Data Processing Agreement

This Data Processing Agreement governs how HangarOS processes personal data on behalf of our customers in compliance with GDPR, CCPA, and other applicable data protection laws.

Last Updated: March 3, 2026, Effective Date: April 2, 2026

Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between OrangeTree Technologies, a North Carolina limited liability company (“HangarOS,” “Processor,” “we,” “us,” or “our”) and the entity or individual that has agreed to the Agreement (“Customer,” “Controller,” “you,” or “your”).

This DPA applies to the processing of Personal Data by HangarOS on behalf of the Customer in connection with the HangarOS software-as-a-service platform (the “Service”). This DPA is incorporated into and subject to the terms of the Agreement.

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement.

1.1 “Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to: the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Texas Data Privacy and Security Act (“TDPSA”), and any other applicable U.S. state privacy laws.

1.2 “Controller” means the entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.

1.3 “Customer Data” means any Personal Data that the Customer (or its authorized users) uploads, submits, stores, or transmits through the Service, including but not limited to: student records, instructor records, aircraft information, scheduling data, maintenance records, invoice data, and any other information processed through the Service on behalf of the Customer.

1.4 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

1.5 “Personal Data” means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.

1.6 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

1.7 “Processor” means the entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, HangarOS is the Processor.

1.8 “Sub-processor” means any third party engaged by HangarOS to process Customer Data on behalf of the Customer.

1.9 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).

2. Scope and Roles

2.1 Customer as Controller. The Customer is the Controller of Customer Data and determines the purposes and means of processing. The Customer is responsible for ensuring that it has a lawful basis for processing Personal Data and that it has provided all necessary notices and obtained all necessary consents from Data Subjects.

2.2 HangarOS as Processor. HangarOS processes Customer Data solely on behalf of and in accordance with the Customer's documented instructions as set forth in this DPA, the Agreement, and through the Customer's use and configuration of the Service.

2.3 Details of Processing. The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex I of this DPA.

3. Customer Obligations

The Customer shall:

  • Ensure that its use of the Service and its instructions to HangarOS comply with all Applicable Data Protection Laws
  • Ensure that it has provided all required notices and obtained all required consents from Data Subjects prior to uploading Personal Data to the Service
  • Be solely responsible for the accuracy, quality, and legality of Customer Data and the means by which it was acquired
  • Promptly notify HangarOS of any changes in applicable law that may affect HangarOS's obligations under this DPA
  • Ensure that its personnel and authorized users comply with the terms of this DPA

4. HangarOS Obligations

HangarOS shall:

  • Process Customer Data only in accordance with the Customer's documented instructions, unless required to do so by applicable law (in which case HangarOS shall, to the extent permitted by law, inform the Customer of such legal requirement before processing)
  • Ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement and maintain appropriate technical and organizational measures to protect Customer Data as described in Annex II of this DPA
  • Comply with the conditions for engaging Sub-processors as set forth in Section 6 of this DPA
  • Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising Data Subject rights
  • Assist the Customer in ensuring compliance with its obligations regarding security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to HangarOS
  • At the choice of the Customer, delete or return all Customer Data after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data
  • Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits and inspections as described in Section 8
  • Immediately inform the Customer if, in HangarOS's opinion, an instruction from the Customer infringes Applicable Data Protection Laws

5. Security Measures

5.1 Technical and Organizational Measures. HangarOS implements and maintains appropriate technical and organizational security measures to protect Customer Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in detail in Annex II.

5.2 Minimum Security Standards. HangarOS shall, at a minimum, implement the following security measures:

  • Encryption of Customer Data in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Multi-factor authentication for administrative access
  • Role-based access controls with the principle of least privilege
  • Regular security assessments and vulnerability scanning
  • Automated backups with encryption
  • Incident response procedures and logging
  • Network segmentation and firewall protections
  • Row-level security (RLS) policies to ensure data isolation between customers

5.3 Updates. HangarOS may update its security measures from time to time, provided that such updates do not materially decrease the overall level of security protection.

6. Sub-processors

6.1 Authorization. The Customer provides general written authorization for HangarOS to engage Sub-processors to process Customer Data, subject to the requirements of this Section 6.

6.2 Current Sub-processors. The current list of Sub-processors is set forth in Annex III of this DPA. HangarOS shall make the current list of Sub-processors available to the Customer upon request.

6.3 New Sub-processors. HangarOS shall notify the Customer at least 30 days before engaging a new Sub-processor or replacing an existing Sub-processor. Notification shall be sent via email to the address associated with the Customer's Account.

6.4 Objection. The Customer may object to a new Sub-processor within 14 days of receiving notice. If the Customer objects on reasonable data protection grounds, HangarOS shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is reasonably available, either party may terminate the affected portion of the Service with 30 days' written notice.

6.5 Sub-processor Agreements. HangarOS shall enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those set forth in this DPA. HangarOS remains fully liable for the acts and omissions of its Sub-processors.

