GDPR Article 28 Compliance

Data Processing Agreement

Legal agreement between ZEA AI and operators/brokers

Effective Date: 01 October 2025 | Version: 1.0 | Status: ✅ Active

Parties to this Agreement

Data Controller

You (the Operator or Broker) control passenger and flight data. You determine purposes and means of processing.

Responsibilities:

  • Lawful basis for processing
  • Data subject notifications
  • Parental consent (if applicable)

Data Processor

ZEAS GLOBAL FZCO t/a ZEA AI
IFZA Business Park, Dubai Silicon Oasis
United Arab Emirates
📧 support@zeaai.co
🛡️ Data Protection Contact: Ozayr Soge (os@zeaai.co)

Responsibilities:

  • Security of processing
  • Confidentiality measures
  • Breach notification (24h)

Key Terms & Purpose

Critical Architecture Note

ZEA AI operates a privacy-by-design architecture:

  • 1. Passport Processing: Images are processed transiently (<5 seconds) via Azure OpenAI (EU) and NEVER stored in ZEA AI databases. Extracted data is transmitted directly to your Leon API and immediately discarded.
  • 2. Passenger Data Display: Passenger information is never stored or cached within PAXP. When a user views a flight, passenger data is securely retrieved from Leon via API in real time and immediately discarded after the session ends. This ensures full data minimisation and 'privacy-by-design' compliance — no persistent passenger data ever exists within PAXP.
  • 3. Flight Operational Data: Non-personal flight information (schedules, routes, aircraft, costs) is stored securely in PAXP database for analytics purposes to support platform insights and performance optimization.
  • 4. Crew Data: Names and roles are stored under legitimate interest for work-related scheduling and duty compliance purposes, and are automatically deleted 30 days after flight completion.

What ZEA AI Does

  • ✅ Parses passport images using Azure OpenAI Vision (EU region)
  • ✅ Extracts MRZ data per ICAO Doc 9303 standard
  • ✅ Transmits extracted data to your Leon API
  • ✅ Generates Apple/Google Wallet boarding passes
  • ✅ Displays flight data from your Leon API in real-time

What ZEA AI Does NOT Do

  • ❌ Store passport images or extracted passenger data
  • ❌ Retain PII beyond transient processing
  • ❌ Share data with unauthorized third parties
  • ❌ Use customer data for AI model training

Processing Activities & Security

Data Type | Processing | Retention
Passport images | Transient AI parsing | NOT STORED (<5s)
Passenger personal data | Retrieved in real time when flight is viewed | NOT STORED — fetched on-demand, discarded after viewing
Flight operational data | Analytics & platform optimization | Retained for analytics
Crew data (names, roles) | Scheduling and duty compliance | 30 days after flight (auto-delete)
User account data | Authentication & access control | Until account deletion
API logs (metadata) | Security monitoring (PII-free) | 12 months

Encryption

TLS 1.3 in transit, AES-256 at rest

EU Hosting

Azure EU, Supabase EU, SCCs in place

Breach Response

24h controller notification

Your Obligations as Controller

As the Data Controller, you must:

  • ✅ Ensure lawful basis for processing (e.g., Art 6(1)(b) contract necessity)
  • ✅ Provide privacy notices to passengers/clients
  • ✅ Obtain parental consent for children's data (where applicable)
  • ✅ Respond to data subject rights requests within 30 days
  • ✅ Notify ICO within 72 hours of a breach (if applicable)
  • ✅ Review and approve/object to new sub-processors within 14 days
  • ✅ Maintain your own records of processing activities (ROPA)

International Data Transfers

ZEA AI uses the following safeguards for international data transfers:

  • Within EU/EEA: No additional safeguards required
  • UK ↔ EU: UK-EU adequacy decision
  • To USA (Apple/Google): EU-US Data Privacy Framework OR Standard Contractual Clauses (EU 2021/914)
  • To UAE: ZEAS GLOBAL FZCO registered address (processing instructions only)
  • Azure OpenAI: EU Data Boundary enforced, Microsoft EU DPA

Electronic Acceptance

This DPA is executed electronically pursuant to Article 28 GDPR. By clicking to accept during account registration or by using the Services, you agree to be bound by this DPA with ZEAS GLOBAL FZCO t/a ZEA AI.

Clickwrap Logging: Your acceptance is recorded with user ID, timestamp, IP address, and document version for audit purposes. This constitutes a legally binding agreement equivalent to written signature.

Maintained by: ZEAS GLOBAL FZCO t/a ZEA AI

Registered Address: IFZA Business Park, Dubai Silicon Oasis, United Arab Emirates

Contact: support@zeaai.co

Website: https://zeaai.co

Approved by: ZEAS GLOBAL FZCO Privacy Team — 01 October 2025