Data Processing Agreement

Last updated April 26, 2026 · Effective on execution of the underlying Subscription Agreement

Plain-English note. This is a standard-form DPA template. It is meant to cover the common B2B SaaS scenario for the majority of customers without a custom redline. Customers with specific legal, regulatory, or jurisdictional requirements should review with their counsel and may negotiate redlines via legal@binnacleai.com. Nothing in this document is legal advice.

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Binnacle AI Terms of Service or any negotiated subscription agreement (the "Agreement") between Ikena Design & Build Group, d/b/a Binnacle AI ("Binnacle", "Processor") and the customer entity that accepts the Agreement ("Customer", "Controller"). It applies whenever Binnacle Processes Personal Data on behalf of the Customer in the course of providing the Binnacle service (the "Service").

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement. For purposes of this DPA:

  • Applicable Data Protection Law means all data protection and privacy laws applicable to a party's Processing of Personal Data, including (where relevant) the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act and California Privacy Rights Act (collectively "CCPA"), and U.S. federal and state privacy laws.
  • Controller, Processor, Data Subject, Personal Data Breach, and Processing have the meanings given in the GDPR. Where the CCPA applies, "Controller" corresponds to "Business" and "Processor" corresponds to "Service Provider."
  • Customer Personal Data means Personal Data uploaded to, generated within, or otherwise Processed by the Service on behalf of the Customer.
  • Sub-processor means any third party engaged by Binnacle to Process Customer Personal Data on the Customer's behalf.
  • Standard Contractual Clauses or SCCs means the standard contractual clauses approved by the European Commission in Decision 2021/914 of 4 June 2021, and where applicable the UK International Data Transfer Addendum issued by the UK Information Commissioner.

2. Subject matter and duration

The subject matter of the Processing is the provision of the Binnacle Service, a maritime crew compliance platform that helps the Customer manage U.S. Coast Guard credential tracking, vessel documentation, work-and-rest hours, drug-test records, drill logs, incident reports, and related compliance workflows. This DPA takes effect on the effective date of the Agreement and continues for so long as Binnacle Processes Customer Personal Data, plus the wind-down and deletion period described in Section 13.

3. Nature and purpose of processing

Binnacle Processes Customer Personal Data to (a) host, operate, and support the Service; (b) perform credential and document verification against U.S. Coast Guard and Federal Register systems on the Customer's instruction; (c) generate compliance notifications, expirations, and reports; (d) provide AI-assisted document classification and summarization where the Customer enables those features; (e) deliver transactional email and SMS to users identified by the Customer; (f) detect, prevent, and investigate security incidents; and (g) meet Binnacle's legal obligations. Binnacle does not Process Customer Personal Data for any other purpose, and in particular does not sell or share Customer Personal Data for cross-context behavioral advertising.

4. Categories of data subjects

The Personal Data Processed under this DPA may concern the following categories of Data Subjects:

  • Crew members, deckhands, engineers, and other vessel personnel
  • Captains, masters, and licensed officers
  • Office, dispatch, and shoreside operations staff
  • The Customer's administrators, managers, and platform users
  • Authorized contacts the Customer adds for emergency, regulatory, or insurance purposes (e.g., next-of-kin, port agents, insurers)

5. Categories of personal data

Depending on which Service modules the Customer uses, Customer Personal Data may include:

  • Identity data: full name, date of birth, photograph, signature
  • Contact data: email address, phone number, mailing address, emergency contact details
  • Maritime credential data: Merchant Mariner Credential (MMC) number, TWIC number, endorsements, ratings, license expirations
  • Medical-fitness data limited to certificate number, issuer, and expiration date (Binnacle does not store medical diagnoses)
  • Drug- and alcohol-testing data: consent records, test type, test date, pass/fail status, lab identifier
  • Work-and-rest hours, watch schedules, position assignments, and voyage participation
  • Training and drill participation records, including signatures and timestamps
  • Account and authentication data: username, hashed password, multi-factor enrollment, role, audit-log entries
  • Usage and device data: IP address, browser fingerprint, page views, timestamps, used solely for security and product operation
  • Documents the Customer uploads (which may contain any of the above embedded in PDFs, images, or scans)

Binnacle does not require, and discourages the Customer from uploading, special categories of Personal Data under Article 9 GDPR beyond what is strictly necessary for compliance recordkeeping (e.g., medical certificate metadata).

6. Processor obligations

Binnacle will:

  • Process Customer Personal Data only on the Customer's documented instructions, including those given through normal use of the Service, and as required by law (in which case Binnacle will give prior notice to the Customer where legally permitted);
  • Ensure that personnel authorized to Process Customer Personal Data are subject to written confidentiality obligations or a statutory duty of confidentiality;
  • Implement and maintain appropriate technical and organizational measures as described in Section 7;
  • Assist the Customer, taking into account the nature of the Processing, with responding to Data Subject requests, data protection impact assessments, and consultations with supervisory authorities;
  • Notify the Customer of Personal Data Breaches affecting Customer Personal Data within the timeframe set out in Section 8; and
  • Make available the information necessary to demonstrate compliance with this DPA in the manner described in Section 12.

Customer is responsible for ensuring that it has a lawful basis to collect and disclose Personal Data to Binnacle, that it has provided required notices to Data Subjects, and that its instructions to Binnacle comply with Applicable Data Protection Law.

7. Security measures

Binnacle implements the following administrative, technical, and physical safeguards. The Customer acknowledges that these measures may evolve and that Binnacle may update them provided the overall level of protection is not materially diminished.

