
CoreOP Data Protection Addendum

Last Updated: May 6, 2026

This Data Protection Addendum ("DPA") supplements the Terms of Service or other written agreement (the "Agreement") between Aviluxe Aviation LLC, a Texas limited liability company doing business as CoreOP ("CoreOP," "we," "us," or "our"), and the customer identified in the Agreement ("Customer," "you," or "your") and governs the processing of personal data by CoreOP on behalf of Customer in connection with the Service.

In the event of a conflict between this DPA and the Agreement with respect to the processing of personal data, this DPA controls. In the event of a conflict between this DPA and applicable Data Protection Law, applicable Data Protection Law controls.


1. Definitions

Capitalized terms used and not defined in this DPA have the meanings given in the Agreement. The following definitions apply in this DPA:

  • "Authorized Affiliate" means any of Customer's affiliates that is permitted to use the Service under the Agreement.
  • "Customer Personal Data" means personal data within Customer Data, as defined in the Agreement, that is processed by CoreOP on behalf of Customer in connection with the Service.
  • "Data Protection Law" means all laws and regulations applicable to the processing of personal data under the Agreement, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"); the Texas Data Privacy and Security Act ("TDPSA"); the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and similar state laws; and, where applicable, the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR (collectively, "European Data Protection Law").
  • "Data Subject Request" means a request from or on behalf of an individual to exercise rights under Data Protection Law with respect to that individual's personal data.
  • "Personal Data" has the meaning given to "personal data," "personal information," or similar terms under Data Protection Law.
  • "Processing" (and its derivatives) has the meaning given under Data Protection Law and includes any operation performed on personal data.
  • "Security Incident" means a confirmed breach of CoreOP's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data while processed by CoreOP. Security Incident does not include unsuccessful attempts that do not compromise the security of Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means, as applicable, the European Commission's standard contractual clauses adopted in Decision 2021/914 and the UK International Data Transfer Addendum issued under the UK GDPR.
  • "Subprocessor" means a third party engaged by CoreOP that processes Customer Personal Data in connection with the Service.

The terms "controller," "processor," "service provider," "contractor," "third party," "sale," "sell," "share," "targeted advertising," and similar terms have the meanings given under applicable Data Protection Law.

2. Roles and Scope

2.1 Roles

For Customer Personal Data processed under the Agreement:

  • Customer is the controller (or the equivalent role under applicable Data Protection Law, such as "business" under the CCPA).
  • CoreOP is the processor (or the equivalent role, such as "service provider" or "contractor" under the CCPA, or "processor" under the TDPSA).

To the extent Customer is itself a processor acting on behalf of a third-party controller, Customer represents that it is authorized to engage CoreOP as a sub-processor on behalf of the third-party controller.

CoreOP separately processes certain personal data as a controller for its own business purposes — for example, account contact information, billing records, and Service usage analytics. That processing is governed by the CoreOP Privacy Policy at coreop.io/legal/privacy and is not subject to this DPA.

2.2 Scope of Processing

CoreOP processes Customer Personal Data only:

(a) to provide the Service in accordance with the Agreement;
(b) on Customer's documented instructions, which include the Agreement, the Service configuration selected by Customer, and any further reasonable instructions agreed in writing;
(c) as necessary to comply with applicable law (in which case CoreOP will, to the extent legally permitted, inform Customer of the legal requirement before processing);
(d) to detect, prevent, and respond to security incidents, fraud, abuse, and violations of the Agreement; and
(e) as otherwise authorized by the Agreement or this DPA.

The subject matter, duration, nature, and purpose of processing; the types of Customer Personal Data; and the categories of data subjects are described in Annex A.

2.3 CCPA-Specific Restrictions

For Customer Personal Data subject to the CCPA, CoreOP:

  • Will not sell or share Customer Personal Data;
  • Will not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA;
  • Will not retain, use, or disclose Customer Personal Data outside the direct business relationship between CoreOP and Customer;
  • Will not combine Customer Personal Data with personal information that CoreOP receives from or on behalf of others, except as permitted by the CCPA;
  • Will comply with the obligations applicable to a service provider/contractor under the CCPA and provide the same level of privacy protection as required of Customer under the CCPA;
  • Will notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA; and
  • Grants Customer the right, on reasonable notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

3. Customer Obligations

Customer is responsible for:

  • The accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired it.
  • Establishing a lawful basis for processing Customer Personal Data and providing all required notices to and obtaining all required consents from data subjects (including for telephone and SMS communications, call recording, geolocation, and AI processing).
  • Configuring and using the Service in compliance with Data Protection Law.
  • Responding to Data Subject Requests with respect to Customer Personal Data, with CoreOP's reasonable assistance as set out in Section 6.
  • Determining whether the Service's security measures meet the requirements applicable to the Customer Personal Data being processed.

