CitadelAero

Data Processing Agreement

Version 1.1 · Last updated: 1 June 2026

Parties and background

This Data Processing Agreement ("DPA") is entered into between:

(a) JLEC Limited, a company incorporated in Jersey, Channel Islands (company number 165488), trading as CitadelAero ("Processor"); and
(b) The operator customer identified in the Order Form or trial account ("Controller").

The parties have entered into a SaaS Subscription Agreement ("Principal Agreement") under which the Processor provides access to the CitadelAero aviation safety management system platform ("Service"). In the course of providing the Service, the Processor processes personal data on behalf of the Controller. This DPA governs that processing and forms part of the Principal Agreement. In the event of any conflict between this DPA and the Principal Agreement in relation to data protection matters, this DPA shall prevail.

This DPA applies to personal data processed under UK GDPR, EU GDPR, and the Data Protection (Jersey) Law 2018 ("Jersey DP Law"), as applicable to the parties' respective circumstances. References to "applicable data protection law" mean whichever of these frameworks applies in the relevant context.

1. Definitions

In this DPA, in addition to the definitions set out in the Principal Agreement:

"Applicable Data Protection Law" means, as applicable: (a) EU GDPR; (b) UK GDPR (as defined in section 3(10) of the Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019); (c) the Data Protection (Jersey) Law 2018; and any subordinate legislation or binding guidance issued under any of the foregoing.

"Controller" has the meaning given in applicable data protection law, and in this DPA refers to the operator customer.

"Data Subject" has the meaning given in applicable data protection law.

"EEA" means the European Economic Area.

"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

"EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

"IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.

"Occurrence Report Data" has the meaning given in the Principal Agreement.

"Personal Data Breach" has the meaning given in applicable data protection law.

"Processing" and "process" have the meanings given in applicable data protection law.

"Processor" has the meaning given in applicable data protection law, and in this DPA refers to JLEC Limited.

"Restricted Transfer" means a transfer of personal data to a country outside the UK or EEA that is not subject to an adequacy decision under applicable data protection law.

"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

"Supervisory Authority" means any competent data protection authority under applicable data protection law, including the Jersey Office of the Information Commissioner ("JOIC"), the UK Information Commissioner's Office ("ICO"), and any relevant EU member state supervisory authority.

"Technical and Organisational Measures" or "TOMs" means the security measures described in Schedule C of this DPA.

"UK GDPR" has the meaning given in the definition of Applicable Data Protection Law above.

2. Scope and details of processing

2.1 The Processor shall process personal data on behalf of the Controller solely in connection with providing the Service under the Principal Agreement and strictly in accordance with the Controller's documented instructions as set out in this DPA and the Principal Agreement.

2.2 The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are set out in Schedule A to this DPA.

2.3 The Controller instructs the Processor to process personal data for the following purposes:

(a) providing the Service and its features and modules to the Controller and its Authorised Users;
(b) maintaining, supporting, securing, and improving the Service;
(c) complying with the Processor's legal obligations; and
(d) any other purpose expressly agreed in writing between the parties.

2.4 If the Processor is required by applicable law to process personal data beyond the scope of the Controller's instructions, the Processor shall, to the extent permitted by law, inform the Controller before carrying out such processing.

2.5 The Processor shall promptly inform the Controller if, in its reasonable opinion, an instruction from the Controller infringes applicable data protection law.

3. Processor obligations

3.1 Compliance with instructions

The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by applicable law to which the Processor is subject. The Processor shall not process personal data for its own purposes or for any purpose not expressly authorised by the Controller.

3.2 Confidentiality of processing

The Processor shall ensure that persons authorised to process personal data on its behalf are subject to binding confidentiality obligations (whether under contract or applicable professional rules) in respect of that personal data. The Processor shall ensure that access to personal data is limited to those personnel who require access for the purpose of providing the Service.

3.3 Technical and organisational security measures

The Processor shall implement and maintain the Technical and Organisational Measures set out in Schedule C, which are designed to ensure a level of security appropriate to the risks presented by the processing, taking into account: (a) the state of the art; (b) the costs of implementation; (c) the nature, scope, context, and purposes of processing; and (d) the risks to the rights and freedoms of natural persons.

The Processor may update or modify the TOMs from time to time, provided that any changes do not materially reduce the overall level of protection afforded to personal data.

