Respira mejor. Vive con inteligencia.®

Versión archivada · fijada v2026-06-01

Terrestream Indoor Air Quality Sensor

Data Processing Agreement

Effective June 1, 2026 · Version 1.0 · Aerodyne Inc. d/b/a Terrestream

This Data Processing Agreement (this “DPA” ) is entered into between Aerodyne Inc., a Delaware corporation doing business as Terrestream ( “Terrestream” ), and the Commercial User identified on the applicable Order Form or whose authorized representative countersigns this DPA ( “Customer” ). This DPA supplements and forms part of the Terrestream Terms and Conditions at terrestream.com/legal/terms (the “T&C” ) and the Terrestream Privacy Policy at terrestream.com/legal/privacy (the “Privacy Policy” ), each as in effect from time to time. Capitalized terms used and not defined here have the meanings given in the T&C and the Privacy Policy. If this DPA conflicts with the T&C or the Privacy Policy regarding the Processing of Customer Personal Data, this DPA controls; see §15.

§1. Definitions

The following definitions apply to this DPA. Capitalized terms not defined here have the meanings given in the T&C §1 or the Privacy Policy §P1.7.

“Applicable Privacy Law” has the meaning given in T&C §1 and, in the context of this DPA, applies to the Processing of Customer Personal Data.

“Customer” has the meaning given in the preamble above; for clarity, “Customer” is the “Commercial User” as defined in T&C §1, identified on the applicable Order Form (or whose authorized representative countersigns this DPA).

“Authorized User” has the meaning given in T&C §1 and includes, in the Commercial-User context, the account administrator, fleet administrators, viewers, installers, and other natural persons whom Customer has authorized to access the Cloud Services on Customer’s behalf as further described in T&C §13.7.

“Customer Personal Data” means Personal Information that is collected, transmitted, or generated by the Cloud Services in connection with Customer’s deployment of the Device, including (a) Personal Information about Authorized Users and other natural persons that Customer designates for access to the Cloud Services and (b) Personal Information about identifiable building occupants where Customer’s use of the Cloud Services causes such Personal Information to be collected. Customer Personal Data does not include Aggregate Data or Deidentified Data processed in accordance with PP §P6 and T&C §18.2.

“Documented Instructions” means Customer’s instructions to Terrestream regarding the Processing of Customer Personal Data, comprising (i) this DPA, (ii) the T&C, (iii) the Privacy Policy, (iv) the Order Form, (v) Customer’s configuration of the Cloud Services through the account administrator interface, and (vi) any additional written instructions Customer provides under §4.

“Order Form” means each written or electronic order document executed between Terrestream and Customer that identifies the Devices, subscription tier, billing terms, and any optional schedule under Annex D.

“Processing” has the meaning given in the Applicable Privacy Law and includes any operation or set of operations performed on Customer Personal Data, whether or not by automated means.

“Security Incident” (in Quebec: “confidentiality incident” within the meaning of art. 3.5 LPRPSP) means a confirmed unauthorized access to, acquisition of, disclosure of, loss of, alteration of, or destruction of Customer Personal Data that triggers a notification obligation under Applicable Privacy Law.

“Sub-Processor” means a third party engaged by Terrestream to Process Customer Personal Data on Terrestream’s behalf in connection with the Cloud Services, as further described in Privacy Policy §P5.2 and Annex C.

§2. Subject Matter, Scope, and Duration

2.1 Subject matter

The subject matter of the Processing under this DPA is the provision of the Cloud Services by Terrestream to Customer under the T&C, including the operation of the Device, Mobile App, and Web Dashboard, the generation of AI Outputs from Telemetry Data, and the administrative and support functions necessary to deliver those services.

2.2 Scope

This DPA applies to all Processing of Customer Personal Data carried out by Terrestream in connection with the Cloud Services for the duration of the underlying T&C relationship between Customer and Terrestream.

2.3 Duration

This DPA enters into force on the date both parties have executed it or, where executed through Customer’s acceptance of an Order Form referencing this DPA, on the effective date of that Order Form. It continues for so long as Terrestream Processes Customer Personal Data and, with respect to obligations that by their nature survive (including §12 return and deletion, §13 liability, and §14 survival), thereafter.

2.4 Description of Processing

The categories of data subjects, categories of Customer Personal Data, nature and purpose of Processing, and retention periods are set out in Annex A.

