Data Processing Addendum (DPA)
GDPR data processing terms between AFRA and organizational customers acting as controllers.
This Data Processing Addendum ("DPA") forms part of the agreement between the Controller (the Flight School, Club, Organization, Aircraft Operator, Company, or other customer using AFRA, the "Customer") and the Processor, Causal Ventures FlexCo, Eigenhofen 4c, 6170 Zirl, Austria, FN 668045w, info@causal.cc.
This DPA supplements the AFRA Terms of Service and governs the processing of personal data under Regulation (EU) 2016/679 (GDPR).
1. Purpose of This DPA
The Customer uses AFRA to process information relating to pilots, students, instructors, employees, contractors, aircraft owners, members, and aviation personnel.
Where the Customer determines the purposes and means of processing personal data, the Customer acts as Controller. Where AFRA processes personal data on behalf of the Customer, Causal Ventures FlexCo acts as Processor.
2. Subject Matter of Processing
AFRA may process personal data in order to provide pilot management, aircraft management, document management, safety management, training management, compliance monitoring, assessment services, renewal tracking, reporting services, and AI-assisted analysis.
3. Categories of Data Subjects
Data subjects may include pilots, student pilots, instructors, examiners, members, employees, contractors, aircraft owners, operators, and administrators.
4. Categories of Personal Data
Personal data may include names, contact details, email addresses, telephone numbers, licence information, qualification information, ratings, endorsements, training records, flight experience, assessment information, aircraft assignment information, uploaded documents, and operational records.
5. Special Category Data
The Customer acknowledges that certain uploaded documents may contain special category data under Article 9 GDPR, such as medical certificates, health limitations, fitness declarations, and medical restrictions.
The Customer remains solely responsible for determining whether such information should be uploaded. AFRA processes such information solely upon Customer instruction through use of the Service.
6. Processor Obligations
AFRA shall:
- process personal data only on documented instructions of the Customer;
- ensure confidentiality obligations apply to authorized personnel;
- implement reasonable technical and organizational security measures;
- assist the Customer where reasonably possible in fulfilling GDPR obligations;
- notify the Customer of known personal data breaches where required by law;
- delete or return personal data upon termination subject to legal obligations.
7. Customer Responsibilities
The Customer remains solely responsible for lawful collection of personal data, obtaining required consents, legal basis for processing, accuracy of personal data, compliance with GDPR, compliance with employment laws, and compliance with aviation regulations. AFRA does not provide legal compliance services.
8. Security Measures
AFRA may implement measures including encrypted transmission, encrypted storage where available, access controls, role-based permissions, authentication controls, monitoring systems, backup systems, and logging systems. The Customer acknowledges that no system can guarantee absolute security.
9. Subprocessors
AFRA may use subprocessors including cloud infrastructure providers, AI providers, OCR providers, database providers, analytics providers, payment providers, security providers, and support providers. The Customer authorizes AFRA to engage such subprocessors as reasonably necessary to provide the Service. AFRA shall remain responsible for managing subprocessors in accordance with applicable law.
10. International Transfers
The Customer acknowledges that certain service providers may process information outside the European Economic Area. Where applicable, AFRA shall implement legally recognized safeguards including Standard Contractual Clauses, adequacy mechanisms, and contractual safeguards.
11. Data Subject Requests
Where AFRA receives a request relating to access, deletion, correction, restriction, portability, or objection, AFRA may either respond where legally required or direct the request to the Customer. The Customer remains primarily responsible for responding to data subject requests.
12. Personal Data Breaches
AFRA shall maintain procedures for identifying and responding to personal data breaches. Where legally required, AFRA shall notify the Customer without undue delay after becoming aware of a reportable breach. AFRA does not guarantee prevention of all security incidents.
13. Audit Rights
Where required by GDPR, the Customer may request reasonable information regarding AFRA's privacy and security practices. Audit requests must be reasonable, not disrupt operations, protect AFRA confidential information, and occur no more than once per calendar year unless legally required.
14. Data Deletion
Upon termination of services, AFRA may return data, provide export functionality, or delete data after applicable retention periods. The Customer is solely responsible for obtaining copies of data prior to termination. AFRA shall not be liable for data loss resulting from Customer failure to export data.
15. Limitation of Liability
This DPA does not expand AFRA's liability beyond the limitations set forth in the Terms of Service and applicable law. To the maximum extent permitted by law, liability remains limited as specified in the AFRA Terms of Service.
16. Governing Law
This DPA shall be governed by Austrian law.
17. Jurisdiction
Exclusive jurisdiction shall be Innsbruck, Austria, to the maximum extent permitted by applicable law.
18. Order of Precedence
In the event of conflict, the following order of precedence applies: (1) applicable law; (2) this DPA; (3) Terms of Service; (4) other agreements.
19. Acceptance
The Customer accepts this DPA by creating an organizational account, activating organizational features, uploading personal data, or continuing to use AFRA as an organization. Electronic acceptance shall have the same effect as a handwritten signature.