Data Processing Agreement

Last updated: 18 April 2026 — Version 1.0

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Terms”) between you (“Controller”, “you”, “your”) and Sawai Gyoseishoshi Office (“Processor”, “we”, “us”, “our”, “MmowW”), a Gyoseishoshi office established in Hiroshima, Japan.

This DPA is entered into to reflect the parties’ agreement with respect to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the MmowW Drone service, in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), the UK General Data Protection Regulation (“UK GDPR”) as retained by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and all other applicable data protection and privacy legislation.

Regulatory basis: This DPA satisfies the requirements of Article 28 of the GDPR and Article 28 of the UK GDPR, which require that processing by a processor be governed by a contract or other legal act that is binding on the processor with regard to the controller.

1. Definitions

1.1 In this DPA, the following terms shall have the meanings set out below. Where a term is not defined in this DPA, it shall have the meaning given to it in the GDPR or UK GDPR, as applicable.

“Applicable Data Protection Law” means the GDPR, the UK GDPR, the Data Protection Act 2018, and any other legislation in force from time to time which implements or supplements the foregoing, including any binding guidance or codes of practice issued by a Supervisory Authority.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In this DPA, the Controller is you, the subscriber to MmowW Drone.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA.
“EEA” means the European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway).
“Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
“Processing” (and “process”, “processed”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. In this DPA, the Processor is Sawai Gyoseishoshi Office, operating as MmowW.
“Service” means the MmowW Drone cloud-based compliance management platform, as described in the Terms of Service.
“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.
“Supervisory Authority” means an independent public authority established by an EU/EEA member state or the United Kingdom pursuant to the GDPR or UK GDPR, respectively (e.g., the UK Information Commissioner’s Office (“ICO”), the Bundesbeauftragte für den Datenschutz (BfDI) in Germany, the CNIL in France).
“Terms of Service” or “Terms” means the MmowW Drone Terms of Service available at mmoww.net/uk/terms/ (or the equivalent page for your country).
“UK Adequacy Regulations” means the adequacy regulations made under Section 17A of the Data Protection Act 2018, as applicable.

2. Scope and Purpose of Processing

2.1 The Processor shall process Personal Data solely for the purpose of providing the Service to the Controller, as further described in this Section 2 and in the Terms of Service.

2.2 The purpose of processing includes:

Account creation, authentication, and session management;
Drone and aircraft registration record-keeping;
Pilot and team member management;
Flight logging and flight plan preparation;
Pre-flight checklists and daily inspection records;
Maintenance and repair tracking;
Insurance policy management;
Permit and operational authorisation tracking;
Incident and accident report management;
Compliance scoring and audit-readiness reporting;
Payment processing (via Stripe);
AI-assisted compliance guidance;
Communication related to the Service (e.g., notifications, alerts).

2.3 Duration of processing. The Processor shall process Personal Data for the duration of the Controller’s subscription to the Service, plus:

A 30-day data export period following termination or expiry of the subscription, during which the Controller may export their data; and
Any additional retention period required by law. Aviation authorities in certain jurisdictions require operators to retain flight logs, maintenance records, and related documentation for periods of 2 to 3 years (or longer). Where such retention is legally required, the Processor shall retain the minimum data necessary to satisfy those obligations, after which the data shall be securely deleted.

2.4 The Processor shall not process Personal Data for any purpose other than those described in this DPA and the Terms, unless required to do so by Applicable Data Protection Law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless the law prohibits such notification on important grounds of public interest).

3. Types of Personal Data Processed

3.1 The following categories of Personal Data may be processed under this DPA:

Category	Examples
Pilot identification data	Full name, email address, qualifications, licence/certificate numbers, Operator ID, Flyer ID
Organisation data	Company/organisation name, registration numbers, business addresses, team structure
Flight operation data	Flight logs (dates, times, locations, coordinates, altitudes, durations), flight plans, pre-flight checklist results
Aircraft data	Registration numbers, serial numbers, manufacturer and model details, aircraft photographs, weight class
Insurance data	Policy numbers, insurance provider name, coverage dates, liability limits
Maintenance records	Inspection dates, maintenance actions, battery cycle counts, component replacement records
Incident/accident reports	Incident descriptions, dates, locations, severity, corrective actions taken
Payment data	Email address and payment tokens (processed by Stripe). MmowW does not store credit/debit card numbers, CVVs, or full card details.
Authentication data	Email address, hashed passwords (bcrypt), OAuth tokens (Google), session tokens
Usage and technical data	IP addresses (server logs, temporary), API request metadata, browser user-agent (for compatibility)

3.2 The Processor does not intentionally collect or process special categories of Personal Data (Article 9 GDPR) such as health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation. The Controller shall not submit such data to the Service.