§3. Roles and Compliance Status

3.1 Allocation of roles

With respect to Customer Personal Data, Customer is the “business,” “controller,” “person responsible,” “enterprise,” where that role applies under Applicable Privacy Law, and Terrestream is the “service provider,” “contractor,” “processor,” “mandatary,” where that role applies.

3.2 CCPA/CPRA service provider status

Terrestream qualifies as a “service provider” under Cal. Civ. Code § 1798.140(ag) with respect to Customer Personal Data. To the extent that a particular transaction or disclosure by Customer to Terrestream falls within the “contractor” definition in Cal. Civ. Code § 1798.140(j), Terrestream undertakes the obligations applicable to contractors under that subsection with respect to that transaction. Terrestream:

  1. will not sell or share (within the meaning of Cal. Civ. Code § 1798.140(ad) and (ah)) Customer Personal Data;

  2. will not retain, use, or disclose Customer Personal Data for any purpose other than (a) the specific business purposes set out in this DPA and the Documented Instructions, (b) servicing the business relationship between Terrestream and Customer, or (c) as permitted under Cal. Civ. Code § 1798.140(ag)(1)(A)(i)–(v);

  3. will not retain, use, or disclose Customer Personal Data outside the direct business relationship between Terrestream and Customer;

  4. will not combine Customer Personal Data with Personal Information that Terrestream receives from another business or that Terrestream collects from interactions with consumers, except as expressly permitted by Cal. Civ. Code § 1798.140(ag)(1)(B); and

  5. will comply with applicable obligations imposed on service providers and contractors under the CCPA/CPRA and the CCPA Regulations, including identity verification under CCPA Regulations § 7050(c) where applicable.

3.3 Other state-law processor status

Terrestream is intended to act as a “processor” under applicable US state privacy laws that recognize that role, and Terrestream will Process Customer Personal Data in accordance with the processor obligations that apply to the services.

3.4 Canadian processor status

For Customers subject to Canadian privacy laws, Terrestream Processes Customer Personal Data on Customer’s behalf. Where Quebec Law 25 applies, the optional written-mandate schedule in Annex D sets out additional terms where Customer elects to invoke it.

3.5 Customer’s independent obligations

Customer remains responsible for its own compliance with Applicable Privacy Law as the business, controller, or person responsible, including providing notices to data subjects, obtaining consents where required, posting occupant-facing privacy notices in shared and tenant spaces per T&C §7.7, and responding to data subject requests as the entity required to respond.

§4. Customer Instructions; Permitted Processing

4.1 Documented Instructions

Terrestream Processes Customer Personal Data only on Documented Instructions, except where Applicable Privacy Law requires Processing without instruction (in which case Terrestream will notify Customer of that legal requirement before Processing, unless prohibited by law).

4.2 Permitted Processing purposes

Terrestream Processes Customer Personal Data solely for: (a) providing and improving the Cloud Services in accordance with the T&C; (b) generating AI Outputs subject to the boundaries in Privacy Policy §P6.4; (c) account administration, billing, subscription management, and customer support; (d) security, fraud prevention, abuse detection, and protection of Terrestream and Customer systems; (e) legal compliance and response to lawful requests; (f) creating Aggregate Data and Deidentified Data under Privacy Policy §P6, subject to §4.4 below; and (g) any additional purpose Customer documents in writing and Terrestream agrees to perform.

4.3 Unlawful instructions

Terrestream will inform Customer if, in Terrestream’s opinion, a Documented Instruction violates Applicable Privacy Law. Until the conflict is resolved, Terrestream may suspend the Processing in question.

4.4 Aggregate Data and Deidentified Data

Customer acknowledges that Customer Personal Data may be Processed to create Aggregate Data and Deidentified Data in accordance with Privacy Policy §P6 and T&C §18.2. “Deidentification” has the meaning given in art. 12 LPRPSP (deidentified information remains subject to the law); “anonymization” has the meaning given in art. 23 LPRPSP and the Regulation respecting the anonymization of personal information (in force May 30, 2024; anonymized information ceases to be subject to the law). After deidentification is complete, Aggregate Data and Deidentified Data are outside the scope of Customer Personal Data under this DPA. Terrestream will not combine Customer Personal Data in identified form with Personal Information from other accounts or sources except as permitted under §4.5(d). The exclusions in Privacy Policy §P6.3(f) apply unless separately authorized by Customer in writing.

