Data Processing Agreement

This Data Processing Agreement (the “DPA”) integrates into agreements between the customer (“Customer” or “Controller”) and Martide Pte. Ltd. (“Martide” or “Processor”) governing the Customer’s use of the Services (the “Agreement”).

This DPA forms part of the Customer Terms of Service available at https://www.martide.com/en/legal (the “Terms”), or any other written agreement between the parties governing the Customer’s use of the Services.

The Controller enters into this DPA on behalf of itself and, where required under Data Protection Laws, in the name of its Affiliates. All Affiliate access to and use of the Services must comply with the terms of this DPA; any violation by an Affiliate shall constitute a violation by the Controller.

If the Customer has signed a separate Data Processing Agreement with Martide or negotiated specific data protection terms in a SaaS Services Order Form, that agreement shall prevail over this DPA to the extent of any conflict.

1. Definitions

“Affiliate” means: (i) an entity in which a party directly or indirectly owns fifty percent (50%) or more of the stock or equity interest, (ii) an entity that owns at least fifty percent (50%) of a party’s stock or equity interest, or (iii) an entity under common control with a party through fifty percent (50%) or more common ownership.

“Agreement” means the SaaS Services Order Form, Customer Terms of Service, or other written agreement between the Customer and Martide governing the use of the Services.

“California Personal Information” means Personal Data that is subject to the protection of the CCPA.

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (California Civil Code Section 1798.100 et seq.).

“Customer” means the entity identified in the SaaS Services Order Form or the Customer Terms of Service.

“Data Privacy Framework” means the EU-U.S. Data Privacy Framework and the UK Extension, as operated by the U.S. Department of Commerce, as amended or replaced from time to time.

“Data Protection Laws” means all applicable laws and regulations relating to the use or processing of Personal Data, including: (i) the General Data Protection Regulation (EU 2016/679) (“EU GDPR” or “GDPR”); (ii) the EU GDPR as incorporated into the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the UK Data Protection Act 2018; (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (v) the Singapore Personal Data Protection Act 2012 (“PDPA”). The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing”, “processor”, “controller” and “supervisory authority” shall have the meanings given to them in the GDPR.

“Data Subject” means a natural person who can be identified, directly or indirectly, by reference to Personal Data.

“EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to countries not recognised as providing an adequate level of data protection (as amended or replaced from time to time).

“Instructions” means the Controller’s lawful and reasonable written directions for the Processing of Personal Data as set out in this DPA, through the use of the Services, or as otherwise communicated in writing to the Processor.

“Personal Data” means any information relating to an identified or identifiable natural person, including identifiers such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” or “to Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“SCCs” means: (i) the EU SCCs where the GDPR applies; and (ii) the UK Addendum where the UK GDPR applies.

“Services” means the maritime crewing platform, SaaS services, and related services provided by Martide to the Customer as defined in the Agreement.

“Sub-processor” means any third party engaged by the Processor, or by any Sub-processor of the Processor, to Process Personal Data on behalf of the Controller.

“UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued under Section 119A of the UK Data Protection Act 2018 and approved by the UK Parliament on 21 March 2022 (as amended or replaced from time to time).

2. Data Processing

2.1 The Processor agrees to comply with all applicable Data Protection Laws in respect of any Personal Data Processed on behalf of the Controller under this DPA.

2.2 The Processor shall only Process Personal Data in accordance with the Controller’s documented Instructions, unless required to do so by applicable law.

2.3 If applicable law requires the Processor to Process Personal Data other than in accordance with the Controller’s Instructions, such Processing shall not constitute a breach of this DPA. The Processor shall inform the Controller of any such legal requirement before Processing, unless notification is prohibited on grounds of public interest. The Processor shall immediately inform the Controller if, in the Processor’s opinion, an Instruction infringes Data Protection Laws. If the Processor becomes aware that it cannot Process Personal Data in accordance with the Controller’s Instructions due to a legal requirement under any applicable law, the Processor shall: (a) promptly notify the Controller of that legal requirement to the extent permitted by the applicable law; and (b) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Controller issues new Instructions with which the Processor is able to comply. If this provision is invoked, the Processor shall not be liable to the Controller under the Agreement for any failure to perform the affected Services until such time as the Controller issues new lawful Instructions with regard to the Processing.

