GDPR Article 28 Disclosure

Third-Party Sub-Processors

Complete list of vendors processing data on behalf of ZEA AI

Last Updated: 01 October 2025 | Next Review: January 2026 (Quarterly)

ZEAS GLOBAL FZCO trading as ZEA AI acts as the Data Processor for the PAXP Aviation Platform. Under GDPR Article 28, we must publicly disclose all sub-processors and provide 30 days' notice before adding new ones.

Your Rights

Before Signing Up

Review this list to ensure all sub-processors meet your compliance standards

30 Days' Notice

Receive advance notification before we add any new sub-processors

Right to Object

Object to new sub-processors within 14 days if they don't meet GDPR standards

Right to Terminate

Terminate your contract if you reasonably object to a change

How to Object: Email support@zeaai.co within 14 days of notification.

Active Sub-Processors

1. Supabase, Inc.

Purpose

Secure database hosting for user accounts, flight metadata, and audit logs

Data Handled

User accounts, flight operational data (NO passenger PII)

Location

🇪🇺 Primary: EU (Frankfurt, Germany)

Safeguards

SOC 2 Type IIISO 27001GDPR DPA

Visit Website →

2. Microsoft Corporation (Azure OpenAI)

⚠️ Temporary Processing Only: Passport images are processed in-memory for <5 seconds and immediately discarded. NO data storage or model training.

Purpose

AI-powered passport OCR, MRZ extraction, ICAO Doc 9303 validation

Data Handled

Passport images (transient processing ONLY - not stored)

Location

🇨🇭 Switzerland North (primary), 🇮🇪 Ireland (fallback)

Safeguards

EU Data BoundaryNo TrainingSCCs

Visit Website →

3. Apple Inc. (Apple Wallet)

Purpose

Digital boarding pass generation and delivery

Data Handled

Flight details, passenger names, booking references, push tokens

Location

🌍 Global (US, EU, Asia)

Safeguards

DPF CertifiedE2E EncryptionSCCs

Visit Website →

4. Google LLC (Google Wallet)

Purpose

Digital boarding pass generation for Android devices

Data Handled

Flight details, passenger names, booking references, push tokens

Location

🌍 Global (US, EU, Asia)

Safeguards

DPF CertifiedISO 27001SCCs

Visit Website →

5. Vercel Inc.

Purpose

Application hosting and content delivery (CDN)

Data Handled

User session data, API logs, performance metrics

Location

🇮🇪 Primary: EU (Dublin), Global CDN

Safeguards

SOC 2 Type IIISO 27001GDPR DPA

Visit Website →

6. Resend Technologies Inc.

Purpose

Transactional email delivery (verifications, notifications, alerts)

Data Handled

Email addresses, user names, notification content

Location

🇺🇸 US (with SCCs)

Safeguards

GDPR DPASCCsTLS

Visit Website →

Sub-Processor Change Policy

1. Notification

30 days' advance notice via email and this page

2. Review Period

14 days to object if inadequate safeguards

3. Resolution

Alternative processor or contract termination option

To Object: Email support@zeaai.co with your company name, account ID, specific sub-processor, and reason for objection (data protection concerns).

International Data Transfers

Destination	Mechanism	Details
🇪🇺 Within EU/EEA	No mechanism needed	Data stays in EU
🇬🇧 UK to EU	UK-EU adequacy decision	Automatic recognition
🇺🇸 To USA	EU-US DPF OR SCCs	Both mechanisms in place
🇨🇭 To Switzerland	Adequacy decision	Automatic recognition

Standard Contractual Clauses (SCCs): We use EU Commission's 2021/914 SCCs (Modules 2 & 3) for all transfers to countries without adequacy decisions.