7. Personal Data Breach Notification

7.1 Notification. HangarOS shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Data.

7.2 Contents. The notification shall include, to the extent reasonably available:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of HangarOS's point of contact for further information
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects

7.3 Cooperation. HangarOS shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

7.4 No Assessment by HangarOS. HangarOS's obligation to notify the Customer of a Personal Data Breach shall not be construed as an acknowledgment of fault or liability.

8. Audits and Inspections

8.1 Audit Rights. HangarOS shall make available to the Customer, upon reasonable request (not more than once per 12-month period unless required by a supervisory authority or following a Personal Data Breach), information necessary to demonstrate compliance with this DPA.

8.2 Third-Party Audits. Upon reasonable request and subject to reasonable confidentiality obligations, HangarOS shall allow for and contribute to audits conducted by the Customer or a qualified third-party auditor appointed by the Customer. The Customer shall provide at least 30 days' prior written notice of any audit.

8.3 Scope. Audits shall be limited to the processing of Customer Data and shall be conducted during normal business hours with minimal disruption to HangarOS's operations.

8.4 Costs. The Customer shall bear its own costs in connection with any audit. If the audit reveals a material non-compliance by HangarOS, HangarOS shall bear the reasonable costs of the audit and promptly remedy the non-compliance at its own expense.

8.5 Certifications and Reports. In lieu of an on-site audit, HangarOS may, at its discretion, provide the Customer with relevant security certifications, third-party audit reports (such as SOC 2 Type II), or other evidence of compliance.

9. International Data Transfers

9.1 Location of Processing. Customer Data is primarily processed and stored in the United States using Amazon Web Services (AWS) infrastructure in the US East (N. Virginia) region (us-east-1).

9.2 Transfer Mechanisms. To the extent that Customer Data is transferred from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to the United States or any other country that has not received an adequacy decision, HangarOS shall ensure that such transfers are made in accordance with Applicable Data Protection Laws by relying on one or more of the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): The parties agree that the EU Commission-approved SCCs (Module Two: Controller to Processor) are incorporated into this DPA by reference and apply to transfers of Personal Data from the EEA. For transfers from the UK, the UK International Data Transfer Addendum shall apply. For transfers from Switzerland, the SCCs shall apply with the modifications required by the FADP.
  • EU-U.S. Data Privacy Framework: Where applicable and to the extent HangarOS is certified under the EU-U.S. Data Privacy Framework.
  • Other mechanisms: Any other valid transfer mechanism under Applicable Data Protection Laws.

9.3 Supplementary Measures. HangarOS shall implement appropriate supplementary measures (technical, organizational, and contractual) to ensure that the transferred Personal Data receives a level of protection essentially equivalent to that guaranteed within the EEA/UK/Switzerland.

10. Data Subject Requests

10.1 Notification. If HangarOS receives a request directly from a Data Subject to exercise their rights under Applicable Data Protection Laws with respect to Customer Data, HangarOS shall promptly notify the Customer and shall not respond to the request without the Customer's prior authorization, unless required by applicable law.

10.2 Assistance. HangarOS shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures in responding to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.

10.3 Self-Service. To the extent that the Customer is able to respond to Data Subject requests using the functionality of the Service (e.g., data export, account deletion), HangarOS shall be deemed to have fulfilled its assistance obligations under this Section.

11. Data Retention and Deletion

11.1 During the Agreement. HangarOS shall retain Customer Data for the duration of the Agreement and process it in accordance with the Customer's instructions.

11.2 Upon Termination. Upon termination or expiration of the Agreement, HangarOS shall, at the Customer's election:

  • Return Customer Data to the Customer in a commonly used, machine-readable format (e.g., CSV or JSON); or
  • Delete all Customer Data, including all copies, within 30 days of termination, unless applicable law requires longer retention.

11.3 Certification. Upon request, HangarOS shall provide written certification that it has complied with its deletion obligations under this Section.

11.4 Backup Copies. Customer Data stored in encrypted backup systems may be retained for up to an additional 30 days beyond the deletion period for disaster recovery purposes, after which it shall be securely deleted.

12. Term and Termination

12.1 Term. This DPA shall remain in effect for as long as HangarOS processes Customer Data on behalf of the Customer, or until the Agreement is terminated, whichever is later.

12.2 Survival. Sections 1, 5, 7, 8, 9, 11, and 13 shall survive any termination or expiration of this DPA.

13. Liability

13.1 Liability Cap. The total liability of each party under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement.

13.2 Indemnification. Each party shall indemnify and hold harmless the other party from any fines, penalties, damages, costs, or expenses arising from a breach of this DPA by the indemnifying party, subject to the limitations of liability in the Agreement.

14. General Provisions

14.1 Governing Law. This DPA shall be governed by the laws of the State of North Carolina, without regard to its conflict of laws principles, unless Applicable Data Protection Laws require otherwise. To the extent required by Applicable Data Protection Laws, the data protection provisions of the relevant jurisdiction shall apply.

