GDPR Article 32 & PART-IS Compliance

Data Processing Agreement
Security Addendum

Legal agreement documenting PAXP security commitments

Document Version: 1.0 | Effective Date: November 7, 2025 | Status: Active

PURPOSE: This Security Addendum supplements the PAXP Data Processing Agreement and outlines technical and organizational security measures implemented by PAXP (Data Processor) to protect Operator (Data Controller) data in compliance with GDPR Article 32 and to support Operator's EASA PART-IS compliance obligations.

Article 1: Security of Processing (GDPR Article 32)

1.1 Technical Security Measures

1.1.1 Encryption

Data at Rest

AES-256 (FIPS 140-2)
AWS KMS (HSM-backed)
Quarterly key rotation

Data in Transit

TLS 1.3 (min TLS 1.2)
Auto-renewed certificates
HSTS enabled

Application-Level

AES-256-GCM
Random IV per encryption
128-bit auth tag

1.1.2 Access Control

Authentication

MFA required (all users)
JWT tokens (HTTP-only cookies)
7-day session expiration
bcrypt password hashing (12 rounds)

Multi-Tenant Isolation

Database-enforced RLS
PostgreSQL security policies
Application-layer validation
Security violation logging

1.1.3 Application Security

API Security

Rate limiting (40-100 req/min)
CORS protection (strict whitelist)
Input validation & sanitization
Parameterized queries only

Vulnerability Management

Weekly automated scans
Zero known vulnerabilities
48-hour critical patch SLA
OWASP Top 10 mitigated

1.2 Organizational Security Measures

1.2.1 Data Minimization

Zero passenger PII storage
Real-time data fetch only
< 5 seconds retention (memory)
30-day crew data retention
12-month audit log retention

1.2.2 Personnel Security

Annual security training
GDPR training for staff
Confidentiality agreements
Need-to-know access only

1.2.3 Incident Response

Automated monitoring & alerts
4-hour containment target
24-hour operator notification
72-hour detailed report

1.2.4 Business Continuity

RTO: 4 hours
RPO: 1 hour
Automated daily backups
Quarterly backup testing

Article 2: Sub-Processors (GDPR Article 28)

Sub-Processor	Service	Location	Certification
Supabase, Inc.	Database hosting	EU (Frankfurt)	ISO 27001, SOC 2
Vercel Inc.	Application hosting	Global CDN	SOC 2 Type II
Microsoft Corp.	AI processing	EU (Switzerland)	ISO 27001, EU Data Boundary
Apple Inc.	Wallet delivery	Global	EU-US DPF
Google LLC	Wallet delivery (future)	Global	EU-US DPF

Note: Operator's Leon Software instance is NOT a sub-processor of PAXP. Leon is Operator's own system (source of truth). All sub-processors have signed DPAs with PAXP and maintain ISO 27001 or SOC 2 certification.

Article 3: Data Transfers Outside EU/EEA

General Principle: PAXP processes all Operator data within the EU/EEA. Primary database: EU-West-1 (Frankfurt, Germany). No data transferred outside EU/EEA except for Apple Wallet & Google Pay delivery (limited data, DPF-certified).

Primary Database

EU-West-1 (Frankfurt)

Application

EU region priority (Vercel CDN)

AI Processing

EU (Switzerland North)

Article 4: Audit Rights & Operator Obligations

4.1 Operator's Right to Audit

Frequency

Once per calendar year
Additional after incidents
30 days advance notice

Scope

Security documentation review
Audit log access
Security personnel interviews

4.2 Security Questionnaires

PAXP will complete reasonable security questionnaires with 15 business days response time (standard) or 5 days (urgent). First questionnaire per year included; subsequent questionnaires: £500 per questionnaire (>50 questions).

Contact: compliance@zeaai.co

Article 5: Security Incident & Breach Notification

PAXP Notification to Operator: Within 24 hours of becoming aware of a personal data breach (GDPR Article 28(3)(f))

Notification Timeline

Within 4 hours:Detect, assess, and contain incident

Within 24 hours:Notify affected operators by email + phone

Within 72 hours:Provide detailed incident report and assist with regulatory notifications

Note: PAXP notifies Operator; Operator notifies CAA/EASA (if required under PART-IS). PAXP will assist with technical content for regulatory notifications.

Appendix A: Security Control Matrix (PART-IS Mapping)

PART-IS Requirement	PAXP Security Control	Evidence Location
IS.GEN.010 - ISMS	Security policies documented	This Addendum, Articles 1-2
IS.GEN.030 - Access Control	MFA, RBAC, RLS	Article 1.1.2
IS.GEN.040 - Cryptography	AES-256-GCM, TLS 1.3	Article 1.1.1
IS.GEN.090 - Supplier Relations	Sub-processor management	Article 2
IS.GEN.100 - Incident Management	24-hour notification	Article 5
IS.GEN.110 - Business Continuity	RTO: 4h, RPO: 1h	Article 1.2.4
IS.GEN.120 - Compliance	GDPR 100%, audit rights	Articles 3, 4

Note: PAXP provides technical controls. Operator remains responsible for PART-IS compliance and CAA/EASA coordination.

Acknowledgment & Acceptance

This Security Addendum is incorporated into the PAXP Data Processing Agreement by reference.
Signed by Operator via DPA acceptance constitutes acceptance of this Security Addendum.

By signing the DPA, Operator acknowledges:

Review of PAXP's security measures outlined in this Addendum
Acceptance of these security measures as appropriate
Understanding of PAXP's role as Data Processor
Responsibility for operator's Leon instance security
Authorization of sub-processors listed in Article 2

Contact Information

PAXP Security Team

Email: security@zeaai.co

Monitoring: 24/7 for incidents

Response: 24 hours (standard), 4 hours (incident)

PAXP Compliance Team

Email: compliance@zeaai.co

Response: 5 business days (standard)

Urgent: 24 hours (audit support)

Document Control: Version 1.0 | Date: November 7, 2025 | Classification: Confidential - For Operator Signature

Next Review: February 7, 2026 (quarterly)

Questions: compliance@zeaai.co | security@zeaai.co

Data Processing AgreementSecurity Addendum