Data Processing Agreement.

1. Parties

Processor: Go Owl Digital Ltd, a UK company (Co. 17057072), operator of the Aviation Souk Platform (aviationsouk.com), registered at 1 Paradise Lane, Rowde, Devizes, SN10 2NN, United Kingdom.

Controller: the Customer (a Supplier or Buyer organisation) that instructs Aviation Souk to process personal data on its behalf. By accepting the Aviation Souk Terms of Service or submitting personal data through the Platform, the Customer agrees to this DPA.

2. Subject matter, duration, nature, and purpose of processing

• Subject: personal data submitted by the Controller to the Platform, including contact details of buyer employees (for RFQs), supplier representative names and email addresses (for claimed profiles), and any data embedded in uploaded documents.
• Duration: for the term of the Customer’s subscription or account, plus 30 days post-termination for data portability and deletion confirmation.
• Nature: collection, storage, indexing, translation (English ↔ Arabic), routing to named third parties (other suppliers the Customer has authorised), analytics, and deletion.
• Purpose: operating the Aviation Souk procurement-discovery service as described at /terms/, including AI-assisted supplier matching, RFQ routing, and account management.

3. Types of personal data and categories of data subjects

Types: names, work email addresses, job titles, company affiliations, phone numbers, and the content of submitted messages.

Categories of data subject: employees and representatives of the Customer organisation, and (for RFQs) the employees of third-party suppliers to whom the RFQ is routed.

4. Controller obligations

The Controller confirms that it has the lawful basis (consent, contract, or legitimate interest) to instruct Aviation Souk to process personal data on its behalf and has fulfilled any notice-and-disclosure obligations owed to data subjects under the applicable jurisdiction(s).

5. Processor obligations

Aviation Souk, as Processor, will:

• process personal data only on documented instructions from the Controller (including those given via the Platform UI);
• ensure persons authorised to process personal data are subject to confidentiality;
• implement appropriate technical and organisational security measures (see Section 8);
• engage sub-processors only as listed in Section 7, and notify the Controller of any changes;
• assist the Controller in responding to data-subject requests (access, rectification, erasure, portability, objection);
• notify the Controller of a personal-data breach without undue delay (and in any event within 72 hours of becoming aware);
• at the Controller’s choice on termination, delete or return all personal data, subject to any overriding legal retention obligation.

6. Data subject rights

The Controller is responsible for receiving and responding to data-subject requests. Aviation Souk will assist within 10 business days with the technical actions required (data export, deletion, rectification) at no additional charge for reasonable volumes.

Data subjects may contact hello@aviationsouk.com directly in respect of data they have submitted. We will redirect material requests to the appropriate Controller where relevant.

7. Authorised sub-processors

The Controller consents to Aviation Souk’s use of the following sub-processors, each of which is bound by a written agreement imposing data-protection obligations equivalent to those in this DPA:

• Supabase — EU-hosted application database (rows, account data, search queries).
• Vercel — global edge hosting for the Platform frontend and APIs.
• Resend — transactional email delivery (US/EU).
• OpenRouter (with its listed upstream LLM providers — OpenAI, Anthropic, Google, DeepSeek) — large-language-model inference for AI answer generation. Prompt content is sent; sub-processors may temporarily cache for abuse detection but are contractually prohibited from training on Customer data.
• Google LLC (Analytics) — anonymised pageview and engagement metrics. Opt-out available at /admin/opt-out/.
• Microsoft Corporation (Clarity) — session recordings and heatmaps. Text inputs are masked by default. Opt-out available as above.

Material changes to this list will be notified by email to active Customers at least 30 days before effect. If the Customer objects to a new sub-processor, the Customer may terminate their subscription pro-rata.

8. International data transfers

Personal data may be transferred from the UK/UAE/Saudi Arabia to the US (sub-processors hosted there). All such transfers rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or — where applicable — adequacy regulations. On request, Aviation Souk will provide a copy of the transfer mechanism applicable to the Customer’s data flow.

9. Security measures

• Encryption in transit (TLS 1.2+) and at rest (AES-256 on all managed data stores).
• Principle-of-least-privilege access to customer data; internal admin access is audit-logged.
• Separation of production and development environments.
• Annual review of security measures and immediate remediation of identified weaknesses.
• Regular off-site backups retained in the same data-residency zone as the primary store.

10. Audit

Customer (or a mutually agreed third-party auditor) may audit Aviation Souk’s compliance with this DPA once per calendar year, on 30 days’ written notice, during working hours, at the Customer’s own cost, and subject to reasonable confidentiality undertakings.

11. Return or deletion of data

On termination of the Customer’s subscription, Aviation Souk will delete or (at the Customer’s election) return Customer personal data within 30 days, except to the extent retention is required by law.

12. Governing law

This DPA is governed by the laws of England and Wales and forms part of the Aviation Souk Terms of Service. Where the Customer is based in the UAE or Saudi Arabia, local mandatory provisions of UAE PDPL or Saudi PDPL apply in addition to, and where in conflict, in place of, the equivalent UK GDPR provisions.

13. Contact

For DPA queries, write to hello@aviationsouk.com with subject “DPA request”. We respond within 5 business days. Our data-protection point of contact is the Director, Go Owl Digital Ltd (Liam Walsh).