← APRON MaritimeLast updated 2026-05-20
Draft — pending legal review. This document accurately describes how the platform handles data today. The formal legal wording is being finalised with our solicitor and will be signed for clients in its final form.

Data Processing Agreement

Introduction

This Data Processing Agreement (the "DPA") forms part of the agreement between APRON Maritime Ltd. (the "Processor") and the customer organisation identified in the order form (the "Controller", and together with the Processor the "Parties") for the provision of the APRON Maritime platform (the "Services"). It is entered into to comply with Article 28 of the United Kingdom General Data Protection Regulation (UK GDPR) and, where applicable, Article 28 of Regulation (EU) 2016/679 (EU GDPR). Capitalised terms not defined here have the meaning given in the Services agreement or in UK GDPR / EU GDPR.

1. Definitions

  • "Applicable Data Protection Law" means UK GDPR, the Data Protection Act 2018, EU GDPR and any other data-protection or privacy law applicable to the processing of Personal Data under this DPA.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach" have the meanings given in Applicable Data Protection Law.
  • "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Standard Contractual Clauses" means the contractual clauses adopted by the European Commission (Decision (EU) 2021/914) and the United Kingdom International Data Transfer Addendum to those clauses, in each case as in force from time to time.

2. Subject matter and details

The subject matter, duration, nature, purpose, categories of Data Subjects and categories of Personal Data Processed under this DPA are set out in Annex I. The Processor will only Process Personal Data on the documented instructions of the Controller, including with regard to transfers to third countries, except where required by Applicable Data Protection Law. Where the Processor is required by law to Process Personal Data otherwise than on the Controller’s instructions, the Processor will, where permitted, inform the Controller before doing so.

3. Customer obligations (controller)

The Controller represents and warrants that:

  • It has all necessary rights, consents and lawful bases to provide the Personal Data to the Processor and for the Processor to Process the Personal Data under this DPA.
  • Its instructions to the Processor regarding the Processing comply with Applicable Data Protection Law.
  • It is responsible for the accuracy, quality and legality of the Personal Data it submits to the Services, and for ensuring that its users only enter data they are entitled to enter.
  • It will respond to Data Subject requests, regulatory enquiries and audit findings concerning its Personal Data, with the assistance described in section 7 of this DPA.

4. Processor obligations

The Processor will:

  • Process Personal Data only on the Controller’s documented instructions (which include the Services agreement, this DPA, and the use of the Services as configured by the Controller).
  • Ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Take all measures required pursuant to Article 32 of UK GDPR and EU GDPR (security of processing), as further described in section 5 and Annex II.
  • Respect the conditions on engaging Subprocessors set out in section 6.
  • Assist the Controller, taking into account the nature of the Processing, with appropriate technical and organisational measures, in fulfilling the Controller’s obligation to respond to Data Subject requests (Articles 12–22) and in meeting the Controller’s obligations under Articles 32–36 (security, breach notification, data-protection impact assessments and prior consultation), at the Controller’s reasonable cost where the assistance is not minor.
  • On termination, return or delete Personal Data as described in section 11.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA, subject to the audit conditions in section 10.

5. Security of processing

The Processor maintains a security programme that implements appropriate technical and organisational measures designed to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing. The current measures are described in Annex II. The Processor may update them from time to time provided the overall level of protection is not materially reduced.

6. Subprocessors

The Controller provides general written authorisation for the Processor to engage Subprocessors. The current list of Subprocessors is set out in Annex III.

The Processor will give the Controller at least thirty (30) days’ prior written notice (which may be given by email to the Controller’s administrator and by an update to the public version of this DPA) of any addition or replacement of a Subprocessor. The Controller may object to the change on reasonable data-protection grounds during the notice period. If the Parties cannot resolve the objection in good faith within the notice period, the Processor may either (i) not engage the proposed Subprocessor for the Controller’s data, where commercially practicable, or (ii) terminate the affected portion of the Services agreement on written notice, with a pro-rata refund of any pre-paid fees for the unused remainder of the then-current term.

The Processor will impose on each Subprocessor data-protection obligations equivalent in substance to those imposed on the Processor under this DPA, and will remain liable to the Controller for the performance of each Subprocessor’s obligations.