4. Categories of Data Subjects

4.1 Personal Data processed under this DPA relates to the following categories of Data Subjects:

Registered users — drone pilots and organisation administrators who create an account on the Service;
Team members — additional pilots or staff members added to an organisation account by the organisation administrator;
Third parties referenced in records — individuals whose names or contact details may appear in flight plans, incident reports, or insurance documents as submitted by the Controller (e.g., landowner contact details, witness names).

4.2 The Controller is responsible for ensuring that it has a lawful basis for providing the Personal Data of any third-party Data Subjects to the Service, and for informing such Data Subjects of the processing in accordance with Articles 13 and 14 of the GDPR.

5. Obligations of the Processor

5.1 Documented instructions. The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to process by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The instructions of the Controller are documented in this DPA and the Terms of Service. The Controller may issue additional written instructions consistent with the Terms, which the Processor shall follow provided they are lawful and reasonable.

5.2 Confidentiality. The Processor shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require access to perform the Service, and such access is granted on a need-to-know, least-privilege basis.

5.3 Security measures. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. The specific measures are described in Section 8 of this DPA.

5.4 Sub-processors. The Processor shall not engage another processor (Sub-processor) without prior specific or general written authorisation of the Controller. The Controller provides general authorisation for the Sub-processors listed in Section 6 of this DPA. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, in accordance with Section 6.

5.5 Assistance with Data Subject rights. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights under Chapter III of the GDPR, as further described in Section 10.

5.6 Assistance with security and breach notification. The Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:

Security of processing (Article 32);
Notification of a Personal Data Breach to the Supervisory Authority (Article 33);
Communication of a Personal Data Breach to the Data Subject (Article 34);
Data protection impact assessments (Article 35), where the Controller is required to carry out such an assessment;
Prior consultation with the Supervisory Authority (Article 36).

5.7 Deletion or return of data. At the choice of the Controller, upon termination of the Service, the Processor shall delete or return all Personal Data to the Controller, and delete existing copies, unless Union or Member State law requires storage of the Personal Data. The procedures for data return and deletion are set out in Section 11.

5.8 Audit and demonstration of compliance. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in the Processor’s opinion, an instruction infringes the GDPR, UK GDPR, or other applicable data protection provisions.

Audit process: Audit requests must be submitted in writing to info@mmoww.net with at least 30 days’ notice. Audits shall be conducted during normal business hours (JST), shall not unreasonably interfere with the Processor’s operations, and shall be at the Controller’s expense. The Processor may require the auditor to execute a reasonable non-disclosure agreement before any audit commences.

6. Sub-processors

6.1 The Controller provides general written authorisation for the Processor to engage the Sub-processors listed in this Section 6. Each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

6.2 Current Sub-processors:

Sub-processor	Purpose	Location	Data Processed
Supabase, Inc.	Database hosting, user authentication, Row Level Security enforcement	AWS (region varies; primary: US)	All user data (account information, flight logs, aircraft records, organisation data, authentication data)
Stripe, Inc.	Payment processing, subscription management, billing	United States	Email address, payment tokens, subscription status. MmowW does not transmit or store card numbers.
Xserver Inc. (VPS: 162.43.88.10)	API server, data processing engine, build server	Japan	API request/response data (including Personal Data in transit), temporary processing logs
Xserver Inc. (Shared: 85.131.213.120)	Web hosting for mmoww.net (static content)	Japan	Static web content delivery only; no Personal Data stored at rest
Google LLC (Google Cloud Platform)	OAuth 2.0 user authentication (optional sign-in method)	United States	Email address, OAuth access tokens
Anthropic, PBC (Claude API)	AI-assisted compliance guidance feature	United States	Chat messages submitted by the user. The AI feature does not require PII; however, users may voluntarily include Personal Data in chat messages.

