This Data Processing Addendum ("
Addendum" or "
DPA") forms part of the agreement between AirDealer and the Customer governing access to and use of the AirDealer Platform (the "
Principal Agreement").
This Addendum applies to the extent AirDealer processes Personal Data on behalf of the Customer as a Processor in the course of providing the Platform.
1. Definitions1.1 Capitalised terms not defined in this Addendum have the meaning given in the Principal Agreement or the Privacy Policy.
1.2 For the purposes of this Addendum:
- "Controller" means the entity which determines the purposes and means of the processing of Personal Data.
- "Processor" means the entity which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and any national implementing laws, in each case as amended from time to time.
- "Customer" means the entity that has entered into the Principal Agreement with AirDealer and acts as Controller for the purposes described in this Addendum.
- "Sub-processor" means any Processor engaged by AirDealer to process Personal Data on behalf of the Customer.
- "Incident" means a Personal Data Breach as defined under Data Protection Laws.
2. Roles of the Parties2.1 For the processing activities described in this Addendum, the Customer acts as
Controller and AirDealer acts as
Processor.
2.2 The Customer is responsible for:
- determining the purposes and means of the processing of Personal Data within the Platform;
- ensuring that it has a valid legal basis for all Personal Data that it submits or makes available to AirDealer for processing;
- providing appropriate privacy information to data subjects in relation to such processing.
2.3 AirDealer shall process Personal Data only on behalf of the Customer and only in accordance with the Customer's documented instructions, as set out in this Addendum, the Principal Agreement, and the Customer's configuration and use of the Platform.
3. Subject Matter, Duration, Nature and Purpose of Processing3.1 Subject matterAirDealer processes Personal Data submitted to or generated within the Platform by or on behalf of the Customer in connection with asset listings, user accounts, transactions, and related activities.
3.2 DurationProcessing shall continue for the term of the Principal Agreement and this Addendum, and thereafter as required for the purposes of returning or deleting Personal Data in accordance with Section 11.
3.3 Nature and purposeProcessing includes storage, organisation, retrieval, display, transmission, and other operations necessary to:
- provide and operate the Platform and related services;
- enable the Customer and its Users to create and manage listings, requests, and transactions;
- ensure security, integrity, and availability of the Platform;
- provide support, maintenance, and improvements as described in the Principal Agreement and Privacy Policy.
3.4 Types of Personal DataTypically include:
- identification and contact data of Users and contacts (e.g., name, business email, phone number, job title, organisation);
- role and permissions data;
- communication logs and activity data related to listings, requests, and transactions;
- any other Personal Data that the Customer chooses to include in listings or records (e.g., contact persons, signatories, representatives).
3.5 Categories of data subjectsTypically include:
- employees, contractors, and representatives of the Customer;
- employees, contractors, and representatives of counterparties or other third parties whose details the Customer records in the Platform.
3.6 AirDealer shall process Personal Data only to the extent necessary for the purposes described in this Addendum and shall not process Personal Data in a manner incompatible with those purposes.
Further details of the processing are provided in
Annex I.
4. Processing on Documented Instructions4.1 AirDealer shall process Personal Data only on the documented instructions of the Customer, unless required to do so by applicable law. In such a case, AirDealer shall inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
4.2 Customer's instructions are primarily given through:
- this Addendum and the Principal Agreement;
- configuration and use of the Platform's features and settings;
- written instructions reasonably agreed between the parties from time to time.
4.3 If AirDealer considers that an instruction infringes Data Protection Laws, it will inform the Customer without undue delay. AirDealer shall not be obliged to follow such instruction until it has been confirmed or modified by the Customer.
4.4 For the purposes of Article 28(3)(a) GDPR, the parties agree that this Addendum, the Principal Agreement, and the Customer's configuration and use of the Platform collectively constitute the Customer's complete and documented instructions to AirDealer.
4.5 AirDealer shall not:
(a) sell Personal Data;
(b) retain, use, or disclose Personal Data for any purpose other than as necessary to perform the services under the Principal Agreement; or
(c) process Personal Data for its own independent purposes, except as required by applicable law.
5. Confidentiality5.1 AirDealer shall ensure that persons authorised to process Personal Data on its behalf:
- are bound by appropriate obligations of confidentiality; and
- process Personal Data only in accordance with this Addendum and the Customer's instructions.
