OFFICIAL DOCUMENTS

Legal & Compliance

Data Processing Addendum (DPA)

Effective Date: June 2, 2026 | Last Updated: June 2, 2026

1. Introduction and Parties

This Data Processing Addendum ("DPA") forms part of the Terms of Service or other agreement between ON AIR FLOW LLC ("Processor") and the customer ("Controller" or "you") for the provision of the instrumental music streaming and licensing services (the "Service").

This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the Service, and is intended to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meaning given to them in the GDPR or the applicable agreement.

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation or set of operations performed on Personal Data.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
  • "Processor" means ON AIR FLOW LLC, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

3. Scope and Duration

This DPA applies to all Personal Data processed by the Processor in connection with the Controller's use of the Service. This DPA shall remain in effect for the duration of the Controller's subscription to the Service and for any additional period required by applicable law or until all Personal Data has been returned or securely deleted.

4. Nature and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Service to the Controller, including but not limited to:

  • Creating and managing Controller accounts and subscriptions
  • Processing payments and billing information
  • Providing customer support and technical assistance
  • Sending service-related communications and updates
  • Improving and securing the Service
  • Complying with legal and regulatory obligations

5. Categories of Data Subjects and Personal Data

5.1 Data Subjects

The categories of Data Subjects whose Personal Data may be processed include:

  • Employees, contractors, and authorized users of the Controller
  • Individuals whose information is provided by the Controller in connection with the Service

5.2 Categories of Personal Data

The types of Personal Data processed may include:

  • Identification and contact data (name, email address, job title, company name)
  • Account credentials and authentication data
  • Billing and payment information (processed via third-party payment processors)
  • Usage data and analytics related to the Service
  • Technical data (IP address, device information, browser type)

6. Obligations of the Processor

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller, unless otherwise required by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Not engage any Sub-processor without prior written authorization from the Controller (general authorization is granted for the Sub-processors listed in Section 7).
  • Assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR.
  • Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR.
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.

7. Sub-processors

The Controller provides general written authorization for the Processor to engage the following Sub-processors for the purposes indicated:

Sub-processorServiceLocation
Stripe, Inc.Payment processingUnited States
Amazon Web Services (AWS)Cloud infrastructure & storageUnited States / EU
Google LLC (Google Workspace)Email, productivity & analyticsUnited States
Anytime Mailbox / PostNetVirtual mailbox & mail handlingUnited States

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors. The Controller may object to such changes within 10 business days.

8. Security Measures

The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Employee training on data protection and security
  • Incident response and breach notification procedures

9. Personal Data Breach Notification

In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The notification shall include:

  • A description of the nature of the Personal Data Breach
  • The categories and approximate number of Data Subjects concerned
  • The likely consequences of the Personal Data Breach
  • The measures taken or proposed to address the Personal Data Breach

10. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, objection, and automated decision-making).

11. International Data Transfers

The Processor is located in the United States. Where Personal Data is transferred from the European Economic Area (EEA) or the United Kingdom to the United States, the Processor relies on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms.

12. Audits and Inspections

The Controller has the right, upon reasonable notice, to conduct audits or request information from the Processor to verify compliance with this DPA. The Processor shall cooperate fully and provide access to relevant documentation and personnel.

13. Liability and Indemnification

Each party shall be liable for any damages arising from its own breach of this DPA. The Processor shall indemnify the Controller against claims, losses, and damages arising from the Processor's failure to comply with its obligations under this DPA, subject to the limitations set forth in the main agreement.

14. Termination

Upon termination or expiration of the Controller's subscription, the Processor shall, at the Controller's choice, return or securely delete all Personal Data processed on behalf of the Controller, and certify such deletion in writing, unless retention is required by applicable law.

15. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the State of New Mexico, United States of America, without regard to its conflict of law principles. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the state and federal courts located in the State of New Mexico, without prejudice to the rights of Data Subjects under the GDPR.

16. Contact Information

For any questions or requests regarding this Data Processing Addendum, please contact:

ON AIR FLOW LLC
2105 Vista Oeste NW, Suite E #2134
Albuquerque, NM 87120
United States

Privacy Inquiries: privacy@onairflow.store

Legal Inquiries: legal@onairflow.store

This Data Processing Addendum is effective as of the date first written above and forms an integral part of the agreement between the parties.

Company Address

ON AIR FLOW LLC
2105 Vista Oeste NW, Suite E #2134
Albuquerque, NM 87120
United States

Privacy Inquiries

Legal Inquiries

Last updated June 2, 2026 • On Air Flow LLC • Albuquerque, NM, United States