DATA PROCESSING ADDENDUM
Aircraft Performance Group, LLC
Version 1.0 | Effective: April 16, 2026
Preamble
This Data Processing Addendum (“DPA”) is entered into between Aircraft Performance Group LLC, a Delaware limited liability company, and/or its subsidiaries Rocket Route Ltd., a United Kingdom private limited company, and APG Avionics LLC, a Delaware limited liability company (d/b/a Seattle Avionics), as applicable (collectively or individually, “APG”), and the customer identified in the applicable Service Agreement (“Customer”).
This DPA supplements and is incorporated into APG’s Terms of Service (the “Terms of Service,” available at https://flyapg.com/terms-of-service/, as may be updated from time to time) and any applicable Service Agreement between APG and Customer (together, the “Agreement”). In the event of any conflict between this DPA and the Agreement with respect to any matter relating to the processing of Personal Data, this DPA shall control.
This DPA applies where and to the extent that APG processes Personal Data on behalf of Customer as a Processor or Service Provider in connection with the products and services described in the Agreement. APG’s processing of Personal Data as a Controller for its own purposes is governed by APG’s Privacy Policy at https://flyapg.com/privacy-policy/ and is not subject to this DPA.
Acceptance. By accepting the Terms of Service, executing a Service Agreement that incorporates this DPA, or otherwise providing or receiving services where this DPA applies, each party agrees to be bound by this DPA. Customer agrees on behalf of itself and, to the extent required under applicable Data Protection Laws, on behalf of its Authorized Affiliates.
Section 1 — Definitions
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where “control” means ownership of more than fifty percent (50%) of the voting interests of the subject entity.
“Authorized Affiliate” means any Affiliate of Customer that (a) is subject to the Data Protection Laws and (b) is permitted to use the Services pursuant to the Agreement, but has not signed its own Service Agreement with APG.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. The term includes “Business” as defined under the CCPA and equivalent terms under other applicable Data Protection Laws.
“Customer Data” means Personal Data that APG processes on behalf of Customer in connection with the Services.
“Data Protection Laws” means all applicable laws and regulations relating to the processing, privacy, and security of Personal Data, including: (a) the EU GDPR; (b) the UK GDPR and Data Protection Act 2018; (c) the Swiss nFADP; (d) the CCPA/CPRA and other applicable U.S. laws; (e) Canada’s PIPEDA and provincial equivalents including Quebec Law 25; (f) the Saudi PDPL; (g) the Jordan PDPL No. 24 of 2023; and (h) any other applicable national, federal, state, or provincial data protection or privacy laws.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“GDPR” means the EU GDPR and/or the UK GDPR, as applicable to the relevant processing activity.
“Personal Data” means any information relating to an identified or identifiable natural person. The term also includes “personal information” as defined under the CCPA and equivalent terms under other applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by APG.
“Processor” means a natural or legal person which processes Personal Data on behalf of the Controller. The term includes “Service Provider” as defined under the CCPA and equivalent terms under other applicable Data Protection Laws.
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction. “Process” and “Processed” shall be construed accordingly.
“Restricted Transfer” means a transfer of Personal Data from within the EEA, the United Kingdom, or Switzerland to a country not determined to provide an adequate level of protection under applicable Data Protection Laws.
“Security Incident” means a confirmed Personal Data Breach affecting Customer Data.
“Services” means the products and services provided by APG to Customer under the Agreement.
“Standard Contractual Clauses” or “SCCs” means (a) for EU GDPR transfers: the clauses annexed to European Commission Implementing Decision 2021/914; and (b) for UK GDPR transfers: the International Data Transfer Addendum (IDTA) issued by the UK ICO under section 119A of the Data Protection Act 2018.
“Sub-processor” means any Processor engaged by APG or APG’s Affiliates to process Customer Data on APG’s behalf in connection with the Services.
Section 2 — Scope and Roles
2.0 Scope of Obligations
The obligations of APG set out in this DPA apply solely with respect to Personal Data that APG processes on behalf of Customer as a Processor or Service Provider in connection with the Services. Nothing in this DPA governs or restricts APG’s processing of Personal Data in its capacity as a Controller for its own purposes, which is governed by APG’s Privacy Policy.
