Data Processing Agreement

Last updated: 22 April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and Prime Calibre Pty Ltd (ABN 76 678 167 407, Australia), trading as Strait Up Maritime ("Processor", "Reseller"), and governs the processing of personal data in connection with the Service. The Service platform is owned and operated by Prime Calibre Limited (Hong Kong) ("Product Owner"), which acts as a sub-processor under this DPA.

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in the UK GDPR / EU GDPR as applicable.

2. Scope of processing

We process personal data solely to provide the Service as described in our Privacy Policy. The categories of data and processing activities are:

Category	Data	Purpose	Retention
Account data	Name, email, company	Authentication, communication	Duration of account. Deleted within 30 days of account termination.
Usage logs	Endpoints accessed, timestamps, vessel IDs screened	Service delivery, abuse prevention, audit	12 months from creation, regardless of account status, then deleted.
Session data	Session tokens, IP addresses	Authentication, security	Duration of session + 30 days, then deleted.
Uploaded documents	Files attached to vessel records	Storage and retrieval for Customer	Until deleted by Customer. Deleted within 30 days of account termination.
Payment data	Processed by Stripe (we do not store card details)	Billing	Per Stripe's retention policy.

Third-party personal data in documents. Uploaded documents may contain personal data relating to third parties (e.g., beneficial owners, directors, crew lists of screened vessels). The Customer is the Controller for this data and is responsible for ensuring they have a lawful basis for providing it. The Processor will process such data solely for storage and retrieval as part of the Service.

3. Obligations of the Processor

• Process personal data only on documented instructions from the Controller (i.e. as needed to provide the Service)
• Ensure that persons authorised to process personal data are under appropriate obligations of confidentiality
• Implement appropriate technical and organisational security measures (see Section 5)
• Not engage sub-processors without prior notification (see Section 4)
• Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
• Delete or return all personal data upon termination of the Service, at the Controller's choice, in accordance with the retention schedule above
• Make available information necessary to demonstrate compliance with these obligations

4. Sub-processors

We use the following sub-processors to deliver the Service:

Sub-processor	Purpose	Location
Prime Calibre Limited	Platform owner, IP principal, product operation, data infrastructure	Hong Kong
Railway	Application hosting, database, object storage	Singapore
Cloudflare	CDN, DNS, DDoS protection	Global edge network
Stripe	Payment processing	Australia / US
Resend	Transactional email delivery	US

We will notify you by email at least 14 days before adding a new sub-processor. You may object by contacting us within that period.

5. Security measures

• All data transmitted over TLS 1.2+
• Cryptographically generated session tokens
• Encrypted cloud storage for uploaded documents
• Parameterised database queries (SQL injection prevention)
• Rate limiting and abuse detection
• Security headers (HSTS, X-Content-Type-Options, X-Frame-Options)
• Access controls per customer — no cross-tenant data access

6. Data breach notification

In the event of a personal data breach, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken to address it.

7. International transfers

Your data is hosted in Singapore (Railway) and processed by Prime Calibre Limited in Hong Kong. Neither Singapore nor Hong Kong has an EU adequacy decision. For transfers of personal data from the UK/EEA to these jurisdictions, we rely on:

• The European Commission's 2021 Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable) between the Processor and each sub-processor in a non-adequate jurisdiction.
• For UK transfers, the UK International Data Transfer Addendum (IDTA) to the EU SCCs, as issued by the ICO.

Copies of the executed SCCs are available on request. We have conducted a Transfer Impact Assessment for each transfer destination and determined that the combination of SCCs, encryption in transit and at rest, and access controls provides an adequate level of protection.

8. Data subject rights

We will assist you in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible. Requests can be submitted to privacy@straitupmaritime.com.

9. Term and termination

This DPA is effective for the duration of your use of the Service. Upon termination, we will delete all personal data in accordance with the retention schedule in Section 2. Account data and uploaded documents are deleted within 30 days. Usage logs are retained for the remainder of their 12-month retention period for abuse prevention and audit, then deleted.

10. Governing law

This DPA is governed by the laws of New South Wales, Australia, consistent with the governing law of the Terms of Service. To the extent this DPA relates to the processing of personal data of UK or EU/EEA data subjects, the applicable data protection law (UK GDPR or EU GDPR) takes precedence over any conflicting provision.

11. Contact

Data protection enquiries: privacy@straitupmaritime.com