Data Processing Agreement
The GDPR processor-side agreement that governs how Full Fathom AI processes personal data on behalf of Customers.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Data Controller: The entity identified as the Customer in the FullFathom AI Terms of Service ("Controller", "Customer")
and
Data Processor: Propel Group International Ltd (trading as FullFathom AI), a company registered in England and Wales under company number 16943846, with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ ("Processor", "FullFathom")
collectively referred to as the "Parties" and each individually as a "Party".
This DPA forms part of and is incorporated into the FullFathom AI Terms of Service ("Agreement"). In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data.
2. Definitions
2.1. In this DPA, the following terms have the meanings set out below. Capitalised terms not defined in this DPA have the meanings given to them in the Agreement.
- "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of personal data, including (a) the UK General Data Protection Regulation (UK GDPR) as retained by section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018; (b) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"); and (c) any applicable national implementing legislation, in each case as amended, replaced, or superseded from time to time.
- "Controller" has the meaning given in Applicable Data Protection Law.
- "Data Subject" has the meaning given in Applicable Data Protection Law.
- "EEA" means the European Economic Area.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Agreement.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Processing" (and "process", "processed", "processes") has the meaning given in Applicable Data Protection Law.
- "Processor" has the meaning given in Applicable Data Protection Law.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of Applicable Data Protection Law.
3. Subject Matter, Duration, Nature, and Purpose of Processing
3.1. Subject matter. The processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the FullFathom AI service, comprising a cloud-based document processing platform and an on-vessel AI runtime for offline crew question-and-answer functionality.
3.2. Duration. The Processor shall process Personal Data for the duration of the Agreement, plus any period required for data deletion or return as specified in this DPA.
3.3. Nature of processing. The processing activities include:
| Processing Activity | Description |
|---|---|
| Document ingestion | Receiving, parsing, structuring, chunking, and embedding text from documents uploaded by the Controller |
| Bundle generation | Packaging processed document data into deployable software Bundles for designated vessels |
| Query processing (on-vessel) | Processing natural language queries submitted by crew members against the vessel's local document index (performed entirely on-vessel hardware) |
| Analytics aggregation | Receiving and storing anonymised, aggregated query analytics from vessels for fleet management reporting |
| Account management | Processing contact details and company information for account administration and support |
3.4. Purpose. The purpose of the processing is to provide the Controller with AI-powered document search and question-and-answer capabilities for the Controller's vessel crew, using the Controller's own operational documentation.
4. Categories of Data Subjects
4.1. The Personal Data processed under this DPA may relate to the following categories of data subjects:
| Category | Relationship to Controller |
|---|---|
| Controller's account holders | Employees or agents of the Controller who use the Cloud Platform (shore-side staff such as fleet superintendents, DPAs, QHSE managers) |
| Vessel crew members (indirect) | Employees or contractors of the Controller serving on designated vessels who use the Ship Runtime. The Ship Runtime does not collect personal identifiers; crew members are data subjects only to the extent that their personal data may be incidentally contained in query text. |
5. Categories of Personal Data
5.1. The Personal Data processed under this DPA includes the following categories:
| Category | Examples | Source |
|---|---|---|
| Contact details | Name, email address, phone number | Account registration |
| Professional details | Job title, role, department | Account registration |
| Company information | Company name, address | Account registration |
| Vessel information | Vessel name, IMO number, vessel type | Account setup |
| Query text | Natural language questions submitted by crew via the Ship Runtime (may incidentally contain names, roles, or other personal references) | On-vessel usage |
| Response text | AI-generated answers (may incidentally reference individuals mentioned in source documents) | On-vessel processing |
| Usage data | Login timestamps, feature usage on Cloud Platform | Cloud Platform usage |
5.2. Special categories of data. The Processor does not intentionally process special categories of personal data (as defined in GDPR Article 9) under this DPA. If special category data is incidentally included in documents uploaded by the Controller or in crew query text, the Controller is responsible for ensuring an appropriate legal basis for such processing, in accordance with §7.1(f) below.
6. Obligations of the Processor
6.1. Processing on instructions. The Processor shall process Personal Data only on the documented instructions of the Controller, including with respect to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.