3.4 Sub-processors

3.4.1 The Controller provides general written authorisation for the Processor to engage the sub-processors listed in Schedule B ("Authorised Sub-processors").

3.4.2 The Processor shall give the Controller not less than thirty (30) days' prior written notice before appointing a new sub-processor or replacing an existing sub-processor ("Sub-processor Change Notice"). The Controller may object to the proposed change within that notice period on reasonable grounds relating to data protection. If the Controller objects and the parties cannot resolve the issue within the notice period, the Controller may terminate the Principal Agreement without penalty on thirty (30) days' written notice, as its sole and exclusive remedy for such objection.

3.4.3 The Processor shall impose data protection obligations on each Sub-processor by way of a written contract that provides equivalent protections for personal data as those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations under such contracts.

3.4.4 A current, complete list of Authorised Sub-processors is set out in Schedule B to this DPA.

3.5 Data subject rights

The Processor shall provide reasonable assistance to the Controller in fulfilling its obligations to respond to data subject rights requests under applicable data protection law, including requests for access, rectification, erasure, restriction, portability, and objection. Taking into account the nature of the processing and the information available to the Processor, the Processor shall:

(a) notify the Controller promptly (and in any event within five (5) business days) if the Processor receives a data subject rights request directly from a data subject in relation to data processed on behalf of the Controller; and
(b) not respond substantively to any such request without the Controller's express prior written authorisation, except where required to do so by applicable law.

3.6 Personal data breach notification

3.6.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach affecting personal data processed on behalf of the Controller, to allow the Controller to comply with its own notification obligations under applicable data protection law.

3.6.2 Such notification shall, to the extent available at the time, include:

(a) the nature of the Personal Data Breach, including the categories and approximate number of data subjects and personal data records affected;
(b) the name and contact details of the Processor's data protection contact;
(c) the likely consequences of the Personal Data Breach; and
(d) the measures taken or proposed to be taken to address the breach and mitigate its effects.

3.6.3 Where information is not available in full at the time of initial notification, the Processor shall provide it in phases as it becomes available, without undue further delay.

3.6.4 The Processor shall cooperate with the Controller and take such steps as the Controller reasonably requires to assist with the investigation, mitigation, and remediation of the Personal Data Breach.

3.7 Data protection impact assessments and prior consultation

Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments ("DPIAs") and, where applicable, prior consultations with supervisory authorities, in relation to processing activities covered by this DPA.

3.8 Deletion and return of personal data

3.8.1 On termination or expiry of the Principal Agreement, the Processor shall:

(a) retain the Controller's personal data for a period of thirty (30) calendar days from the termination date ("Retention Period"), during which the Controller may request an export of its personal data in accordance with the Principal Agreement;
(b) on expiry of the Retention Period, permanently and securely delete all personal data from the Processor's systems and those of its Sub-processors, unless retention is required by applicable law; and
(c) provide the Controller with written confirmation of deletion within fifteen (15) business days of completing such deletion, upon the Controller's written request.

3.8.2 The Processor may retain anonymised, aggregated data that cannot reasonably be used to re-identify the Controller or any data subject, which shall not be subject to the deletion obligations in this clause.

3.8.3 Where the Processor is required by applicable law to retain personal data beyond the Retention Period, it shall notify the Controller of that requirement and restrict processing of the relevant data to only the extent necessary to comply with that obligation.

3.9 Audit and demonstration of compliance

3.9.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with its obligations under this DPA and applicable data protection law, and shall permit and contribute to audits and inspections conducted by the Controller or a mandated third-party auditor, subject to the following conditions:

(a) the Controller shall give the Processor not less than thirty (30) days' prior written notice of any intended audit, specifying the scope, methodology, and anticipated duration;
(b) audits shall be conducted during normal business hours, no more than once per calendar year (unless a Personal Data Breach or regulatory investigation requires additional audit activity), and in a manner that minimises disruption to the Processor's operations;
(c) the Controller shall bear all reasonable costs associated with any audit it conducts; and
(d) the Controller shall ensure that any third-party auditor is bound by appropriate confidentiality obligations before commencing any audit.

3.9.2 Without prejudice to clause 3.9.1, the Processor may satisfy its audit obligations by providing the Controller with relevant security certifications, third-party audit reports (such as SOC 2 Type II reports from sub-processors), or written responses to reasonable due diligence questionnaires.

