timestamp, and page identifier. This logging occurs regardless of whether access was via NFC tap, QR scan, or direct URL entry.
  • No user identification: AerEthos does not use access logs to identify individual users. Logs are used in aggregate for security and troubleshooting only.
  • Read range: effective NFC read range is approximately 4cm. Accidental or covert activation by third parties is not a practical risk.
  • Chip security: chips are write-locked after URL programming. The URL cannot be modified or overwritten using standard consumer NFC-enabled devices.
  • No on-chip personal data: in the event a yearbook is lost or the chip is read by an unauthorised party, no Personal Data is exposed from the chip itself. The hub URL would need to be known to access content.

AerEthos commits to hosting all Vision hub content for a minimum period of thirty (30) calendar years from the date the hub first goes live. This commitment is contractual and forms part of the school service agreement.

In the event that AerEthos ceases to operate as a business during the retention period, AerEthos shall:

  • Provide the Controller with at least 6 months' written notice prior to cessation of hosting;
  • Use reasonable endeavours to transfer all hub content and infrastructure to a successor entity willing to honour the remaining retention commitment; or
  • Provide the Controller with a complete export of all hosted content in a standard, accessible format (MP4 for video, JPEG/PNG for images, CSV/JSON for metadata), at no additional cost.

The 30-year retention period applies to content hosted on the Vision platform. It does not apply to server access logs (retained for 90 days) or other operational data.

The Controller may instruct AerEthos to modify or remove specific content from a Vision hub at any time during the retention period. AerEthos shall action such instructions within 14 days of receipt. Where removal is requested by a data subject under the right to erasure (Article 17 GDPR), AerEthos will action the removal within 14 days of the Controller's forwarded instruction.

AerEthos shall maintain a log of all content modifications made after initial launch, including the date, nature of the change, and the instruction received. This log is available to the Controller on request.

Limitation: removal of content from the Vision platform does not affect the physical yearbook or any copies thereof already distributed to students.

By default, Vision hub URLs are:

  • Non-indexed: excluded from search engine indexing via robots.txt and meta directives
  • Unguessable: hub URLs incorporate a school-specific, randomised path segment that cannot be enumerated by brute force within a practical timeframe
  • Unauthenticated: no login is required to view hub content. This is intentional — authentication would create friction inconsistent with the seamless NFC tap experience.

Schools that require additional access controls (e.g. IP restriction, password protection, time-limited access) may request these at the time of service onboarding. Additional controls may affect the user experience and are subject to technical feasibility assessment.

§13

Return & Deletion of Data

In plain English
When the project is over, we delete your data. For Vision content, it stays up for 30 years as agreed. Everything else is gone within 12 months of project completion.

Upon termination of the service agreement, or upon written request from the Controller, AerEthos shall:

  • Securely delete or return all Personal Data processed under this DPA (other than Vision platform content — see below) within 30 days of the termination date or written request;
  • Provide written certification to the Controller confirming the deletion has been completed;
  • Instruct sub-processors to delete their copies of the relevant Personal Data within the same timeframe.

Exception — Vision platform content: Content hosted on the Vision platform is subject to the 30-year retention commitment in §12.3 and will not be deleted upon termination of the service agreement. If the Controller instructs removal of Vision content, AerEthos will action this within 14 days (§12.4).

Exception — legal retention obligations: AerEthos may retain billing and payment records, and other data subject to statutory retention obligations, for the periods required by applicable law notwithstanding this clause.

§14

Liability & Indemnification

In plain English
If AerEthos causes a data protection breach, AerEthos is liable for the damage caused by that breach. If the school's instructions cause the problem, the school bears responsibility.

Each party's liability under this DPA shall be subject to the limitations and exclusions in the service agreement, to the maximum extent permitted by law.

AerEthos shall be liable for damage caused by processing that infringes GDPR where it has not complied with obligations specifically directed to processors, or where it has acted outside or contrary to the Controller's lawful instructions.

The Controller shall be liable for damage caused by processing that infringes GDPR where it has failed to comply with its obligations as Controller, including but not limited to: failure to ensure lawful basis for processing; failure to provide adequate privacy notices to data subjects; or failure to respond to data subject rights requests within the required timeframes.

Where both parties are responsible for damage caused by a breach, liability shall be apportioned between the parties according to their respective degree of fault.

Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited under applicable law.
§15

Governing Law & Dispute Resolution

In plain English
This agreement is governed by Irish law. If there's a dispute, we try to resolve it between us first. If we can't, it goes to the Irish courts.

This DPA and any dispute or claim arising from or in connection with it (including non-contractual disputes) shall be governed by and construed in accordance with the laws of Ireland, without prejudice to any mandatory provisions of the law of the Controller's country of establishment.

In the event of a dispute relating to the interpretation or application of this DPA, the parties shall first attempt to resolve the dispute by good-faith negotiation. If the dispute is not resolved within 30 days of written notice from either party, it shall be submitted to the exclusive jurisdiction of the Irish courts, except where mandatory consumer or employment law provides otherwise.

Nothing in this clause prevents either party from seeking urgent injunctive or other equitable relief from a court of competent jurisdiction in any applicable territory.

Acceptance & execution

This DPA is deemed accepted by the Controller upon payment of the AerEthos school onboarding fee and receipt of written confirmation of service commencement. If a separately countersigned copy of this DPA is required by the Controller's data protection officer or legal counsel, please contact nathan@aerethos.com to arrange execution.

Processor
AerEthos
Represented by Nathan Sfendji
nathan@aerethos.com
Signed electronically upon service agreement commencement
Controller
Your school name
Authorised representative
Contact nathan@aerethos.com to request a countersigned version
I confirm I have read and understood this Data Processing Addendum and that it forms part of the service agreement between my school and AerEthos.
Version history
v1.2 · 18 Mar 2026
Added §12 Vision Special Provisions with NFC technical detail, DPIA guidance, URL security, 30-year retention mechanics, and sub-processor table. Added §10 DPIA assistance. Expanded §6 security sub-clauses. Added electronic acknowledgement.
v1.1 · 14 Mar 2026
Initial release.