6. Security Measures6.1 Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risks to data subjects, AirDealer shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in the Privacy Policy,
Annex II to this Addendum, and security documentation made available to Customer.
6.2 Such measures include, where appropriate:
- encryption of data in transit and at rest,
- role-based access controls and least-privilege principles,
- secure infrastructure, monitoring, and logging,
- access restrictions to production systems and environments,
- incident response and breach notification procedures.
6.3 Customer is responsible for:
- configuring the Platform's access controls, roles, and permissions in line with its own security and compliance requirements;
- managing its own Users and ensuring secure use of credentials and devices.
7. Sub-processors7.1 Customer provides a
general authorisation for AirDealer to engage Sub-processors for the processing of Personal Data on behalf of the Customer.
7.2 AirDealer shall:
- ensure that Sub-processors are bound by data protection obligations no less protective than those set out in this Addendum;
- remain responsible for the performance of its Sub-processors' obligations;
- maintain a list of current Sub-processors involved in Personal Data processing (which may include infrastructure providers and tools, as described in the Privacy Policy and in the Sub-processor List).
7.3 AirDealer shall notify the Customer of any intended addition or replacement of Sub-processors that materially affect the processing of Personal Data, allowing the Customer to raise reasonable objections on data protection grounds within a reasonable period. In such case, the parties shall discuss in good faith appropriate solutions; if none can be found, Customer may have a right to terminate the affected services as set out in the Principal Agreement.
7.4 Sub-processors may include providers of artificial intelligence and machine learning services used to support Platform functionality. Such providers may process limited Personal Data strictly as necessary to deliver the relevant features, subject to appropriate contractual, technical, and organisational safeguards.
7.5 AirDealer shall ensure that any Sub-processor processes Personal Data only on documented instructions that are consistent with those set out in this Addendum.
8. Assistance to the Customer8.1 Taking into account the nature of processing and the information available to AirDealer, AirDealer shall assist the Customer, as reasonably requested, in:
- implementing appropriate security measures;
- fulfilling the Customer's obligations to respond to data subject requests;
- notifying supervisory authorities and data subjects in case of a Personal Data Breach;
- conducting data protection impact assessments (DPIAs) and prior consultations where required.
8.2 AirDealer may charge reasonable fees for such assistance where the effort required is significant and goes beyond basic support.
8.3 All assistance under this Section shall be subject to technical feasibility and proportionality, taking into account the nature of the processing and the information available to AirDealer.
9. Data Subject Requests9.1 If AirDealer receives a request from a data subject seeking to exercise rights under Data Protection Laws in relation to Personal Data for which the Customer is Controller, AirDealer shall:
- where reasonably identifiable, direct the data subject to submit the request to the Customer; or
- promptly notify the Customer of the request and, where appropriate, provide reasonable assistance to the Customer in fulfilling it.
9.2 The Customer is responsible for responding to such requests and for verifying the identity and authority of the requester.
10. Personal Data Breach Notification10.1 In the event of a Personal Data Breach affecting Personal Data processed on behalf of the Customer, AirDealer shall notify the Customer
without undue delay after becoming aware of the breach, in line with its Incident Response Policy.
10.2 Such notification shall include, to the extent reasonably available:
- a description of the nature of the breach;
- the categories and approximate number of data subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to be taken to address the breach and mitigate possible adverse effects.
10.3 Customer is responsible for determining whether to notify any supervisory authority, affected data subjects, or other third parties, and for making such notifications, unless otherwise agreed or required by law.
10.4 AirDealer shall use reasonable efforts to notify the Customer of a Personal Data Breach within seventy-two (72) hours after becoming aware of the breach, where feasible.
11. Return and Deletion of Personal Data11.1 Upon expiry or termination of the Principal Agreement, or upon written request from the Customer, AirDealer shall:
- provide the Customer with the ability to export Personal Data from the Platform, where technically feasible; and
- delete or anonymise Personal Data from its active systems, unless retention is required by applicable law or is technically necessary for limited backup purposes.
11.2 Personal Data stored in backups will be securely isolated and protected from any further processing and will be deleted in accordance with AirDealer's standard backup retention schedules.
11.3 Where technically feasible, Personal Data shall be made available in a structured, commonly used, and machine-readable format.
11.4 Personal Data retained in backups shall not be actively processed and shall only be accessed where strictly necessary for disaster recovery or legal compliance.
