Data Processing Addendum
Effective date: 14 May 2026 · Version 1.0
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between the customer (“Customer”) and the True Blue Horizon contracting entity (“TBH”). It applies when TBH processes personal data on behalf of Customer in the course of providing the Service.
To execute this DPA without a signature ceremony, Customer may countersign by sending an email to legal@truebluehorizon.com from a verifiable corporate address with the subject line “DPA Acceptance — [Customer name]”.
1. Definitions
“Data Protection Laws” means applicable data protection laws, including the EU GDPR, UK GDPR, Swiss FADP, California CCPA / CPRA, and analogous US state privacy laws. Capitalised terms not defined here have the meaning given in the GDPR or, where applicable, CCPA.
2. Roles & Scope
For personal data within Customer Data, Customer is the controller (or business) and TBH is the processor (or service provider). TBH will process personal data only on documented instructions from Customer, the primary instructions being the Terms of Service and Customer's use of the Service.
Categories of data subjects, types of personal data, and processing purposes are set out in Annex I.
3. Processor Obligations
- Process personal data only as instructed by Customer.
- Ensure persons authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational security measures, including those in Annex II.
- Assist Customer in responding to data subject requests and in meeting obligations under Articles 32–36 GDPR.
- Notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer personal data.
- On termination, at Customer's choice, delete or return all Customer personal data, subject to legal retention and routine backup expiry.
- Make available information reasonably necessary to demonstrate compliance and allow audits per Section 7.
4. Sub-Processors
Customer authorises TBH to engage the sub-processors listed at /subprocessors. TBH will (a) impose data-protection obligations on each sub-processor no less protective than this DPA, (b) remain liable for sub-processor acts and omissions, and (c) provide 30 days' advance notice before adding or replacing sub-processors. Customer may object by terminating the affected portion of the Service with a pro-rata refund within the notice period.
5. International Data Transfers
Where TBH transfers EU, UK, or Swiss personal data to a country not deemed adequate, the transfer is governed by:
- The European Commission's 2021 Standard Contractual Clauses (Module Two: controller-to-processor; Module Three: processor-to-processor), incorporated by reference;
- The UK Information Commissioner's International Data Transfer Addendum (UK Addendum) for transfers subject to UK GDPR; and
- For Swiss data, the SCCs as supplemented to apply Swiss FADP terms (FDPIC guidance).
Where required, the Annexes to the SCCs are populated as set out in Annexes I and II below. The optional docking clause is selected. The supervisory authority for Module Two SCCs is the authority of the EU member state in which the data exporter is established.
6. CCPA / US State Law
For personal information subject to CCPA / CPRA, TBH acts as a service provider. TBH will (a) process personal information only for the business purposes set out in the Terms, (b) not sell or share personal information, (c) not retain, use, or disclose personal information outside the direct business relationship, (d) not combine personal information with data from other sources except as permitted under CCPA regulations, and (e) notify Customer if it can no longer meet its CCPA obligations. Equivalent commitments apply under analogous state laws (VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, MNCDPA, and others).
7. Audit
Customer may, on at least 30 days' written notice and not more than once per 12 months (unless required by a data protection authority or following a confirmed breach), request a copy of TBH's most recent third-party security assessment (e.g., SOC 2 Type II once available) and ask reasonable follow-up questions. Audits will be conducted during normal business hours, at Customer's expense, and under confidentiality, in a manner that does not unreasonably interfere with TBH's operations.
8. Liability
TBH's liability under this DPA is subject to the limitation of liability in the Terms of Service, as applied on an aggregate basis across this DPA and the Terms. Nothing in this DPA limits either party's liability to data subjects under applicable Data Protection Laws.
Annex I — Description of Processing
- Data exporter: Customer. Data importer: TBH.
- Categories of data subjects: Customer's personnel and Authorized Users (including owners, captains, crew), and any other individuals whose data Customer submits to the Service.
- Categories of personal data: identifiers (name, email, account ID, IP, device ID), commercial info (subscription, billing), internet activity, precise geolocation (Vessel GPS), inferences (AI-derived vessel insights), and chat content.
- Sensitive data: precise geolocation; account credentials.
- Frequency: continuous, for the duration of the subscription.
- Nature & purpose: hosting, storage, transmission, analytics, AI inference, support, security, billing, communications, and audit logging in connection with the Service.
- Retention: as described in the Privacy Policy.
- Sub-processors: see /subprocessors.
Annex II — Technical & Organisational Measures
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Multi-tenant data isolation enforced by row-level security in Supabase / PostgreSQL and tenant-scoped access controls in BigQuery.
- Role-based access control with least-privilege provisioning; MFA for administrative access.
- Centralised audit logging for security-relevant actions, with retention of at least 365 days.
- Vulnerability management, dependency scanning, and patching on a documented schedule.
- Background checks for personnel with access to production systems, where lawful.
- Incident response plan, with a target of notifying affected Customers within 72 hours of confirming a personal data breach.
- Annual penetration testing by an independent firm (once applicable to the operating scale).
- Business continuity and backup strategy with at least daily snapshots and 90-day retention.
- Contractual confidentiality and data-protection commitments from all sub-processors.