Data Processing Agreement
Version 2026-05-17 · Effective 5/17/2026
1. Introduction
This Data Processing Agreement (this "DPA") forms part of the Terms of Service between Lou Holdings LLC, a Delaware limited liability company doing business as Av8Book ("Processor," "we," or "us") and the Customer identified in the applicable account or order ("Controller," "Customer," or "You") (together, the "Parties"). This DPA governs the Processing of Personal Data carried out by Av8Book on behalf of Customer in connection with Customer's use of the Av8Book service (the "Service").
This DPA applies only to the extent Av8Book Processes Personal Data on behalf of Customer as a processor (within the meaning of the GDPR) or service provider (within the meaning of the CCPA). For data Av8Book collects directly from end users for its own purposes (for example, marketing-site form submissions, sales conversations), the Privacy Policy applies and Av8Book acts as controller.
In the event of conflict between this DPA and the Terms of Service with respect to the Processing of Personal Data, this DPA controls.
2. Definitions
Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms of Service or, where applicable, in the EU General Data Protection Regulation (EU) 2016/679 (the "GDPR"), the UK Data Protection Act 2018 and the UK GDPR (collectively, "UK Data Protection Law"), or the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act (collectively, the "CCPA").
- Applicable Data Protection Law means the GDPR, UK Data Protection Law, the CCPA, and any other privacy or data-protection law that applies to a Party's Processing of Personal Data in connection with the Service.
- Customer Personal Data means Personal Data Processed by Av8Book on behalf of Customer in connection with Customer's use of the Service.
- Personal Data has the meaning given in Applicable Data Protection Law (including "personal information" under the CCPA).
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- Processing (and its derivatives) has the meaning given in Applicable Data Protection Law.
- Standard Contractual Clauses or SCCs means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914), and the UK International Data Transfer Addendum or UK IDTA where applicable to a UK transfer.
- Sub-processor means any third party engaged by Av8Book to Process Customer Personal Data on its behalf.
3. Scope and Roles
With respect to Customer Personal Data, Customer is the controller (or, where Customer is itself a processor on behalf of another controller, Customer is the processor) and Av8Book is the processor. Av8Book Processes Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law (in which case Av8Book will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest).
The Terms of Service, this DPA, Customer's use of the Service in accordance with the Terms of Service, and any subsequent written instructions agreed by the Parties together constitute the documented instructions from Customer to Av8Book regarding the Processing of Customer Personal Data. The subject matter, nature, and purpose of the Processing; the duration of the Processing; the types of Personal Data Processed; and the categories of data subjects are described in Annex I.
4. Av8Book's Obligations
Av8Book will:
- Process on instructions. Process Customer Personal Data only on Customer's documented instructions as described in Section 3, and immediately inform Customer if, in Av8Book's opinion, an instruction infringes Applicable Data Protection Law.
- Confidentiality. Ensure that persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security. Implement and maintain the technical and organizational measures described in Annex II to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32.
- Sub-processors. Comply with Section 5 (Sub-processors) when engaging Sub-processors.
- Data subject requests. Taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer's obligation to respond to requests for exercising data-subject rights (access, rectification, erasure, restriction, portability, objection, and automated decision-making).
- Assistance with GDPR Articles 32–36. Assist Customer in ensuring compliance with its obligations under GDPR Articles 32 (security), 33 and 34 (breach notification), 35 (data protection impact assessments), and 36 (prior consultation with supervisory authorities), taking into account the nature of the Processing and the information available to Av8Book.
- Deletion or return on termination. Comply with Section 10 (Deletion or Return).
- Information and audits. Make available to Customer the information necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits conducted by Customer or another auditor mandated by Customer, on the terms set forth in Section 11.
5. Sub-processors
5.1 General authorization. Customer grants Av8Book a general authorization to engage Sub-processors to Process Customer Personal Data. The current list of Sub-processors is identified in Annex III and at any time in Section 5 of our Privacy Policy.
5.2 Change notice and right to object. Av8Book will provide at least thirty (30) days' advance notice of any intended addition or replacement of a Sub-processor that will Process Customer Personal Data, by in-product banner or by email to the Customer-designated contact. Customer may object in writing to Support@av8book.com within the notice period on reasonable grounds relating to data protection. If the Parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected portion of the Service for convenience and receive a pro-rated refund of any prepaid fees attributable to the terminated portion.