4. Controller obligations

4.1 The Controller represents and warrants that it has, and shall maintain throughout the term of the Principal Agreement, all necessary legal bases under applicable data protection law to instruct the Processor to process personal data as contemplated by this DPA and the Principal Agreement.

4.2 The Controller is responsible for the accuracy, quality, and lawfulness of all personal data it submits to or generates within the Service, and for obtaining any necessary consents from data subjects in connection with the Controller's use of the Service.

4.3 The Controller shall provide the Processor with clear and documented processing instructions and shall promptly notify the Processor of any changes to those instructions that may affect the Processor's ability to provide the Service.

4.4 The Controller is responsible for implementing appropriate internal access controls to ensure that access to personal data within the Service — including, in particular, Occurrence Report Data — is restricted to those Authorised Users who are entitled to access it under the Controller's own data protection and regulatory policies.

4.5 The Controller shall ensure that its personnel who access or use the Service are aware of the Controller's obligations under applicable data protection law and under this DPA.

4.6 The Controller acknowledges that the Processor is not in a position to assess whether the personal data provided by the Controller is subject to any special legal protections beyond those expressly identified in this DPA, and that it is the Controller's responsibility to identify and communicate any such requirements.

5. Protected occurrence data — EU Regulation 376/2014

Aviation-specific provision. This section applies to Occurrence Report Data and reflects the specific legal obligations arising under EU Regulation 376/2014 and the UK Occurrence Reporting Regulations 2016. These obligations are additional to and operate alongside the parties' general data protection obligations.

5.1 The parties acknowledge the special status of Occurrence Report Data under the Occurrence Reporting Legislation (as defined in the Principal Agreement), which establishes that:

(a) occurrence report information is protected data that may only be used for the maintenance or improvement of aviation safety;
(b) the identity of occurrence reporters must be protected and reporters must not face adverse consequences resulting from information they have reported; and
(c) occurrence report data must not be used in connection with any disciplinary, civil, criminal, or administrative proceedings against reporters, except in cases of gross negligence or wilful misconduct as defined under applicable law.

5.2 As between the parties in relation to Occurrence Report Data:

(a) the Controller is the data controller and is solely responsible for ensuring that its collection, use, retention, and disclosure of Occurrence Report Data complies with the Occurrence Reporting Legislation and the Controller's obligations as a reporting entity under applicable aviation regulation;
(b) the Processor acts solely as data processor and shall process Occurrence Report Data only in accordance with the Controller's instructions and solely for the purpose of providing, operating, maintaining, and technically supporting the Service; and
(c) the Processor shall not access, review, analyse, disclose, transfer, or use Occurrence Report Data for any purpose beyond the provision of the Service, including — without limitation — product development, feature improvement, benchmarking, analytics, or the training or fine-tuning of any artificial intelligence, machine learning, or large language model, without the Controller's express prior written consent in each case.

5.3 The Processor shall ensure that any personnel or Sub-processors who may have incidental technical access to Occurrence Report Data (for example, in the course of maintenance or incident response):

(a) are subject to binding confidentiality obligations in respect of that data; and
(b) are made aware, prior to any such access, of the protected status of occurrence report information and the restrictions on its use under the Occurrence Reporting Legislation.

5.4 Disclosure of Occurrence Report Data to any third party — including any competent aviation authority, regulator, or law enforcement body — is prohibited except:

(a) as expressly instructed in writing by the Controller; or
(b) where required by a binding legal obligation or court order, in which case the Processor shall, to the fullest extent permitted by law, give the Controller prompt prior written notice of such requirement before making any disclosure, to allow the Controller to seek appropriate protective or confidentiality orders.

5.5 The Controller is responsible for configuring the role-based access controls within the Service to restrict access to Occurrence Report Data to those Authorised Users who are entitled to access such data under the Controller's safety reporting procedures and its obligations under the Occurrence Reporting Legislation.

5.6 Nothing in this DPA or the Principal Agreement authorises the Processor to forward or report Occurrence Report Data to any national or international aviation safety database or competent authority on behalf of the Controller. The Controller remains solely responsible for all mandatory and voluntary occurrence reporting obligations under applicable aviation regulation.

6. International data transfers

6.1 All personal data processed under this DPA is stored at rest within the European Union (EU West region, Frankfurt, Germany) using Supabase infrastructure. The Processor will not transfer personal data outside the EEA or UK except as set out in this clause 6.

