Data Processing Agreement (DPA)

1. Scope and Roles

This agreement governs the processing of personal data. ...through the service of Cumulus.aero acts as a Data Processor on behalf of the Flight School (the Data Controller).

2. Data Security

We implement industry-standard security measures. All data is hosted on European servers by European companies  ensuring data sovereignty and full compliance with GDPR.  We aim for 99.5% uptime. Maintenance windows will be communicated 48 hours in advance.

Data Breach Notification

In the event of a personal data breach, Cumulus.aero will notify the Client without undue delay (and no later than 48 hours) after becoming aware of the breach.

Access and user roles

The Client is responsible for managing access for its instructors and students. The Client must ensure that all login credentials are kept confidential.

3. Confidentiality

Following EASA recommendations, we treat all student and instructor data as sensitive strictly confidential and do not share it with third parties unless required by aviation authorities or law. To comply with the EU Data Act 2026, Cumulus.aero guarantees that the Client owns all data entered into the platform. We provide a “One-Click Export” tool allowing the Client to retrieve all student files and flight logs in a structured, machine-readable format (JSON/CSV) at any time. We will assist the Client in fulfilling their obligations to respond to students or employees ‘requests for exercising their rights (Right to Access, Erase, or Portability).

4. Confidentiality

As a B2B service, Cumulus.aero is not liable for indirect damages or loss of profit. Our liability is limited to the amount paid by the Client in the 12 months preceding the claim. We are not responsible for the accuracy of flight training data entered by instructors.

5. Technical and Organizational Measures (TOMs)

We implement the following security measures:

  • Hosting: All data stays in the EU.

  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3).

  • Access Control: Strict internal “need-to-know” access policies for users and our developers.