2.1 Controller and Processor
As between APG and Customer, Customer is the Controller and APG is the Processor with respect to Customer Data. Customer determines the purposes and means of processing Customer Data, and APG processes Customer Data only on Customer’s behalf and in accordance with Customer’s instructions as set out in this DPA and the Agreement.
2.2 CCPA Service Provider
To the extent the CCPA applies, APG is a “Service Provider” as defined under the CCPA with respect to Customer Data. APG shall not: (a) sell or share Customer Data; (b) retain, use, or disclose Customer Data for any purpose other than the business purposes specified in this DPA and the Agreement; (c) retain, use, or disclose Customer Data outside of the direct business relationship between APG and Customer; or (d) combine Customer Data received from Customer with other Personal Data received from or collected in connection with APG’s other customers or from any other source, except as otherwise permitted under the CCPA, as described in APG’s Privacy Policy with respect to APG’s own controller activities, or as expressly authorized by Customer.
CCPA Certification. APG hereby certifies that it understands and will comply with the obligations and restrictions set forth in this Section 2.2.
2.3 Authorized Affiliates
Customer enters into this DPA on behalf of itself and its Authorized Affiliates. Customer is solely responsible for ensuring each Authorized Affiliate complies with this DPA. Claims by an Authorized Affiliate shall be brought by Customer on behalf of such Authorized Affiliate.
Section 3 — Processing Instructions
3.1 Instructions
APG shall process Customer Data only on documented instructions from Customer, including as set out in this DPA, Schedule 1, and the Agreement, and as further specified through Customer’s use of the Services, unless required to do so by applicable law. Where required by law, APG shall, to the extent permitted, inform Customer before processing.
3.2 Processing Outside Scope
If APG believes any instruction from Customer relating to Customer Data infringes applicable Data Protection Laws, APG shall promptly inform Customer. APG shall not be required to follow instructions that APG reasonably determines would cause APG to violate applicable law.
3.3 Compliance
Each party shall comply with its respective obligations under applicable Data Protection Laws. Customer is solely responsible for the accuracy, quality, and lawfulness of Customer Data and the means by which Customer acquired it, including ensuring all necessary rights, consents, and legal bases are in place.
Section 4 — Confidentiality of Processing
APG shall ensure that persons authorized to process Customer Data are subject to appropriate confidentiality obligations, and that such persons process Customer Data only to the extent necessary to perform their responsibilities in connection with the Services or as required by applicable law.
Section 5 — Security
5.1 Security Measures
APG shall implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (“Security Measures”), taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, including the specific risks presented where Customer Data includes precise geolocation, movement, flight planning, or other operational aviation data. APG’s current Security Measures are described in Schedule 2.
5.2 Updates
APG may update the Security Measures from time to time, provided that such updates do not materially decrease the overall security of the Services. APG shall promptly notify Customer of any material reduction in the Security Measures.
5.3 Customer Responsibilities
Customer is responsible for independently assessing whether the Security Measures meet Customer’s requirements and for implementing appropriate security measures on Customer’s own systems and networks used to access the Services.
Section 6 — Data Subject Rights
6.1 Assistance
Taking into account the nature of the processing, APG shall provide reasonable assistance to Customer in fulfilling obligations to respond to Data Subject requests (including access, rectification, erasure, restriction, portability, and objection). If APG receives a request directly from a Data Subject relating to Customer Data, APG shall, to the extent permitted by law, redirect the Data Subject to Customer and shall not respond without Customer’s prior written authorization.
6.2 Cooperation
Upon Customer’s reasonable written request, APG shall provide reasonable cooperation to assist Customer to: (a) conduct data protection impact assessments; (b) consult with relevant supervisory authorities; and (c) respond to regulatory inquiries relating to the processing of Customer Data under this DPA. APG may charge Customer for time and expenses incurred in providing material assistance that goes beyond what is reasonably required in connection with the Services.
Section 7 — Sub-processors
7.1 Authorization
Customer grants APG general written authorization to engage Sub-processors, subject to the requirements of this Section 7. APG’s current Sub-processor list is available at https://flyapg.com/sub-processors/. APG shall update the list prior to any addition or replacement.
