AURORA

Data Processing Addendum

Last updated: June 30, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service and applies where Aurora processes personal data on behalf of an Operator (the “Controller”) in providing the Service. To the extent of any conflict on data-protection matters, this DPA controls.

1. Roles

For personal data an Operator submits or manages about its clients, attendees, and donors, the Operator is the Controller and Aurora is the Processor. For Aurora's own account and platform data, Aurora is the Controller (see the Privacy Policy).

2. Processing scope & instructions

Aurora processes personal data only to provide the Service and per the Controller's documented instructions (including configuration within the product) and applicable law. Subject matter: provision of the drone-show operations platform. Data subjects: the Operator's clients, their representatives, broadcast attendees, and donors. Data types: contact details, contract/signature audit data, payment metadata, uploaded content, and minimal attendee/donor data.

3. Confidentiality & security

Aurora ensures personnel authorized to process personal data are bound by confidentiality and implements the technical and organizational measures described in the Privacy Policy's Security section, appropriate to the risk.

4. Sub-processors

The Controller authorizes Aurora to engage the sub-processors listed in the Privacy Policy (including AWS, Stripe, SendGrid, Twilio, Mapbox, and AI providers for opted-in features). Aurora imposes data-protection obligations on sub-processors and remains responsible for their performance. Aurora will provide notice of new sub-processors and a chance to object on reasonable grounds.

5. Data-subject requests & assistance

Taking into account the nature of processing, Aurora provides tools and reasonable assistance to help the Controller respond to data-subject requests and to meet its security, breach-notification, and impact-assessment obligations. Aurora notifies the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data.

6. International transfers

Where Aurora transfers Controller personal data internationally, it uses an appropriate transfer mechanism such as the Standard Contractual Clauses, which are incorporated by reference where applicable.

7. Return & deletion

On termination, Aurora will, at the Controller's choice and subject to legal retention, make Controller personal data available for export and then delete it within the retention window described in the Privacy Policy.

8. Audits

Aurora will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, subject to confidentiality and reasonable scheduling.

Questions about this DPA can be sent to privacy@aurorashows.com.