12. Audits and Inspections12.1 AirDealer shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this Addendum and, where applicable, allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.
12.2 Any such audit shall:
- be subject to reasonable advance notice;
- be conducted during normal business hours;
- respect the confidentiality and security of AirDealer's systems and data, including data of other customers;
- not unreasonably interfere with AirDealer's business operations.
12.3 AirDealer may require the Customer or auditor to sign a separate non-disclosure agreement and may charge reasonable fees for audits that exceed basic information requests (e.g., on-site inspections).
12.4 AirDealer may satisfy its audit obligations under this Section by providing up-to-date security documentation, certifications, or third-party audit reports (where available), in lieu of permitting on-site audits, unless on-site audits are expressly required by applicable law or by a competent supervisory authority.
13. International Data Transfers13.1 AirDealer may process Personal Data in, and transfer Personal Data to, countries outside the EEA and UK, including through its Sub-processors, subject to appropriate safeguards as described in the Privacy Policy.
13.2 Where required by Data Protection Laws, the parties agree that:
- appropriate Standard Contractual Clauses or other valid transfer mechanisms will be implemented between AirDealer (and/or its relevant affiliates) and Sub-processors located outside the EEA/UK; and
- additional technical and organisational measures will be applied as necessary to ensure an essentially equivalent level of protection.
13.3 Where AirDealer receives a legally binding request from a public authority for access to Personal Data, AirDealer shall, where legally permitted, notify the Customer without undue delay and take reasonable steps to challenge such request if it believes it to be unlawful or disproportionate.
14. Liability14.1 The liability of each party under this Addendum shall be subject to the limitations and exclusions of liability set out in the Principal Agreement, except to the extent prohibited by applicable law.
14.2 Nothing in this Addendum shall limit the parties' obligations under Data Protection Laws.
15. Miscellaneous15.1 In the event of a conflict between this Addendum and the Principal Agreement in relation to the processing of Personal Data, the terms of this Addendum shall prevail to the extent of such conflict.
15.2 If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall remain in full force and effect and shall be interpreted so as to best achieve the parties' intent.
15.3 This Addendum shall be governed by and construed in accordance with the governing law specified in the Principal Agreement, unless Data Protection Laws require otherwise.
Annex I – Description of Processing1. List of PartiesData Controller - Customer
Data Processor - AirDealer
2. Subject Matter and Duration of the ProcessingSubject matterProcessing of Personal Data submitted to or generated within the AirDealer Platform in the context of:
- creation, management, and monitoring of listings for aircraft, helicopters, engines, APU, landing gear, propellers, MGB/TGB, and other aviation components;
- management of user accounts, organisational structures, and permissions;
- communication and coordination between institutional market participants regarding potential transactions.
DurationFor the term of the Principal Agreement and this Addendum, and thereafter as necessary for:
- export/return or deletion of Personal Data;
- limited retention in backups and logs in accordance with AirDealer's retention policies and legal obligations.
3. Nature and Purpose of the ProcessingNature of processingAirDealer will perform the following types of processing operations on behalf of the Customer, as necessary to provide the Platform:
- collection and receipt of Personal Data via user input, imports, or integrations;
- storage and organisation in data structures (e.g. tables, views, portfolios);
- retrieval, display, and sharing within the access model defined by the Customer;
- transmission between the Platform components;
- logging and monitoring of access and activity;
- backup, recovery, and deletion/anonymisation.
Purposes of processing- Provision and operation of the AirDealer Platform as a B2B aviation marketplace and data environment.
- Enabling the Customer and its Users to manage listings, requests, portfolios, and transaction-related data.
- Managing access control, roles, and permissions at user and organisation level.
- Enhancing security, monitoring for misuse, and supporting incident detection and response.
- Providing customer support, troubleshooting, and service quality improvements.
- Fulfilling legal and regulatory obligations that apply to AirDealer (e.g. record-keeping, compliance, security).
AirDealer will not process Personal Data for any independent purposes of its own, nor sell Personal Data.
