Light logo Small logo
Dark logo Small logo
Light logo
Dark logo

Data Processing Addendum (DPA)

Last updated December 17, 2025

This Data Processing Addendum (“Addendum” or “DPA”) forms part of the agreement between vAMSYS LTD (“vAMSYS”, “we”, “us”, “our”) and the customer operating a Virtual Airline on the vAMSYS platform (“Customer”, “you”, “your”).

This Addendum applies only to processing where vAMSYS processes personal data on behalf of the Customer as a Processor, in accordance with Article 28 of the UK GDPR and EU GDPR.

1. Definitions

Capitalised terms not defined in this Addendum have the meanings given in the parties’ main agreement. The following terms have the meanings set out below:

  • Data Protection Laws means EU GDPR and UK GDPR, and any applicable data protection or privacy laws and regulations.
  • Controller, Processor, Personal Data, Personal Data Breach, and processing have the meanings given in Data Protection Laws.
  • Customer Data means Personal Data provided by or on behalf of the Customer for processing under this Addendum.
  • Sub-processor means any Processor engaged by vAMSYS to assist with processing Customer Data.

2. Scope and Roles

2.1 Mixed roles

The vAMSYS platform involves processing activities where vAMSYS may act as a Controller and/or Processor depending on the context. This Addendum applies only where vAMSYS acts as a Processor on behalf of the Customer.

2.2 Customer as Controller

For processing under this Addendum, the Customer is the Controller and vAMSYS is the Processor. The Customer determines the purposes and means of processing Customer Data.

2.3 vAMSYS as Controller (outside this Addendum)

For avoidance of doubt, vAMSYS acts as a Controller for platform-level processing such as user accounts, platform security, logging, billing, abuse prevention/enforcement, and other processing described in the vAMSYS Privacy Policy. This Addendum does not apply to those Controller activities.

3. Details of Processing

3.1 Subject matter and nature of processing

vAMSYS processes Customer Data to provide platform features operated by the Customer, including (without limitation) the Pilot Invite feature and related onboarding/association workflows.

3.2 Purpose of processing

  • Creating user accounts based on Customer-provided invite details.
  • Sending service emails necessary for account access and onboarding (e.g., temporary password / password reset prompts).
  • Associating invited users with the Customer’s Virtual Airline and enabling initial VA onboarding content configured in the platform.
  • Managing verification and automated deletion of unverified accounts.

3.3 Categories of data subjects

  • Prospective pilots invited by the Customer.
  • Pilots registered with the Customer’s Virtual Airline.

3.4 Categories of Personal Data

  • First name
  • Last name
  • Email address

3.5 Special categories of data

The parties do not intend for the Customer to provide special categories of Personal Data (sensitive data) for processing under this Addendum. The Customer shall not submit special categories of Personal Data unless expressly agreed in writing.

3.6 Duration of processing

Processing continues for the term of the Customer’s subscription, subject to the retention and deletion terms in this Addendum.

4. Customer Obligations

The Customer agrees that it:

  • Has and will maintain a valid lawful basis to provide Customer Data to vAMSYS for processing (for example, legitimate interests in inviting a pilot who has requested or reasonably expects an invitation).
  • Will provide appropriate notices to data subjects where required by Data Protection Laws.
  • Will ensure the accuracy of Customer Data it submits and will keep it up to date where required.
  • Will not instruct vAMSYS to process Customer Data in a manner that violates Data Protection Laws.

5. vAMSYS Obligations as Processor

5.1 Processing on instructions

vAMSYS will process Customer Data only on documented instructions from the Customer, including as set out in this Addendum and the Customer’s use/configuration of the Services, unless required to do otherwise by applicable law (in which case, vAMSYS will inform the Customer of that legal requirement where permitted).

5.2 Confidentiality

vAMSYS will ensure that persons authorised to process Customer Data are bound by confidentiality obligations.

5.3 Security

vAMSYS will implement appropriate technical and organisational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.

5.4 Assistance

Taking into account the nature of processing, vAMSYS will provide reasonable assistance to the Customer to enable the Customer to comply with its obligations relating to:

  • data subject rights requests (access, correction, deletion, objection) to the extent applicable to Customer Data processed under this Addendum;
  • security, breach notification, and communications with supervisory authorities where required under Data Protection Laws, to the extent applicable to Customer Data processed under this Addendum.

6. Sub-processors

6.1 Authorisation

The Customer authorises vAMSYS to appoint Sub-processors to process Customer Data for the purposes described in this Addendum.

6.2 Current Sub-processors

Infrastructure / Hosting / Backups

  • Hetzner
  • Netcup
  • DigitalOcean
  • Cloudflare
  • Other hosting services as required to operate the Services

Email delivery

  • Mailgun EU

6.3 Sub-processor obligations

vAMSYS will impose data protection obligations on Sub-processors that are no less protective than those set out in this Addendum, to the extent applicable. vAMSYS remains responsible for the performance of its Sub-processors in relation to processing under this Addendum.

7. International Transfers

vAMSYS primarily hosts and processes Customer Data in the EU/UK (including Amsterdam and London as described above). If Customer Data is transferred outside the UK/EEA by vAMSYS or its Sub-processors, vAMSYS will ensure such transfers are subject to appropriate safeguards as required by Data Protection Laws (for example, adequacy decisions and/or contractual protections).

8. Retention, Deletion, and Return

8.1 Unverified accounts

Where an invited user account remains unverified, vAMSYS will delete the unverified user account after 7 days in accordance with platform rules.

8.2 Subscription lapse retention

If the Customer’s subscription ends or lapses, vAMSYS may retain VA and pilot data for up to 90 days to allow subscription restoration. After this period, vAMSYS will delete or anonymise Customer Data unless retention is required for legal compliance or abuse prevention.

8.3 Abuse prevention / banned users

vAMSYS may retain certain identifiers (such as email addresses and IP access logs) for extended periods where necessary to prevent fraud, abuse, or repeat violations, and to comply with legal obligations. Such retention is handled under vAMSYS’s Controller responsibilities.

9. Personal Data Breach

vAMSYS will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data processed under this Addendum. vAMSYS will provide reasonable information available to it to help the Customer meet breach notification obligations under Data Protection Laws.

10. Audits and Compliance Information

The Customer may verify vAMSYS’s compliance with this Addendum through documentation-based audits. This means vAMSYS will provide written materials reasonably necessary to demonstrate compliance (for example, this Addendum, a list of Sub-processors, and high-level security descriptions). On-site audits and access to systems are excluded unless required by applicable law.

11. Liability

Each party remains responsible for its own compliance with Data Protection Laws. Nothing in this Addendum expands either party’s liability beyond the limitations and allocations set out in the parties’ main agreement, to the extent permitted by law.

12. Order of Precedence

In the event of a conflict between this Addendum and the parties’ main agreement regarding processing where vAMSYS acts as a Processor, this Addendum will prevail to the extent of that conflict.

13. Governing Law

This Addendum is governed by the laws of England and Wales.

14. Contact

Questions about this Addendum can be directed to: [email protected].