Data Processing Agreement | Airis

Last Updated: May 13, 2026

Status: This DPA is intended for Airis pilots and early SaaS customers. It should be reviewed by a solicitor before larger customers, enterprise procurement, regulated-sector customers, or bespoke terms.

1. Parties and scope

This Data Processing Agreement ("DPA") applies where Green Sheep Family Factory Limited trading as Airis ("Airis") processes personal data on behalf of a business customer in connection with the Airis AI receptionist and dispatcher service. The customer is the controller and Airis is the processor for caller/job data unless the parties agree otherwise in writing.

2. Order of documents

This DPA forms part of the Airis Terms of Service. If there is a conflict, this DPA controls for processor obligations relating to caller/job personal data. A signed customer agreement or signed DPA can override this online DPA.

3. Subject matter and duration

The subject matter is Airis providing AI call intake, structured job capture, summary generation, dashboard display, notification and operational support services. Processing lasts for the term of the customer's Airis account and any post-termination retention period needed for deletion, export, legal, security or backup purposes.

4. Nature and purpose of processing

Airis may collect, receive, transmit, structure, store, retrieve, transcribe, summarise, display, delete and otherwise process personal data as needed to provide and support the service. Airis does not intentionally store raw call audio in its application database based on the current repo, but live audio is processed by telephony and AI providers and provider-side retention must be confirmed.

5. Categories of personal data

6. Categories of data subjects

Data subjects may include callers, prospective customers of the trades business, business owners/operators, authorised users and support contacts.

7. Controller obligations

The customer will ensure it has a lawful basis for the processing, gives appropriate notices to callers, uses Airis only for lawful business purposes, provides documented instructions, handles controller-side data subject requests, and does not submit data that Airis is not designed to process unless agreed in writing.

8. Processor obligations

Airis will process personal data only on documented instructions from the customer, including instructions in the Terms, this DPA, product configuration and support requests. Airis will tell the customer if, in Airis's reasonable view, an instruction infringes GDPR or other EU/Irish data protection law.

9. Confidentiality

Airis will ensure people authorised to process customer personal data are bound by confidentiality obligations or an appropriate statutory duty of confidentiality.

10. Security measures

Airis will apply appropriate technical and organisational measures for an early SaaS product, including managed hosting, HTTPS, access controls, secret management, secure session cookies, least-privilege operational access where practical, logging controls, backups/provider durability where available, and incident response procedures. More detail is available in internal security documentation and can be summarised for customers on request.

11. Subprocessors

The customer gives Airis general authorisation to use subprocessors listed at /subprocessors. Airis will remain responsible for subprocessors' processor obligations and will use reasonable efforts to keep the list current. If Airis adds or replaces a material subprocessor for caller/job data, Airis will update the page or otherwise notify affected customers. Customers may object on reasonable data protection grounds by contacting login@airis.ie.

12. International transfers

Airis may use providers that process data outside the EEA. Airis will use reasonable efforts to rely on appropriate safeguards such as EU Standard Contractual Clauses, UK/EU addenda where relevant, Data Privacy Framework participation, provider transfer impact measures or another lawful transfer mechanism.

13. Assistance with data subject requests

Airis will provide reasonable assistance to the customer for access, rectification, erasure, restriction, portability and objection requests relating to caller/job data processed by Airis. Requests should be sent to login@airis.ie with enough detail to identify the relevant caller/job record.

14. Personal data breaches

Airis will notify the customer without undue delay after becoming aware of a personal data breach affecting customer caller/job data and will provide reasonable information and assistance for the customer's breach assessment and any required notification.

15. Deletion or return

At the end of service, Airis will delete or return customer personal data on reasonable request unless retention is required by law, security, dispute resolution, backup lifecycle or legitimate operational needs. Pilot customers can request export or deletion at login@airis.ie.

16. Audits and information

Airis will provide reasonable information needed to demonstrate compliance with this DPA. On-site audits are not practical for early pilots, but Airis may provide written security/compliance summaries, subprocessor information and answers to reasonable questionnaires. Any audit support must protect other customers, trade secrets, systems security and confidential information.

17. Records and compliance

Airis will keep appropriate records of processing for its processor activities and will cooperate reasonably with the customer where needed for GDPR compliance.