Data Processing Agreement

Capitalized terms not defined here have the meanings given in the Agreement.

“Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CPRA”), the Texas Data Privacy and Security Act (“TDPSA”), and equivalent state privacy laws.

“Customer Data” has the meaning given in the Agreement.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“Personal Data” means any Customer Data that is “personal data,” “personal information,” or equivalent under Applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed under this DPA.

“Processing” means any operation or set of operations performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor).

“Subprocessor” means a third party engaged by HangarOS to Process Personal Data on its behalf.

2.1 Roles. With respect to Personal Data processed under this DPA, Customer is the Controller (or in some cases a Processor on behalf of its own customers), and HangarOS is the Processor (or sub-processor). The details of Processing are set out in Annex I.

2.2 Subject matter and duration. The subject matter of Processing is the provision of the Service. Processing will last for the term of the Agreement plus the retention periods set out in this DPA and the Privacy Policy.

2.3 Processing on documented instructions. HangarOS will Process Personal Data only on documented instructions from Customer, including with regard to transfers to a third country, unless required to do so by applicable law. The Agreement, this DPA, and Customer's use of the Service are documented instructions. HangarOS will inform Customer if, in HangarOS's opinion, an instruction violates Applicable Data Protection Laws.

Customer represents and warrants that:

• (a) it has and will maintain all rights, lawful bases, notices, and consents required to enable HangarOS to Process Personal Data as contemplated by the Agreement and this DPA;
• (b) its instructions to HangarOS comply with Applicable Data Protection Laws;
• (c) it is responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data;
• (d) it has provided required notices to its Users, students, instructors, and other Data Subjects whose Personal Data is Processed in the Service; and
• (e) it will configure the Service (including role and permission settings) consistent with the principle of data minimization.

HangarOS will:

• (a) Process Personal Data only on Customer's documented instructions;
• (b) ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations;
• (c) implement and maintain the technical and organizational measures in Annex II;
• (d) engage Subprocessors only in accordance with Section 6;
• (e) taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to requests from Data Subjects (Section 9);
• (f) assist Customer in ensuring compliance with its security, breach-notification, data-protection impact assessment, and prior-consultation obligations (Articles 32 to 36 of the GDPR, and analogous provisions under other laws);
• (g) at Customer's choice, delete or return Personal Data at the end of the Agreement, subject to retention required by law (Section 11);
• (h) make available to Customer information necessary to demonstrate compliance with this DPA and Article 28 of the GDPR, and allow audits as set out in Section 8; and
• (i) immediately inform Customer if, in HangarOS's opinion, an instruction infringes Applicable Data Protection Laws.

5.1 HangarOS will implement and maintain the technical and organizational measures in Annex II, which are appropriate to the nature, scope, context, purposes, and risks of Processing.

5.2 HangarOS may update its security measures from time to time, provided the level of protection is not materially reduced.

6.1 General authorization. Customer provides general authorization for HangarOS to engage Subprocessors. The list of current Subprocessors is published at hangaros.com/legal/subprocessors and is incorporated as Annex III to this DPA.

6.2 Notice of new Subprocessors. HangarOS will provide at least 30 days' prior notice of any addition or replacement of a Subprocessor by updating the Subprocessor List and, where Customer has subscribed to such notifications, by email.

6.3 Right to object. Customer may object to a new Subprocessor on reasonable data-protection grounds by written notice to legal@hangaros.com within 14 days of HangarOS's notice. The parties will discuss the objection in good faith. If HangarOS cannot accommodate the objection, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service for convenience without further liability beyond fees due through the termination date.

6.4 Subprocessor agreements. HangarOS will impose, by written agreement, data-protection obligations on each Subprocessor that are no less protective than this DPA. HangarOS remains responsible for the performance of each Subprocessor's obligations.

7.1 HangarOS will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data.

7.2 The notice will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed to address the breach, and a HangarOS contact point. HangarOS will provide further information as it becomes available.

7.3 HangarOS's notification is not, and shall not be construed as, an admission of fault or liability.

7.4 Customer is responsible for any required notifications to Data Subjects and regulators under Applicable Data Protection Laws.

8.1 HangarOS will make available, on Customer's reasonable written request, information sufficient to demonstrate compliance with this DPA. In the first instance, HangarOS will provide third-party certifications, audit reports, or written responses to a security questionnaire.

