Data Processing Agreement
NEXIEL LIMITED t/a AeroPrep · Document version 2026-05-01
This Agreement supplements the AeroPrep Terms of Service for schools acting as data controllers under the GDPR. Electronic acceptance via the school application or School Portal is valid execution under Schedule 4. For procurement copies, contact privacy@aeroprep.eu.
DATA PROCESSING AGREEMENT
Between:
NEXIEL LIMITED t/a AeroPrep
CRO Number: 802963
VENTURE HUB, 136 CAPEL STREET, DUBLIN, D01 T2C9, IRELAND
("Processor" / "AeroPrep")
And:
[School/Organisation Legal Name]
[Registered Address]
[CRO/Company Registration Number if applicable]
[VAT Number if applicable]
("Controller" / "School")
Together referred to as the "Parties".
Effective date: The date on which the School's registration is approved by AeroPrep, or the date both Parties sign this Agreement, whichever is earlier.
RECITALS
A. The Controller operates as a flight school, Approved Training Organisation (ATO), Declared Training Organisation (DTO), flying club, or similar aviation training entity and wishes to use the AeroPrep platform to support student theory exam preparation.
B. In the course of providing the AeroPrep platform and School Portal to the Controller, the Processor will process personal data on behalf of the Controller as described in this Agreement.
C. The Parties wish to set out in this Agreement the terms governing such processing in compliance with Article 28 of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and any applicable national implementing legislation.
D. This Agreement forms part of and supplements the AeroPrep Terms of Service. In the event of conflict between this Agreement and the Terms of Service on data protection matters, this Agreement prevails.
PART 1 — DEFINITIONS
1.1 In this Agreement:
"Applicable Data Protection Law" means the GDPR, any national legislation implementing or supplementing the GDPR in Ireland or any other relevant jurisdiction, and any related guidance, codes of practice, or decisions issued by a competent supervisory authority.
"Controller" has the meaning given in Article 4(7) GDPR — the entity that determines the purposes and means of processing personal data. In this Agreement, the School acts as Controller for the school-related processing described in Schedule 1.
"Data Subject" means an identified or identifiable natural person whose personal data is processed under this Agreement, including students, instructors, and school administrators.
"Personal Data" has the meaning in Article 4(1) GDPR — any information relating to an identified or identifiable natural person.
"Personal Data Breach" has the meaning in Article 4(12) GDPR — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
"Processing" has the meaning in Article 4(2) GDPR.
"Processor" has the meaning in Article 4(8) GDPR — the entity that processes personal data on behalf of the Controller. In this Agreement, AeroPrep acts as Processor for the school-related processing described in Schedule 1.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries, as applicable.
"Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
"Supervisory Authority" means the Data Protection Commission of Ireland or any other competent data protection supervisory authority with jurisdiction over the relevant processing.
PART 2 — SCOPE AND RELATIONSHIP OF THE PARTIES
2.1 Controller's Role
The Controller determines the purposes and means of processing personal data of its students, instructors, and administrators for training management purposes, including assigning access, monitoring progress, conducting assessments, and maintaining training records.
2.2 Processor's Role
The Processor processes personal data on behalf of the Controller solely to provide the AeroPrep School Portal features described in Schedule 1 and in accordance with the Controller's documented instructions.
2.3 Independent Processing by AeroPrep
The Parties acknowledge that AeroPrep also processes certain personal data as an independent controller for its own purposes, including billing, fraud prevention, account security, platform analytics, and legal compliance. Such processing is not governed by this Agreement and is described in AeroPrep's Privacy Policy. The Processor will not process personal data provided by the Controller for the Processor's own independent purposes without a separate legal basis.
2.4 Compliance Responsibility
The Controller is responsible for ensuring it has a lawful basis for the processing described in Schedule 1 and that it has made appropriate disclosures to data subjects about the use of AeroPrep. The Processor is responsible for processing personal data in accordance with this Agreement and Applicable Data Protection Law.
PART 3 — PROCESSOR OBLIGATIONS
3.1 Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data outside the European Economic Area, unless required to do so by Union or Member State law applicable to the Processor. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification.
3.2 Confidentiality
The Processor shall ensure that persons authorised to process the personal data are subject to appropriate obligations of confidentiality.
3.3 Security
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Schedule 2 of this Agreement.