5.3 Flow-down. Av8Book will impose on each Sub-processor data-protection obligations no less protective than those in this DPA and will remain fully liable to Customer for the performance of each Sub-processor's obligations.
6. International Transfers
Av8Book is based in the United States. Customer Personal Data may be transferred to, and Processed in, the United States and other countries where Av8Book or its Sub-processors operate.
Where Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country not the subject of an adequacy decision under Applicable Data Protection Law, the transfer is governed by the applicable Standard Contractual Clauses, which are incorporated into this DPA by reference and deemed executed by the Parties as of the date of Customer's acceptance of the Terms of Service. The Parties agree that:
- For EU transfers: Module Two (controller-to-processor) of the SCCs applies, with the optional Clause 7 (docking) excluded, Option 2 selected for Clause 9 (general authorization for Sub-processors with the notice period set forth in Section 5.2), Option 1 selected for Clause 17 (Member-State law of Ireland), Clause 18 designating the courts of Ireland, and Annexes I, II, and III to the SCCs populated by the corresponding Annexes to this DPA;
- For UK transfers: the UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner's Office is incorporated, with Tables 1, 2, and 3 populated by the corresponding Annexes to this DPA;
- For Swiss transfers: the SCCs apply with the modifications recommended by the Swiss Federal Data Protection and Information Commissioner (FDPIC) to extend their effect to Swiss-originating data.
7. Personal Data Breach Notification
Av8Book will notify Customer of a confirmed Personal Data Breach affecting Customer Personal Data without undue delay and in any event within forty-eight (48) hours of Av8Book's confirmation of the breach. The notice will include, to the extent then known:
- The nature of the Personal Data Breach, including (where possible) the categories and approximate number of data subjects and Personal Data records concerned;
- The likely consequences of the Personal Data Breach;
- The measures taken or proposed to be taken by Av8Book to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- A point of contact at Av8Book for further information.
Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay. Notification of a Personal Data Breach is not an acknowledgment by Av8Book of any fault or liability with respect to the Personal Data Breach.
8. Data Subject Requests
Av8Book will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer's obligation to respond to requests by data subjects to exercise their rights under Applicable Data Protection Law. If Av8Book receives a request from a data subject relating to Customer Personal Data, Av8Book will (unless prohibited by law) promptly forward the request to Customer without itself responding, and will direct the data subject to submit the request through the Customer.
9. Cooperation with Supervisory Authorities; DPIAs
Av8Book will, on reasonable request and at Customer's expense (other than for matters caused by Av8Book's breach of this DPA), provide Customer with reasonable information and assistance necessary for Customer to conduct any data protection impact assessment or prior consultation with a supervisory authority that is required under Applicable Data Protection Law in connection with Customer's use of the Service.
10. Deletion or Return on Termination
On termination or expiry of the Terms of Service, or earlier on Customer's written request, Av8Book will (at Customer's election) delete or return to Customer all Customer Personal Data and delete any existing copies, except to the extent applicable law requires retention of all or part of the Customer Personal Data, in which case Av8Book will isolate and protect that Customer Personal Data from any further Processing except to the extent required by law. Av8Book's standard self-serve data-export and deletion tools satisfy this obligation; bespoke export or deletion beyond those tools is available on reasonable request at Av8Book's then-current professional services rates.
Backup copies of Customer Personal Data may persist in routine backups for up to ninety (90) days after deletion and will be overwritten in the ordinary course of backup rotation.
11. Audits
Av8Book will make available to Customer, on reasonable written request and not more than once per calendar year, (a) Av8Book's then-current security documentation (including any then-available third-party security attestations or summaries) and (b) responses to a reasonable security questionnaire. To the extent the foregoing is insufficient to demonstrate compliance with Article 28 and Customer has a reasonable basis to require additional audit, Customer may, at its expense and on at least thirty (30) days' prior written notice, conduct an on-site or remote audit, subject to Av8Book's reasonable confidentiality, scheduling, and operational requirements. Audits will be limited to information and systems necessary to verify compliance with this DPA and may not disrupt the Service or compromise the confidentiality of other customers' data.
