This Sky Pilot Data Processing Addendum (“DPA”) amends and supplements the Sky Pilot Terms of Service (the “Agreement”) between the Controller (as defined below) and Corknine Development Limited, operating as Sky Pilot (“Sky Pilot” or “Processor”), located at Fasken office, 550 Burrard Street, Suite 2900, Vancouver, British Columbia, Canada.

This DPA applies where Sky Pilot processes Personal Data on behalf of the Controller in connection with the Sky Pilot digital delivery application, and in particular addresses the international transfer of Personal Data from the United Kingdom and/or European Economic Area (“EEA”) to the United States, where Sky Pilot’s servers are located.

1. Definitions

“Controller” means the store owner who uses the Sky Pilot application and determines the purposes and means of the processing of Personal Data. For the purposes of the EU Standard Contractual Clauses and the UK Addendum, the Controller is the “data exporter.”

“Processor” means Corknine Development Limited (Sky Pilot), which processes Personal Data solely on behalf of and as directed by the Controller. For the purposes of the EU Standard Contractual Clauses and the UK Addendum, the Processor is the “data importer.”

“Data Protection Legislation” means all applicable data protection and privacy laws, including: (a) the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; (b) Regulation (EU) 2016/679 (the EU GDPR); (c) the Data (Use and Access) Act 2025; and (d) any successor legislation or amendments thereto.

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is processed by Sky Pilot on behalf of the Controller through the Sky Pilot application.

“EU SCCs” means the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), as incorporated into this DPA.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, as incorporated into this DPA.

All other capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement or the applicable Data Protection Legislation.

2. Scope, Roles, and Processing Details

2.1  The Controller is the sole owner of all Personal Data processed through the Sky Pilot application. Sky Pilot does not own, control, or make any independent decisions regarding such Personal Data. Sky Pilot processes Personal Data solely to deliver the digital file delivery services as instructed by the Controller through the Sky Pilot application.

2.2  The Controller is responsible for ensuring that it has a lawful basis for the processing of Personal Data and for providing all necessary notices and obtaining all necessary consents from Data Subjects prior to providing Personal Data to Sky Pilot. The Controller warrants that its instructions to Sky Pilot comply with all applicable Data Protection Legislation.

2.3  The details of the processing are as follows:

3. Data Protection Obligations of Sky Pilot

Sky Pilot shall:

• Process Personal Data only in accordance with the Controller’s documented instructions, including as set out in the Agreement and this DPA. Sky Pilot shall not process Personal Data for any purpose other than to deliver digital files as directed by the Controller.

• Notify the Controller if, in Sky Pilot’s reasonable opinion, an instruction infringes applicable Data Protection Legislation. Sky Pilot shall not be liable for any delay, non-performance, or consequence arising from pausing processing pending clarification from the Controller.

• Promptly notify the Controller of any Data Subject request or inquiry received by Sky Pilot. Sky Pilot shall not respond to the Data Subject directly unless instructed to do so by the Controller. The Controller shall be solely responsible for responding to such requests. Sky Pilot shall provide reasonable assistance to the Controller in fulfilling its obligations to respond to Data Subject requests; provided that where such assistance requires material effort beyond Sky Pilot’s standard operations, the Controller shall reimburse Sky Pilot’s reasonable costs.

• Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, having regard to the state of the art, the costs of implementation, the nature of the data processed, and the risk to Data Subjects.

• Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.

• Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Legislation, subject to the audit provisions in Section 3.1 below.

• Notify the Controller without undue delay upon becoming aware of any Personal Data breach (unauthorised access, disclosure, loss, alteration, or destruction), providing sufficient detail to enable the Controller to meet its obligations under applicable Data Protection Legislation. The Controller shall be solely responsible for any notifications to supervisory authorities and Data Subjects.

• Upon termination of the Agreement, initiate the purging of all Personal Data within sixty (60) days, unless retention is required by applicable law. Upon request, Sky Pilot shall provide written confirmation of such deletion.

3.1  Audit Rights

The Controller may, at its own expense, audit Sky Pilot’s compliance with this DPA, subject to the following conditions:

• Audits shall be limited to no more than once per twelve (12) month period, unless required by a competent supervisory authority or following an actual Personal Data breach.

• The Controller shall provide Sky Pilot with at least thirty (30) days’ prior written notice of any audit.

• Audits shall be conducted during normal business hours and shall not unreasonably interfere with Sky Pilot’s business operations.

• The Controller and its auditors shall be required to enter into a confidentiality agreement reasonably acceptable to Sky Pilot before commencing any audit.

• Where Sky Pilot holds a relevant third-party certification or audit report (e.g., SOC 2), Sky Pilot may satisfy the Controller’s audit request by providing a copy of such report in lieu of permitting an on-site audit.

