Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SYG Yachts LLC ("Processor") and the subscriber ("Controller") and governs the processing of personal data by HELM Fleet Command on behalf of the Controller. This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR) and the UK GDPR. Where the Controller is not subject to GDPR, this DPA applies to the extent required by applicable data protection law. Applicable to: Management and Management Pro plan subscribers; all EU/EEA subscribers; any subscriber handling crew personal data.

"Personal data", "processing", "controller", "processor", "data subject", "supervisory authority", and "personal data breach" have the meanings given in the GDPR. "Controller data" means personal data provided by or collected on behalf of the Controller through use of the HELM Platform, including crew personal data, vessel operator data, and charter guest data.

Subject matter: Operation of the HELM Fleet Command Platform Duration: For the term of the subscription agreement Nature: Storage, access, retrieval, transmission, AI processing Purpose: Providing the Platform services as described in the Terms of Service Type of personal data: Names, contact details, professional qualifications, employment records, medical data (if entered into Medical Bay module), financial data, location data, vessel operational data Categories of data subjects: Crew members, officers, vessel owners, charter guests, management company personnel

The Processor (SYG Yachts LLC) shall: (a) Process Controller data only on documented instructions from the Controller, including with regard to transfers to third countries (b) Ensure that persons authorised to process Controller data are bound by confidentiality obligations (c) Implement appropriate technical and organisational security measures as described in our Privacy Policy (d) Not engage sub-processors without the Controller's prior written consent (general consent is given by accepting these Terms; current sub-processors are listed in our Privacy Policy) (e) Assist the Controller in fulfilling data subject rights requests (f) Notify the Controller within 72 hours of becoming aware of a personal data breach affecting Controller data (g) Make available all information necessary to demonstrate compliance with this DPA on reasonable written request (h) Delete or return all Controller data upon termination of the subscription, subject to legal retention obligations

The Controller shall: (a) Ensure it has a lawful basis for all personal data entered into the Platform, including crew data and charter guest data (b) Ensure that any crew members or data subjects whose data is entered into the Platform have been informed of such processing (c) Not instruct the Processor to process personal data in a way that would violate applicable data protection law (d) Be responsible for any penalties, claims, or liabilities arising from the Controller's own non-compliance with applicable law

Controller data is processed on servers in the United States. Such transfers from the EEA/UK are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Decision 2021/914). The SCCs are incorporated into this DPA by reference. On request, we will provide copies of executed SCCs at hello@helm-command.com.

The Controller has the right to conduct audits of the Processor's data protection practices, subject to 30 days' advance written notice and execution of a non-disclosure agreement. Audits shall be conducted during business hours, no more than once per year, and at the Controller's expense. The Processor may provide third-party audit certifications in lieu of direct audit where available.

8.1 Return. Upon termination of your subscription, we shall, at your choice, return or delete all personal data processed on your behalf, except where Union or Member State law requires storage of the data. 8.2 Deletion Procedure. Deletion shall be carried out in a secure manner consistent with industry standards. We shall provide written confirmation of deletion upon request.

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Where both parties are subject to the GDPR, each party shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.

For questions about this Data Processing Agreement, please contact us at: SYG Yachts LLC d/b/a HELM Fleet Command Email: hello@helm-command.com Subject line: Data Processing Agreement Last updated: 1 May 2026