4.5 No prohibited Processing

Terrestream will not (a) sell Customer Personal Data, (b) share Customer Personal Data for cross-context behavioral advertising, (c) engage in targeted advertising using Customer Personal Data, (d) combine Customer Personal Data with Personal Information from other sources except as permitted by CCPA/CPRA § 1798.140(ag)(1)(B), or (e) use Customer Personal Data to train production AI models on identified raw Personal Information of Authorized Users or building occupants except with the express opt-in consent required by Privacy Policy §P6.4.

§5. Confidentiality

5.1 Personnel commitments

Terrestream ensures that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations and are trained on Applicable Privacy Law and security obligations.

5.2 Access limitations

Terrestream limits access to Customer Personal Data to personnel and Sub-Processors with a documented need-to-know and applies the access controls described in Annex B.

§6. Security Measures

6.1 Technical and organizational measures

Terrestream maintains the technical and organizational measures described in Annex B (the “TOMs” ). The TOMs are designed to provide a level of security appropriate to the risk presented by the Processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.

6.2 Evolution of TOMs

Terrestream may update the TOMs from time to time to maintain or improve the security posture, provided that no update materially reduces the protection afforded to Customer Personal Data.

6.3 Customer-side security

Customer is responsible for the security of (a) Customer’s account credentials and Authorized User access, (b) Customer’s networks and connected systems, and (c) Customer’s configuration of the Cloud Services. Customer’s breach of T&C §13 is subject to T&C §13.6 (causal-nexus reduction of warranty and liability).

§7. Sub-Processors

7.1 General authorization

Customer authorizes Terrestream to engage the Sub-Processors listed in Annex C and at terrestream.com/legal/sub-processors (the “Sub-Processor List” ) to Process Customer Personal Data on Terrestream’s behalf.

7.2 Notice of new or replacement Sub-Processors

Terrestream will provide Customer with at least thirty (30) days’ advance notice of any material addition or replacement of a Sub-Processor that Processes Customer Personal Data, by updating the Sub-Processor List and, where the change is material to Customer’s deployment, by email to the account administrator.

7.3 Customer objection right

Customer may object to the engagement of a new Sub-Processor on reasonable data-protection grounds by written notice to Terrestream within fifteen (15) days after the notice in §7.2. The parties will work in good faith to resolve the objection. If a resolution is not reached, Terrestream may, at its option, (a) not appoint the Sub-Processor with respect to Customer Personal Data, (b) take corrective steps reasonably acceptable to Customer, or (c) allow Customer to terminate the affected portion of the Cloud Services with a pro-rata refund of unused prepaid fees for the affected portion.

7.4 Sub-Processor contracts

Terrestream imposes written contractual obligations on each Sub-Processor that are no less protective of Customer Personal Data than this DPA in substance.

7.5 Sub-Processor performance

Terrestream remains liable to Customer for each Sub-Processor’s performance of obligations Terrestream has delegated under this DPA, to the same extent and subject to the same limitations as if Terrestream had performed the obligation itself, including the liability cap and carve-outs in §13.

§8. Cross-Border Transfers

8.1 Location of Processing

Terrestream Processes Customer Personal Data on infrastructure located in the United States, including through Sub-Processors. By executing this DPA, Customer acknowledges and (where required) instructs Terrestream to transfer Customer Personal Data to the United States for Processing.

8.2 Canadian transfers

For Customer Personal Data of Canadian individuals, Terrestream maintains the contractual safeguards described in Privacy Policy §P5.3 with each Sub-Processor that Processes such data, consistent with PIPEDA, PIPA-BC, and PIPA-AB. For Quebec residents, Terrestream has conducted the privacy impact assessment required by Quebec Law 25 §17 before transferring Personal Information outside Quebec; the documented safeguards are described in Privacy Policy §P8.2.

8.3 Onward transfers

Where a Sub-Processor located in the United States makes an onward transfer of Customer Personal Data to a non-US jurisdiction, Terrestream requires that Sub-Processor to maintain protections substantially equivalent to those in this DPA.

8.4 Government access

Customer Personal Data Processed in the United States may be subject to lawful government access requests under U.S. law, including the Stored Communications Act, 18 U.S.C. § 2701 et seq., and the Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. § 2713. Terrestream challenges overbroad or unlawful requests where it has reasonable grounds to do so and, where lawful and not prohibited by court order, notifies Customer of any request that targets Customer Personal Data.

