Review AirBot’s commitments as a data processor under GDPR, CCPA, and other privacy laws.

1. Definitions

Personal Data: Any data relating to an identified or identifiable individual. Processing: Any operation performed on personal data (collection, storage, access, transmission, etc.). Sub-Processor: A third-party entity engaged by the Processor to process data. Data Subject: An individual whose personal data is processed.

2. Purpose and Scope

The Processor shall process Personal Data solely to provide the AirBot service. The Processor will not use or disclose Personal Data for any purpose other than as instructed by the Controller.

3. Processor Obligations

The Processor agrees to: • Process data only on documented instructions from the Controller • Implement appropriate technical and organizational security measures • Ensure employees and contractors are bound by confidentiality • Assist the Controller in responding to data subject requests • Notify the Controller of any data breach without undue delay • Delete or return all personal data at contract termination, at the Controller’s choice

4. Sub-Processors

The Controller authorizes the Processor to use the following Sub-Processors: • OpenAI – LLM for guest communication • Render – Hosting & infrastructure provider • PMS Platforms (e.g., Hostaway) – Data retrieval and guest info The Processor will ensure Sub-Processors are GDPR/CCPA compliant and enter into written agreements with them imposing the same data protection obligations.

5. Controller Obligations

The Controller agrees to: • Provide clear instructions for data processing • Ensure all data subjects have been properly informed • Use the AirBot platform in compliance with applicable data privacy laws

6. International Transfers

The Processor will not transfer Personal Data outside of the EU/EEA or US without ensuring adequate safeguards are in place (e.g., Standard Contractual Clauses, Privacy Shield, or an equivalent framework).

7. Security Measures

The Processor maintains industry-standard security practices, including: • Data encryption at rest and in transit • Regular vulnerability assessments • Role-based access control • Logging and monitoring of data access

8. Term and Termination

This DPA remains in effect for the duration of the Controller’s use of AirBot. Upon termination, data will be securely deleted or returned based on the Controller’s instruction.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws of The United Arab Emirates, without regard to conflict of laws principles.