8.2 Where the information referred to in Section 8.1 is not sufficient to demonstrate compliance and Customer has a documented reasonable belief of non-compliance, Customer (or an independent third-party auditor mutually agreed and bound by confidentiality, and not a competitor of HangarOS) may, at Customer's expense, conduct an audit:

• (a) on at least 30 days' prior written notice;
• (b) no more than once per twelve-month period (except where required by an Applicable Data Protection Law or following a confirmed Personal Data Breach);
• (c) during normal business hours;
• (d) in a manner that does not unreasonably interfere with HangarOS's operations;
• (e) without access to Personal Data of other customers, source code, trade secrets, or any data subject to legal privilege; and
• (f) under reasonable confidentiality terms.

8.3 If the audit identifies a material non-compliance, HangarOS will bear reasonable, documented audit costs.

9.1 HangarOS will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.

9.2 Self-service functionality in the Service (including the ability to access, correct, export, and delete Customer Data) is deemed to satisfy HangarOS's assistance obligation to the extent it enables Customer to fulfill the relevant request.

9.3 If HangarOS receives a Data Subject request directly, it will, without undue delay, forward the request to Customer and will not respond directly unless legally required to do so.

10.1 HangarOS Processes Personal Data primarily in the United States (AWS region us-east-2). Subprocessors are listed in Annex III; some may Process Personal Data in other jurisdictions as noted.

10.2 To the extent HangarOS Processes Personal Data subject to the GDPR, UK GDPR, or Swiss FADP outside the EEA, UK, or Switzerland (as applicable) in a country without an adequacy decision, the parties incorporate the SCCs as follows:

• (a) GDPR transfers. Module Two (Controller to Processor) of the SCCs is incorporated, with Customer as data exporter and HangarOS as data importer. The optional docking clause applies. In Clause 7, the optional language is included. In Clause 9, Option 2 (general authorization) applies with the 30-day notice period set in Section 6. In Clause 11, the optional language is not included. The governing law (Clause 17) is Ireland; the courts (Clause 18) are the courts of Ireland.
• (b) UK transfers. The UK International Data Transfer Addendum to the SCCs (issued by the UK Information Commissioner) is incorporated. The Addendum's Tables are completed by reference to this DPA and the SCCs above.
• (c) Swiss transfers. The SCCs apply with modifications such that references to the GDPR are read as references to the FADP, references to the EU/EEA are read as references to Switzerland, the supervisory authority is the Swiss FDPIC, and the forum and governing law are Switzerland.

10.3 Annex I (data exporter and importer; description of Processing), Annex II (technical and organizational measures), and Annex III (Subprocessors) of this DPA also constitute Annexes I, II, and III to the SCCs.

11.1 During the Agreement, HangarOS retains Personal Data as needed to provide the Service.

11.2 On termination of the Agreement, HangarOS will retain Personal Data for 30 days to allow Customer to export it, after which HangarOS will delete or anonymize Personal Data, except (a) where retention is required by law, (b) for backups, which are deleted on the next rotation cycle (typically no longer than 35 days after primary deletion), and (c) for audit logs, which are retained for the periods described in our public Security Policy.

11.3 HangarOS will, on request, certify in writing that Personal Data has been deleted.

12.1 Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Agreement.

12.2 Indemnification obligations in the Agreement apply to liabilities arising from a breach of this DPA, subject to the caps and exclusions in the Agreement.

13.1 This DPA takes effect on the Effective Date and continues for the term of the Agreement and for as long as HangarOS Processes Personal Data on Customer's behalf.

13.2 Sections 4, 5, 7, 8, 9, 10, 11, 12, and 13 survive termination.

14.1 Governing law. This DPA is governed by the laws of North Carolina, except where Applicable Data Protection Laws require otherwise (in which case the law specified by those laws applies to the questions they govern).

14.2 Updates. HangarOS may update this DPA and its Annexes from time to time to reflect changes in law, the Service, or our security and subprocessor practices, provided no update materially reduces the protections offered to Personal Data. Updates take effect on the date posted at hangaros.com/legal/data-processing-agreement.

14.3 Order of precedence. In the event of any conflict among the SCCs, this DPA, and the Agreement, the order of precedence is: (i) the SCCs, (ii) this DPA, (iii) the Agreement.

14.4 Entire agreement on Processing. This DPA, together with the Agreement, is the entire agreement of the parties regarding the Processing of Personal Data.

A. List of parties

Data Exporter (Controller): Customer, as identified in the Agreement.

Data Importer (Processor):
OrangeTree Technologies LLC d/b/a HangarOS
4801 Glenwood Ave, Suite 200, Mailbox 31, Raleigh, NC 27612, United States
Contact: legal@hangaros.com

B. Description of transfer

Categories of Data Subjects: Customer's employees, contractors, students, instructors, mechanics, prospective students, aircraft owners, and other individuals whose information is processed in the Service.