§9. Data Subject Rights

9.1 Customer-facing requests

Where Customer is required to respond to a data subject request under Applicable Privacy Law, Terrestream provides reasonable assistance to Customer by (a) making available the data subject’s Customer Personal Data in a portable format through the account administrator interface, (b) executing deletion and correction requests upon Customer’s documented instruction, (c) restricting Processing in response to an SPI-limit, opt-out, or withdrawal request, and (d) cooperating with Customer’s verification of the requester’s identity.

9.2 Direct requests to Terrestream

If Terrestream receives a data subject request relating to Customer Personal Data directly from a data subject, Terrestream will (a) forward the request to Customer without undue delay where Customer is the entity required to respond, or (b) handle the request directly if and only if directed to do so by Customer or if required by Applicable Privacy Law.

9.3 Response timing

Terrestream targets initial acknowledgment of Customer’s assistance requests within seven (7) business days; the substantive response is provided within timeframes consistent with the statutory windows in Privacy Policy §P7.3.

9.4 Costs

Reasonable assistance under this §9 is provided at no additional charge. Extraordinary assistance, including responding to manifestly unfounded, excessive, or repetitive requests, may be charged at Terrestream’s then-current professional-services rates with prior notice to Customer.

§10. Security Incidents and Breach Notification

10.1 Notification

Terrestream notifies Customer without undue delay (and with diligence within the meaning of art. 3.5 LPRPSP for Personal Information concerning Quebec residents) after Terrestream confirms a Security Incident affecting Customer Personal Data, and in any event within the time required by Applicable Privacy Law applicable to Customer. Statutory notification periods run from the date of Terrestream’s confirmation, subject to the good-faith reasonable necessities of investigation contemplated by Cal. Civ. Code § 1798.82(a) and analogous state statutes, consistent with Privacy Policy §P10.3.

10.2 Content of notification

Each Security Incident notification under §10.1 will include, to the extent then known and lawful to disclose: (a) the nature of the incident, including where possible the categories and approximate number of data subjects and records concerned; (b) the likely consequences of the incident; (c) the measures taken or proposed to address the incident, including measures to mitigate adverse effects; and (d) the name and contact details of the Terrestream point of contact from whom more information can be obtained.

10.3 Cooperation

Terrestream cooperates reasonably with Customer’s investigation of, and response to, a Security Incident, including providing information needed for Customer’s notifications to regulators and affected individuals under Applicable Privacy Law.

10.4 No admission

A Security Incident notification under this §10 is not an acknowledgment of fault, liability, or noncompliance.

§11. Audits and Records

11.1 Records

Terrestream maintains records of its Processing of Customer Personal Data sufficient to demonstrate compliance with this DPA and Applicable Privacy Law.

11.2 Security documentation

On Customer’s reasonable written request and no more than once per twelve (12) month period, Terrestream provides Customer with then-current security documentation reasonably sufficient to support Customer’s vendor-security review, such as a SOC 2 Type II report if available, an equivalent third-party security assessment, or a written TOM summary.

11.3 On-site or remote audit

If the materials under §11.2 are not sufficient to satisfy a Customer audit obligation imposed by Applicable Privacy Law, Customer may request a supplemental remote audit of Terrestream’s Processing of Customer Personal Data, subject to: (a) at least thirty (30) days’ advance written notice; (b) reasonable scope agreed in advance; (c) audit no more frequently than once per twelve (12) month period unless a Security Incident or regulatory order requires otherwise; (d) execution of a confidentiality agreement protecting Terrestream’s proprietary information and other customers’ data; (e) conduct during normal business hours in a manner that does not unreasonably interfere with Terrestream’s operations; and (f) reimbursement to Terrestream at then-current professional-services rates for Terrestream personnel time required to support the audit. On-site audits require Terrestream’s prior written approval unless required by Applicable Privacy Law.

11.4 Findings

The parties cooperate in good faith to address audit findings. Each party treats audit findings, related materials, and information disclosed in the course of the audit as the confidential information of the disclosing party.

