Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the customer identified in the applicable order form, contract, statement of work, or other written agreement ("Customer") and AirGradient ("AirGradient").
It applies to professional, school, city, research, NGO, enterprise, reseller, and partner deployments where AirGradient processes personal data on Customer's behalf.
Complete the legal entity details before signature. Customers may request a counter-signed copy at support@airgradient.com.
1. Agreement and Precedence
This DPA is incorporated into the agreement under which AirGradient provides services to Customer. If there is a conflict about personal data processing, the following order of precedence applies unless the main agreement states otherwise:
- Mandatory transfer terms, including Standard Contractual Clauses where applicable.
- This DPA.
- The customer agreement, order form, or statement of work.
- AirGradient's published privacy, security, support, and technical documentation.
2. Key Definitions
"Applicable Data Protection Law" means all privacy and data protection laws that apply to Customer Personal Data, including where applicable GDPR, UK GDPR, Swiss FADP, Thai PDPA, and similar laws.
"Customer Personal Data" means personal data processed by AirGradient on behalf of Customer.
"Personal Data Breach" means a security breach causing accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
"Subprocessor" means a third party engaged by AirGradient to process Customer Personal Data for the Services.
Other data protection terms have the meanings given under Applicable Data Protection Law.
3. Roles, Scope, and Instructions
Customer is the controller of Customer Personal Data, or processor where Customer processes personal data on behalf of another controller. AirGradient is the processor where it processes Customer Personal Data on Customer's behalf and according to Customer's documented instructions.
AirGradient acts as controller for its own business operations, including direct support administration, customer relationship management, billing, direct shop/order fulfillment, legal compliance, security monitoring, and service improvement, as described in AirGradient's Privacy Policy.
Customer instructs AirGradient to process Customer Personal Data as necessary to provide dashboard hosting, app access, APIs, monitor data ingestion, alerts, reports, exports, support, optional public sharing, online shop/order handling through Ecwid by Lightspeed where applicable, professional services, and related technical services.
Documented instructions include the agreement, this DPA, Customer's product settings, public/private sharing settings, and written deployment or support instructions. AirGradient will inform Customer if AirGradient believes an instruction infringes Applicable Data Protection Law, unless legally prohibited from doing so.
4. Customer Responsibilities
Customer is responsible for:
- Having a lawful basis, providing notices, obtaining required consents, and responding to data subject requests where Customer is controller.
- Managing Customer users, roles, permissions, monitor locations, monitor names, project names, and public/private settings.
- Deciding whether monitor data is shared through the AirGradient map, public API, OpenAQ, or other public data channels.
- Avoiding unnecessary personal or sensitive data in monitor names, location names, support tickets, attachments, and public metadata.
- Providing data residency, retention, deletion, access, security, procurement, or notice requirements before deployment.
- Having authority to provide purchaser, recipient, billing, and shipping data when using the AirGradient online shop for other people.
5. AirGradient Obligations
Where AirGradient acts as processor, AirGradient will:
- Process Customer Personal Data only on documented instructions from Customer, unless required by law.
- Ensure authorized personnel are subject to confidentiality obligations.
- Maintain appropriate technical and organizational measures.
- Use Subprocessors only as described in this DPA and the Subprocessor List.
- Assist Customer with data subject requests, security, breach, DPIA, and supervisory authority consultation obligations where required and reasonably possible.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
- Delete or return Customer Personal Data according to this DPA and the agreement.
AirGradient does not sell Customer Personal Data and does not use private Customer Personal Data for unrelated advertising or third-party monetization.
6. Processing Details
| Item | Description |
|---|---|
| Subject matter and purpose | Air quality monitoring services, dashboard, apps, APIs, alerts, reports, public sharing where enabled, support, online shop/order handling where applicable, and related professional services. |
| Duration | Agreement term plus post-termination periods needed for export, deletion, legal obligations, disputes, security, backup expiry, or public-data commitments. |
| Nature of processing | Collection, hosting, storage, retrieval, display, analysis, correction, export, sharing where instructed, deletion, security, and support. |
| Data subjects | Customer staff, dashboard users, monitor owners/maintainers, support requesters, purchasers/order recipients/billing or shipping contacts where applicable, and people identifiable from Customer's monitor deployment. |
| Data categories | Names, emails, roles, account IDs, authentication metadata, monitor IDs, project/place names, configuration, calibration, firmware metadata, coordinates, public/private status, measurements linked to locations/timestamps, route/GPS data where enabled, notifications, support messages/attachments, shop/order data, API tokens, audit logs, and operational metadata. |
| Sensitive data | Not intended. Customer must not submit special-category or highly sensitive data unless explicitly agreed in writing. |
| Public sharing and data residency | Controlled by Customer settings, the agreement, and documented regional requirements. |
Air quality measurements are not automatically health data, but they may become sensitive in context if combined with health statements, precise home locations, school deployment details, or personal route history.
7. Security
AirGradient maintains technical and organizational measures appropriate to the Services, including least-privilege access, MFA for administrative systems where supported, access review, prompt offboarding, confidentiality obligations, TLS or equivalent encryption in transit, encryption at rest where supported, separation between private customer data and public data feeds, retention and deletion controls, restricted administrative access, monitoring, patching, secure development practices, secret separation, dependency review, backup and recovery practices, restore testing, incident response, and vendor review.
Detailed controls are described in AirGradient's Information Security Policy, Backup and Disaster Recovery Procedure, and Incident Response Procedure.
