Data Processing Agreement
BaleAir UG - As of: April 2025
This Data Processing Agreement ("Agreement" or "DPA") forms part of the agreement between BaleAir UG, Diefenbacherstr. 30, 75433 Maulbronn, Germany ("Processor"), and the customer using the SkyDesk platform ("Controller" or "Customer"), including the applicable Terms and Conditions or other main services agreement (the "Main Agreement").
This DPA applies only where and to the extent that BaleAir UG processes Customer Personal Data on behalf of the Customer as a processor within the meaning of Art. 4(8) GDPR. It does not apply to processing activities for which BaleAir UG acts as an independent controller.
1.1 Processor: BaleAir UG, Diefenbacherstr. 30, 75433 Maulbronn, Germany, operator of the SkyDesk platform.
1.2 Controller: The Customer that has entered into the Main Agreement with the Processor for use of SkyDesk.
1.3 The Controller and Processor are each a "Party" and together the "Parties".
2.1 The Processor provides the Controller with access to SkyDesk, a software-as-a-service platform for managing charter requests and related workflows in the private aviation sector.
2.2 In the course of providing SkyDesk, the Processor may process personal data on behalf of the Controller where the Controller uploads, stores, transmits, generates, or otherwise makes personal data available within the platform ("Customer Personal Data").
2.3 This DPA governs the Processor's processing of Customer Personal Data on behalf of the Controller in connection with the provision of SkyDesk.
2.4 This DPA does not apply to personal data processed by BaleAir UG for its own purposes as controller, including account administration, billing, fraud prevention, legal compliance, or business communications relating to its own customer relationship.
3.1 This DPA enters into force when the Controller accepts the Main Agreement and remains in force for as long as the Processor processes Customer Personal Data on behalf of the Controller under the Main Agreement.
3.2 This DPA terminates automatically upon termination or expiry of the Main Agreement, subject to any provisions that by their nature survive termination.
4.1 The nature of the processing may include, in particular: collection, recording, organisation, structuring, storage, hosting, retrieval, consultation, display, adaptation, generation of documents, transmission, and deletion of Customer Personal Data as part of the SkyDesk platform.
4.2 The purpose of the processing is to provide the SkyDesk platform and its agreed features to the Controller, including the management of charter requests, documents, contacts, passenger-related information, communications, and related business workflows.
5.1 Depending on the Controller's use of SkyDesk, the categories of Customer Personal Data may include:
- identification and contact data of business contacts, clients, passengers, and other relevant persons, such as name, email address, phone number, postal address, and company details;
- travel-related data, such as flight details, itinerary information, passenger lists, trip-related notes, and booking-related information;
- document data contained in generated, uploaded, or stored files;
- communication data contained in messages, comments, notes, or internal records within the platform;
- any other personal data that the Controller chooses to enter into the platform.
5.2 The categories of data subjects may include:
- the Controller's business contacts;
- customers and prospective customers;
- passengers and travel companions;
- employees, contractors, or representatives of the Controller;
- other individuals whose personal data the Controller enters into SkyDesk.
5.3 The Controller is solely responsible for determining the categories of Customer Personal Data processed through its use of SkyDesk and for ensuring that such processing is lawful.
6.1 The Processor shall process Customer Personal Data only on documented instructions from the Controller, unless otherwise required by applicable Union or Member State law.
6.2 The Parties agree that the Main Agreement, this DPA, and the Controller's configuration and use of SkyDesk constitute the Controller's complete and documented instructions at the time this DPA is concluded.
6.3 The Controller may issue additional documented instructions where necessary for compliance with applicable data protection law, provided such instructions are reasonable, technically feasible, and do not materially alter the agreed services.
6.4 The Processor shall inform the Controller without undue delay if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection law.
The Processor shall:
7.1 process Customer Personal Data only in accordance with this DPA and the documented instructions of the Controller;
7.2 ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
7.3 implement and maintain appropriate technical and organisational measures in accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing;
7.4 assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights under Chapter III GDPR;
7.5 assist the Controller in ensuring compliance with the obligations pursuant to Arts. 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor;
7.6 notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data;
7.7 upon termination of the services, delete or return Customer Personal Data in accordance with Section 13 of this DPA, unless applicable law requires storage;
7.8 make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Art. 28 GDPR.
8.1 The Controller is responsible for the lawfulness of the processing of Customer Personal Data, including the existence of a valid legal basis and the provision of any required data protection notices to data subjects.
8.2 The Controller shall ensure that its instructions to the Processor comply with applicable data protection law.
8.3 The Controller shall use SkyDesk only in accordance with the Main Agreement and applicable law and shall not instruct the Processor to process special categories of personal data unless expressly agreed and appropriately safeguarded.
8.4 The Controller shall inform the Processor without undue delay if it becomes aware of any inaccuracies, legal concerns, or irregularities relating to the Processor's processing under this DPA.
9.1 The Controller grants the Processor general written authorisation to engage sub-processors for the processing of Customer Personal Data.
9.2 The Processor shall inform the Controller of any intended addition or replacement of sub-processors by updating the relevant list or by other appropriate notice.