3.4 Sub-processing
The Processor shall not engage a sub-processor without the prior general or specific written authorisation of the Controller. The current list of sub-processors is set out in Schedule 3. The Processor shall:
Inform the Controller in advance of any intended addition or replacement of sub-processors, giving the Controller a reasonable opportunity (not less than 14 days) to object;
Impose data protection obligations on sub-processors equivalent to those in this Agreement;
Remain fully liable to the Controller for the performance of sub-processors' obligations.
3.5 Data Subject Rights
The Processor shall assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Controller's obligations to respond to data subject requests to exercise their rights under Chapter III of the GDPR, including requests for access, rectification, erasure, restriction, portability, and objection.
3.6 Compliance Assistance
The Processor shall assist the Controller in ensuring compliance with the Controller's obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation).
3.7 Deletion or Return
Upon termination or expiry of the school account or upon the Controller's written request, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless Union or Member State law requires continued storage. Upon request, the Processor shall provide written confirmation that deletion has been completed.
3.8 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller. The Controller shall provide reasonable notice (not less than 30 days) and shall ensure that audits are conducted in a manner that minimises disruption to the Processor's operations. The costs of any audit shall be borne by the Controller unless the audit reveals a material breach of this Agreement.
3.9 Notification
The Processor shall promptly notify the Controller if, in the Processor's opinion, an instruction from the Controller would violate Applicable Data Protection Law.
PART 4 — CONTROLLER OBLIGATIONS
4.1 The Controller warrants and represents that:
It has a valid lawful basis under Article 6 GDPR (and Article 9 where applicable) for all processing described in Schedule 1;
It has provided appropriate privacy notices to data subjects (students, instructors, administrators) regarding the use of AeroPrep;
It has authority to enter into this Agreement and to provide the personal data to the Processor;
It will only instruct the Processor to process personal data in accordance with Applicable Data Protection Law;
It will promptly notify the Processor of any changes to its instructions that may affect the Processor's processing obligations.
PART 5 — PERSONAL DATA BREACHES
5.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach affecting personal data processed under this Agreement.
5.2 The notification shall include, to the extent then known:
A description of the nature of the breach, including categories and approximate number of data subjects and personal data records concerned;
The name and contact details of the data protection point of contact;
The likely consequences of the breach;
The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
5.3 The Controller remains responsible for notifying the Supervisory Authority and data subjects as required under Articles 33 and 34 GDPR where it is the controller for the affected processing.
5.4 The Processor shall reasonably cooperate with and assist the Controller in any such notifications.
PART 6 — INTERNATIONAL TRANSFERS
6.1 The Processor shall not transfer personal data outside the European Economic Area without:
The transfer being to a country with an EU adequacy decision; or
Appropriate safeguards being in place, such as Standard Contractual Clauses; or
Another lawful transfer mechanism under Chapter V GDPR.
6.2 Where sub-processors operate outside the EEA, the Processor shall ensure appropriate safeguards are in place and available to the Controller on request.
PART 7 — TERM AND TERMINATION
7.1 This Agreement enters into force on the Effective Date and continues for as long as the Processor processes personal data on behalf of the Controller under the AeroPrep Terms of Service.
7.2 This Agreement terminates automatically on termination or expiry of the School's AeroPrep account, subject to any obligations that survive termination (including data deletion obligations under clause 3.7).
PART 8 — LIABILITY AND INDEMNITY
8.1 Each Party's liability under this Agreement is subject to the limitations set out in the AeroPrep Terms of Service, to the extent permitted by Applicable Data Protection Law.
8.2 To the extent required by GDPR, where both Parties are found to be responsible for damage caused by processing, each shall be held liable for the damage in accordance with Article 82 GDPR.
8.3 Nothing in this Agreement limits either Party's liability for fraud, wilful misconduct, or any liability that cannot lawfully be limited.
PART 9 — GOVERNING LAW
9.1 This Agreement is governed by the laws of Ireland.
9.2 Any dispute arising from this Agreement shall be subject to the exclusive jurisdiction of the courts of Ireland, without prejudice to mandatory consumer or data subject rights.
PART 10 — GENERAL
10.1 Entire Agreement
This Agreement, together with the Schedules, constitutes the entire agreement between the Parties regarding the processing of personal data described herein and supersedes all prior agreements on the same subject matter.