2.4 The Processor shall enable the Controller to respond to requests from Data Subjects to access, rectify, erase, restrict or port their Personal Data. The Processor shall comply with any related requests from the Controller without undue delay and in any event within thirty (30) calendar days. To the extent that the Controller is unable to independently address a Data Subject request through the Services, the Processor shall provide reasonable assistance to the Controller upon written request. The Controller shall reimburse the Processor for the commercially reasonable costs arising from such assistance, and the Processor shall notify the Controller of any applicable costs in advance.

2.5 The Processor shall notify the Controller without undue delay regarding any contact from a supervisory authority concerning or relevant to the Processing of the Controller’s Personal Data. The Processor shall not represent the Controller or act on the Controller’s behalf in dealings with supervisory authorities or third parties without the Controller’s prior written consent.

2.6 The Processor shall assist the Controller in any dealings with supervisory authorities, including by providing information as instructed by the Controller. The Processor shall not disclose Personal Data or information about Processing activities without the Controller’s prior written consent.

2.7 If a Data Subject contacts the Processor directly with a request regarding the Processing of their Personal Data, the Processor shall promptly redirect the Data Subject to the Controller and shall assist the Controller in responding to such requests in accordance with Data Protection Laws.

2.8 The Processor shall ensure that all personnel authorised to Process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

2.9 The Processor shall provide reasonable assistance to the Controller to enable compliance with the Controller’s obligations under Data Protection Laws, including with respect to security measures, data protection impact assessments, and the management of Personal Data Breaches.

2.10 The Processor shall maintain records of Processing activities carried out on behalf of the Controller in accordance with Data Protection Laws. Upon request, the Processor shall make such records available to the Controller without undue delay in a generally readable electronic format.

3. Security

3.1 The Processor shall implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk to the rights and freedoms of Data Subjects. The Processor may modify or update these security measures at its discretion, provided that such modification or update does not result in a material degradation of the protection offered.

3.2 The Processor shall notify the Controller in writing without undue delay, and in any event within seventy-two (72) hours, after becoming aware of any Personal Data Breach. Such notification shall include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the likely consequences of the breach; and (c) the measures taken or proposed to be taken to address the breach and mitigate its effects.

3.3 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. The Controller acknowledges and agrees that it shall exercise its audit rights under this DPA by instructing the Processor to comply with the measures described in this clause 3.3. The Controller acknowledges that the Services are hosted by infrastructure Sub-processors who maintain independently validated security programmes (including SOC 2 Type II and ISO 27001 certifications) and that the Processor’s systems are audited annually as part of SOC 2 compliance and regularly tested by independent third-party penetration testing firms. Upon request, the Processor shall supply (on a confidential basis) its SOC 2 report and summary copies of its penetration testing report(s) to the Controller so that the Controller can verify the Processor’s compliance with this DPA. The Processor shall also provide written responses (on a confidential basis) to all reasonable requests for information made by the Controller necessary to confirm the Processor’s compliance with this DPA, provided that the Controller shall not exercise this right more than once per calendar year unless the Controller has reasonable grounds to suspect non-compliance with this DPA or is required to do so by Data Protection Laws or by order of a supervisory authority or court.

4. Sub-processing

4.1 The Controller acknowledges and agrees that the Processor may engage Sub-processors to Process Personal Data on behalf of the Controller. The Controller grants the Processor a general written authorisation to engage Sub-processors (“Authorised Sub-processors”). The Processor’s current list of Sub-processors is available at https://www.martide.com/en/subprocessors and may be updated from time to time.