6.2. Documented instructions. The Controller's instructions for processing are set out in:
- (a) This DPA;
- (b) The Agreement (Terms of Service);
- (c) The Controller's configuration of the Service (e.g., document uploads, vessel assignments, analytics preferences);
- (d) Any additional written instructions provided by the Controller and accepted by the Processor.
6.3. Notification of conflicting instructions. If the Processor considers that an instruction from the Controller infringes Applicable Data Protection Law, the Processor shall promptly notify the Controller and shall be entitled to suspend the relevant processing until the Controller has amended or confirmed the instruction.
6.4. Confidentiality. The Processor shall ensure that all persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.5. Security measures. The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex B of this DPA.
6.6. Sub-processors. The Processor shall comply with the requirements of Section 8 of this DPA regarding the engagement of Sub-processors.
6.7. Data subject rights. The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligations to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (Articles 15-22). This assistance shall include:
- (a) Promptly notifying the Controller if the Processor receives a request from a Data Subject directly;
- (b) Providing the Controller with the ability to access, rectify, or delete Personal Data through the Cloud Platform interface where technically feasible;
- (c) Providing relevant information or data in the Processor's possession upon the Controller's reasonable request to enable the Controller to respond to a Data Subject request;
- (d) Not responding to any Data Subject request directly, unless instructed to do so by the Controller or required by applicable law.
6.8. Assistance with obligations. The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of processing and the information available to the Processor. This includes assistance with:
- (a) Security of processing (Article 32);
- (b) Notification of a Personal Data Breach to the supervisory authority (Article 33);
- (c) Communication of a Personal Data Breach to the Data Subject (Article 34);
- (d) Data protection impact assessments (Article 35);
- (e) Prior consultation with supervisory authorities (Article 36).
6.9. Deletion or return. At the choice of the Controller, upon termination of the Agreement, the Processor shall:
- (a) Delete all Personal Data processed on behalf of the Controller within thirty (30) days of the end of the data export period specified in the Agreement; or
- (b) Return all Personal Data to the Controller in a commonly used, machine-readable format within the data export period specified in the Agreement;
and, in either case, delete all existing copies of Personal Data unless applicable law requires retention. The Processor shall certify the deletion in writing upon the Controller's request. For the avoidance of doubt, the "data export period specified in the Agreement" means the thirty (30)-day period in Section 13.5(c) of the Terms of Service; the Processor shall therefore delete Personal Data within sixty (60) days of the effective date of termination, unless applicable law requires retention.
6.10. Audit and information. The Processor shall:
- (a) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28;
- (b) Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the conditions in Section 9 of this DPA.
7. Obligations of the Controller
7.1. The Controller warrants and represents that:
- (a) It has a lawful basis for the processing of Personal Data under this DPA;
- (b) It has provided appropriate notices to Data Subjects regarding the processing of their Personal Data by the Processor;
- (c) It shall comply with Applicable Data Protection Law in its use of the Service and in any processing instructions it provides to the Processor;
- (d) It is responsible for ensuring the accuracy and currency of documents uploaded to the Cloud Platform;
- (e) It shall ensure that any special category data (GDPR Article 9) that may be incidentally included in uploaded documents or crew queries is processed in accordance with an appropriate legal basis;
- (f) Redaction of special-category data. It shall use reasonable efforts to redact special-category personal data (as defined in GDPR Article 9), including health-related information incidentally present in maritime operational documents such as medical fitness requirements or drug-and-alcohol policies, from documents uploaded to the Cloud Platform where practicable, and shall ensure that any special-category data that cannot be redacted is processed under an appropriate legal basis under GDPR Article 9.
8. Sub-processors
8.1. Authorised Sub-processors. The Controller hereby provides general written authorisation for the Processor to engage Sub-processors for the processing of Personal Data, subject to the conditions of this Section 8. The list of currently authorised Sub-processors is set out in Annex A.
8.2. Notification of changes. The Processor shall notify the Controller in writing at least thirty (30) days before engaging a new Sub-processor or replacing an existing Sub-processor. The notification shall identify the Sub-processor, the nature of the processing to be carried out, and the location of processing.
