Data Processing Agreement

Version Date: February 15, 2026

Preamble

This Data Processing Agreement (“DPA”) forms part of the Terms of Service and any applicable subscription agreement (collectively, the “Agreement”) between:

AirUnit.io (“Processor” or “AirUnit”)

and

The Customer identified in the subscription agreement (“Controller” or “Agency”)

This DPA sets forth the parties' obligations with respect to the processing of personal data and operational data in connection with the AirUnit.io aviation operations management platform.

1. Definitions

“Agency Data” means all data, information, and content that the Controller or its authorized users upload, submit, store, or transmit through the Service.

“Authorized Users” means individuals authorized by Controller to access and use the Service.

“Data Subject” means an identified or identifiable natural person whose personal data is processed.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.

“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

“Security Incident” means any unauthorized access to, acquisition of, or disclosure of Personal Data.

“Sub-processor” means any third party engaged by Processor to process Personal Data on behalf of Controller.

2. Scope and Purpose of Processing

2.1 Purpose

Processor shall process Agency Data solely for the purpose of providing the Service as described in the Agreement, including:

  • Operating the aviation operations management platform
  • Storing and organizing flight records, maintenance logs, and compliance data
  • Providing reporting and analytics functionality
  • Delivering customer support and technical assistance
  • Maintaining system security and preventing fraud

2.2 Categories of Data Subjects

The Personal Data processed under this DPA may relate to the following categories of data subjects:

  • Agency employees (pilots, mechanics, administrators, command staff)
  • Contractor personnel authorized to access the Service
  • Other individuals whose information is entered into the Service by Controller

2.3 Types of Personal Data

The following types of Personal Data may be processed:

  • Contact information (names, email addresses, phone numbers)
  • Employment information (role, title, department)
  • Authentication data (account credentials managed by Clerk)
  • Activity logs (system access and usage data)
  • Professional qualifications (pilot certifications, training records)

3. Controller Obligations

Controller represents and warrants that:

  • It has the legal authority to provide Agency Data to Processor for processing
  • It has provided any required notices to, and obtained any required consents from, Data Subjects
  • Its instructions to Processor comply with all applicable laws and regulations
  • It will use the Service only for lawful purposes consistent with the Agreement
  • It has implemented appropriate access controls within its organization

4. Processor Obligations

4.1 Processing Instructions

Processor shall:

  • Process Agency Data only on documented instructions from Controller, unless required by law
  • Inform Controller if, in Processor's opinion, an instruction infringes applicable data protection laws
  • Not process Agency Data for any purpose other than providing the Service

4.2 Confidentiality

Processor shall:

  • Ensure that personnel authorized to process Agency Data are bound by confidentiality obligations
  • Limit access to Agency Data to personnel who require access to perform the Service
  • Not disclose Agency Data to any third party except as permitted by this DPA or required by law

4.3 Security Measures

Processor shall implement and maintain appropriate technical and organizational measures to protect Agency Data, including:

  • Encryption of data at rest and in transit (TLS 1.2+, AES-256)
  • Database-level tenant isolation through Row-Level Security (RLS)
  • Role-based access controls
  • Multi-factor authentication availability
  • Automated daily backups with encryption
  • Regular security assessments and monitoring
  • Incident detection and response capabilities

5. Sub-processors

5.1 Authorized Sub-processors

Controller authorizes Processor to engage the following sub-processors:

Sub-processor | Purpose | Location
Neon | PostgreSQL database hosting | United States (US-East)
Vercel | Application hosting and CDN | United States
Clerk | Authentication and identity | United States
AWS S3 | Encrypted backup storage | United States (US-East)
Resend | Transactional email delivery | United States
Anthropic | AI features (when enabled) | United States

5.2 Sub-processor Changes

Processor shall provide Controller with at least thirty (30) days' notice before engaging any new sub-processor. Controller may object to the engagement of a new sub-processor by providing written notice within fifteen (15) days. If the parties cannot resolve the objection, Controller may terminate the affected Service.

5.3 Sub-processor Obligations

Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA. Processor remains liable for the acts and omissions of its sub-processors.

6. Security Incident Response

6.1 Notification

Processor shall notify Controller of any Security Incident without undue delay and in any event within seventy-two (72) hours of becoming aware of the incident. Notification shall include:

  • Description of the nature of the incident
  • Categories and approximate number of affected Data Subjects
  • Categories and approximate number of affected records
  • Contact information for Processor's incident response team
  • Description of likely consequences
  • Description of measures taken or proposed to address the incident

6.2 Cooperation

Processor shall cooperate with Controller's reasonable requests for information and assistance regarding Security Incidents, including for purposes of Controller's compliance with breach notification obligations.

7. Data Subject Rights

Processor shall assist Controller in responding to Data Subject requests to exercise their rights, including rights of access, correction, deletion, and portability. Processor shall:

  • Promptly notify Controller of any Data Subject request received directly
  • Provide reasonable technical and organizational assistance to enable Controller to respond to such requests
  • Not respond directly to Data Subject requests unless authorized by Controller

8. Data Retention and Deletion

8.1 Retention During Service

Processor shall retain Agency Data for the duration of the subscription term and process it in accordance with Controller's instructions.

8.2 Post-Termination

Upon termination or expiration of the Agreement:

  • Processor shall retain Agency Data for a grace period of ninety (90) days
  • During the grace period, Controller may request data export in standard formats (JSON, CSV)
  • Following the grace period, Processor shall permanently delete all Agency Data within thirty (30) days
  • Processor shall provide written confirmation of deletion upon request
  • Backup copies may be retained for disaster recovery purposes but shall be deleted within ninety (90) days following the grace period

8.3 Exceptions

Processor may retain Agency Data beyond the deletion timeline to the extent required by applicable law, provided that Processor continues to protect such data in accordance with this DPA.

9. Audits and Assessments

Upon Controller's written request (no more than once per year), Processor shall provide:

  • Documentation of security measures and controls
  • Summary of any third-party security assessments or certifications
  • Responses to reasonable security questionnaires

Controller acknowledges that detailed audit rights may be addressed in a separate enterprise agreement and that Processor's sub-processors maintain their own compliance certifications (SOC 2 Type II for Neon, Vercel, and Clerk).

10. Data Transfers

All Agency Data is stored and processed within the United States. Processor shall not transfer Agency Data to any country outside the United States without Controller's prior written consent. If such transfer becomes necessary, Processor shall implement appropriate safeguards in compliance with applicable law.

11. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. The obligations of Processor with respect to the protection and deletion of Agency Data shall survive termination of the Agreement.

12. Liability

The limitations of liability set forth in the Agreement apply to this DPA. Each party shall be liable for its own acts and omissions in relation to this DPA.

13. General Provisions

  • This DPA shall be governed by the same laws governing the Agreement.
  • In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
  • This DPA may be amended by Processor with thirty (30) days' notice. Material changes shall be communicated via email.
  • If any provision of this DPA is found invalid, the remaining provisions shall remain in effect.

14. Acceptance

By executing the Agreement that incorporates this DPA, or by using the Service, the parties agree to be bound by the terms of this Data Processing Agreement.

Processor

AirUnit.io

Controller (Agency)

As identified in subscription agreement