6.2 Jersey as destination. JLEC Limited is incorporated in Jersey, Channel Islands. Jersey benefits from:

(a) an adequacy decision from the European Commission for transfers from the EEA to Jersey (preserved from the Directive era and applicable under EU GDPR); and
(b) adequacy recognition from the UK Government for transfers from the UK to Jersey.

Transfers of personal data from the Controller (whether in the UK or EEA) to JLEC Limited in Jersey are therefore permitted without additional transfer mechanisms.

6.3 Transfers to US-based Sub-processors. Certain Sub-processors listed in Schedule B are headquartered in the United States or may transfer personal data to the United States in the course of providing their services. The Processor ensures that such transfers are protected by:

(a) the EU Standard Contractual Clauses (Commission Decision 2021/914/EU) — Module 3 (Processor-to-Processor) — entered into between the Processor and each relevant US-based Sub-processor, as further described in Schedule D; and/or
(b) the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable to transfers involving UK personal data.

6.4 Where the Processor enters into EU SCCs or an IDTA with a Sub-processor as contemplated by clause 6.3, the Processor shall make copies of such agreements available to the Controller on request, subject to any commercially sensitive or confidential information being redacted.

6.5 The Processor shall ensure that the transfer mechanisms described in this clause 6 remain valid and shall promptly notify the Controller of any material change to the legal basis for any Restricted Transfer.

6.6 The EU Standard Contractual Clauses applicable to transfers under this DPA are incorporated by reference in Schedule D. Schedule D sets out the completed Annex I (parties and transfer description) and Annex II (Technical and Organisational Measures, by reference to Schedule C) for each applicable Module 3 transfer. Annex III (list of Sub-processors) is as set out in Schedule B.

7. UK GDPR — specific provisions

7.1 Where this DPA involves the processing of personal data of data subjects located in the United Kingdom, the parties agree that the UK GDPR applies to that processing, and that each party shall comply with the UK GDPR in relation to such processing.

7.2 References in this DPA to "EU GDPR" and "EU SCCs" shall, in the context of UK personal data, be construed as references to "UK GDPR" and "UK IDTA" (or the UK Addendum to the EU SCCs) respectively, as appropriate.

7.3 For UK personal data transfers to third countries, the Processor will use the IDTA or the UK Addendum to the EU SCCs as the applicable transfer mechanism, as described in clause 6.3(b).

7.4 The competent supervisory authority for the Processor in relation to UK personal data processing is the UK Information Commissioner's Office (ico.org.uk).

8. Jersey law — specific provisions

8.1 JLEC Limited, as a Jersey-incorporated entity, is subject to the Data Protection (Jersey) Law 2018 in its own right. JLEC Limited is registered with the Jersey Office of the Information Commissioner (JOIC).

8.2 In relation to personal data for which JLEC Limited acts as data controller (as described in the Privacy Policy), JLEC Limited complies with the Jersey DP Law 2018, which is substantively aligned with the EU GDPR.

8.3 In its capacity as data processor under this DPA, JLEC Limited provides equivalent protections to those required by EU GDPR and UK GDPR, consistent with the Jersey DP Law 2018 and Jersey's adequacy status.

9. Liability

9.1 The liability of each party under or in connection with this DPA shall be subject to the limitations of liability set out in the Principal Agreement, save that:

(a) nothing in the Principal Agreement or this DPA limits either party's liability to data subjects or to supervisory authorities under applicable data protection law; and
(b) the parties acknowledge that liability to data subjects and supervisory authorities is governed by applicable data protection law and not solely by the contractual arrangements between the parties.

9.2 If either party receives a claim from a data subject or supervisory authority arising from the other party's breach of this DPA or applicable data protection law, the liable party shall indemnify the other party against any resulting fines, penalties, compensation payments, and reasonable legal costs, subject always to the liability caps in the Principal Agreement.

9.3 For the purposes of Article 82 EU GDPR / UK GDPR, where the Processor is held liable for damage caused by processing that was not in accordance with the Controller's instructions or this DPA, the Processor may invoke the exemption provided in Article 82(3) to the extent applicable.

10. Term and termination

10.1 This DPA is coterminous with the Principal Agreement and shall remain in force for the duration of the Principal Agreement. It automatically terminates on termination or expiry of the Principal Agreement.