12. CCPA Service-Provider Provisions
To the extent Customer is a "business" and Av8Book is a "service provider" (each as defined in the CCPA) with respect to any Customer Personal Data, Av8Book:
- Will not sell or share (as those terms are defined in the CCPA) Customer Personal Data;
- Will not retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Service for Customer, including for any commercial purpose other than the business purposes specified in the Terms of Service or this DPA, or as otherwise permitted by the CCPA;
- Will not retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and Av8Book;
- Will not combine Customer Personal Data with personal information that Av8Book receives from or on behalf of another person, or that Av8Book collects from its own interactions with a consumer, except as expressly permitted by the CCPA;
- Certifies that it understands and will comply with the restrictions in this Section.
Av8Book will notify Customer if it determines it can no longer meet its obligations under the CCPA, and Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.
13. Liability
The liability of each Party arising out of or in connection with this DPA, whether in contract, tort (including negligence), under statute, or otherwise, is subject to the exclusions and limitations of liability set forth in the Terms of Service, except to the extent applicable law prohibits such limitation in respect of liability under Applicable Data Protection Law.
14. Term and Termination
This DPA is effective on the date Customer accepts the Terms of Service (or, if later, the date on which Av8Book first Processes Customer Personal Data) and continues for the term of the Terms of Service, plus any post-termination period during which Av8Book Processes Customer Personal Data as permitted under Section 10. The obligations of Section 10 (Deletion or Return), Section 11 (Audits), and any provisions that by their nature should survive termination will survive termination of this DPA.
15. Governing Law
This DPA is governed by the law specified in Section 17 (Governing Law) of the Terms of Service, except that the SCCs and UK IDTA incorporated by Section 6 are governed by the laws of, and subject to the jurisdiction described in, those instruments.
16. Order of Precedence
In the event of conflict among the documents comprising the agreement between the Parties with respect to the Processing of Personal Data, the order of precedence (highest first) is: (1) the SCCs and UK IDTA, where applicable to a transfer; (2) this DPA; (3) the Terms of Service; (4) any other policy or document referenced by the foregoing.
Annex I — Description of Processing
I.1 Parties
Data exporter (Controller): the Customer identified in the applicable Av8Book account or order.
Data importer (Processor): Lou Holdings LLC d/b/a Av8Book, a Delaware limited liability company, registered office at 6124 Stillmeadow Drive, Nashville, TN 37211, USA.
I.2 Subject matter and duration
Av8Book provides a cloud-hosted scheduling, dispatch, billing, training-records, and operations platform for flight schools and similar aviation businesses. Processing continues for the term of Customer's subscription to the Service plus the deletion windows set out in Section 10.
I.3 Nature and purpose of Processing
Hosting, collecting, organizing, structuring, storing, retrieving, transmitting, displaying, and analyzing Customer Personal Data for the purpose of providing, maintaining, securing, and improving the Service; performing billing and payment functions; sending operational and transactional communications as configured by Customer; complying with legal obligations; and protecting against fraud or unauthorized access.
I.4 Categories of data subjects
- Customer's personnel (owners, administrators, dispatchers, instructors, mechanics);
- Customer's students, renters, and other end users of the Service;
- Other natural persons whose Personal Data is uploaded by Customer to the Service (for example, emergency contacts, designated examiners, parents/guardians of minor students).
I.5 Types of Personal Data
- Identification and contact data (name, email address, mobile phone number, postal address);
- Account and authentication data (hashed password, authentication tokens, IP address, device identifiers, audit-log entries);
- Aviation operational data (bookings, dispatch records, flight times, instructor sign-offs, training records, endorsements, logbook entries, aircraft squawks, maintenance items, certificate numbers);
- Regulatory data (FAA Tracking Number, TSA citizenship status, AFSP approval, medical-certificate class and expiration, driver's license number, passport number);
- Billing data (invoice line items, payment records, account balances, prepaid-package usage; payment-instrument tokens via Stripe; no card or bank-account numbers are stored on Av8Book's infrastructure);
- Communication metadata and content for messages sent through the Service (email subject + first 200 characters of body for the delivery log; SMS recipient + timestamp + delivery status, no plaintext body retained after send);
- Optional AI-extraction inputs and outputs (where the end user opts in, the document file plus the structured extraction returned by Anthropic; see Privacy Policy Section 17).