7.2 Notification and Objection
APG shall notify Customer of intended changes to the Sub-processor list at least fourteen (14) days before any change takes effect, and shall provide a mechanism for Customer to subscribe to such notifications. Customer may object on reasonable data protection grounds within fourteen (14) days. If APG cannot accommodate the objection within thirty (30) days, Customer may terminate the affected Services with a pro-rata refund of prepaid fees.
7.3 Sub-processor Obligations
APG shall impose data protection obligations on each Sub-processor no less protective than those in this DPA. APG remains liable to Customer for the acts and omissions of its Sub-processors, subject to the limitations in Section 11 and Section 8 of the Terms of Service.
Section 8 — International Transfers
8.1 General
APG shall not transfer Personal Data from the EEA, UK, or Switzerland to a third country except: (a) where the destination country has been determined to provide adequate protection; (b) pursuant to the SCCs per Section 8.2; (c) via another recognized transfer mechanism; or (d) where Customer has provided explicit consent.
8.2 Standard Contractual Clauses
To the extent a Restricted Transfer occurs, the parties incorporate the relevant SCCs by reference into this DPA:
8.2(a) EEA Transfers
EU SCCs Module Two (Controller to Processor) apply, with APG as data importer and Customer as data exporter. General Sub-processor authorization per Clause 9(a) with 14-day notice. Governing law: Ireland. Forum: courts of Ireland. Annexes I, II, and III correspond to Schedules 1, 2, and the Sub-processor List respectively.
8.2(b) UK Transfers
The UK IDTA applies, with APG as importer and Customer as exporter, incorporating the details in Schedules 1 and 2.
8.2(c) Swiss Transfers
The EU SCCs apply as adapted per FDPIC guidance, with EU GDPR references construed as references to the nFADP.
8.3 Data Privacy Framework
To the extent APG participates in the EU-U.S., UK Extension, or Swiss-U.S. Data Privacy Framework, such participation provides an additional transfer mechanism. The SCCs in Section 8.2 serve as fallback if APG’s DPF certification is suspended or revoked.
8.4 Jurisdiction-Specific Requirements
To the extent applicable Data Protection Laws impose country- or jurisdiction-specific requirements relating to registration, appointment of privacy personnel, local representatives, data localization, security assessments, or prior notifications or filings, each party shall comply with the requirements applicable to it in its role under such laws. The parties shall cooperate in good faith to implement any transfer mechanism, assessment, approval, consent, filing, or supplementary measure required under applicable Data Protection Laws for cross-border transfers of Customer Data.
Section 9 — Security Incidents
9.1 Notification
72-Hour Notification. APG shall notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of a confirmed or reasonably suspected Security Incident. Such initial notification may be preliminary and need not contain full details. Notification shall be provided to the email address associated with Customer’s account or as otherwise designated in writing. APG’s notification obligation is not a concession of fault or liability.
9.2 Content of Notification
To the extent available, APG’s notification shall include: (a) the nature of the Security Incident, including categories and approximate number of affected Data Subjects and records; (b) APG’s data protection contact details; (c) the likely consequences; and (d) measures taken or proposed to address the incident. APG shall supplement the notification as additional information becomes available.
9.3 Assistance
APG shall reasonably cooperate with Customer in the investigation, mitigation, and remediation of any Security Incident. Customer is responsible for notifying supervisory authorities and Data Subjects as required by applicable Data Protection Laws.
Section 10 — Data Retention and Return
10.1 Retention
APG shall retain Customer Data only for as long as necessary to provide the Services and as required by applicable law or the Agreement.
10.2 Return or Deletion
Upon expiration or termination of the Agreement, or upon Customer’s written request, APG shall, at Customer’s election: (a) return Customer Data in a commercially reasonable format; or (b) securely delete or destroy Customer Data — within sixty (60) days of the relevant request or effective termination date. APG shall provide written confirmation of deletion upon request.
For the avoidance of doubt, this Section 10.2 does not apply to anonymized or de-identified data that does not constitute Personal Data under applicable Data Protection Laws, provided that such data does not identify, and cannot reasonably be used to identify, any individual or Customer, and is maintained and used in accordance with applicable Data Protection Laws.