4. Types of Personal DataDepending on the Customer's use of the Platform, the following categories of Personal Data may be processed:
- User and account data
- First name, last name
- Business email address
- Business phone number (if provided)
- Job title, role, department
- Organisation name and type (e.g. operator, owner, asset manager, financial institution, intermediary)
- Authentication and authorisation data (e.g. username, role/permissions, organisation membership)
- Contact and counterparty data (entered by Customer)
- Names and business contact details of representatives of owners, operators, asset managers, financial institutions and other counterparties
- Role/relationship to the relevant asset or transaction (e.g. signatory, contact person, principal, representative)
- Usage and activity data
- Login timestamps and session identifiers
- IP addresses and device/browser metadata (as part of security logs)
- Actions taken on the Platform (e.g. creation, update, and viewing of listings and requests)
- Support communications and interactions with the Platform (e.g. tickets, messages)
- Listing-related personal references
- Where the Customer chooses to include names or contact details of specific individuals in asset listings, deal documentation references, or notes (e.g. "contact for this asset", "responsible manager").
- AI interaction data (where AI features are enabled)
- Query text submitted by Users to AI-powered features
- Contextual snippets or data points needed to generate responses (within the scope of the Customer's access controls)
The Platform is not intended to process special categories of Personal Data (e.g. health, biometric, or criminal data), and Customer should avoid uploading such data.
5. Categories of Data SubjectsDepending on how the Customer uses the Platform, data subjects typically include:
- Customer's own personnel
- Employees, contractors, and other authorised Users of the Customer's organisation who access the Platform.
- Representatives of third parties
- Employees and representatives of asset owners, operators, asset managers, financial institutions, intermediaries, and other institutional participants whose details are entered into the Platform by the Customer.
- Other institutional contacts
- Individuals whose business contact details appear in transaction-related records or listings (e.g. signatories, contact persons).
The Platform is intended for B2B use only and not designed for processing data of private consumers acting in a purely personal capacity.
6. Transfers to Third CountriesWhere relevant, Personal Data may be processed by or transferred to:
- Sub-processors located outside the EEA/UK, subject to appropriate safeguards (e.g. Standard Contractual Clauses and additional measures).
Details of such Sub-processors and their locations are maintained in the Sub-processor List.
Annex II – Technical and Organisational Security MeasuresAirDealer implements a set of technical and organisational measures designed to protect Personal Data processed on behalf of Customers. These measures include, as applicable:
1. Information Security Policies and Governance- Documented security policies approved by management and reviewed periodically.
- Defined roles and responsibilities for security, privacy, and incident response.
2. Access Control and Authentication- Role-based access controls (RBAC) for Platform users and internal staff.
- Principle of least privilege applied to data and system access.
- Strong authentication mechanisms; MFA for administrative and privileged accounts where available.
- Regular review of access rights.
3. Data Security- Encryption of data in transit using industry-standard protocols (e.g. TLS).
- Encryption of data at rest where appropriate (e.g. in underlying cloud infrastructure and services).
- Logical segregation of Customer data and controls to prevent cross-tenant data access.
4. Network and Infrastructure Security- Use of reputable cloud and SaaS providers with robust security practices.
- Network segmentation, firewalls, and security groups (as applicable).
- Hardening of configurations and principle of least privilege for cloud resources.
5. Logging and Monitoring- Logging of access and key security-relevant events.
- Monitoring for unusual or suspicious activity.
- Alerting on critical events and integration with incident response procedures.
6. Development and Change Management- Version control and change management processes for application code and configurations.
- Testing and review of changes before deployment to production.
- Secure development practices and reduction of security vulnerabilities.
7. Backup and Disaster Recovery- Regular backups of critical data and configurations.
- Secure storage of backups and restricted access.
- Disaster recovery processes and periodic validation of restore capabilities.
8. Incident Response- Documented Incident Response Policy and playbooks.
- Defined escalation paths and responsibilities.
- Procedures for investigation, containment, remediation, and communication of Personal Data Breaches.
9. Physical Security (via providers)- Use of data centres and SaaS infrastructure with appropriate physical security controls (access badges, surveillance, safeguards), as provided by underlying vendors.
10. Vendor and Sub-processor Management- Due diligence on key Sub-processors.
- Contractual data protection and security obligations for Sub-processors.
- Ongoing monitoring of provider status and security posture (e.g. status pages, security reports).
11. Training and Awareness- Security and privacy awareness for relevant personnel.
- Guidance on recognising and reporting security incidents, phishing, and social engineering.
These measures may evolve over time to reflect changes in technology, risk, and industry best practices, provided that the overall level of protection is not materially reduced.
End of Document