14.2 Amendments. This DPA may not be amended except in writing signed by both parties. However, HangarOS may update the Annexes to this DPA as necessary to reflect changes in Sub-processors or security measures, provided that such changes do not materially reduce the overall level of data protection.

14.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

14.4 Entire Agreement. This DPA, together with the Agreement and any Annexes hereto, constitutes the entire agreement between the parties with respect to the processing of Customer Data.

Annex I: Details of Processing

A. List of Parties

Data Exporter (Controller): The Customer, as identified in the Agreement.

Data Importer (Processor): OrangeTree Technologies (HangarOS), 4801 Glenwood Ave, Suite 200, Mailbox 31, Raleigh, NC 27612, United States. Contact: legal@hangaros.com

B. Description of Processing

Element | Description
Subject Matter | Provision of the HangarOS flight school management platform
Duration | For the term of the Agreement, plus any data retention period
Nature and Purpose | Processing Customer Data to provide flight school scheduling, aircraft management, maintenance tracking, student progress tracking, invoicing, and related operational services
Types of Personal Data | Names, email addresses, phone numbers, addresses, student pilot records, instructor records, scheduling data, aircraft assignment data, maintenance logs, invoice data (amounts, descriptions, recipient details), payment transaction status, and other data uploaded by the Customer
Categories of Data Subjects | Customer employees, student pilots, flight instructors, customers of the Customer (invoice recipients), aircraft owners, and other individuals whose data is uploaded to the Service

Annex II: Technical and Organizational Measures

HangarOS implements and maintains the following technical and organizational measures to protect Customer Data:

A. Encryption

  • Data in transit: TLS 1.2 or higher for all API and web communications
  • Data at rest: AES-256 encryption for all stored Customer Data
  • Database encryption: AWS RDS encryption with AWS KMS-managed keys
  • Backup encryption: All backups are encrypted at rest

B. Access Controls

  • Role-based access control (RBAC) with the principle of least privilege
  • Multi-factor authentication (MFA) for all administrative and production access
  • Unique user credentials for all personnel; no shared accounts
  • Automated deprovisioning of access upon personnel departure
  • Row-level security (RLS) policies in PostgreSQL to ensure tenant data isolation

C. Infrastructure Security

  • Hosted on Amazon Web Services (AWS) with SOC 2 Type II and ISO 27001 certifications
  • Virtual private cloud (VPC) with network segmentation
  • AWS WAF (Web Application Firewall) for API Gateway protection
  • Serverless architecture (AWS Lambda) reducing attack surface
  • Separate development and production environments

D. Authentication and Identity

  • Amazon Cognito for user authentication and identity management
  • JWT-based token authentication with appropriate expiration
  • Secure password policies enforced at the identity provider level
  • MFA support for end-user accounts

E. Monitoring and Logging

  • Centralized logging of all API access and administrative actions
  • Audit trail for data modifications
  • Automated alerting for security anomalies
  • Log retention for a minimum of 1 year

F. Incident Response

  • Documented incident response plan
  • Defined escalation procedures and roles
  • 72-hour breach notification commitment (see Section 7 of this DPA)

G. Business Continuity

  • Automated daily backups of all Customer Data
  • Multi-availability-zone database deployment
  • Disaster recovery procedures with defined recovery time objectives

H. Secrets Management

  • AWS Secrets Manager for secure storage and rotation of credentials
  • No hard-coded secrets in application code
  • Environment-specific secrets with separate dev/prod isolation

Annex III: List of Sub-processors

The following Sub-processors are authorized to process Customer Data on behalf of HangarOS as of the effective date of this DPA:

Sub-processor | Purpose | Location | Data Processed
Amazon Web Services (AWS) | Cloud infrastructure, hosting, database, serverless compute, secrets management | United States (us-east-1) | All Customer Data
Amazon Cognito (AWS) | User authentication and identity management | United States (us-east-1) | Names, email addresses, phone numbers, authentication tokens
Stripe, Inc. | Subscription billing and payment processing | United States | Billing information, transaction data
Stripe Connect (Stripe, Inc.) | Invoice generation and payment processing on Customer's behalf | United States | Invoice Data (amounts, descriptions, recipient details)
Vercel, Inc. | Website and frontend hosting | United States | IP addresses, device data, usage data
Google LLC | Website analytics (Google Analytics) | United States | Anonymized/pseudonymized usage data, IP addresses, device data
Microsoft Corporation | Email communications | United States | Email addresses, names, email content

This list is current as of the effective date of this DPA. For the most up-to-date list of Sub-processors, please contact legal@hangaros.com.

Contact

For questions about this DPA or to exercise rights under this DPA, please contact:

HangarOS, 4801 Glenwood Ave, Suite 200, Mailbox 31, Raleigh, NC 27612, United States

Email: legal@hangaros.com