4. Sub-Processors

4.1  The Controller provides Sky Pilot with general written authorisation to engage sub-processors for the processing of Personal Data. Sky Pilot shall:

• Maintain a current list of sub-processors, which shall be made available to the Controller upon written request;

• Notify the Controller of any intended addition or replacement of sub-processors at least fifteen (15) days in advance, giving the Controller an opportunity to object on reasonable data protection grounds;

• Enter into a written agreement with each sub-processor imposing data protection obligations no less protective than those set out in this DPA; and

• Remain responsible to the Controller for the performance of each sub-processor’s obligations.

4.2  If the Controller objects to a new sub-processor on reasonable and documented data protection grounds within the fifteen (15) day notice period, Sky Pilot shall use commercially reasonable efforts to make available an alternative arrangement that avoids the use of the objected-to sub-processor. If no commercially reasonable alternative is available within thirty (30) days, either party may terminate the affected services upon written notice, with no liability to either party arising solely from such termination.

4.3  The current list of sub-processors is set out in Schedule 5 of this DPA. Sky Pilot may update the list of sub-processors from time to time in accordance with this Section 4. The Controller acknowledges that the sub-processors listed in Schedule 5 are approved as of the effective date of this DPA.

5. International Data Transfers

5.1  The Controller acknowledges that Sky Pilot’s servers are located in the United States and that Personal Data originating from the United Kingdom and/or the EEA will be transferred to, and processed in, the United States.

5.2  To provide appropriate safeguards for such transfers in accordance with Article 46 of the UK GDPR and Article 46 of the EU GDPR, the parties agree that the following transfer mechanisms are incorporated into this DPA by reference and shall apply to all transfers of Personal Data:

(a) EU Standard Contractual Clauses. The EU Standard Contractual Clauses (2021/914), Module Two (Controller to Processor), are hereby incorporated by reference into this DPA. The SCCs shall be deemed completed as follows:

• Clause 7 (Docking Clause): Not used.

• Clause 9(a) (Sub-processors): Option 2 (General Written Authorisation) shall apply. Sky Pilot shall notify the Controller of intended changes to sub-processors at least fifteen (15) days in advance.

• Clause 11 (Redress): The optional language regarding independent dispute resolution shall not apply.

• Clause 13 (Supervision): Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with Article 3(2), the supervisory authority of the Member State in which the Data Subjects are located shall act as the competent supervisory authority.

• Clause 17 (Governing Law): Option 1 shall apply. The SCCs shall be governed by the law of the Republic of Ireland.

• Clause 18(b) (Forum and Jurisdiction): Disputes shall be resolved before the courts of the Republic of Ireland.

• Annex I, Annex II, and Annex III: Shall be completed as set out in the Schedules to this DPA (Section 7 below).

(b) UK Addendum. For transfers of Personal Data originating from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”), issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, is hereby incorporated by reference into this DPA. The UK Addendum shall be completed as follows:

• Table 1 (Parties): The Controller is the Exporter; Sky Pilot is the Importer with contact details as set out in Section 8 below.

• Table 2 (Selected SCCs, Modules and Clauses): The Approved EU SCCs referenced are those incorporated under Section 5.2(a) above, Module Two (Controller to Processor).

• Table 3 (Appendix Information): As set out in the Schedules to this DPA (Section 7 below).

• Table 4 (Ending the Addendum): Neither party may end the UK Addendum in accordance with Section 19 of the UK Addendum.

5.3  In the event of any conflict between this DPA and the EU SCCs or the UK Addendum, the EU SCCs and/or the UK Addendum (as applicable) shall prevail, but only to the minimum extent required by the applicable Data Protection Legislation.

5.4  Sky Pilot warrants that, as of the date of this DPA, it has no reason to believe that the laws and practices in the United States applicable to its processing of Personal Data prevent it from fulfilling its obligations under the EU SCCs and the UK Addendum. Sky Pilot agrees to notify the Controller promptly if it becomes aware of any change in this position.

6. Liability, Indemnification, and Limitation

6.1  The Controller shall indemnify, defend, and hold harmless Sky Pilot from and against any claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from or related to: (a) the Controller’s breach of its obligations under this DPA or applicable Data Protection Legislation; (b) the Controller’s instructions to Sky Pilot that are found to violate applicable law; or (c) the Controller’s failure to obtain necessary consents or provide required notices to Data Subjects.

6.2  Sky Pilot’s total aggregate liability arising out of or in connection with this DPA (including under the EU SCCs and the UK Addendum) shall be subject to the limitation of liability provisions in the Agreement. Nothing in this clause limits liability that cannot be excluded or limited under applicable Data Protection Legislation, including liability to Data Subjects under the EU SCCs.