8.3. Controller's right to object. The Controller may object to the appointment of a new Sub-processor within fourteen (14) days of receiving the notification referred to in Section 8.2, provided that such objection is based on reasonable grounds relating to data protection. If the Controller objects:
- (a) The Processor shall use reasonable efforts to make available an alternative arrangement that avoids the use of the objected-to Sub-processor;
- (b) If no alternative is reasonably available, either Party may terminate the Agreement by providing thirty (30) days' written notice, and the Controller shall receive a pro-rata refund of any pre-paid fees for the unexpired term.
8.4. Sub-processor obligations. The Processor shall:
- (a) Enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA;
- (b) Remain fully liable to the Controller for the acts and omissions of its Sub-processors;
- (c) Conduct appropriate due diligence on Sub-processors to ensure they are capable of providing the level of protection required by this DPA and Applicable Data Protection Law.
9. Audit Rights
9.1. Audit scope. The Controller, or a third-party auditor appointed by the Controller (subject to reasonable confidentiality obligations), may conduct an audit to verify the Processor's compliance with this DPA.
9.2. Frequency. The Controller may conduct one (1) audit per twelve (12) month period, unless:
- (a) A competent supervisory authority requires or requests an additional audit; or
- (b) A Personal Data Breach has occurred.
9.3. Notice. The Controller shall provide at least thirty (30) days' written notice of an audit, specifying the proposed scope, duration, and start date.
9.4. Conduct. Audits shall be conducted during normal business hours, with minimal disruption to the Processor's operations. The Controller shall bear its own costs in connection with any audit.
9.5. Confidentiality. Any information obtained during an audit shall be treated as Confidential Information of the Processor.
9.6. Alternative evidence. The Processor may satisfy the audit requirement by providing:
- (a) A current SOC 2 Type II report or equivalent independent third-party audit report;
- (b) A completed data protection questionnaire or self-assessment;
- (c) Relevant certifications (e.g., ISO 27001);
provided that the Controller reasonably considers such evidence sufficient to demonstrate compliance.
10. Personal Data Breach Notification
10.1. Notification to Controller. The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.
10.2. Content of notification. The notification shall include, to the extent available:
- (a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected;
- (b) The name and contact details of the Processor's data protection contact;
- (c) A description of the likely consequences of the Personal Data Breach;
- (d) A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
10.3. Ongoing updates. Where it is not possible to provide all information at the time of the initial notification, the Processor shall provide additional information in phases as it becomes available, without undue delay.
10.4. Assistance. The Processor shall cooperate with the Controller and take reasonable steps to assist the Controller in investigating, mitigating, and remediating the Personal Data Breach, including:
- (a) Preserving evidence relating to the breach;
- (b) Assisting the Controller in fulfilling its obligations to notify the supervisory authority and affected Data Subjects;
- (c) Taking immediate steps to contain and minimise the impact of the breach.
10.5. Record keeping. The Processor shall maintain a record of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.
11. International Data Transfers
11.1. Primary processing location. The Processor shall process Personal Data within the United Kingdom and the European Economic Area, specifically in the AWS eu-west-2 (London) region.
11.2. Restriction on transfers. The Processor shall not transfer Personal Data to a country outside the UK or EEA unless:
- (a) The transfer is to a country that has been recognised as providing an adequate level of data protection by the relevant authority;
- (b) Appropriate safeguards have been implemented in accordance with GDPR Article 46, such as Standard Contractual Clauses; or
- (c) A derogation under GDPR Article 49 applies.
11.3. Transfer mechanisms. Where transfers to third countries are necessary (e.g., due to Sub-processor locations), the Processor shall ensure that:
- (a) Standard Contractual Clauses (Module 3: Processor to Sub-processor) approved by the European Commission are in place;
- (b) The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs is in place for transfers from the UK;
- (c) A transfer impact assessment has been conducted.
11.4. On-vessel processing. The Ship Runtime processes data locally on vessel hardware. Such processing does not constitute a transfer of Personal Data by the Processor to a third country, as the data remains under the Controller's control on the Controller's designated vessel hardware.
12. Term and Termination
12.1. This DPA shall come into effect on the date the Agreement becomes effective and shall continue in force until the later of:
- (a) The termination or expiry of the Agreement; and
- (b) The date on which the Processor ceases to process Personal Data on behalf of the Controller.
12.2. Upon termination of this DPA, the Processor shall comply with Section 6.9 (Deletion or return) of this DPA.
13. Liability
13.1. The liability of each Party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except that such limitations and exclusions shall not apply to the extent prohibited by Applicable Data Protection Law.
