TarmacTarmac

Data Processing Addendum

Effective date: 1 June 2025 — Enterprise customers only

This DPA is included automatically in Enterprise subscription agreements. To request a signed copy or custom DPA, email info@panrobotics.xyz.

1. Definitions

  • Controller: the Customer entity that determines the purposes and means of processing Personal Data.
  • Processor: Pan Robotics Ltd., acting on behalf of the Controller.
  • Personal Data: any information relating to identified or identifiable natural persons submitted by the Customer.
  • Sub-processor: a third party engaged by the Processor to assist in processing Personal Data.

2. Processing instructions

The Processor shall process Personal Data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA) unless required by law. The Processor shall inform the Controller if an instruction infringes applicable data protection laws.

3. Security measures

The Processor implements appropriate technical and organisational measures including: TLS encryption in transit, encryption at rest, role-based access control, regular security reviews, and incident response procedures.

4. Sub-processors

The Processor may engage sub-processors listed in the Privacy Policy. The Processor will notify the Controller of any intended changes with at least 10 days' notice, allowing the Controller to object.

5. Data subject rights

The Processor shall provide reasonable assistance to the Controller to fulfil data subject requests (access, erasure, portability) within the timescales required by applicable law.

6. Data transfers

Transfers of Personal Data outside the EEA are covered by Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914 where applicable.

7. Breach notification

The Processor shall notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data breach likely to result in a risk to individuals' rights.

8. Deletion on termination

Upon termination of the service agreement, the Processor will delete or return all Personal Data within 30 days, unless retention is required by law.