4. Subprocessors

4.1 General Authorization

Customer provides CoreOP with general authorization to engage Subprocessors to process Customer Personal Data, subject to this Section 4.

4.2 Current Subprocessors

The current list of Subprocessors is available on request by emailing support@coreop.io. The list is updated when Subprocessors are added or removed.

4.3 New Subprocessors

CoreOP will provide notice of new Subprocessors at least 15 days before authorizing them to process Customer Personal Data, by updating the published list. Customer can subscribe to email notifications of changes by emailing support@coreop.io with the subject line "Subprocessor Updates."

If Customer reasonably objects to a new Subprocessor on data protection grounds within 15 days after notice, CoreOP will use reasonable efforts to make available a commercially reasonable alternative. If no alternative is available, Customer may, as its sole remedy, terminate the affected portion of the Service on written notice and receive a pro-rated refund of unused, prepaid fees.

4.4 Flow-Down

CoreOP will impose contractual obligations on each Subprocessor that are no less protective of Customer Personal Data than those in this DPA. CoreOP remains responsible for the acts and omissions of its Subprocessors.

5. Confidentiality

CoreOP will ensure that personnel authorized to process Customer Personal Data are bound by appropriate written confidentiality obligations and have received training in the protection of personal data.

6. Data Subject Requests; Cooperation

6.1 Data Subject Requests

Taking into account the nature of the processing, CoreOP will provide reasonable assistance, by appropriate technical and organizational measures and to the extent possible, to enable Customer to fulfill its obligations to respond to Data Subject Requests. The Service includes self-service tools that enable Customer to access, correct, export, and delete Customer Personal Data.

If CoreOP receives a Data Subject Request directly relating to Customer Personal Data, CoreOP will, to the extent legally permitted, promptly notify Customer and not respond on Customer's behalf unless authorized to do so.

6.2 Privacy Impact Assessments and Consultation

CoreOP will, on reasonable request and to the extent reasonable, assist Customer in fulfilling its obligations to conduct privacy or data protection impact assessments and to consult with supervisory authorities, in each case to the extent applicable to CoreOP's processing of Customer Personal Data.

7. Security

7.1 Security Measures

CoreOP will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to data subjects. A description of CoreOP's security measures is set out in Annex B and is published at coreop.io/security.

7.2 Security Incidents

CoreOP will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Customer Personal Data. The notice will, to the extent known and to the extent permitted by law, describe the nature of the Security Incident, the categories and approximate volume of Customer Personal Data affected, the likely consequences, and the measures taken or proposed to address the incident. CoreOP will provide updates as additional information becomes available and will reasonably cooperate with Customer's investigation and any required notifications.

CoreOP's notification of, or response to, a Security Incident under this Section is not an acknowledgment of fault or liability.

8. Audits

8.1 Audit Reports

On Customer's reasonable written request no more than once per year (or more frequently if required by Data Protection Law or after a Security Incident), CoreOP will make available to Customer (a) the most recent third-party security audit report, certification, or attestation CoreOP has obtained (if any), and (b) responses to a reasonable industry-standard security questionnaire.

8.2 On-Site Audits

To the extent the information made available under Section 8.1 is not sufficient to demonstrate compliance and an on-site audit is required by Data Protection Law, Customer (or an independent third-party auditor agreed by the parties and bound by confidentiality) may conduct an on-site audit of CoreOP's facilities and procedures relevant to the processing of Customer Personal Data, on at least 30 days' prior written notice, during normal business hours, and without disrupting the operation of the Service. Customer will reimburse CoreOP's reasonable costs of such audit. Audits may not occur more than once per 12-month period unless required by a regulator or following a Security Incident.

9. International Transfers

9.1 General

CoreOP is based in the United States and processes Customer Personal Data in the United States and, through its Subprocessors, may process it in other locations available on request by emailing support@coreop.io.

9.2 European Personal Data

To the extent CoreOP processes personal data subject to European Data Protection Law and transfers it to a country that has not been deemed adequate by the European Commission (or, for UK personal data, by the UK Government):

  • The parties agree that the Standard Contractual Clauses are incorporated into this DPA. Module Two (controller-to-processor) applies where Customer is a controller, and Module Three (processor-to-processor) applies where Customer is a processor.
  • The parties select Option 2 (general written authorization) under Clause 9 of the SCCs and the time period in Section 4.3 above applies.
  • The parties agree that the supervisory authority is the supervisory authority of the EU member state in which the Customer's lead establishment is located, or, if Customer has no establishment in the EU, the supervisory authority of an EU member state in which the data subjects whose personal data is transferred are located.
  • The parties select the courts of Ireland for purposes of Clause 18 of the SCCs.
  • For UK personal data, the UK International Data Transfer Addendum supplements the SCCs as required.