7. Data subject rights

Taking into account the nature of the Processing, the Processor will provide reasonable assistance to the Controller, by appropriate technical and organisational measures, to enable the Controller to respond to requests for the exercise of Data Subjects’ rights under Articles 12–22 of UK GDPR / EU GDPR. Where a Data Subject contacts the Processor directly with such a request, the Processor will forward the request to the Controller without undue delay and will not respond except on the Controller’s instructions or as required by law.

8. Personal data breach notification

The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. The notification will include, to the extent then known: a description of the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. The Processor will cooperate with and assist the Controller in the investigation, mitigation and remediation of the breach to the extent reasonably required for the Controller to meet its own obligations under Articles 33 and 34 of UK GDPR / EU GDPR.

Security-relevant reports may be sent to security@apronmaritime.com.

9. International transfers

The Processor will not transfer Personal Data outside the United Kingdom or the European Economic Area, other than to a country or sector that is the subject of an adequacy decision, except: (a) where required to perform the Services and an appropriate transfer mechanism is in place (including the Standard Contractual Clauses and the UK Addendum where applicable); or (b) with the Controller’s prior written authorisation. The Subprocessors in Annex III that operate outside the EEA or UK rely on the Standard Contractual Clauses and the UK Addendum with the Processor.

10. Audits and information rights

The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 of UK GDPR / EU GDPR and with this DPA.

The Controller may, at its own cost, audit the Processor’s compliance with this DPA no more than once per calendar year, on at least thirty (30) days’ prior written notice, during the Processor’s business hours, by a mutually agreed independent auditor subject to written confidentiality obligations equivalent to those in this DPA. Audits must not unreasonably interfere with the Processor’s operations or compromise the security or confidentiality of other customers’ data. The Processor may satisfy the audit right by providing a recent third-party audit report (such as a SOC 2 Type II or ISO/IEC 27001 report) in lieu of an on-site audit, where reasonably available.

More frequent audits may be required only where mandated by a supervisory authority or following a confirmed material Personal Data Breach affecting the Controller, and in either case the scope must be proportionate to the trigger.

11. Return or deletion on termination

Within thirty (30) days of termination or expiry of the Services agreement, the Processor will, at the Controller’s written choice, either return all Personal Data to the Controller in a commonly used format or delete it, subject to (i) any longer retention period required by Applicable Data Protection Law or by other regulatory requirement (including maritime regulatory record-keeping minimums applicable to the Controller’s operations), and (ii) standard backup-retention windows after which residual copies will also be deleted. The Processor will certify completion on request.

12. Anonymised and aggregated data

The Processor may compile aggregated and anonymised data derived from the Services. Such data is not Personal Data under Applicable Data Protection Law and is not subject to the deletion or use restrictions in this DPA, provided that the data cannot reasonably be used to re-identify the Controller, any Data Subject, any vessel or any charter. The Processor may use such data for any lawful purpose, including service improvement, fleet-wide benchmarking, statistical analysis, research, security analytics, and reporting on the maritime industry.

13. Liability

Each Party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Services agreement and the Terms of Service. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Applicable Data Protection Law.

14. Term and precedence

This DPA takes effect when the Services agreement takes effect and continues for the duration of the Processor’s Processing of Personal Data on the Controller’s behalf. In the event of any conflict between the body of the Services agreement (or the Terms of Service) and this DPA in relation to the Processing of Personal Data, this DPA prevails. In the event of any conflict between this DPA and the Standard Contractual Clauses (or UK Addendum) in relation to international transfers, the Standard Contractual Clauses (or UK Addendum) prevail.

Annex I — Description of processing

A. List of Parties. The Controller is the customer organisation identified in the order form. The Processor is APRON Maritime Ltd..

