Legal & compliance

Data Processing Agreement

Last updated 26 June 2026

Data Processing Agreement (DPA)

Effective: on Order Form acceptance. Version: 2026-06-26.

This DPA forms part of the agreement between Waypoint Aviation Software Ltd ("Processor") and the customer organisation named in the Order Form ("Controller"). It governs the Processor's processing of personal data on the Controller's behalf and reflects the requirements of UK GDPR Art. 28 and EU GDPR Art. 28.

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Special Category Data", and "Supervisory Authority" have the meanings given in UK / EU GDPR. "Subprocessor" means any third party engaged by Waypoint to Process Personal Data on the Controller's behalf.

2. Subject-matter, duration, nature and purpose

The Processor processes Personal Data uploaded by the Controller to the Waypoint TMS Service for the duration of the Master Subscription Agreement, in order to provide the Service (training-records management, scheduling, regulator-ready reporting, mobile sync, audit).

3. Categories of Data Subject and Personal Data

Data Subjects: the Controller's employees and contractors, including pilots, instructors, examiners, training managers, compliance officers and admin staff.

Personal Data: identity (name, email, employee/licence number), employment data (role, fleet, base), training data (events, grades, remarks, signatures), authentication data (hashed password, session metadata, login IP, MFA enrolment), device data (push token, device model, OS).

Special Category Data: none, save where the Controller voluntarily uploads attached medical-fitness documents. The Processor processes such data solely as a passive store; the Controller is responsible for lawful basis under Art. 9 GDPR.

4. Processor obligations

The Processor will:

  • Process Personal Data only on the Controller's documented instructions, including with regard to international transfers, except where required by law (in which case the Processor will notify the Controller before processing, unless prohibited).
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement and maintain the technical and organisational measures described in Annex II.
  • Engage Subprocessors only under § 5 of this DPA.
  • Assist the Controller with Data Subject requests, DPIAs, and Supervisory Authority consultations to the extent reasonable given the technical implementation of the Service.
  • Notify the Controller without undue delay (and in any event within 48 hours) of becoming aware of a Personal Data Breach affecting the Controller's data.
  • On termination, at the Controller's choice, return or delete all Personal Data within 30 days, save for backup copies overwritten on the rolling 30-day cycle.
  • Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, no more than once per year unless required by a Supervisory Authority.

5. Subprocessors

The Controller grants general written authorisation for the Processor to engage the Subprocessors listed at https://waypointtms.com/legal/subprocessors. The Processor will give the Controller at least 30 days' notice of any intended addition or replacement of a Subprocessor (via email to the Operator administrator and a banner in the Staff Console). The Controller may object on reasonable data-protection grounds within 30 days; if the parties cannot agree on a remedy, the Controller may terminate the affected portion of the Service with a pro-rata refund.

6. International transfers

To the extent the Processor or its Subprocessors transfer Personal Data outside the UK / EEA, the parties agree that:

  • Transfers from the EEA are governed by the EU Standard Contractual Clauses 2021/914, Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Subprocessor), incorporated by reference and pre-completed by Annex I (parties), Annex II (technical and organisational measures, see below), Annex III (Subprocessor list).
  • Transfers from the UK are governed by the UK International Data Transfer Addendum (version B1.0) to the SCCs.

7. Liability

Each party's liability under this DPA is governed by the limitation-of-liability clause in the Master Subscription Agreement, save that nothing in this DPA limits liability that cannot be limited under applicable data-protection law.

8. Assignment and change of control

The Processor may assign or novate this DPA, together with the Master Subscription Agreement, to a successor entity in connection with a merger, acquisition, corporate reorganisation, financing, or a sale of all or substantially all of its business or assets. On any such transfer:

  • the successor will be bound by this DPA and will assume all of the Processor's obligations under UK / EU GDPR Art. 28, including the technical and organisational measures in Annex II and the Subprocessor commitments in § 5;
  • the Processor will notify the Controller in advance of any change of control that affects the entity Processing the Controller's Personal Data, and will treat the incoming entity in the same way as a new Subprocessor for the purposes of the Controller's objection rights in § 5; and
  • if the successor cannot maintain protections for the Personal Data equivalent to those required by this DPA and by applicable data-protection law, the Controller may object and terminate the affected Processing and Service, and the Processor (or its successor) will return or delete the Personal Data in accordance with § 4.

This DPA binds and benefits the parties' permitted successors and assigns. A change of control does not diminish the rights of the Controller, or of Data Subjects, under applicable data-protection law.


Annex I — Parties

Controller: as identified in the Order Form. Processor: Waypoint Aviation Software Ltd, with DPO contact at privacy@waypointtms.com.

Annex II — Technical and organisational measures

  • Encryption: TLS 1.2+ on all external traffic (HSTS enforced); AES-256 at rest on managed PostgreSQL volumes and object storage.
  • Access control: role-based access in the application (RBAC by tenant); MFA available for all admin and staff console accounts; principle-of-least-privilege IAM on infrastructure; no shared credentials.
  • Network: Helmet security headers (X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, Referrer-Policy, HSTS, cross-origin resource policy); allowlist-based CORS; rate-limiting on the login endpoint and a general rate limit on the API; trusted reverse proxy with mTLS to origin.
  • Application security: parameterised queries (Drizzle ORM), Zod input validation on all endpoints, OpenAPI contract-first generation to keep client/server in lockstep, dependency vulnerability scanning, SAST and secret-scanning on every change, annual third-party penetration test.
  • Audit: every privileged action (admin, staff, impersonation) is recorded with actor, action, target, IP and timestamp in an append-only audit log, retained for 2 years.
  • Data integrity & availability: because the Service holds operationally- and regulatory-critical training records, integrity controls (parameterised writes, optimistic-concurrency checks on report state transitions, append-only audit, tamper-evident PDF hash chains) and availability measures are maintained, and the Controller can export its records in a structured, machine-readable format at any time.
  • Backups & DR: managed PostgreSQL automated backups with 30-day point-in-time recovery; documented Disaster Recovery runbook with a 4-hour RTO and 1-hour RPO target; restore procedure tested at least annually.
  • Incident response: 24/7 on-call; Personal Data Breach notification within 48 hours; post-incident review published to affected customers.
  • Personnel: background checks on staff with production access, signed confidentiality agreements, mandatory annual security training.

Annex III — Subprocessors

See https://waypointtms.com/legal/subprocessors for the up-to-date list. Snapshot at the date of this DPA: Replit (hosting), Neon (PostgreSQL), Resend (email), Expo / EAS (mobile builds), Sentry (error monitoring), Stripe (billing).

← All legal documents