§12. Return and Deletion of Customer Personal Data

12.1 On termination

Within ninety (90) days after termination or expiration of the underlying T&C relationship between Customer and Terrestream, Terrestream, at Customer’s written election, either (a) returns Customer Personal Data to Customer in a structured, commonly used, machine-readable format, or (b) deletes Customer Personal Data from active Cloud Services systems. This ninety (90) day window for Commercial Users is distinct from, and supersedes for the B2B relationship, the thirty (30) day consumer-tier window in T&C §8.7.

12.2 Backup-rotation deletion

Following the action in §12.1, Customer Personal Data is scheduled for deletion from encrypted backups as backup rotations cycle through, consistent with the retention table in Privacy Policy §P11 and any legal-hold or preservation obligations.

12.3 Exceptions

Notwithstanding §12.1, Terrestream may retain Customer Personal Data to the extent required by Applicable Privacy Law, by a legal hold, or by a statutory minimum (for example, tax-recordkeeping). Aggregate Data and Deidentified Data are addressed in Privacy Policy §P6 and T&C §18.2.

12.4 Certification

On Customer’s written request, Terrestream provides written certification of completion of the actions in §12.1 and §12.2.

12.5 Bankruptcy or insolvency

If Terrestream files for bankruptcy protection or has an involuntary petition filed against it, Customer may demand return or deletion of Customer Personal Data under §12.1 on an expedited basis, to the extent compatible with applicable bankruptcy or insolvency law. This right is in addition to (not in substitution for) creditor rights under 11 U.S.C. § 365, the Bankruptcy and Insolvency Act (Canada), R.S.C. 1985, c. B-3, and the Companies’ Creditors Arrangement Act, R.S.C. 1985, c. C-36.

§13. Liability

13.1 Liability under the T&C

Each party’s liability under this DPA is subject to T&C §11 (Limitation of Liability), including the cap in T&C §11.1, the exclusions in T&C §11.2 and T&C §11.3, and the carve-outs in T&C §11.5.

13.2 Statutory remedies preserved

Nothing in this DPA or in T&C §11 limits a data subject’s non-waivable statutory remedies under Applicable Privacy Law against the party responsible.

13.3 Allocation of fault

Where both parties contribute to a Security Incident or other violation of Applicable Privacy Law, each party is responsible for its proportionate share of resulting liability to the extent permitted by law and based on its causal contribution.

13.4 Enhanced cap for Security Incidents involving Customer Personal Data

Notwithstanding the cap in §13.1 and T&C §11.1, Terrestream’s aggregate liability to Customer for claims arising out of or related to a Security Incident affecting Customer Personal Data, or to a material breach by Terrestream of §3, §6, §7, or §10 of this DPA, is the greater of (a) two times (2×) the total fees Customer paid to Terrestream in the twelve (12) months immediately preceding the event giving rise to the claim, or (b) two hundred fifty thousand U.S. dollars ($250,000 USD). This enhanced cap is the per-Customer aggregate limit for security and data-protection claims. Nothing in this section limits non-waivable statutory remedies that cannot be capped under Applicable Privacy Law.

13.5 Terrestream indemnification

Terrestream will indemnify, defend, and hold harmless Customer from any third-party claim, damage, loss, liability, judgment, settlement, cost, or expense (including reasonable attorneys’ fees) arising out of or related to Terrestream’s material breach of §3, §6, or §10 of this DPA, subject to the cap in §13.4. The indemnification procedure in T&C §12.2 applies, with the parties’ roles reversed (Customer giving notice of the claim; Terrestream assuming the defense).

§14. Term, Termination, and Survival

14.1 Term

This DPA enters into force as set out in §2.3 and continues for the duration described there.

14.2 Termination

This DPA terminates automatically on termination of the underlying T&C relationship between Customer and Terrestream. Either party may terminate this DPA on thirty (30) days’ written notice if the other party materially breaches this DPA and fails to cure the breach within that notice period.

14.3 Survival

Sections that by their nature survive termination remain in effect, including §1 (definitions, to the extent needed to interpret surviving provisions), §5 (confidentiality), §10 (Security Incidents, as to incidents that occurred during the term), §12 (return and deletion), §13 (liability), §15 (order of precedence), §16 (governing law), and §17 (general).

§15. Order of Precedence

15.1 General

If there is a conflict between this DPA and the T&C or the Privacy Policy with respect to the Processing of Customer Personal Data, this DPA controls.