Notwithstanding the foregoing, APG is not required to delete Customer Data that is retained in backup or disaster recovery systems until such data is deleted in the ordinary course of APG’s routine backup management, provided that such retained data remains protected in accordance with this DPA and is not used for any other purpose.
Customer is responsible for exporting or retrieving any Customer Data needed by Customer prior to the expiration or termination of the Agreement.
10.3 Legal Retention
APG may retain Customer Data to the extent required by applicable law, provided that APG continues to protect such data in accordance with this DPA and does not process it for any other purpose.
Section 11 — Liability
11.1 Subject to the Agreement
Each party’s liability under this DPA is subject to the exclusions and limitations in the Agreement, including: (a) the aggregate cap of total Subscription Fees paid in the twelve (12) months preceding the first event giving rise to the claim; and (b) the exclusion of indirect, incidental, special, consequential, exemplary, and punitive damages — in each case as set out in Section 8 of the Terms of Service.
11.2 Mandatory Law
Nothing in this Section limits either party’s liability to the extent such limitation is not permitted under applicable Data Protection Laws, including liability to supervisory authorities or Data Subjects.
Section 12 — Audit Rights
12.1 Documentation
APG shall make available to Customer, on reasonable written request, information reasonably necessary to demonstrate compliance with this DPA, such as third-party audit reports, security certifications, penetration test summaries, and security questionnaire responses, in each case to the extent APG maintains such documentation in the ordinary course.
12.2 On-Site Audit
To the extent required by applicable Data Protection Laws and not satisfied by Section 12.1, APG shall permit Customer (or an authorized representative who is not a competitor of APG) to audit APG’s processing of Customer Data, subject to: (a) at least thirty (30) days’ prior written notice; (b) no more than once per calendar year absent a Security Incident; (c) conduct during normal business hours with minimal disruption; (d) Customer bearing all audit costs; and (e) prior written agreement on scope, duration, and confidentiality.
Section 13 — Jurisdiction-Specific Provisions
The provisions of this Section 13 supplement and, in the event of conflict, take precedence over the general provisions of this DPA to the extent the relevant Data Protection Laws apply.
13.1 European Economic Area (EU GDPR)
Where APG processes Personal Data subject to the EU GDPR:
• GDPR-defined terms (Controller, Processor, etc.) apply as defined in the EU GDPR.
• APG shall maintain records of processing activities carried out on Customer’s behalf as required under Article 30(2) of the EU GDPR.
• APG shall cooperate with the competent supervisory authority in the performance of its tasks.
• APG shall notify Customer of any legally binding request for disclosure of Customer Data by a law enforcement or governmental authority, to the extent permitted by law.
• Sub-processors in the EEA shall be subject to terms consistent with the requirements of Article 28 of the EU GDPR.
13.2 United Kingdom (UK GDPR)
Where APG processes Personal Data subject to the UK GDPR:
• Where Customer Data relates to individuals in the United Kingdom, APG’s processing of that data is governed by the UK GDPR and the Data Protection Act 2018.
• References to the “GDPR” in this DPA include the UK GDPR as the context requires.
• The UK IDTA under Section 8.2 governs Restricted Transfers of Personal Data of UK residents to the United States. If the UK IDTA is amended or replaced by the ICO, the parties shall execute any required replacement transfer mechanism within a reasonable time.
• Rocket Route Ltd., as a UK-established entity, may act as APG’s representative for UK GDPR purposes with respect to Personal Data of UK residents processed by or on behalf of Rocket Route Ltd.
• Where Rocket Route Ltd. is the contracting entity identified in the applicable Service Agreement, Rocket Route Ltd. acts as the data importer in its own right under the UK GDPR and the UK IDTA incorporated under Section 8.2, and not merely as a sub-processor or affiliate of Aircraft Performance Group, LLC. In such cases, references in this DPA to APG as the Processor or data importer shall be construed as references to Rocket Route Ltd. with respect to the processing of Personal Data of UK residents under that Service Agreement.
13.3 California (CCPA / CPRA)
Where APG processes Personal Data of California residents on behalf of Customer:
• The obligations set out in Section 2.2 apply in full.
• APG shall not retain, use, or disclose Customer Data for any commercial purpose other than the business purposes specified in this DPA and the Agreement.