4.2 When the Processor intends to engage a new Sub-processor, the Processor shall notify the Controller at least thirty (30) days in advance of any Personal Data being transferred to that Sub-processor (the “Notice Period”). The Controller may object to the engagement of a new Sub-processor during the Notice Period by providing written notice to the Processor setting out reasonable grounds for the objection. If the Controller does not object within the Notice Period, the Controller shall be deemed to have accepted the new Sub-processor. If the Controller objects and the parties are unable to resolve the objection within the Notice Period, the Controller may terminate the affected Services upon reasonable written notice, without prejudice to any other remedies available to the Controller. No Personal Data shall be transferred to the new Sub-processor during the Notice Period if the Controller has raised an objection.

4.3 The Processor shall enter into written agreements with all Sub-processors on terms substantially similar to those set out in this DPA, including appropriate data protection obligations and the Controller’s audit rights as set out in clause 3.3 (or ensuring the Sub-processor conducts an independent external audit at least annually). The Processor shall remain fully liable for the acts and omissions of its Sub-processors as if they were the acts and omissions of the Processor.

4.4 Upon request, the Processor shall provide the Controller with information about each Sub-processor, including name, address and the nature of the Processing activities performed.

5. Transfer of Personal Data Outside the EEA, the UK and Singapore

5.1 If the Processing involves the transfer of Personal Data to countries outside the European Economic Area (“EEA”), the United Kingdom (“UK”) or Singapore that have not been recognised as providing an adequate level of data protection under applicable Data Protection Laws, the transfer mechanisms set out in this clause 5 shall apply.

5.2 Where the EU SCCs are required, the Controller and the Processor agree that the transfer shall take place in accordance with the EU SCCs, Module Two (Controller to Processor), which are hereby deemed entered into and incorporated by reference, completed as follows:

(a) The optional docking clause in Clause 7 shall apply.
(b) Clause 9, Option 2 (general written authorisation) shall apply. The minimum notice period for Sub-processor changes shall be as set out in clause 4.2 of this DPA.
(c) The optional language in Clause 11 shall not apply.
(d) All square brackets in Clause 13 are removed.
(e) Under Clause 17 (Option 1), the EU SCCs shall be governed by Singapore law.
(f) Under Clause 18(b), disputes arising under the EU SCCs shall be resolved before the courts of Singapore.
(g) Exhibit B to this DPA contains the information required for Annex I and Annex III of the EU SCCs.
(h) Exhibit C to this DPA contains the information required for Annex II of the EU SCCs.
(i) By entering into this DPA, the parties are deemed to have signed the EU SCCs, incorporating the Annexes, as of the effective date of the Agreement.

5.3 If the Processing involves the transfer of Personal Data subject to the UK GDPR and the UK Data Protection Act 2018, such transfers shall take place in accordance with the EU SCCs (as completed in clause 5.2 above) together with the UK Addendum, which is hereby deemed entered into and incorporated by reference.

5.4 If the Processing involves the transfer of Personal Data to Sub-processors in countries outside the EEA, the UK or Singapore that have not been recognised as providing an adequate level of data protection under applicable Data Protection Laws, the Processor shall enter into appropriate agreements incorporating the relevant SCCs with such Sub-processors before any Personal Data is transferred.

5.5 In the event of any conflict or inconsistency between the provisions of the EU SCCs or the UK Addendum and any other provision of this DPA or the Agreement, the provisions of the EU SCCs or the UK Addendum (as applicable) shall prevail.

5.6 The Customer acknowledges that the hosting facilities for the Services are situated in the United States of America. Transfers of Personal Data to the United States shall be protected by appropriate safeguards, including the EU SCCs and, where applicable, the Data Privacy Framework.