6.3 Notification of changes. The Processor shall notify the Controller in writing (by email to the Controller’s registered email address) of any intended addition of or replacement of Sub-processors at least 30 days before the new Sub-processor begins processing Personal Data.

6.4 Right to object. The Controller may object to the appointment of a new Sub-processor by notifying the Processor in writing within 30 days of receiving the notification under Section 6.3. The objection must state reasonable grounds relating to data protection. If the Controller objects:

The Processor shall use commercially reasonable efforts to make available to the Controller a change in the Service or recommend a commercially reasonable change to avoid the use of the objected-to Sub-processor;
If the Processor cannot accommodate the objection within 30 days of receiving it, either party may terminate the affected portion of the Service by providing written notice to the other party. Upon such termination, the Controller shall be entitled to a pro-rata refund of any prepaid fees for the period following termination.

6.5 Sub-processor liability. Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-processor’s obligations.

7. International Data Transfers

7.1 The Processor is established in Japan. The primary database infrastructure (Supabase) and certain Sub-processors are located in the United States. The Processor and its Sub-processors may process Personal Data outside the EEA and the United Kingdom.

7.2 Japan — EU adequacy decision. The European Commission adopted an adequacy decision for Japan on 23 January 2019 (Commission Implementing Decision (EU) 2019/419), which was renewed and remains in effect. Transfers of Personal Data from the EEA to Japan are therefore permitted under Article 45 of the GDPR without requiring additional safeguards.

7.3 Japan — UK adequacy. The United Kingdom has recognised Japan as providing an adequate level of data protection under the UK GDPR. Transfers of Personal Data from the UK to Japan are therefore permitted under the UK Adequacy Regulations.

7.4 United States — EU-US Data Privacy Framework. Transfers of Personal Data to Sub-processors in the United States (Stripe, Google, Anthropic) are covered by the EU-US Data Privacy Framework (“DPF”), adopted by the European Commission on 10 July 2023 (Commission Implementing Decision (EU) 2023/1795), and/or the UK Extension to the EU-US DPF. The Processor shall ensure that its US-based Sub-processors are certified under the DPF or that equivalent safeguards (such as Standard Contractual Clauses) are in place.

7.5 Supplementary measures. Where required by Applicable Data Protection Law or guidance from a Supervisory Authority, the Processor shall implement supplementary technical and organisational measures to ensure that transferred Personal Data receives an essentially equivalent level of protection as it would within the EEA or the UK.

7.6 Future transfer mechanisms. If any transfer mechanism relied upon under this Section 7 is invalidated or otherwise ceases to be a valid basis for international data transfers, the Processor shall use commercially reasonable efforts to implement an alternative lawful transfer mechanism within a reasonable period.

8. Security Measures (Article 32)

8.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain the following technical and organisational security measures:

8.2 Technical Measures

Encryption in transit: All data transmitted between the user’s browser and the Service is encrypted using TLS 1.2 or higher (HTTPS). All API communications use HTTPS exclusively.
Encryption at rest: The database (Supabase/PostgreSQL) encrypts data at rest using AES-256, managed by the infrastructure provider.
Access control: Row Level Security (RLS) is enabled on all database tables, ensuring that users can only access data belonging to their own organisation. API endpoints enforce authentication via JWT tokens.
Password security: User passwords are hashed using bcrypt with a cost factor of 10 or higher. Plaintext passwords are never stored or logged.
OAuth security: Google OAuth 2.0 integration uses server-side token exchange. Access tokens are short-lived and refresh tokens are stored securely.
API authentication: All API endpoints require valid authentication tokens. Service-role keys are stored exclusively on the server and are never exposed to client-side code.
Network security: The VPS server (162.43.88.10) uses firewall rules to restrict access to necessary ports only. SSH access requires key-based authentication.
Logging and monitoring: Server access logs and API request logs are maintained for security monitoring. Logs containing Personal Data are retained for a limited period and securely deleted thereafter.