13.2. Notwithstanding the limitations of liability in the Agreement, the aggregate liability of either Party for claims arising under or in connection with this DPA that relate to a breach of Applicable Data Protection Law (including any liability under GDPR Article 82) shall not exceed the greater of: (a) the total fees paid or payable by the Controller to the Processor under the Agreement in the twenty-four (24) months immediately preceding the event giving rise to the claim; or (b) one hundred thousand pounds sterling (GBP 100,000).
13.3. Nothing in this DPA shall exclude or limit either Party's liability for: (a) death or personal injury caused by its negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability which cannot be excluded or limited by Applicable Data Protection Law.
14. General
14.1. Precedence. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
14.2. Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
14.3. Governing law. This DPA shall be governed by and construed in accordance with the laws of England and Wales.
14.4. Amendments. This DPA may be amended only by a written instrument signed by both Parties, or by the Processor updating this DPA to reflect changes in Applicable Data Protection Law, with at least thirty (30) days' prior notice to the Controller.
Annex A -- Authorised Sub-processors
The following Sub-processors are authorised by the Controller as of the effective date of this DPA:
| Sub-processor | Legal Entity | Processing Activity | Data Categories | Location |
|---|---|---|---|---|
| Amazon Web Services | Amazon Web Services EMEA SARL | Cloud infrastructure: compute, storage, database hosting | All Cloud Platform data (documents, embeddings, account data, anonymised analytics) | EU (eu-west-2, London, United Kingdom) |
| Clerk | Clerk, Inc. | User authentication and identity management for Cloud Platform | Email addresses, names, authentication metadata | United States (certified under the EU-US Data Privacy Framework and UK Extension to the EU-US DPF) |
Annex B -- Technical and Organisational Security Measures
The Processor implements the following technical and organisational security measures:
B.1. Encryption
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 encryption for all data stored in S3 object storage; encrypted EBS volumes for database storage; encrypted SQLite databases on vessel |
| Encryption in transit | TLS 1.2 or higher for all data transmission between systems; mutual TLS for vessel-to-cloud Bundle transfers |
B.2. Access Control
| Measure | Implementation |
|---|---|
| Authentication | Multi-factor authentication for all Cloud Platform administrator accounts; Clerk-managed authentication for customer accounts |
| Authorisation | Role-based access control (RBAC) on Cloud Platform; multi-tenant data isolation ensuring customers can only access their own data |
| Principle of least privilege | System access granted on a need-to-know basis; regular access reviews |
| Vessel access | Ship Runtime accessible only on vessel LAN; no internet-facing ports; no user authentication required (vessel network security is the Customer's responsibility) |
B.3. Data Isolation
| Measure | Implementation |
|---|---|
| Multi-tenancy | Logical data separation by company_id across all database tables, object storage paths, and application logic |
| Vessel isolation | Each vessel receives a dedicated Bundle containing only that vessel's assigned documentation |
| Query isolation | On-vessel query logs are stored locally and not shared between vessels |
B.4. Infrastructure Security
| Measure | Implementation |
|---|---|
| Cloud hosting | AWS eu-west-2 with VPC isolation, security groups, and network ACLs |
| Vulnerability management | Automated dependency scanning; regular security patching |
| Monitoring | Application and infrastructure monitoring; alerting for anomalous activity |
| Backup | Regular automated backups of PostgreSQL databases; point-in-time recovery capability |
B.5. Organisational Measures
| Measure | Implementation |
|---|---|
| Staff training | Data protection awareness training for all staff |
| Confidentiality | All staff bound by contractual confidentiality obligations |
| Incident response | Documented incident response procedure; designated incident response team |
| Business continuity | Disaster recovery procedures; regular backup testing |
| Vendor management | Due diligence and data protection assessment for all Sub-processors |
B.6. On-Vessel Security
| Measure | Implementation |
|---|---|
| No PII collection | Ship Runtime does not collect personal identifiers from crew |
| Local processing | All AI inference performed locally; no data transmitted during query processing |
| Bundle integrity | SHA-256 checksum verification before applying any Bundle update |
| Anonymisation | Query analytics anonymised before any sync to Cloud Platform |
| Log rotation | Query logs automatically rotated; maximum 10,000 entries per vessel |