• APG shall assist Customer in responding to verifiable consumer requests (access, deletion, correction, opt-out) with respect to Customer Data, to the extent APG has access and Customer directs such assistance.
• APG shall promptly notify Customer if APG determines it can no longer meet its obligations under the CCPA with respect to Customer Data.
• Customer has the right to take reasonable steps to ensure APG uses Customer Data consistently with Customer’s CCPA obligations, and to stop and remediate unauthorized use of Customer Data.
13.4 Canada (PIPEDA and Quebec Law 25)
Where APG processes Personal Data of Canadian residents on behalf of Customer:
• APG shall implement safeguards meeting the standards required under PIPEDA and, where applicable, Quebec Law 25, to protect Customer Data against loss, theft, and unauthorized access, disclosure, copying, use, or modification.
• APG shall notify Customer without undue delay of any actual or suspected Security Incident involving Customer Data relating to Canadian residents where there is a real risk of significant harm to any individual.
• APG shall cooperate with Customer to respond to requests from individuals exercising rights under applicable Canadian data protection laws, including access, correction, and withdrawal of consent.
• For transfers from Quebec, APG shall conduct a privacy impact assessment if required under Law 25 and implement any recommended measures.
13.5 Kingdom of Saudi Arabia (Saudi PDPL)
Where APG processes Personal Data of individuals in the Kingdom of Saudi Arabia on behalf of Customer:
• APG shall process Customer Data relating to individuals in the Kingdom of Saudi Arabia in accordance with the Saudi PDPL and its implementing regulations.
• APG shall not transfer Customer Data relating to Saudi residents outside of the Kingdom of Saudi Arabia except where permitted under the Saudi PDPL, including where necessary for performance of the Services and subject to appropriate contractual protections.
• APG shall cooperate with Customer to respond to requests from Saudi residents exercising rights under the Saudi PDPL, including access, correction, and deletion.
• APG shall notify Customer without undue delay of any Personal Data Breach affecting Customer Data relating to Saudi residents.
13.6 Hashemite Kingdom of Jordan (Jordan PDPL)
Where APG processes Personal Data of individuals in the Hashemite Kingdom of Jordan on behalf of Customer:
• APG shall process Customer Data relating to individuals in the Hashemite Kingdom of Jordan in accordance with the Jordan PDPL No. 24 of 2023 and any implementing regulations.
• Transfers of Customer Data relating to Jordanian residents to the United States shall be subject to contractual safeguards consistent with the requirements of the Jordan PDPL.
• APG shall cooperate with Customer in responding to requests from Jordanian residents exercising their rights under the Jordan PDPL.
• APG shall notify Customer without undue delay of any Security Incident affecting Customer Data relating to Jordanian residents.
Section 14 — General Provisions
14.1 Order of Precedence
In any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall prevail. In any conflict between this DPA and the SCCs, the SCCs shall prevail with respect to matters governed by them.
14.2 Amendments
APG may update this DPA to reflect changes in applicable Data Protection Laws or APG’s data processing practices, with at least thirty (30) days’ prior written notice of material changes. Continued use of the Services after the effective date constitutes acceptance of the revised DPA. Enterprise customers who have executed a separate written amendment shall not be subject to unilateral changes without their written consent.
14.3 Severability
If any provision of this DPA is held invalid or unenforceable, it shall be modified to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.
14.4 Governing Law
This DPA is governed by the law specified in the Agreement, except that the EU SCCs are governed by the law of an EU Member State as specified therein, and the UK IDTA is governed by the law of England and Wales.
14.5 Contact
Questions regarding this DPA should be directed to support@flyapg.com or to: Aircraft Performance Group, LLC, 10375 Park Meadows Dr. #350, Lone Tree, CO 80124, USA.