10.2 The Processor's obligations with respect to the deletion of personal data under clause 3.8, and the provisions of clauses 5 (Protected Occurrence Data), 6 (International Data Transfers), 9 (Liability), and 11 (General) shall survive termination of this DPA.

11. General

11.1 Governing law. This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes) shall be governed by and construed in accordance with the law of England and Wales, without prejudice to the mandatory provisions of any applicable data protection law.

11.2 Jurisdiction. The courts of England and Wales shall have exclusive jurisdiction over any dispute arising under this DPA, subject to any rights of data subjects or supervisory authorities under applicable data protection law.

11.3 Precedence. In the event of any conflict between this DPA and the EU SCCs or IDTA incorporated in Schedule D, the EU SCCs or IDTA (as applicable) shall prevail in relation to the relevant Restricted Transfer.

11.4 Entire agreement. This DPA (together with the Principal Agreement) constitutes the entire agreement between the parties in relation to the processing of personal data under the Principal Agreement and supersedes all prior agreements and understandings in relation to such processing.

11.5 Severance. If any provision of this DPA is invalid or unenforceable, it shall be deemed deleted and the remaining provisions shall continue in full force.

11.6 Amendments. This DPA may only be amended by a written instrument signed by authorised representatives of both parties, or as otherwise permitted by the Principal Agreement.

11.7 No third-party rights. This DPA does not confer any rights on any person under the Contracts (Rights of Third Parties) Act 1999, except that data subjects have rights under applicable data protection law which are unaffected by this clause.

Schedule A — Description of processing activities

This Schedule A satisfies the requirements of Article 28(3) EU GDPR / UK GDPR regarding the description of the subject matter, duration, nature, and purpose of processing, and the type of personal data and categories of data subjects.

A.1 Subject matter

The processing of personal data by JLEC Limited in the course of providing the CitadelAero aviation safety management system platform to the Controller under the Principal Agreement.

A.2 Duration

For the term of the Principal Agreement, and for 30 days following termination (Retention Period), after which personal data will be permanently deleted in accordance with clause 3.8 of this DPA.

A.3 Nature of processing

Collection, storage, retrieval, consultation, structuring, use, transmission (within the platform), restriction, erasure, and destruction of personal data, by automated means, in the course of operating a multi-tenant SaaS platform.

A.4 Purpose of processing

To provide the Service to the Controller, including all platform modules and features, and to maintain, support, and secure the Service.

A.5 Types of personal data

| Category | Data elements |
| --- | --- |
| Staff personal data | Full name, work email address, job title, employee number, aviation licence number and type, department, aircraft type ratings and authorisations |
| Training records | Training type and completion dates, expiry dates, certificate files, training provider details |
| Occurrence report data | Occurrence narrative, date, location, aircraft details; reporter identity (if not anonymous); witness information; risk assessments relating to the occurrence. This data may be protected under the Occurrence Reporting Legislation — see clause 5. |
| User account data | Login credentials (passwords stored as hashed values only), role and module permission configuration, session metadata, user activity logs within the platform |
| Document records | Operator-uploaded controlled documents and files; document acknowledgement records (who has read/acknowledged a document and when); document review assignments |
| Compliance and audit records | Audit attendees and sign-off records, findings assigned to named individuals, corrective action ownership |
| Meeting records | Meeting attendee lists, minutes, action owners and assignees, sign-off records |
| Workflow records | Step assignees, completion records, sign-off records, workflow owner details |

A.6 Categories of data subjects

(a) Employees, contractors, and agents of the Controller who are Authorised Users of the Service;
(b) Employees, contractors, and agents of the Controller whose personal data is managed within the Service (e.g. staff profiles, training records), whether or not they are themselves Authorised Users;
(c) Individuals who submit occurrence reports through the Service (reporters), including those who submit anonymously — note that the platform stores reporter identity in a separate field that operators may configure to restrict access; and
(d) Any other individuals whose personal data is included in documents or records uploaded to or created within the Service by the Controller.

A.7 Special categories of personal data

The Controller may upload documents or records that incidentally contain special category data (as defined in Article 9 EU GDPR). The Processor does not specifically solicit special category data, and the Controller is responsible for ensuring that any special category data included in the Service is processed on an appropriate legal basis.

Occurrence Report Data is not itself a special category under Article 9 EU GDPR, but has a distinct legal status under the Occurrence Reporting Legislation and is subject to the additional protections in clause 5 of this DPA.