8.3 Organisational Measures

Access limitation: Access to production systems and Personal Data is limited to authorised personnel of Sawai Gyoseishoshi Office on a strict need-to-know basis.
Confidentiality: All personnel with access to Personal Data are bound by professional confidentiality obligations (Gyoseishoshi professional duty of confidentiality under the Gyoseishoshi Act of Japan).
Incident response: A documented incident response procedure is maintained and tested. In the event of a suspected Personal Data Breach, the response procedure is initiated immediately (see Section 9).
Backup and recovery: Regular database backups are maintained by the infrastructure provider (Supabase). Backup data is subject to the same security measures as production data.
Secure development: Code changes are reviewed before deployment. Deployment to production follows a documented process with pre-deployment checks.
Sub-processor due diligence: Sub-processors are selected based on their ability to provide sufficient guarantees to implement appropriate technical and organisational measures, and their compliance with applicable data protection standards (e.g., SOC 2, ISO 27001).

8.4 The Processor shall regularly assess the adequacy and effectiveness of its security measures and shall update them as necessary to address evolving threats and changes in the processing environment.

9. Data Breach Notification

9.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.

9.2 The notification shall include, to the extent reasonably available at the time of notification:

A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
The name and contact details of the Processor’s point of contact from whom more information can be obtained;
A description of the likely consequences of the Personal Data Breach;
A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without further undue delay.

9.4 The Processor shall assist the Controller in fulfilling the Controller’s obligations under Articles 33 and 34 of the GDPR (notification to the Supervisory Authority and communication to Data Subjects), taking into account the nature of the processing and the information available to the Processor.

9.5 The Processor shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken. This documentation shall be made available to the Controller upon request.

Breach notifications shall be sent to the Controller’s registered email address and, concurrently, to info@mmoww.net for record-keeping purposes.

10. Data Subject Rights

10.1 The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:

Right of access (Article 15) — the right to obtain confirmation of whether Personal Data is being processed and access to a copy of that data;
Right to rectification (Article 16) — the right to have inaccurate Personal Data corrected;
Right to erasure (“right to be forgotten”) (Article 17) — the right to request deletion of Personal Data, subject to legal retention obligations;
Right to restriction of processing (Article 18) — the right to request that processing be restricted in certain circumstances;
Right to data portability (Article 20) — the right to receive Personal Data in a structured, commonly used, machine-readable format (CSV or JSON);
Right to object (Article 21) — the right to object to processing in certain circumstances.

10.2 If the Processor receives a request from a Data Subject directly, the Processor shall promptly notify the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller or required to do so by Applicable Data Protection Law.

10.3 The Processor shall respond to requests from the Controller regarding Data Subject rights within 5 business days of receiving such a request. Where a request is complex or voluminous, the Processor shall inform the Controller of the expected timeline for completion.

10.4 Self-service data export. The Service provides the Controller with self-service tools to export their data in structured, machine-readable formats (CSV and JSON) at any time during the subscription period, facilitating the Controller’s compliance with data portability requests.

10.5 Self-service account deletion. The Controller may request deletion of their account and all associated Personal Data by contacting info@mmoww.net. Upon verification of the request, the Processor shall delete the account and all associated Personal Data within 30 days, subject to any legal retention obligations described in Section 2.3.

11. Term and Termination

11.1 This DPA shall come into effect on the date the Controller first accepts the Terms of Service (including by creating an account) and shall remain in effect for so long as the Processor processes Personal Data on behalf of the Controller.

11.2 Upon termination or expiry of the Controller’s subscription to the Service, the following process shall apply:

Data export period (30 days): The Controller shall have 30 days from the date of termination to export their data using the Service’s self-service export tools. The Processor shall provide data in structured, commonly used, machine-readable formats (CSV and/or JSON).
Deletion: After the 30-day data export period, the Processor shall securely delete all Personal Data associated with the Controller’s account, including all copies in production databases, unless retention is required by Applicable Data Protection Law or by aviation authority record-keeping requirements (as described in Section 2.3).
Retained data: Where data is retained pursuant to a legal obligation, the Processor shall isolate such data, restrict processing to only that which is required by the legal obligation, and securely delete the data upon expiry of the retention period.
Confirmation: Upon request, the Processor shall provide written confirmation that all Personal Data has been deleted (or, where applicable, identify the data retained and the legal basis for retention).