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest, including database and backups
  • Role-based access control with least-privilege defaults
  • Multi-factor authentication required for production access
  • Audit logging of administrative actions and access to Customer Personal Data
  • Vulnerability scanning, dependency monitoring, and patch management
  • Access provisioning tied to employment status; access revoked within 24 hours of departure
  • Segregated production environments and routine backup integrity checks
  • Annual third-party security review (SOC 2 Type II in progress as of the "Last updated" date)

8. Breach notification

Binnacle will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known: (a) the nature of the Breach and categories and approximate volume of data and Data Subjects affected; (b) the likely consequences; (c) the measures taken or proposed to address the Breach and mitigate adverse effects; and (d) a point of contact for further information. Binnacle will cooperate with the Customer's reasonable requests to investigate and remediate the Breach. Notifications will be sent to the security contact email on file, with a copy to security@binnacleai.com for incident tracking.

9. Sub-processors

The Customer provides general written authorization for Binnacle to engage Sub-processors to Process Customer Personal Data, subject to the conditions in this Section 9. Binnacle remains fully liable to the Customer for the performance of each Sub-processor's obligations under a written agreement that imposes data protection obligations no less protective than this DPA.

The current Sub-processors as of the "Last updated" date are:

| Sub-processor | Purpose | Location |
|---|---|---|
| Vultr Holdings LLC | Hosting, compute, primary database (New Jersey region) | USA |
| Cloudflare, Inc. | CDN, DNS, WAF, DDoS mitigation, edge TLS termination | USA / Global edge |
| Anthropic, PBC | Optional AI document classification and summarization (zero-retention API) | USA |
| Resend, Inc. | Transactional email delivery | USA |
| Twilio Inc. | SMS notifications | USA |
| Stripe, Inc. | Payment processing and billing | USA |
| Sentry (Functional Software, Inc.) | Error tracking and application monitoring (PII scrubbed) | USA |

Binnacle will give the Customer at least thirty (30) days' advance notice of any intended addition or replacement of a Sub-processor by updating this page or by email to the privacy contact on file. The Customer may object on reasonable data protection grounds during the notice period. If the parties cannot agree on a resolution, the Customer may terminate the affected Service with a pro-rata refund of pre-paid fees for the unused portion of the term.

10. International data transfers

Customer Personal Data is hosted in the United States (Vultr's New Jersey region). Where Binnacle Processes Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland, the parties agree that the Standard Contractual Clauses (Module Two: Controller-to-Processor) are incorporated by reference and shall apply, with the optional docking clause and Option 2 of Clause 9(a) (general written authorization for Sub-processors with thirty (30) days' notice). For UK transfers, the UK International Data Transfer Addendum applies in conjunction with the SCCs. Where Binnacle has self-certified to the EU-U.S. Data Privacy Framework or its UK or Swiss extensions, that framework may also be relied upon as a transfer mechanism. The governing law of the SCCs is the law of Ireland and the competent supervisory authority is the Irish Data Protection Commission, unless otherwise required by Applicable Data Protection Law.

11. Data subject rights

The Service provides self-service tools for the Customer to access, correct, export, and delete crew, vessel, and user records, which enables the Customer to respond to most Data Subject access, rectification, erasure, restriction, portability, and objection requests directly. For requests the Customer cannot fulfill through the Service, Binnacle will, taking into account the nature of the Processing, provide reasonable assistance at no additional cost where required by Applicable Data Protection Law. Data Subjects who contact Binnacle directly will be referred to the relevant Customer. Customers and Data Subjects may also contact privacy@binnacleai.com to initiate a data subject access request (DSAR); see also our Privacy Policy for the full process.

12. Audit rights

Binnacle will demonstrate compliance with this DPA by making the following available to the Customer on reasonable written request: (a) once a SOC 2 Type II report is available, the most recent executive summary; (b) until then, a completed security questionnaire (CAIQ-Lite or comparable) responding to the Customer's reasonable enquiries; and (c) a description of the security measures referenced in Section 7. The Customer may, no more than once per calendar year and on at least thirty (30) days' written notice, conduct an audit of Binnacle's compliance with this DPA. Audits will be conducted during business hours, with minimum disruption, at the Customer's expense, and subject to reasonable confidentiality obligations. Where a supervisory authority requires an on-site inspection, Binnacle will cooperate as required by law.

13. Return and deletion

On termination or expiry of the Agreement, the Customer has thirty (30) days to export Customer Personal Data through the Service or by written request. After this period, Binnacle will delete Customer Personal Data from production systems within a further thirty (30) days. Encrypted backups containing Customer Personal Data are retained for up to ninety (90) days from the date the data is removed from production and are then purged through routine backup rotation. Binnacle may retain Customer Personal Data to the extent required by law, in which case the data will continue to be subject to the confidentiality and security obligations of this DPA.

14. Liability and governing law

Each party's liability arising out of or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Where the SCCs apply, the parties' liability under the SCCs is allocated between the parties on the same basis. This DPA is governed by the laws of the State of Hawaii, without regard to its conflict-of-law principles, except where Applicable Data Protection Law mandates a different governing law (for example, the law of the SCCs). Any dispute will be resolved in the state or federal courts located in Honolulu, Hawaii, subject to any mandatory venue requirements of the SCCs or Applicable Data Protection Law.

15. Order of precedence and contact

In the event of a conflict between this DPA, the Agreement, and the SCCs, the following order of precedence applies, in descending order: (a) the SCCs, where applicable to the relevant transfer; (b) this DPA; and (c) the Agreement. All other terms of the Agreement remain in full force and effect.

DPA-related questions and redline requests: legal@binnacleai.com. Privacy and data subject requests: privacy@binnacleai.com. Security incidents and Breach reporting: security@binnacleai.com.

See also our Terms of Service and Privacy Policy.