Schedule B — Authorised sub-processors

The Controller hereby provides general written authorisation under Article 28(2) EU GDPR / UK GDPR for the Processor to engage the following sub-processors. Additions or replacements are subject to the Sub-processor Change Notice procedure in clause 3.4.2.

| Sub-processor | Service | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Supabase Inc. | Database hosting and file storage — all customer data at rest | EU West (Frankfurt, Germany) | EU SCCs Module 3; UK IDTA |
| Vercel Inc. | Application hosting, CDN, serverless compute | US-headquartered; EU edge serving UK/EU traffic | EU SCCs Module 3; UK IDTA |
| Microsoft Corporation | Transactional email delivery (Microsoft Graph API — Mail.Send only) | US-headquartered; EU processing available | EU SCCs Module 3; UK IDTA |
| Paddle.com Market Limited | Payment processing and VAT invoicing (merchant of record) | UK-registered; US affiliates | UK-based; SCCs for US affiliate transfers |

Notes:

(a) "EU SCCs Module 3" refers to the standard contractual clauses for processor-to-processor transfers under Commission Decision 2021/914/EU.
(b) "UK IDTA" refers to the International Data Transfer Agreement issued by the UK Information Commissioner.
(c) Paddle.com Market Limited is incorporated in England and Wales (company number 08815936). Transfers to Paddle do not constitute Restricted Transfers within the UK. Any transfers by Paddle to its US affiliates are subject to appropriate transfer mechanisms as per Paddle's own data processing terms.

Schedule C — Technical and organisational measures (Article 32)

The following Technical and Organisational Measures are implemented by JLEC Limited to ensure a level of security appropriate to the risks of processing personal data in the Service.

C.1 Data isolation and access control

| Measure | Description |
| --- | --- |
| Multi-tenant schema isolation | Each operator's data is stored in a logically isolated PostgreSQL schema within the Supabase database. No cross-tenant data access is possible through the application layer. |
| Role-based access control | Three-tier role hierarchy (admin / operator_admin / user) with module-level and folder-level permission controls configurable per user. Permissions stored and enforced server-side. |
| Session management | Custom JWT-based authentication with HTTP-only cookies, 8-hour session expiry, and server-side session validation on every API request. |
| Password security | User passwords are hashed using bcrypt with 10 rounds before storage. Plain-text passwords are never stored or logged. |
| Authorised User controls | Operators can activate/deactivate users, reset permissions, and remove access at any time through the Users module. |

C.2 Data transmission and storage security

| Measure | Description |
| --- | --- |
| Encryption in transit | All data transmitted between users and the Service is encrypted using TLS 1.2 or higher. Connections are enforced over HTTPS. |
| Encryption at rest | Data at rest is encrypted within the Supabase (PostgreSQL) infrastructure at the storage level, in accordance with Supabase's security architecture. |
| EU data residency | All customer personal data is stored in Supabase's EU West region (Frankfurt, Germany). No personal data is replicated outside the EU at rest. |
| File storage | Operator-uploaded files (documents, certificates, attachments) are stored in Supabase Storage within the same EU West region. |

C.3 Logging, monitoring and incident response

Measure | Description
Activity logging | The Service maintains an audit log of significant user actions within each tenant environment.
Security logging | Login events, session activity, and security-relevant actions are logged for anomaly detection and incident investigation.
Breach response | The Processor maintains an internal incident response procedure. Confirmed Personal Data Breaches affecting Controller data will be notified to the Controller within 48 hours in accordance with clause 3.6.
Dependency monitoring | The Processor monitors for security vulnerabilities in platform dependencies and applies security patches on a risk-prioritised basis.

C.4 Sub-processor and supply chain security

Measure | Description
Sub-processor contractual controls | All Sub-processors are bound by data processing agreements imposing equivalent data protection obligations. Sub-processors are selected based on their security capabilities and certifications.
Supabase security posture | Supabase (the primary data store) holds SOC 2 Type II certification. Infrastructure operates on AWS in the EU West (Frankfurt) region.
Vercel security posture | Vercel provides SOC 2 Type II certified infrastructure for application hosting and CDN functions.

