Public legal documents

AiboTask — Data Processing Addendum (DPA)

Version: 1.3
Effective date: 5 April 2026

This Data Processing Addendum (“DPA”) forms part of the subscription or services agreement between the Customer/Tenant and the Provider for the use of aibotask (also branded as AiboTask) (the “Service”). If there is a conflict between this DPA and the main agreement, this DPA governs for matters of personal data processing.

1) Parties

1.1 Customer / Tenant (Data Controller)

Legal name: {TENANT_LEGAL_NAME}
RUC (if applicable): {TENANT_RUC}
Address: {TENANT_ADDRESS}
Privacy contact email: {TENANT_PRIVACY_EMAIL}

1.2 Provider / Platform Operator (Data Processor for Tenant Work Data)

Legal name: AirTek Technologies
RUC: 0924829179001
Address: Cooperativa Adesdac MZ 70 S 13, Ecuador
Privacy contact email: ruben.lazaro@clitecser.com
Hosting: Amazon Web Services (AWS) — us-east-1 (N. Virginia, United States)

The Provider operates the Service under the brand name aibotask.

2) Definitions

Applicable Data Protection Law: Ecuadorian data protection law (including the Ley Orgánica de Protección de Datos Personales) and any other law applicable to the parties.
Personal Data: any information relating to an identified or identifiable natural person.
Processing: any operation performed on personal data, whether automated or not.
Controller: the party that determines the purposes and means of the processing.
Processor: the party that processes personal data on behalf of the Controller.
Tenant Work Data / Service Data: personal data and other data submitted to or generated within the Service in connection with work orders, proof-of-service, service reports, GPS route history (during active ONLINE work and any enabled assigned route assist), materials, activities, and related operations.

3) Roles and scope

3.1 Roles

The Customer/Tenant is the Controller of Tenant Work Data.
The Provider is the Processor of Tenant Work Data, acting on the Customer’s documented instructions.

3.2 Scope

This DPA applies to the Provider’s processing of Tenant Work Data in connection with the Service.

The Provider may also act as a Controller for limited platform-level data (e.g., SaaS360 account provisioning, license administration, billing administration, support ticketing, security logs, and support communications). Such processing is governed by the Provider’s Privacy Policy.

Note (billing/payment): Payment processing for subscriptions managed through SaaS360 is handled by a payment processor (Kushki) and generally involves platform-level billing data. This processing is typically governed by the Provider’s Privacy Policy and the subscription/billing terms, and is not part of the core Tenant Work Data processing described in this DPA.

4) Processing details (Article-like requirements)

The processing details are described in Annex 1 (Processing Details) and may be updated by the Customer’s configuration of the Service (e.g., enabling features).

5) Processor obligations

The Provider will:

Process on instructions only
Process Tenant Work Data only on documented instructions from the Customer, including as configured in the Service, unless required by law.
Confidentiality
Ensure that persons authorized to process Tenant Work Data are bound by confidentiality obligations.
Security measures
Implement appropriate technical and organizational measures to protect Tenant Work Data, as described in Annex 2 (Security Measures).
Assist the Customer
Provide reasonable assistance to the Customer to respond to:
- data subject rights requests, and
- regulator inquiries,
  to the extent the Provider is legally permitted and the information is available to the Provider.
Subprocessors
Engage subprocessors only as described in Section 6 and Annex 3.
Personal data incidents / breaches
Notify the Customer without undue delay after becoming aware of a personal data breach affecting Tenant Work Data, and provide reasonable information to support the Customer’s response.
Deletion / return
Upon termination of the Service, delete or return Tenant Work Data as described in Section 9.

6) Subprocessors

6.1 Authorized subprocessors

The Customer authorizes the Provider to use the subprocessors listed in Annex 3 (Subprocessor List).

6.2 Changes to subprocessors

The Provider will maintain an up-to-date list of subprocessors and will provide notice of material changes (e.g., adding a new subprocessor that processes Tenant Work Data) through a reasonable method (e.g., admin notice or email).
If the Customer has a reasonable objection based on data protection grounds, the parties will discuss a solution in good faith (which may include configuration changes or termination in accordance with the main agreement).