11.3 At the Controller’s written request (prior to deletion), the Processor shall return all Personal Data to the Controller in a structured, commonly used, machine-readable format, rather than deleting it.

11.4 The provisions of this DPA that by their nature should survive termination (including Sections 5.2, 5.8, 9, and 12) shall survive the termination of this DPA.

12. Liability

12.1 Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except as provided in this Section 12.

12.2 Nothing in this DPA or the Terms of Service shall limit or exclude either party’s liability for:

Intentional or grossly negligent breaches of this DPA or Applicable Data Protection Law;
Fines, penalties, or compensation orders imposed by a Supervisory Authority or court of competent jurisdiction directly attributable to a party’s breach of its obligations under this DPA;
Fraud or fraudulent misrepresentation;
Any other liability that cannot be limited or excluded by Applicable Data Protection Law.

12.3 Where the Processor is liable for damages caused by processing that infringes the GDPR or UK GDPR, the Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR or UK GDPR specifically directed to processors, or where it has acted outside of or contrary to lawful instructions of the Controller, in accordance with Article 82 of the GDPR.

12.4 Each party shall indemnify and hold harmless the other party from and against all claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from or related to any breach of this DPA by the indemnifying party, subject to the limitations set out in Section 12.1.

13. Governing Law and Dispute Resolution

13.1 This DPA is governed by the same law that governs the Terms of Service between the parties:

For United Kingdom users: the laws of England and Wales.
For EU/EEA users: the laws of the EU member state in which the Data Subject has their habitual residence (e.g., German law for DE users, French law for FR users, Dutch law for NL users, Swedish law for SE users).
For Australian users: the laws of the Commonwealth of Australia.
For New Zealand users: the laws of New Zealand.
For Canadian users: the laws of the Province of Ontario and the federal laws of Canada applicable therein.
For Japanese users: the laws of Japan.

13.2 The courts of the applicable jurisdiction under Section 13.1 shall have non-exclusive jurisdiction over any dispute arising under or in connection with this DPA.

13.3 Nothing in this Section 13 shall prevent a Data Subject from bringing a claim before the courts of the Member State or country in which they have their habitual residence, in accordance with Article 79(2) of the GDPR.

13.4 Nothing in this DPA shall affect the rights of Data Subjects to lodge a complaint with a Supervisory Authority, in accordance with Article 77 of the GDPR.

14. General Provisions

14.1 Entire agreement. This DPA, together with the Terms of Service and the Privacy Policy, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous understandings regarding such subject matter.

14.2 Amendments. The Processor may update this DPA from time to time to reflect changes in data protection law, guidance from Supervisory Authorities, or changes to the Service or Sub-processors. Material changes shall be communicated to the Controller at least 30 days before they take effect. Continued use of the Service after the effective date of any amendment constitutes acceptance of the amended DPA.

14.3 Severability. If any provision of this DPA is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that most closely reflects the original intent.

14.4 No waiver. The failure of either party to enforce any provision of this DPA shall not constitute a waiver of that party’s right to enforce that provision or any other provision.

14.5 Conflict. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to matters relating to data protection and the processing of Personal Data.

14.6 Language. This DPA is drawn up in English. In the event of any discrepancy between a translated version and the English version, the English version shall prevail.

15. Contact

For any questions, requests, or complaints regarding this DPA or the processing of your Personal Data, please contact:

Sawai Gyoseishoshi Office (operating as MmowW)
Hiroshima, Japan

Email: info@mmoww.net
Feedback: mmoww.net/uk/feedback/

Supervisory Authority (UK): If you are based in the United Kingdom, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113

This Data Processing Agreement is effective as of the date you first accept the MmowW Drone Terms of Service.

Sawai Gyoseishoshi Office
Hiroshima, Japan — The City of Peace
“Strong. Kind. Beautiful.”