8. Subprocessors and Data Recipients
Customer gives AirGradient general written authorization to use Subprocessors to provide the Services. AirGradient maintains a Subprocessors and Data Recipients list covering relevant hosting, infrastructure, email, support, shop, payment, map, notification, communication, forum, and public data providers.
AirGradient imposes appropriate data protection obligations on Subprocessors that process Customer Personal Data on AirGradient's behalf. Where a customer contract requires advance notice of new or replacement Subprocessors, AirGradient provides notice according to the contract. Customer may object on reasonable data protection grounds. If the objection cannot reasonably be resolved, Customer may terminate the affected Services according to the agreement.
9. Public Data Sharing
Customer controls whether Customer monitor data is private or public unless the agreement states otherwise. If Customer enables public sharing, public monitor data may be made available through the AirGradient public map, public API, OpenAQ, or other enabled public data channels and may include selected public location, measurements, timestamps, source information, attribution, and license information.
Public data may be accessed, downloaded, cached, republished, analyzed, or combined with other datasets by third parties. Disabling public sharing stops future sharing through AirGradient-controlled channels, but AirGradient cannot guarantee deletion from OpenAQ, external API users, caches, downloaded datasets, research copies, screenshots, or third-party tools after valid publication.
Customer is responsible for confirming that public monitor locations, contributor names, project names, place names, and related metadata can lawfully be made public.
10. Online Shop and Ecwid by Lightspeed
AirGradient may use Ecwid by Lightspeed / Lightspeed Ecom (E-Series), payment providers, shipping providers, and related commerce tooling for online shop, cart, checkout, order management, fulfillment, tax/customs handling, warranty support, and legally required order records.
For direct shop/order fulfillment, AirGradient normally acts as controller. To the extent shop/order data is processed on behalf of a professional Customer under the main agreement, AirGradient acts as processor or subprocessor. AirGradient does not store raw payment card numbers in AirGradient systems.
11. Data Subject Requests and Breaches
AirGradient will reasonably assist Customer with data subject requests relating to Customer Personal Data where required by Applicable Data Protection Law and reasonably possible through the Services.
If AirGradient receives a request directly from a data subject relating to Customer Personal Data for which Customer is controller, AirGradient may refer the requester to Customer unless legally prohibited from doing so. AirGradient may verify identity before disclosing, changing, or deleting account, monitor, support, shop, or deployment data.
AirGradient will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include, to the extent known, the incident nature, affected Services, affected data and data subjects, likely consequences, measures taken or proposed, recommended Customer actions where applicable, and a contact point.
Customer is responsible for regulator and data subject notifications where Customer is controller, unless the Parties agree otherwise or AirGradient is legally required to notify.
12. International Transfers
AirGradient users, customers, staff, infrastructure, and service providers may be in different countries. EU/EEA personal data may be processed in the EU, Thailand, the United States, Singapore, or other locations depending on AirGradient infrastructure, vendors, and Customer deployment configuration.
Where Applicable Data Protection Law requires a transfer mechanism, the Parties use appropriate safeguards such as EU Standard Contractual Clauses, the UK IDTA or UK Addendum, adequacy decisions, binding corporate rules, or another lawful transfer mechanism.
Where Standard Contractual Clauses are required, Module 2 applies where Customer is controller and AirGradient is processor, and Module 3 applies where Customer is processor and AirGradient is subprocessor, unless a signed transfer addendum states otherwise.
Customer must document required EU hosting, data residency, or other location requirements before deployment.
13. Return, Deletion, Retention, and Audit
At the end of the Services, AirGradient will delete or return Customer Personal Data as agreed, unless continued retention is required or permitted by law, contract, security, dispute handling, backup expiry, or public-data commitments.
Customer may export available data through the Services where export functionality is available. Backup copies expire through normal backup retention unless preservation is required for legal, security, or incident response reasons. Public data already distributed to third parties may not be recoverable or deletable by AirGradient.
AirGradient will make available information reasonably necessary to demonstrate compliance with this DPA, such as current policies, the Subprocessor List, security summaries, incident/backup procedure summaries, and relevant third-party trust documentation.
Any additional audit must be reasonable, scoped to Customer Personal Data and the Services, confidentiality-protected, non-disruptive, and designed to avoid access to other customers' data, source code, credentials, production systems, internal vulnerability details, or confidential third-party information.
14. Legal Requests, Liability, Term, and Changes
If AirGradient receives a legally binding request for Customer Personal Data, AirGradient will notify Customer where legally permitted and appropriate and will seek to limit disclosure to the legally required scope.
Each Party's liability under this DPA is subject to the limitations and exclusions of liability in the agreement, unless Applicable Data Protection Law requires otherwise. This DPA remains in effect for as long as AirGradient processes Customer Personal Data under the agreement, and terms that by their nature continue remain effective after termination.
AirGradient may update this DPA template from time to time to reflect changes in services, law, security controls, vendors, or operational practices. Material changes that affect signed customer terms are handled according to the agreement.
15. Customer Deployment Checklist
Before launch, Customer and AirGradient confirm the Customer legal entity, contracting party, controller/processor roles, deployment purpose, affected people, privacy notices, consents, public/private monitor settings, public names/URLs, OpenAQ/API sharing, user roles, admin permissions, support contacts, escalation contacts, hosting, data residency, retention, deletion, procurement, contract notice requirements, route/GPS features, and online shop/order handling.