C.5 Organisational measures

Measure | Description
Personnel confidentiality | All personnel with access to personal data are subject to contractual confidentiality obligations.
Access limitation | Access to customer data by Processor personnel is limited to circumstances where access is required for support, maintenance, or incident response purposes, and is logged.
Occurrence data access restrictions | Personnel and Sub-processors who may have incidental technical access to Occurrence Report Data are informed of the protected status of that data prior to any access.

Schedule D — EU Standard Contractual Clauses (Module 3) — Annex I

Note on incorporation. The Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs") are incorporated into this DPA by reference. The full text of the EU SCCs (Clauses 1–18) is available at: eur-lex.europa.eu/eli/dec_impl/2021/914/oj. The completed Annexes are set out below. Module 3 (Processor-to-Sub-processor) applies to transfers from JLEC Limited (as processor acting on behalf of the Controller) to US-based Sub-processors. Annex II (Technical and Organisational Measures) is as set out in Schedule C. Annex III (Sub-processors) is as set out in Schedule B.

Annex I.A — List of parties

Data exporter (Processor):

  • Name: JLEC Limited, trading as CitadelAero
  • Address: Jersey, Channel Islands
  • Contact: privacy@citadelaero.com
  • Activities: The Processor provides an aviation safety management system SaaS platform to the Controller and, in doing so, instructs the Sub-processors listed in Schedule B to process personal data on its behalf.
  • Role: Processor (acting on the instructions of the Controller as data controller)

Data importer (each Sub-processor): As identified in Schedule B to this DPA. Specific contact details for data protection matters are available in each Sub-processor's standard data processing terms. Role: Sub-processor (acting on the instructions of the data exporter).

Annex I.B — Description of transfer

Element | Detail
Categories of data subjects | As set out in Schedule A, section A.6
Categories of personal data | As set out in Schedule A, section A.5
Sensitive data transferred | Occurrence Report Data (protected under Occurrence Reporting Legislation — not Article 9 special category data, but subject to additional restrictions in clause 5 of this DPA). Incidental special category data may be present in operator-uploaded documents.
Frequency of transfer | Continuous — data is transferred to sub-processors on an ongoing basis in the course of providing the Service
Nature of processing | As set out in Schedule A, section A.3
Purpose of transfer | To enable Sub-processors to provide hosting, delivery, email, and payment infrastructure services in support of the CitadelAero platform
Retention period | Personal data is retained for the duration of the Principal Agreement plus 30 days (Retention Period), after which it is permanently deleted in accordance with clause 3.8

Annex I.C — Competent supervisory authority

The competent supervisory authority for the data exporter (JLEC Limited, Jersey) is the Jersey Office of the Information Commissioner (JOIC) (jerseyoic.org).

Where the Controller is subject to EU GDPR (i.e. is established in an EU member state or processes data of EU residents), the competent supervisory authority for the Controller is the data protection authority in the relevant EU member state.

Where the Controller is subject to UK GDPR, the competent supervisory authority is the Information Commissioner's Office (ICO) (ico.org.uk).

Schedule E — UK International Data Transfer Agreement

Note on UK transfers. For transfers of UK personal data (i.e. personal data of individuals in the United Kingdom) to Sub-processors located in countries not subject to a UK adequacy decision (including the United States), JLEC Limited enters into the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs with each relevant Sub-processor. The IDTA template is published by the UK Information Commissioner and is available at: ico.org.uk. Copies of executed UK IDTAs with relevant Sub-processors are available to the Controller on written request to privacy@citadelaero.com.

E.1 Parties and application

The UK IDTA is entered into as a separate agreement between JLEC Limited (as data exporter) and each relevant US-based Sub-processor (as data importer) where:

(a) JLEC Limited processes personal data of individuals located in the United Kingdom; and
(b) that data is transferred to a Sub-processor located in a country without a UK adequacy decision.

E.2 Completion details

The UK IDTA Table 1 (parties), Table 2 (selected SCCs, modules, and clauses), and Table 3 (appendix information) are completed in respect of each Sub-processor using the same information as set out in Schedule D (Annex I) above, adapted as required for the UK transfer context and the IDTA format.

E.3 Termination of the IDTA

JLEC Limited will notify the Controller if the UK Information Commissioner issues an updated or replacement IDTA that materially affects the protections applicable to transfers under this DPA, and will update its agreements with relevant Sub-processors accordingly within a reasonable timeframe.

© JLEC Limited t/a CitadelAero · citadelaero.com · DPA Version 1.1