15.2 Optional schedules

Where the optional Quebec Law 25 written-mandate schedule under Annex D is in force between the parties, that schedule controls over the body of this DPA with respect to the matters specifically addressed in the schedule. Health-sector, education-sector, or other regulated-sector terms must be handled in a separately executed addendum.

15.3 Order Form variations

An Order Form may include Customer-specific variations to this DPA. Such variations apply only to the Customer named on the Order Form and only to the extent expressly stated.

§16. Governing Law and Dispute Resolution

16.1 Governing law

This DPA is governed by Delaware law, without regard to its conflict-of-laws principles, consistent with T&C §19.1. Canadian carve-outs in T&C §19.11 apply to Canadian Customers.

16.2 Dispute resolution

Disputes arising out of this DPA are resolved under T&C §19 (Dispute Resolution), including the informal-resolution procedure in §19.2, the arbitration procedure in §19.3 (subject to Customer-jurisdiction carve-outs), the small-claims carve-out in §19.5, the Canadian carve-outs in §19.11, and the injunctive-relief carve-out in §19.12.

§17. General Provisions

17.1 Notices

Notices under this DPA are given to: (a) Terrestream, at Aerodyne Inc., Attn: Privacy Officer, 8 The Green, Ste A, Dover, DE 19901, USA, and terrestream.com/contact?dept=privacy; and (b) Customer, at the address on the Order Form or, if none, at the account administrator’s email on file.

17.2 Severability

If any provision of this DPA is held invalid or unenforceable, that provision is modified to the minimum extent necessary to make it enforceable, and the remainder of this DPA continues in effect.

17.3 Assignment

Assignment is governed by T&C §21.2; this DPA transfers with the underlying T&C agreement.

17.4 No waiver

Failure or delay to enforce any provision of this DPA is not a waiver.

17.5 Entire agreement

This DPA, together with the T&C, the Privacy Policy, the Order Form, and any optional schedules in force, is the entire agreement between the parties with respect to the Processing of Customer Personal Data and supersedes all prior or contemporaneous understandings on that subject.

17.6 Counterparts and electronic signature

This DPA may be executed in counterparts, including by electronic signature, each of which is deemed an original.

Annex A: Description of Processing

A.1 Categories of data subjects

The Processing under this DPA may concern the following categories of data subjects:

  1. Customer’s account administrators and other Authorized Users granted access to the Cloud Services under T&C §13.7;

  2. building occupants in spaces where Customer has deployed the Device, to the extent the Cloud Services collect Personal Information that is reasonably linkable to identifiable individuals (for example, where occupancy estimates are combined with Customer’s own scheduling, badge, or roster data); and

  3. natural persons who contact Customer-managed support or whose Personal Information is provided to Terrestream by Customer in connection with a support request.

A.2 Categories of Customer Personal Data

Categories of Customer Personal Data Processed under this DPA correspond to the categories described in Privacy Policy §P2.1, including:

  1. Identifiers (name, email, account identifier, Device serial number, IP address);

  2. Customer records (billing address, payment processor token);

  3. Commercial information (subscription status, Pro Trial dates, Pro Subscription history, purchase history);

  4. Internet or other electronic network activity (Mobile App and Web Dashboard usage logs, dashboard views, push-notification engagement);

  5. Geolocation (approximate location from IP; precise geolocation only with explicit opt-in for weather and outdoor-air-quality features);

  6. Professional or employment information (organizational role of Authorized Users);

  7. Inferences derived from Telemetry Data (composite air-quality scores, mold-risk indicators, ventilation recommendations, occupancy estimates, trend analyses);

  8. Telemetry Data (CO2, temperature, humidity, barometric pressure, IAQ index, VOC index, NOx index, particulate matter at PM 1.0/2.5/4.0/10.0, ambient light, with timestamps, Device identifiers, and firmware version);

  9. Network metadata (Wi-Fi SSID, BSSID, RSSI for provisioning and diagnostics, IP address, connection timestamps, firmware version); and

  10. Behavioral inferences within Sensitive Personal Information safeguards under Privacy Policy §P2.2 (sleep-stage IAQ correlation, occupancy and presence estimates, daily routines, smoking or cooking-frequency inferences, pet-presence inferences, aging-in-place patterns), where Customer’s deployment causes such inferences to be generated.