6.3  In no event shall Sky Pilot be liable for any indirect, incidental, consequential, special, or exemplary damages arising out of or in connection with this DPA, including loss of revenue, loss of data (except Personal Data), or loss of business opportunity, even if advised of the possibility of such damages.

7. Miscellaneous

7.1  This DPA prevails over any conflicting provisions of the Agreement with respect to the processing of Personal Data. Sky Pilot may update this DPA, including the Schedules hereto (such as the list of sub-processors and the technical and organisational measures), from time to time by posting an updated version on its website. Sky Pilot shall use reasonable efforts to notify the Controller of material changes. The Controller’s continued use of the Sky Pilot application following such update shall constitute acceptance of the revised DPA.

7.2  Except as modified by this DPA, the terms of the Agreement remain in full force and effect.

7.3  This DPA shall be governed by and construed in accordance with the laws of the Province of British Columbia and the applicable laws of Canada, without prejudice to the governing law provisions of the EU SCCs and/or UK Addendum where applicable to international transfers of Personal Data.

 

8. Schedules to the Standard Contractual Clauses

The following Schedules complete the Annexes to the EU Standard Contractual Clauses and the Tables of the UK Addendum.

Schedule 1 — List of Parties (Annex I.A)

Data Exporter (Controller)

The Data Exporter is the store owner who has accepted the Sky Pilot Terms of Service and uses the Sky Pilot application to deliver digital products to their customers. The Data Exporter acts as a Controller in respect of the Personal Data processed through the Sky Pilot application. The identity and contact details of each Data Exporter are those provided by the store owner upon registration for the Sky Pilot application.

Data Importer (Processor)

Schedule 2 — Description of Transfer (Annex I.B)

Schedule 3 — Competent Supervisory Authority (Annex I.C)

For transfers subject to the EU GDPR: The supervisory authority of the EU Member State in which the Data Subjects whose Personal Data is transferred are located shall act as the competent supervisory authority.

For transfers subject to the UK GDPR: The Information Commissioner’s Office (ICO) shall act as the competent supervisory authority.

 

Schedule 4 — Technical and Organisational Measures (Annex II)

Sky Pilot implements and maintains the following technical and organisational measures to ensure the security of Personal Data:

• Encryption: Personal Data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using industry-standard encryption algorithms.

• Access Controls: Access to Personal Data is restricted to authorised personnel on a need-to-know basis. Multi-factor authentication is required for administrative access to production systems.

• Infrastructure Security: Sky Pilot’s US-based servers are hosted in data centres with SOC 2-compliant physical and logical security controls, including facility access controls, environmental safeguards, and network security monitoring.

• Data Minimisation: Sky Pilot collects only the minimum Personal Data necessary to perform digital file delivery (name, email, order ID, purchased items, IP address, download timestamp).

• Logging and Monitoring: Systems maintain access logs and security event logs. Logs are reviewed regularly for anomalous or unauthorised access.

• Incident Response: Sky Pilot maintains an incident response plan covering detection, assessment, notification, and remediation of Personal Data breaches.

• Personnel: All Sky Pilot personnel with access to Personal Data are bound by contractual confidentiality obligations and receive data protection training.

• Business Continuity: Regular backups of Personal Data are maintained, with tested restore procedures to ensure availability and resilience of processing systems.

• Data Deletion: Automated purge processes are initiated within sixty (60) days of termination of the Agreement, and data deletion is certified upon request.

Schedule 5 — List of Sub-Processors (Annex III)

The Controller has authorised the use of the following sub-processors. Sky Pilot may update this list from time to time in accordance with Section 4 of this DPA.

 

9. UK Addendum — Mandatory Clauses

Pursuant to Section 119A of the Data Protection Act 2018, and in accordance with the International Data Transfer Addendum issued by the ICO (Version B1.0, in force 21 March 2022), the following tables are completed:

Table 1: Parties

The Exporter is the Controller (store owner) who has accepted the Sky Pilot Terms of Service. The identity and contact details of each Exporter are those provided upon registration for the Sky Pilot application.

Table 2: Selected SCCs, Modules and Clauses

The Approved EU SCCs incorporated into this DPA are the EU Commission’s Standard Contractual Clauses (Implementing Decision 2021/914), Module Two (Controller to Processor), with the selections specified in Section 5.2(a) above.

Table 3: Appendix Information

The Appendix Information for the purposes of the UK Addendum is set out in Schedules 1 through 5 of this DPA (Section 8 above).

Table 4: Ending the Addendum

Neither party may end the UK Addendum in accordance with Section 19 of the UK Addendum. The UK Addendum shall remain in effect for so long as the EU SCCs are incorporated into this DPA and Personal Data originating from the United Kingdom is transferred to Sky Pilot.