B. Description of transfer / processing.

  • Categories of Data Subjects: the Controller’s crew (current and former), the Controller’s administrative and office personnel using the platform, guests during charter operations (where the Controller records guest data), and any other individuals whose Personal Data the Controller chooses to process through the Services.
  • Categories of Personal Data: identity and contact data; passport and visa data; certifications and training; rotation and travel records; logbook and voyage data; working time and rest records; medical and fitness-to-work data (special category data); financial and payment data; bank account details; guest preferences and dietary requirements; authentication data and audit-log entries for platform users. The list in the Privacy Policy elaborates the specifics.
  • Sensitive data (Article 9): health-related data where the Controller records it (medical fitness, claims, medications, allergies, dietary requirements).
  • Frequency of transfer: continuous, on a configurable basis as the Controller operates the Services.
  • Nature of Processing: hosting, storage, retrieval, organisation, structuring, analysis, transmission, backup, and deletion of Personal Data to provide the Services.
  • Purpose of Processing: to provide the Services to the Controller, including running yacht operations, supporting maritime regulatory compliance, generating operational reports, providing the optional features the Controller enables, and to operate, maintain, secure and improve the Services.
  • Retention period: for the duration of the Services agreement, plus the retention windows set out in the Privacy Policy and applicable maritime regulation.
  • Subprocessors: as listed in Annex III.

Annex II — Technical and organisational measures

The Processor maintains the following technical and organisational measures, which it may update from time to time provided the overall level of protection is not materially reduced.

Encryption. All connections to the Services use Transport Layer Security (TLS 1.2 or higher). Personal Data at rest is encrypted by the underlying database and object-storage providers using AES-256. In addition, designated sensitive columns (banking, passport, next-of-kin contacts, medical-claim descriptions and diagnoses, health-relevant crew fields, performance-review notes, and equivalent fields) are individually encrypted at the application layer using authenticated encryption (AES-256-GCM) with keys held outside the database content.

Access control. Role-based access control at the application layer; multi-factor authentication available and encouraged for administrative users; named-user accounts only; application-layer audit logging of administrative actions; least privilege for internal personnel; secrets and keys held in environment-scoped secret stores, not in code.

Network and infrastructure. The platform runs on managed cloud infrastructure in the European region. The vessel-side component synchronises with the cloud through authenticated, encrypted channels and runs in the operational context the Controller controls on board.

Operational security. Source-controlled change management; review of changes before merge to the production branch; staged rollout where appropriate; automated build and static analysis; regular dependency-vulnerability monitoring.

Backups and resilience. Managed database backups retained per the database provider’s standard retention. Object storage benefits from the provider’s redundancy guarantees. The on-vessel component permits operation during cloud connectivity outages, with reconciliation when connectivity returns.

Confidentiality of personnel. Personnel with access to Personal Data are bound by written confidentiality obligations and are made aware of their obligations under Applicable Data Protection Law.

Incident response. Documented incident-response procedures, including detection, escalation, containment, notification to the Controller within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Controller, and post-incident review.

Data minimisation and retention. Retention is configured to the regulatory requirements applicable to the Controller’s data, with deletion or anonymisation at the end of the retention window.

Annex III — List of subprocessors

The Processor uses the following Subprocessors to provide the Services. The list may be updated under the conditions of section 6.

  • Neon Inc. — managed PostgreSQL hosting; European region; relied on for primary database storage.
  • Amazon Web Services, Inc. — S3 object storage (eu-central-1) and supporting infrastructure for uploaded files (passport scans, certificates, receipts, photos).
  • Vercel Inc. — application hosting and content delivery network edge; European region for our deployments.
  • Stripe, Inc. / Stripe Payments Europe Ltd. — payment processing for customer subscriptions. Cardholder data is collected and held by Stripe as a controller in respect of that data; the Processor does not store full payment card details.
  • Anthropic PBC — relevant only where the Controller has enabled the optional AI assistant for its account. Used to deliver model output for prompts sent by the Services.
  • Google LLC (Gmail) — relevant only where the Controller has enabled the optional AI assistant and connected an inbox. Used to retrieve and (if so directed) send email on the Controller’s behalf.
  • Firebase / Google LLC — push-notification delivery for the companion seafarer app (TouchBase Maritime), where the Controller’s crew choose to receive notifications on their phones. Behind a feature flag.

TouchBase Maritime Ltd. is a separate company operating the TouchBase Maritime seafarer app and is not a Subprocessor of the Processor; the cross-platform data flow is described in the Privacy Policy and in the TouchBase Maritime documents linked there.

Version 2026-05-20. Questions: privacy@apronmaritime.com.