Data Processing Agreement

Last updated April 15, 2026

This Data Processing Agreement ("DPA") supplements the Binnacle AI Terms of Service and applies when Binnacle AI ("Processor") processes personal data on behalf of the Customer ("Controller"). By using Binnacle, you accept this DPA.

1. Processor role

Binnacle acts as Processor of Customer Data, including crew names, MMC numbers, TWIC numbers, medical certificate data, drug test results, and documents uploaded by the Customer. Customer is the Controller of such data.

2. Scope of processing

Binnacle processes Customer Data solely for the purposes of (a) providing the Binnacle service, (b) technical support, (c) security monitoring, and (d) legal compliance. We do not process Customer Data for any other purpose without written authorization.

3. Security measures

Binnacle implements administrative, technical, and physical safeguards including:

  • TLS 1.2+ encryption for data in transit
  • AES-256 encryption for data at rest
  • Role-based access control with least-privilege principles
  • Audit logging of all data access
  • Regular vulnerability scanning and patch management
  • Access revocation within 24 hours of employee departure
  • Annual third-party security review (SOC 2 Type II in progress)

4. Subprocessors

Binnacle uses the following subprocessors. Any change requires 30 days' notice to Customer; Customer may object within that period.

Subprocessor   Purpose                       Location
Vultr          Hosting + database            USA
Anthropic      Document classification AI    USA
Resend         Transactional email           USA
Twilio         SMS notifications             USA
Stripe         Payment processing            USA

5. Breach notification

Binnacle will notify Customer without undue delay (and no later than 72 hours) after becoming aware of a confirmed Personal Data Breach affecting Customer Data. Notification will include the nature of the breach, affected data categories, estimated volume, and mitigation steps taken.

6. Data subject rights

Binnacle provides tools for Customer to fulfill data subject requests (access, rectification, erasure, portability) directly via the service. For requests Binnacle cannot fulfill through standard tooling, we will cooperate with Customer at reasonable cost.

7. Return or deletion

Upon termination, Customer has 30 days to export Customer Data via the Binnacle export feature or by written request. After 30 days, Binnacle will delete Customer Data from production systems. Encrypted backups are retained for 90 days and then purged.

8. Audit rights

Customer may audit Binnacle's compliance with this DPA no more than once per year, with 30 days' notice, at Customer's expense, subject to reasonable confidentiality obligations. Binnacle will provide its most recent SOC 2 Type II report in lieu of on-site audit when available.

9. International transfers

Customer Data is stored in the United States. For EU/UK Customer Data, Binnacle relies on Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework where applicable.

10. Contact

DPA-related questions: legal@binnacleai.com. Breach reporting: security@binnacleai.com.