Schedule 1 — Details of Processing
Scope note. The data categories and processing details set out below reflect APG’s core flight operations services. Where the applicable Service Agreement covers additional products or features specific to Rocket Route Ltd. (including flight recording and background location data) or APG Avionics LLC d/b/a Seattle Avionics (including flight sharing and community features), the parties agree to supplement this Schedule 1 in writing to reflect the categories of Customer Data and processing activities reasonably necessary for those additional products or features. Any material extension of processing scope beyond what is described below should be confirmed in writing by the parties.
| Element | Details |
| --- | --- |
| Controller / Data Exporter | Customer, as identified in the applicable Service Agreement. Customer is the data controller determining the purposes and means of processing Customer Data. |
| Processor / Data Importer | Aircraft Performance Group, LLC, 10375 Park Meadows Dr. #350, Lone Tree, CO 80124, USA (support@flyapg.com), and/or its subsidiaries Rocket Route Ltd. (UK) and APG Avionics LLC d/b/a Seattle Avionics (USA), as applicable. |
| Subject Matter | Processing of Customer Data to provide APG’s flight operations software services, including flight planning, runway analysis, weight and balance calculations, and related Services. |
| Duration | For the duration of the Agreement, and thereafter as required under Section 10 or applicable law. |
| Nature of Processing | Collection, storage, use, transmission, and deletion of Customer Data as necessary to provide and improve the Services, respond to support requests, and comply with applicable law. |
| Purpose of Processing | Provision and operation of Services; flight planning, runway analysis, and weight and balance calculation; generation of flight books and pre-flight briefing materials; customer support and service improvement; compliance with legal obligations. |
| Categories of Personal Data | Pilot and flight crew names and identifiers; aircraft tail numbers and configuration data; flight plan data (including origin, destination, route, altitude, fuel load, and estimated flight times); weight and balance data; precise location data (GPS coordinates, heading, altitude); account credentials and contact information of authorized users. APG does not intentionally process special categories of personal data (as defined under Article 9 of the GDPR) as Customer Data. Customer shall not provide APG with special category data unless expressly agreed in writing. |
| Categories of Data Subjects | Pilots and co-pilots; flight dispatchers and operations personnel; other flight crew members; Customer’s administrative and account users. |
| Sensitive Data | None. This DPA does not authorize APG to process special categories of personal data under Article 9 of the GDPR or equivalent categories under other Data Protection Laws. |
| Transfer Frequency | Continuous, as required to provide the Services during the term of the Agreement. |
| Retention Period | Duration of the Agreement; deleted or returned within 60 days of termination or earlier written request, subject to legal retention obligations under Section 10. |
| Countries of Processing | Primarily the United States. APG may also process Customer Data in other countries via Sub-processors. All such processing is subject to the transfer mechanisms and safeguards described in Section 8. |
Schedule 2 — Technical and Organizational Security Measures
Required under Article 32 of the GDPR and Annex II of the EU SCCs. APG may update these measures in accordance with Section 5.2.
Note: The measures described in this Schedule are provided for informational purposes to describe APG’s general categories of security controls. They do not constitute representations or warranties of any kind, express or implied, and shall not be construed as guarantees regarding the effectiveness or continued availability of any specific measure. APG’s sole obligation with respect to security is the obligation to maintain appropriate Security Measures as described in Section 5.1 of this DPA.
Access Control
• Multi-factor authentication or equivalent strong authentication controls on production systems and administrative interfaces, where technically feasible
• Periodic access rights review and recertification
• Role-based access controls with full audit logging
Encryption
• Industry-standard encryption protocols for all data in transit over public networks
• Industry-standard encryption for data at rest
Physical Security
• Customer Data hosted in third-party data centers that maintain industry-standard physical security controls and relevant compliance certifications
• Industry-standard physical access controls and environmental protections
Incident Management
• Documented security incident response procedures with defined roles and escalation paths
• Periodic testing and review of incident response capabilities
Vulnerability Management
• Security controls designed with reference to industry-recognized security frameworks
• Periodic penetration testing
• Risk-prioritized security patch management
Personnel Security
• Pre-employment background screening for employees, to the extent permitted by applicable law and consistent with APG’s internal policies
• Mandatory security awareness training
• Confidentiality obligations for all personnel with access to Customer Data
Organizational Measures
• Information security management system (ISMS) aligned with industry-recognized security frameworks
• Written information security policies reviewed and updated periodically
• Vendor risk management program governing Sub-processors
Business Continuity
• Backup and disaster recovery procedures
• Encrypted Customer Data backups consistent with encryption standards above
For questions about APG’s security practices, contact support@flyapg.com.
© 2025 Aircraft Performance Group, LLC | support@flyapg.com | flyapg.com/dpa/