Data Processing Addendum

This Data Processing Addendum (DPA) supplements the Terms of Service and describes the processor relationship between you (the Controller) and Aether Finance Systems (the Processor) for personal data processed through the hosted service.

We process personal data only on documented instructions from the Controller, for the purposes set out in the Agreement, and in accordance with applicable data protection law, including GDPR Article 28 where EU personal data is involved and the Personal Data Protection Bill for Pakistani personal data.

Technical and organisational security measures include: encryption in transit (TLS 1.3) and at rest (AES-256), role-based and attribute-based access controls, annual third-party penetration testing, SOC 2 Type II readiness (audit scheduled H2 2026), and a 24/7 security incident response process.

Subprocessors are listed and maintained publicly. We provide 30 days' notice of any material change to the subprocessor list; the Controller may object in writing, in which case the parties will negotiate a reasonable alternative in good faith.

Data subject requests routed to the Processor are forwarded to the Controller without undue delay; the Processor does not respond on the Controller's behalf unless explicitly instructed.

On termination, all personal data is returned or deleted within 30 days unless statutory retention obligations apply; in which case it is segregated and encrypted until the retention period expires, at which point it is permanently destroyed.

This DPA is governed by the laws applicable to the underlying Terms of Service and forms an integral part of them.