To the extent additional documentation is reasonably required to lawfully transfer European personal data to CoreOP, the parties will cooperate in good faith to execute it.

10. Deletion or Return of Customer Personal Data

On termination or expiration of the Agreement, CoreOP will delete Customer Personal Data within the time period set out in the Agreement, except to the extent applicable law requires retention or where Customer Personal Data is contained in routine backups subject to overwrite in the normal course of business. On reasonable request before deletion, CoreOP will make Customer Personal Data available for export by Customer using the Service's standard export tools.

11. Liability

The liability of each party arising out of or related to this DPA is subject to the limitations of liability in the Agreement.

12. Order of Precedence

This DPA forms part of the Agreement. In case of conflict between this DPA and any other terms in the Agreement, this DPA prevails with respect to the processing of personal data. In case of conflict between this DPA and the SCCs (where applicable), the SCCs prevail.

13. Term

This DPA takes effect on the effective date of the Agreement and remains in effect for as long as CoreOP processes Customer Personal Data on Customer's behalf.


Annex A — Description of Processing

A.1 Subject matter and duration of processing. Provision of the Service for the duration of the Agreement.

A.2 Nature and purpose of processing. To enable Customer to operate its business through the Service, including managing customer relationships, scheduling crews, generating quotes and invoices, processing payments, capturing job documentation and photos, and using the AI Features, integrations, and other functionality made available through the Service.

A.3 Categories of data subjects.

  • Customer's employees, contractors, and other personnel (including Crew users).
  • Customer's end customers and prospects, including aircraft owners, fleet managers, and authorized contacts.
  • Other individuals whose personal data Customer chooses to upload or generate through the Service.

A.4 Categories of Customer Personal Data.

  • Identifiers and contact information (name, email address, phone number, business name, business address).
  • Account credentials and authentication tokens.
  • Customer relationship records (job notes, communications, service history, preferences).
  • Asset records (aircraft tail numbers, ownership records, equipment lists).
  • Financial and transaction information (invoice records, payment status, transaction metadata; CoreOP does not store full payment card numbers).
  • Employment and professional information (role, schedule, certifications).
  • Geolocation (precise, when crew location features are enabled by Customer).
  • Audio and visual information (call recordings where enabled by Customer; uploaded photos).
  • Device and usage information (IP address, device identifiers, log data).
  • Inputs to and outputs from AI Features.

A.5 Sensitive categories of personal data. Other than account credentials and, where enabled by Customer, precise geolocation, Customer is not permitted to upload special categories of personal data (such as health information, biometric data, government identifiers other than tax IDs, or data revealing racial or ethnic origin, religious beliefs, or sexual orientation) without separate written agreement.

A.6 Frequency of transfer. Continuous, for the duration of the Agreement.

A.7 Retention period. As set out in the Agreement, generally for the duration of the Agreement and a 30-day post-termination export period, subject to legal retention obligations and routine backups.

A.8 Subprocessors. Available on request by emailing support@coreop.io.


Annex B — Technical and Organizational Security Measures

CoreOP has implemented and will maintain at least the following technical and organizational security measures, as updated from time to time at coreop.io/security:

Encryption. Customer Personal Data is encrypted in transit using industry-standard protocols (TLS 1.2 or higher) and at rest using industry-standard encryption (AES-256 or equivalent).

Tenant isolation. The Service uses logical isolation between Customer tenants, including row-level security policies on the database layer.

Access controls. Access to Customer Personal Data is restricted to personnel with a need to know, controlled by role-based access controls, individual accounts, and multi-factor authentication for administrative access.

Authentication. End-user accounts support strong passwords, two-factor authentication, and OAuth-based sign-in.

Network security. Production systems are deployed behind firewalls; administrative access is restricted; security groups are configured following least-privilege principles.

Vulnerability management. CoreOP monitors dependencies for known vulnerabilities and applies security patches in accordance with the severity of the vulnerability.

Logging and monitoring. CoreOP logs administrative and security-relevant events and reviews logs for indicators of compromise.

Personnel. Personnel with access to Customer Personal Data are subject to background checks where permitted by law, sign confidentiality agreements, and receive periodic security and privacy training.

Vendor management. Subprocessors are evaluated for security and bound by contractual confidentiality, security, and privacy obligations.

Incident response. CoreOP maintains an incident response plan covering detection, containment, eradication, recovery, and post-incident review.

Business continuity. Customer Personal Data is backed up regularly, and CoreOP maintains documented recovery procedures.

Physical security. CoreOP relies on Subprocessor data centers (such as those of Vercel and Supabase) that maintain industry-standard physical security controls, including 24/7 monitoring, access controls, and environmental safeguards.

© 2026 CoreOP. All rights reserved.

CoreOP is a product of Aviluxe Aviation LLC, a Texas limited liability company. support@coreop.io | (682) 900-5811