Data Processing Agreement — Air Trending

Data Processing Agreement (DPA)

This DPA sets out how Air Trending processes personal data on your behalf when we deliver managed marketing and sales services, and the protections that apply.

Last Updated: June 2026

Preamble & Parties

This Data Processing Agreement ("DPA") forms part of the agreement between the customer identified in the applicable proposal or statement of work ("Customer", "Controller") and Sternac LLC, operating as Air Trending ("Air Trending", "Processor"), together the "Parties".

This DPA reflects the Parties' agreement on the processing of Personal Data in connection with the marketing and sales services that Air Trending provides to Customer (the "Services"). Capitalized terms not defined here have the meaning given in the main agreement between the Parties (the "Agreement"), including the Terms of Service.

1. Definitions

Applicable Data Protection Laws means all laws and regulations on privacy and data protection that apply to the processing under this DPA, including as applicable the EU GDPR, the UK GDPR, the Spanish LOPDGDD, the Swiss FADP, and US state privacy laws.

Personal Data means any information relating to an identified or identifiable natural person that Air Trending processes on behalf of Customer under the Agreement.

Process and Processing have the meaning set out in Applicable Data Protection Laws.

Sub-processor means any processor engaged by Air Trending to assist in providing the Services and that processes Personal Data.

Supervisory Authority means the competent data protection authority in the EEA, the UK or Switzerland, as applicable.

2. Scope, Role & Instructions

  1. Roles. Customer is the Controller, or a processor acting for a controller, and appoints Air Trending as Processor to process Personal Data as needed to provide the Services.
  2. Instructions. Air Trending processes Personal Data only on Customer's documented instructions, as set out in the Agreement, this DPA, Customer's configuration and use of the Services, and as required by law. Where legally permitted, Air Trending will inform Customer if an instruction appears to infringe Applicable Data Protection Laws.
  3. Customer responsibilities. Customer is responsible for the lawfulness of the Personal Data, for obtaining all necessary notices and consents, including marketing consent for contacts and leads, and for its own configuration and use of the Services.

3. Confidentiality

Air Trending ensures that the personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and receive appropriate guidance on data protection and security.

4. Security Measures

Air Trending implements and maintains appropriate technical and organizational measures designed to protect Personal Data, as described in Annex II (the "Security Measures"). Customer is responsible for reviewing the information made available by Air Trending and for determining whether the Services meet Customer's requirements.

5. Sub-processors

  1. Authorization. Customer gives general written authorization for Air Trending to engage Sub-processors to process Personal Data in connection with the Services.
  2. Obligations. Air Trending enters into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA, and remains responsible for each Sub-processor's performance.
  3. List & updates. Air Trending maintains a current list of Sub-processors (see Annex III and the Sub-processors page). Air Trending will give notice of new Sub-processors, and Customer may object on reasonable data protection grounds within a reasonable period. If Customer objects, the Parties will work in good faith toward a solution. If none is found, Customer may suspend or terminate the affected Services without penalty.

6. International Data Transfers

  1. Mechanisms. Where Air Trending processes Personal Data subject to EU, UK or Swiss transfer restrictions outside the EEA, the UK or Switzerland, the following mechanisms apply, as relevant and to the extent permitted by law:
    • EU Standard Contractual Clauses. The European Commission's Standard Contractual Clauses for controller-to-processor (Module 2) and processor-to-processor (Module 3) transfers, as set out in Commission Implementing Decision (EU) 2021/914 ("SCCs"), are incorporated by reference, with details completed by Annex I and the Security Measures in Annex II. Where the SCCs conflict with this DPA, the SCCs prevail.
    • UK Addendum. For transfers subject to UK law, the International Data Transfer Addendum issued by the UK ICO is incorporated by reference and supplements the SCCs.
    • Swiss adaptations. For transfers subject to Swiss law, references in the SCCs to the GDPR are read as references to the Swiss FADP where appropriate.
  2. Alternative safeguards. If another valid transfer mechanism becomes available and is used by Air Trending, that mechanism may be used instead of the SCCs.

7. Data Subject Requests

Taking into account the nature of the processing, Air Trending will assist Customer by appropriate technical and organizational measures, as far as possible, to help Customer respond to requests from data subjects to exercise their rights. If Air Trending receives a request directly from a data subject relating to Personal Data for which Customer is the Controller, Air Trending will promptly notify Customer and will not respond except on documented instructions or as required by law.

8. Personal Data Breach

Air Trending will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA, and will provide the information reasonably necessary for Customer to meet its own legal obligations.

9. Audit & Compliance

On Customer's reasonable request, Air Trending will make available the information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits by Customer or an auditor mandated by Customer, provided that: (a) audits occur no more than once a year, unless required by a Supervisory Authority or following a confirmed Personal Data Breach; (b) audits take place during normal business hours, on reasonable notice, and without interfering with operations; and (c) Customer signs reasonable confidentiality undertakings. Evidence may include independent reports, certificates and summaries of controls.

10. Return & Deletion

On termination or expiry of the Agreement, and on Customer's written request, Air Trending will delete or return all Personal Data processed on behalf of Customer, except where retention is required by law. Where deletion is not feasible, Air Trending will continue to protect the Personal Data under this DPA and limit further processing to the purposes that require its retention.

11. Assistance & DPIAs

Taking into account the nature of the processing and the information available to it, Air Trending will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities relating to Customer's use of the Services, in each case only to the extent required by Applicable Data Protection Laws.

12. Liability & Precedence

Each Party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. If there is any conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict regarding the processing of Personal Data. If there is any conflict between this DPA and the SCCs, the SCCs prevail.

13. Term & Termination

This DPA takes effect when Customer first uses the Services or otherwise accepts the Agreement, and remains in force for as long as Air Trending processes Personal Data on behalf of Customer.

How to Obtain a Signed Copy

If you need a signed DPA by email, contact gdpr@air-trending.com with the subject line "DPA Request, [Your Company Name]". Include your legal entity name, address, and signatory name and title. We will countersign and return a PDF copy by email.

Annex I: Details of Processing

A. List of Parties

Controller: the Customer identified in the Agreement.

Processor: Sternac LLC, operating as Air Trending, processing Personal Data on behalf of Customer.

B. Supervisory Authority

The competent Supervisory Authority is determined under Article 56 GDPR, or applicable law, based on Customer's location in the EEA, the UK or Switzerland.

C. Description of Processing

Subject matter: provision of marketing and sales services, including advertising campaigns, lead generation, CRM and automation management on the Air Lift platform, funnel and website work, and reporting, together with related support.

Nature and purpose: collection, hosting, storage, organization, structuring, transmission, analysis and other operations necessary to deliver the Services and support.

Duration: the term of the Agreement, and as otherwise required by law.

Categories of data subjects: Customer's prospects and leads, Customer's clients and customers, and personnel authorized by Customer.

Categories of Personal Data: identification and contact data such as name, email and phone, account identifiers, communications content and metadata for messages sent through the Services, marketing engagement data such as opens and clicks, scheduling details, and device and log data such as IP and browser. Special categories of data are not intended to be processed. Customer must not submit such data unless permitted by the Agreement and Applicable Data Protection Laws.

Frequency of transfers: continuous, as necessary for the Services.

Retention: as described in the Agreement and service settings, and in Section 10 of this DPA.

Annex II: Technical & Organizational Measures

  • Access control. Role-based access to client accounts and tools, on a least-privilege basis. Access to a client's accounts is limited to the team members delivering that client's Services, and is logged.
  • Credential and account security. Secure handling of access credentials, use of multi-factor authentication where available, and prompt removal of access when no longer needed.
  • Encryption. Transport encryption (TLS) for data in transit across the platforms and tools we use, and reliance on the at-rest encryption provided by those platforms.
  • Vendor and sub-processor management. Use of reputable platforms with their own audited security programs, under data protection terms no less protective than this DPA. See Annex III.
  • Data minimization and separation. We process only the data needed for the Services, and we never mix one client's data with another's.
  • Logging and monitoring. Access to client accounts is logged within the relevant platforms, and unusual activity is reviewed.
  • Personnel. Confidentiality obligations and data protection guidance for the people who deliver the Services.
  • Incident response. A documented process to identify, contain and report incidents, including breach notification consistent with legal requirements.
  • Business continuity. Reliance on the redundancy and backup capabilities of the cloud platforms used to deliver the Services.

Annex III: Authorized Sub-processors

Air Trending engages the Sub-processors listed on its Sub-processors page to support the Services, for example CRM and automation, advertising and analytics, consent management, payments, and hosting.

To request the current Sub-processor list or to subscribe to change notifications, email gdpr@air-trending.com with the subject "Sub-processor List Request".

US State Privacy Addendum

Where Air Trending processes Personal Data subject to US state privacy laws, including the CCPA and CPRA, CPA, CTDPA, UCPA and VCDPA, Air Trending acts as a "service provider" or "processor", as applicable, and will:

  • Process Personal Data only for the limited and specified purposes in the Agreement and this DPA;
  • Not "sell" or "share" Personal Data as defined by applicable law, and not combine it with data from other sources except as permitted to provide the Services;
  • Assist Customer in responding to consumer requests where required;
  • Implement reasonable security procedures appropriate to the nature of the Personal Data;
  • Notify Customer if it determines it can no longer meet its obligations under applicable law;
  • Flow down the same obligations to authorized Sub-processors and monitor compliance;
  • At Customer's direction, delete or return Personal Data at the end of the Services, unless retention is permitted by law.

Contact

Questions about this DPA or privacy requests: gdpr@air-trending.com

Disclaimer

This DPA is provided for operational alignment with common data protection requirements and does not constitute legal advice. Customer should consult its own legal counsel to ensure this DPA meets its specific compliance needs.