7) International transfers / cross-border processing

The Service is hosted in the United States (AWS us-east-1). For Ecuador-based Customers, this implies international processing/transfer.
The parties will implement appropriate safeguards as required under Applicable Data Protection Law (e.g., contractual measures with providers and security measures).

Backups: No backups are stored outside us-east-1 (as of the effective date).

8) Data subject rights requests

The Customer is responsible for receiving and responding to data subject requests.
The Provider will provide reasonable assistance by:
- enabling access/export where available,
- locating relevant records within the Service, and
- executing deletion/anonymization requests when instructed and technically feasible.

9) Deletion or return of Tenant Work Data

9.1 During the term

The Customer may delete Tenant Work Data through Service functionality (subject to role permissions and retention settings).

9.2 At termination

Upon termination/expiration of the Service, the Provider will, within a commercially reasonable period:

make Tenant Work Data available for export (if supported), and
delete Tenant Work Data from production systems, subject to:
- legal retention requirements, and
- backup/archival deletion cycles.

10) Audit and compliance

Upon reasonable prior notice, the Customer may request information necessary to demonstrate the Provider’s compliance with this DPA.
Where on-site audits are required, they must:

be limited in scope to Tenant Work Data processing,
occur during business hours, and
not compromise security or confidentiality of other tenants.

11) Liability

Liability is governed by the main agreement, unless Applicable Data Protection Law requires otherwise.

12) Signatures

Customer / Tenant:
Name: [insert customer legal name]
Title: [insert customer signatory title]
Signature: [insert signature]
Date: [dd / mm / yyyy]

Provider (AirTek Technologies):
Name: [insert provider legal representative]
Title: [insert title]
Signature: [insert signature]
Date: [dd / mm / yyyy]

Annex 1 — Processing Details

A1. Subject matter

Field service management operations and proof-of-service records.

A2. Duration

For the term of the main agreement, plus any retention period configured by the Customer and legally required retention.

A3. Nature and purpose of processing

Dispatching and managing work orders
Recording service activities, materials used, checklists, notes, and timestamps
Capturing photos and customer signatures (proof-of-service)
Capturing GPS location while the technician is ONLINE and, where configured, during assigned route assist for eligible assigned jobs to create route history and arrival-assist events
Sending operational alerts and job notifications (push notifications) and monitoring delivery/interaction events
Collecting usage analytics/telemetry for service reliability, performance, and product improvement
Generating service reports for customers and internal operations
Supporting billing/claims and audit trails

A4. Categories of data subjects

Technicians / employees / contractors of the Customer
Customer contacts / site contacts
End-customers signing proof-of-service
Other individuals whose data is entered into work orders (as configured by the Customer)

A5. Categories of personal data (examples)

Identity/contact: names, phone numbers, emails (if entered)
Location: service address; GPS route history during active ONLINE work and any enabled assigned route assist
Proof and evidence: photos, signature image, notes
Operational: materials used, activities performed, timestamps, job status
Technical: device identifiers (limited), authentication logs, security logs
Notifications: push notification tokens and notification delivery/interaction events (sent/delivered/opened)
Usage analytics: product usage/telemetry events (e.g., screen views, feature usage, performance metrics), including web telemetry via CloudWatch RUM where enabled

Annex 2 — Technical and Organizational Measures (summary)

The Provider maintains a security program appropriate to the Service, which may include:

Access control (role-based access, least privilege)
Authentication controls and logging
Encryption in transit (TLS) and encryption at rest where supported
Separation of tenant data via logical controls
Monitoring, vulnerability management, and incident response procedures
Backup controls limited to us-east-1 (N. Virginia, United States) (as of the effective date)

Annex 3 — Subprocessor List (as of the effective date)

Amazon Web Services, Inc. (AWS) — infrastructure hosting (compute, storage, database), including AWS SES (email delivery), Amazon Location Service (maps), Amazon Pinpoint (push messaging), Amazon CloudWatch RUM (web performance/usage telemetry), and related AWS monitoring/telemetry services. Primary region: us-east-1 (N. Virginia, United States).
Apple Inc. and/or Google LLC — platform push notification delivery services (Apple Push Notification service (APNs) for iOS and Firebase Cloud Messaging (FCM) for Android), depending on device OS.

If additional subprocessors are added, the Provider will update the list and provide notice as described in Section 6.2.