9.3 The Controller may object to a new sub-processor on reasonable data protection grounds within 14 days of receiving notice. If the Parties are unable to resolve the objection in good faith, the Controller may terminate the affected services to the extent reasonably necessary.
9.4 Where the Processor engages a sub-processor, the Processor shall impose data protection obligations on that sub-processor that are no less protective than those set out in this DPA, in particular with regard to confidentiality, security, and assistance obligations.
9.5 The Processor remains responsible for the performance of its sub-processors' obligations to the extent required by law.
As of the date of this DPA, the Processor uses the following sub-processors for Customer Personal Data:
- Google LLC / Firebase - hosting, authentication, database, and infrastructure services. Google states that when customers use Firebase, Google generally acts as a data processor under GDPR on the customer's behalf.
- Mailgun Technologies, Inc. / Sinch group entities - transactional email delivery and related infrastructure for service-generated emails. Mailgun Technologies, Inc. is listed in the EU-U.S. Data Privacy Framework.
For the avoidance of doubt, Stripe is not listed here as a general sub-processor for Customer Personal Data under this DPA. Stripe's role varies depending on the activity; for BaleAir's own billing relationship it is addressed in the Privacy Policy and commercial terms.
11.1 The Processor shall implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
11.2 Such measures include, as applicable:
- encryption of data in transit using TLS;
- encryption or equivalent protection of stored data where appropriate;
- access controls and role-based permissions;
- authentication controls for internal systems;
- least-privilege access for personnel;
- logging and monitoring of relevant system activity;
- backup and recovery procedures;
- vulnerability management and security maintenance processes;
- incident response procedures for security incidents and personal data breaches;
- internal procedures for deletion and retention management.
11.3 The Processor may update the technical and organisational measures from time to time, provided that the overall level of security is not materially reduced.
12.1 If the Processor receives a request from a data subject relating to Customer Personal Data processed under this DPA, the Processor shall, to the extent legally permitted, forward the request to the Controller or advise the data subject to submit the request directly to the Controller.
12.2 The Processor shall provide reasonable assistance to the Controller in responding to such requests, taking into account the nature of the processing and the functionality of the services.
12.3 In the event of a personal data breach affecting Customer Personal Data, the Processor shall notify the Controller without undue delay and provide the Controller with relevant information available to the Processor, including, where applicable:
- the nature of the breach;
- the categories of data concerned;
- the likely consequences;
- measures taken or proposed to address the breach and mitigate its possible adverse effects.
12.4 The Processor shall take reasonable steps to contain, investigate, and mitigate the effects of the breach and shall provide supplementary information as it becomes available.
13.1 Upon termination or expiry of the Main Agreement, the Processor shall, at the Controller's choice, delete or return Customer Personal Data, to the extent technically feasible, unless applicable law requires further retention.
13.2 Where return is requested, the Processor may satisfy this obligation by making available an export function or other reasonable means of retrieving Customer Personal Data.
13.3 The Processor may retain residual copies of Customer Personal Data in encrypted backups for a limited transitional period where such retention results from standard backup and disaster recovery processes, provided that such retained data remains protected and is not actively processed except as required for backup integrity or legal compliance.
14.1 The Controller may, at its own expense, request information reasonably necessary to demonstrate the Processor's compliance with this DPA.
14.2 To the extent such information is not sufficient, the Controller may conduct an audit or inspection, itself or through an independent auditor bound by confidentiality obligations, subject to:
- at least 30 days' prior written notice;
- audits taking place during normal business hours;
- no more than once per calendar year, unless a personal data breach, regulatory requirement, or reasonable suspicion of material non-compliance justifies an additional audit;
- the audit not unreasonably disrupting the Processor's business operations;
- the audit not granting access to data of other customers or to confidential information unrelated to the Controller.
14.3 The Processor may satisfy audit requests, where appropriate, by providing current third-party certifications, security documentation, audit summaries, or similar materials, provided these reasonably demonstrate compliance.
15.1 The Processor shall not transfer Customer Personal Data to a country outside the EEA unless an appropriate transfer mechanism under Chapter V GDPR is in place.
15.2 Such mechanisms may include:
- an adequacy decision;
- certification under the EU-U.S. Data Privacy Framework where applicable;
- the European Commission's Standard Contractual Clauses or other appropriate safeguards.
15.3 Where transfers are carried out by sub-processors listed in Section 10, the transfer mechanism applicable to the relevant sub-processor shall apply accordingly.
16.1 Each Party shall be liable in accordance with the GDPR, applicable law, and the liability provisions of the Main Agreement.
16.2 The Processor shall not be liable to the extent that it has acted in accordance with lawful documented instructions of the Controller and has complied with its obligations under applicable data protection law.
16.3 Nothing in this DPA excludes or limits liability where such exclusion or limitation is prohibited by law.
17.1 This DPA is governed by the laws of the Federal Republic of Germany.
17.2 To the extent legally permissible, the courts of Mannheim, Germany shall have jurisdiction over disputes arising out of or in connection with this DPA.