10.2 Amendments
AeroPrep may amend this Agreement to reflect changes in Applicable Data Protection Law, guidance from supervisory authorities, or changes in sub-processors, by providing at least 30 days' written notice to the Controller. Continued use of the School Portal after the effective date of amended terms constitutes acceptance.
10.3 Severability
If any provision of this Agreement is found to be unenforceable, the remaining provisions remain in full force.
10.4 Precedence
In the event of conflict between this Agreement and the Terms of Service on data protection matters, this Agreement shall prevail.
SCHEDULE 1 — PROCESSING DETAILS
(As required by Article 28(3) GDPR)
Subject matter: Operation of the AeroPrep School Portal for the Controller's student theory exam preparation programme
Duration: For the term of the School's active AeroPrep account
Nature of processing: Collection, storage, retrieval, display, analysis, export, deletion
Purpose of processing: Enabling the Controller to manage student access; monitor student progress; assign and administer exams; generate training reports; manage instructor accounts; facilitate EASA ATO training record compliance
Categories of data subjects: Students enrolled at the Controller's school; instructors employed or engaged by the Controller; school administrators
Categories of personal data: Names; email addresses; account credentials (hashed passwords); learning activity data (question attempts, answers, scores, exam sessions, bookmarks); assigned exam participation and results; instructor sign-off records; school role and permissions; device and session identifiers; study activity timestamps
Special categories: None anticipated. The Controller must not submit special category data unless separately agreed in writing
Controller's instructions: As set out in the AeroPrep Terms of Service and School Portal configuration, and as updated by the Controller's authorised administrator from time to time
SCHEDULE 2 — TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Processor implements the following measures, which may be updated from time to time in line with evolving good practice:
Access controls
Role-based access control (RBAC) limiting data access to authorised personnel and functions
Instructor and admin access limited to their own school's data
Super-admin access restricted to named individuals at NEXIEL LIMITED
All passwords stored as salted cryptographic hashes — never in plaintext
Session tokens stored in secure, httpOnly cookies (web) and Keychain/EncryptedSharedPreferences (mobile)
Transmission security
All data transmitted over HTTPS/TLS 1.2 or higher
Certificate pinning on mobile applications
API authentication required for all question and data endpoints
Storage security
Data stored on servers located within the European Union (Hetzner Cloud, EU datacentres)
Database access restricted by firewall and VPC rules
Backups encrypted and stored separately from primary data
Application security
Rate limiting on all authenticated endpoints
Audit logging of all admin actions and significant data access events
Anomalous usage detection (account sharing, bulk data extraction patterns)
Regular dependency and vulnerability review
Organisational measures
Access to production systems limited to named individuals at NEXIEL LIMITED with a legitimate need
Incident response process in place, including breach notification procedures
Regular internal review of security posture
SCHEDULE 3 — AUTHORISED SUB-PROCESSORS
The Controller grants general authorisation to the following sub-processors. AeroPrep will notify the Controller of any changes per clause 3.4.
Sub-processor: Hetzner Online GmbH
Role: Cloud hosting and infrastructure
Location: Germany (EU)
Safeguard: EU-based — no transfer
Sub-processor: Amazon Web Services (AWS)
Role: Object/file storage (S3)
Location: EU region (Frankfurt)
Safeguard: EU-based — no transfer
Sub-processor: Stripe, Inc.
Role: Payment processing
Location: USA
Safeguard: EU SCCs + adequacy framework
Sub-processor: Zeptomail (Zoho Corporation)
Role: Transactional email delivery
Location: EU/India
Safeguard: EU SCCs where applicable
Sub-processor: Vercel Inc. (if used for CDN/edge)
Role: Content delivery
Location: Global
Safeguard: EU SCCs
SCHEDULE 4 — EXECUTION
Signed for and on behalf of NEXIEL LIMITED t/a AeroPrep:
Signature: _
Name: _
Title: _
Date: _
Signed for and on behalf of [School Name]:
Signature: _
Name: _
Title: _
Date: _
This Agreement may be executed electronically. An electronically signed or accepted version (including acceptance via a checkbox on the AeroPrep school registration portal, where the full DPA text was presented) constitutes a valid, binding agreement between the Parties.