I.6 Sensitive categories
Customer Personal Data may include the following categories that receive enhanced protection under Applicable Data Protection Law: medical-certificate data (limited to class, expiration, and examining-physician fields); government-issued identification numbers (FTN, driver's-license, passport); and Personal Data of minors under the conditions described in the Terms of Service Section 3. Av8Book applies access controls and audit logging to these fields and applies additional encryption-at-rest to government-issued identification numbers.
I.7 Frequency, duration, and retention
Continuous Processing for the duration of the Service. Retention as described in Privacy Policy Section 9 (Data Retention). Audit and SMS-consent records retained for the longer periods described there.
Annex II — Technical and Organizational Measures
Av8Book implements the following technical and organizational measures to ensure a level of security appropriate to the risk (GDPR Art. 32). The measures are subject to technical progress and may be updated from time to time, provided the overall level of protection is not diminished.
- Encryption in transit. TLS 1.2 or higher for all connections to the Service.
- Encryption at rest. Disk-level encryption at the storage layer (Supabase Postgres + Supabase Storage). Application-level encryption (PGP_SYM_ENCRYPT) for government-issued identification numbers.
- Access control. Role-based access control with least-privilege defaults; multi-tenant isolation enforced by application-level org scoping and Postgres row-level security policies; password hashing with bcrypt; multi-factor authentication available.
- Network security. Helmet HTTP security headers; CORS origin restriction; rate limiting (30 requests/minute/IP).
- Audit logging. Append-only audit log of privileged and material actions, with before/after data snapshots; platform-staff support access logged.
- Malware scanning. All uploaded documents scanned with ClamAV before storage; uploads with detected signatures rejected and the rejection audited.
- Backups. Daily database backups retained per Supabase plan policy; tested restore procedure.
- Logical separation. Customer data segregated by organization_id and (where applicable) location_id; every API request scoped to the requester's organization.
- Vulnerability management. Dependencies tracked; security advisories monitored; patches deployed in the ordinary course.
- Personnel. Personnel bound by written confidentiality obligations; background checks where applicable to role and law.
- Incident response. Documented incident-response process; breach notification per DPA Section 7.
- Sub-processor diligence. Sub-processors selected for security posture and contractually bound to obligations no less protective than this DPA.
Annex III — Sub-processors
The current list of Sub-processors that Process Customer Personal Data is published in Section 5 of our Privacy Policy and is reproduced below for reference. Av8Book will update the published list when a Sub-processor is added or replaced and provide notice as described in Section 5.2 of this DPA.
- Supabase — Postgres database hosting, file storage, real-time messaging. Hosting region: US-East-2.
- Fly.io — API and ClamAV malware-scanning compute hosting. Hosting region: United States.
- Vercel — Web frontend hosting and CDN.
- Stripe — Payment processing, ACH micro-deposit verification, subscription billing. Av8Book does not store payment-instrument numbers.
- Resend — Transactional email delivery.
- Twilio — SMS delivery (when enabled by Customer).
- ImprovMX — Inbound email forwarding for av8book.com addresses.
- QuickBooks Online (Intuit) — Optional accounting integration; only data Customer explicitly syncs is shared.
- MyFlightbook / LogTen Pro / ForeFlight — Optional logbook integrations; only data Customer explicitly sends is shared.
- Sentry — Error reporting (when enabled); IP address and email may be included in error events.
- Anthropic — Optional AI-assisted document reading; engaged only when an end user explicitly opts in per Privacy Policy Section 17. Inputs and outputs not used to train Anthropic's models; Anthropic may retain inputs/outputs for up to 30 days for trust-and-safety review.
Annex IV — Standard Contractual Clauses
Where Section 6 of this DPA requires the use of the Standard Contractual Clauses or the UK IDTA, the then-current Commission-approved or ICO-approved versions of those instruments are incorporated into this DPA by reference. The Parties agree that the Annexes/Tables of those instruments are populated as described in Section 6 and by the substance of Annexes I, II, and III of this DPA.
On reasonable written request, Av8Book will provide Customer with a fully executed copy of the applicable SCCs/IDTA with the Annexes/Tables populated.
Contact
Questions or notices under this DPA: legal@av8book.com.