Categories of Personal Data: Names, email addresses, phone numbers, mailing addresses, dates of birth, FAA student pilot certificate numbers, medical certificate metadata (class, dates, AME name, certificate number — not full medical history), TSA AFSP status, training records (lesson reports, stage checks, endorsements, graduation certificates, flight log entries), instructor credentials and currency records, mechanic credentials, scheduling and booking records, maintenance records, knowledge base file metadata, audit log entries, billing metadata (last four digits and brand of payment card; no full PAN), and other operational data Customer chooses to upload.

Special-category data: HangarOS does not require special-category Personal Data. Customer is responsible for not uploading sensitive data beyond what is necessary to operate a flight school (for example, full medical records). Limited categories that may be present (such as a medical certificate class or expiry date) are processed only insofar as Customer chooses to upload them.

Frequency: Continuous, for the term of the Agreement.

Nature of Processing: Hosting, storage, transmission, organization, access, retrieval, modification, deletion, and other operations needed to provide the Service.

Purpose: To provide the Service as described in the Agreement, including scheduling, maintenance tracking, training recordkeeping, invoicing, knowledge base, AI-assisted features, multi-location operations, audit logging, and security.

Retention: As described in the Privacy Policy and Section 11 of this DPA.

C. Competent supervisory authority

For GDPR transfers, the competent supervisory authority is the supervisory authority of the EEA member state where the data exporter is established.

For UK transfers, the Information Commissioner's Office (ICO).

For Swiss transfers, the Federal Data Protection and Information Commissioner (FDPIC).

The following measures are implemented by HangarOS. HangarOS may update these measures over time, provided the level of protection is not materially reduced.

Encryption

• TLS 1.2 or higher for all data in transit.
• AWS KMS server-side encryption for object storage (Amazon S3, alias/aws/s3).
• AES-256-GCM application-layer encryption for sensitive OAuth tokens (such as QuickBooks Online tokens) prior to database storage; master key held in AWS Secrets Manager.
• Encryption at rest for the database, applied by Supabase (managed Postgres).

Access controls

• Multi-factor authentication required on every user account; supported factors include email OTP, SMS OTP, and TOTP authenticator apps.
• Role-based access control with least-privilege principles.
• Row-level security in the database for tenant isolation of multi-tenant data.
• Per-Lambda IAM roles scoped to least-privilege resource access.
• Service-role keys held only in AWS Secrets Manager; not stored in source code.

Authentication and identity

• Amazon Cognito user pools enforce a password policy requiring at least 12 characters, mixed case, numbers, and symbols, with password-history controls.
• Server-side and client-side checks against the Have I Been Pwned k-anonymity API to block known-breached passwords at signup and password change.
• CSRF protection using double-submit cookie pattern on all state-changing endpoints.
• Federated identity providers (Google OAuth 2.0; Microsoft Entra ID OIDC) where enabled.

Infrastructure

• AWS hosting in the us-east-2 region; AWS attests to SOC 2 Type II, ISO 27001, and ISO 27018.
• Separate AWS Lambda functions per logical service.
• Separate dev and prod environments with distinct credentials.
• S3 public access blocked at the bucket level; S3 versioning enabled on the primary user-file bucket.
• AWS WAF and API Gateway throttling.

Monitoring and logging

• AWS CloudTrail multi-region trail with Object Lock COMPLIANCE retention.
• Application audit logs (audit_logs) with INSERT-only enforcement and actor-state snapshotting.
• EventBridge alarms for security-relevant events such as CloudTrail tampering attempts.
• Error and performance telemetry via Sentry.
• Production access logged.

Incident response

• Documented internal incident response procedure with escalation paths.
• 72-hour breach notification commitment per Section 7 of this DPA.

Personnel

• Confidentiality obligations for all personnel with access to Personal Data.
• Security training for personnel.
• Access deprovisioning on role change or termination.

Vendor management

• Subprocessors reviewed before engagement.
• Subprocessors contractually bound to data-protection obligations.

Business continuity

• Daily database backups managed by Supabase.
• Multi-AZ deployment of the database tier.
• Source code in version control with full history.

Sealed records (FAA compliance)

• Database triggers enforce immutability of training records after instructor or chief instructor sign-off (lesson reports, stage checks, graduation certificates).

The current list of Subprocessors is maintained as a live page at hangaros.com/legal/subprocessors, which is incorporated into this DPA by reference. Customer can subscribe to update notifications by emailing privacy@hangaros.com.

As of the effective date of this DPA, Subprocessors include:

Last updated: May 22, 2026.