A.3 Nature and purpose of Processing

Terrestream Processes Customer Personal Data for the purposes set out in §4.2 of this DPA and in Privacy Policy §P4.1.

A.4 Duration of Processing

Customer Personal Data is Processed for the duration of the underlying T&C relationship between Customer and Terrestream and is retained in accordance with the retention table in Privacy Policy §P11. Return and deletion on termination are governed by §12 of this DPA.

Annex B: Technical and Organizational Measures

Terrestream maintains a written information security program designed to provide controls appropriate to the sensitivity of Customer Personal Data Processed. The program is designed to include controls such as:

  1. Encryption in transit designed to provide TLS 1.2 or higher between the Device, Mobile App, Web Dashboard, and Terrestream’s cloud;

  2. Encryption at rest designed to provide AES-256 or equivalent for Customer Personal Data in Terrestream’s cloud and in Sub-Processor storage where Customer Personal Data is held on Terrestream’s behalf;

  3. Access controls based on role-based access control and least-privilege principles, with multi-factor authentication for administrative access;

  4. Logging, monitoring, and intrusion-detection capabilities across production systems;

  5. Periodic penetration testing and vulnerability scanning by qualified testers;

  6. Secure-software-development-lifecycle practices including code review, dependency scanning, and pre-release security testing;

  7. Vendor diligence on each Sub-Processor before onboarding and periodically thereafter, consistent with Privacy Policy §P10.2;

  8. Personnel training and confidentiality obligations under §5 of this DPA; and

  9. Incident-response procedures aligned with the Security Incident notification obligations in §10 of this DPA.

The specific implementation of each control evolves as part of the program. Customer may request a current TOM summary in connection with an audit under §11.

Annex C: Approved Sub-Processors

The list of Sub-Processors approved to Process Customer Personal Data, including each Sub-Processor’s name, the categories of Processing performed, and the location of Processing, is maintained at terrestream.com/legal/sub-processors. Material changes to the Sub-Processor list are governed by §7 of this DPA. As of the effective date of this DPA, key Sub-Processor categories include cloud infrastructure, analytics, payment processing, email delivery, push notifications, authentication, and crash reporting, as further identified in Privacy Policy §P5.2.

Annex D: Quebec Law 25 Written Mandate (Optional Schedule)

This Annex D applies only where Customer is an enterprise subject to Quebec Law 25 and the Order Form expressly invokes this Annex. This Annex constitutes the written mandate required by Quebec Law 25 §18.3.

D.1 Purpose of the mandate

Customer (as “person responsible” ) mandates Terrestream (as “mandatary” ) to Process Personal Information of Quebec residents in connection with the Cloud Services, for the purposes described in §4.2 of this DPA and Privacy Policy §P4.1.

D.2 Confidentiality

Terrestream will maintain the confidentiality of Personal Information communicated under this mandate, will use the Personal Information only for the purposes of the mandate, and will not communicate the Personal Information to a third party except as expressly authorized by Customer or by law.

D.3 Notification of use beyond mandate

Terrestream will notify Customer if a use or communication of Personal Information beyond the scope of this mandate is required by law or by court order.

D.4 Categories of recipients

Personal Information communicated under this mandate may be processed by the Sub-Processors identified in Annex C, in the categories described in Privacy Policy §P5.2.

D.5 Duration

This mandate remains in force for the duration of the underlying T&C relationship and is subject to the return-and-deletion obligations in §12 of this DPA.

D.6 Cross-border assessment

The Quebec Law 25 §17 cross-border privacy impact assessment is summarized in Privacy Policy §P8.2 and forms part of the documented safeguards under this mandate.

D.7 Cross-references to the body of this DPA

In accordance with art. 18.3 LPRPSP, this written mandate incorporates by reference: (a) the security measures set out in §6 and Annex B (TOMs); (b) the sub-processor regime set out in §7 and Annex C; (c) the notification obligations under §10 (Security Incidents and breach notification); and (d) the audit rights set out in §11. These body provisions apply to the mandate with the same effect as if reproduced in this Annex.

Signature

This DPA is executed by the parties as follows. Where Customer accepts this DPA through an Order Form, the signature on the Order Form constitutes execution of this DPA.

Aerodyne Inc. d/b/a Terrestream

By: ____________________________
Name:
Title:
Date:

Customer

By: ____________________________
Name:
Title:
Organization:
Date: