Data Processing Addendum
Effective Date: April 17, 2026 · Last Updated: April 17, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Aviat Group, LLC and the customer entity that enters into the applicable OmniTakeoff services agreement. It applies to the extent we process personal data on the customer's behalf in connection with the OmniTakeoff Services.
1. Scope and Roles
The customer acts as controller, business, or equivalent role for the personal data processed under this DPA, except where the customer itself acts as a processor for another party. Aviat Group, LLC acts as processor, service provider, or contractor, as applicable.
This DPA applies only to personal data that we process on the customer's behalf to provide, secure, support, and operate the Services.
2. Processing Instructions and Obligations
- We process personal data only on documented customer instructions, including the customer's use of the Services, admin settings, support requests, and enabled integrations, unless otherwise required by law.
- We ensure personnel authorized to process personal data are subject to confidentiality obligations.
- We assist the customer, taking into account the nature of the processing and information available to us, with applicable data subject, regulator, and customer requests.
- We do not sell or share personal data, and we do not retain, use, or disclose it outside the direct business relationship with the customer except as permitted by law and the services agreement.
3. Security Measures
We maintain reasonable administrative, technical, and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
- Authentication controls and role-based permissions.
- Tenant isolation using application and database controls.
- Encryption in transit and encryption at rest for core systems.
- Rate limiting, input validation, and audit logging.
- Monitoring, alerting, vulnerability review, and incident response.
- Restricted production access on a need-to-know basis.
- Backup and recovery procedures for service restoration.
4. Subprocessors
The customer gives general authorization for us to engage subprocessors used to provide the Services. We require those subprocessors to protect personal data under written terms that are materially no less protective than the obligations in this DPA.
We will provide notice before adding or replacing a subprocessor that will materially process personal data, and the customer may object on reasonable data-protection grounds.
5. Security Incidents and Assistance
We will notify the customer without undue delay after becoming aware of a confirmed security incident affecting personal data processed under this DPA. We will provide reasonably available information about the nature of the incident, the categories of data affected, and the measures taken or proposed to address it.
We will also provide reasonable assistance with data subject requests, applicable breach-notification obligations, data protection impact assessments, and regulator consultations to the extent required by law and reasonably feasible.
6. Audits and Information Rights
Upon reasonable written request, we will make available information reasonably necessary to demonstrate compliance with this DPA. Customers may request a reasonable questionnaire, remote review of relevant documentation, or, where required by law or triggered by a security incident, a more detailed audit process subject to confidentiality and operational safeguards.
7. Return and Deletion
Upon termination or expiration of the services agreement, we will make available export functionality for at least 30 days and then delete or de-identify personal data from active systems, subject to ordinary backup retention and legal obligations.
8. International Transfers
If we process personal data subject to a restricted transfer, the parties agree to use an appropriate legal transfer mechanism, including the European Commission Standard Contractual Clauses and, for UK transfers, the UK International Data Transfer Addendum, to the extent required.
9. U.S. State Privacy Terms
To the extent U.S. state privacy laws apply, we act as a service provider or contractor and process personal data only for the business purposes set out in the services agreement and this DPA. We do not sell or share personal data and provide reasonable cooperation so customers can respond to verifiable privacy rights requests.
10. Annex I: Processing Details
- Subject matter: provision of the OmniTakeoff platform and related hosting, support, analytics, monitoring, billing, authentication, and customer-requested integrations.
- Duration: for the term of the services agreement plus any post-termination period needed for export, deletion, backup, security, or legal compliance.
- Categories of data subjects: customer administrators, estimators, employees, field users, support contacts, billing contacts, and individuals whose information appears in uploaded project files or customer records.
- Categories of personal data: identifiers, business contact information, account and role data, authentication and session data, billing metadata, communications content, device and usage data, and personal data embedded in customer content.
11. Annex II: Technical and Organizational Measures
Our current measures include authentication controls, role-based permissions, tenant isolation, encryption in transit and at rest, organization-scoped document access, rate limiting, logging, monitoring, vulnerability review, incident response, restricted production access, backup and recovery procedures, and confidentiality obligations for personnel with access to personal data.
12. Annex III: Authorized Subprocessors
| Subprocessor | Purpose | Primary Processing Location |
|---|---|---|
| Hetzner Cloud | Application and database hosting for beta deployments | United States |
| Stripe | Subscription billing and payment metadata | United States |
| Mailgun | Transactional email delivery and inbound email processing | United States |
| Anthropic / OpenAI / Google / xAI | Optional AI inference and document-analysis workflows | United States or provider-selected region |
| PostHog | Product analytics, if enabled | United States |
| Sentry | Error monitoring and diagnostics, if enabled | United States |
| S3-compatible object storage provider selected by Company | Secure storage of uploaded documents and exports | United States or environment-selected region |

Questions about this DPA may be sent to privacy@omnitakeoff.com.