5.7 In the event that the Processor is required to adopt an alternative transfer mechanism under Data Protection Laws, in addition to or other than the mechanisms described in this clause 5, such alternative transfer mechanism shall apply automatically instead of (or in addition to) the mechanisms described in this clause 5, but only to the extent such alternative transfer mechanism complies with applicable Data Protection Laws. The Controller agrees to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.

6. Liability

6.1 Each party’s liability, taken in aggregate, arising out of or in connection with this DPA (including any applicable SCCs), whether in contract, tort or under any other theory of liability, shall be subject to the exclusions and limitations of liability set out in the Agreement. Any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA).

6.2 Notwithstanding clause 6.1, in no event shall either party’s liability be limited with respect to any individual’s data protection rights under applicable Data Protection Laws, this DPA, or the SCCs (where applicable). This carveout ensures that Data Subjects retain the ability to seek full compensation for damage suffered as a result of a violation of their rights under the GDPR (including under Article 82 GDPR), the UK GDPR, or other applicable Data Protection Laws, and that the limitations of liability in the Agreement do not restrict or prejudice any such claims by Data Subjects.

7. Additional Provisions for California Personal Information

7.1 This clause 7 shall apply only with respect to Personal Data that is subject to the protection of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CCPA”) (“California Personal Information”). The terms “Business”, “Consumer”, “Sell”, “Service Provider” and “Share” shall have the meanings given to them in the CCPA.

7.2 When Processing California Personal Information in accordance with the Controller’s Instructions, the parties acknowledge and agree that the Controller is a Business and the Processor is a Service Provider for the purposes of the CCPA.

7.3 The Processor certifies that it shall Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA. The Processor certifies that it shall not: (a) Sell or Share California Personal Information; (b) Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; or (c) combine California Personal Information included in Personal Data with Personal Data that the Processor collects or receives from another source (other than information the Processor receives from another source in connection with its obligations as a Service Provider under the Agreement).

7.4 The Processor shall: (a) comply with the obligations applicable to it as a Service Provider under the CCPA; (b) provide the same level of protection for California Personal Information as is required by the CCPA; and (c) notify the Controller if the Processor makes a determination that it can no longer meet its obligations as a Service Provider under the CCPA.

7.5 The Controller shall have the right to take reasonable and appropriate steps to help ensure that the Processor uses California Personal Information in a manner consistent with the Controller’s obligations under the CCPA. Upon notice, the Controller shall have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate any unauthorised use of California Personal Information.

7.6 The parties acknowledge and agree that the disclosure of California Personal Information by the Controller to the Processor does not form part of any monetary or other valuable consideration exchanged between the parties.

8. Term and Data Deletion

8.1 Upon termination or expiry of the Services, the Controller may delete or request the return of all Personal Data. The Processor shall comply with any such request without undue delay. If the Controller has not deleted or requested the return of Personal Data within thirty (30) days following termination or expiry of the Services, the Processor may delete all Personal Data, unless the Processor is required by applicable law to retain such data.

8.2 Where the Processor is required to retain Personal Data by applicable law, the Processor shall isolate and protect such data from further Processing (except as required by law) until deletion becomes possible.

8.3 This DPA shall remain in force from the effective date of the Agreement until all Personal Data has been deleted or returned in accordance with clause 8.1.

9. Dispute Resolution

9.1 This DPA shall be governed by and construed in accordance with Singapore law, and any dispute arising out of or in connection with this DPA shall be referred to arbitration in Singapore, in accordance with the Agreement.

9.2 For disputes arising under the EU SCCs, the courts of Singapore shall have jurisdiction. For disputes arising under the UK Addendum, the courts of England and Wales shall have jurisdiction.

10. Conflict

In the event of any conflict or inconsistency between the following documents, the order of precedence shall be: (1) the applicable SCCs or UK Addendum; (2) this DPA; (3) the Agreement.

11. Updates

Martide may update the terms of this DPA from time to time, provided that any such update does not materially diminish the overall data protection rights of the Customer. Martide shall notify the Customer of any material changes in accordance with the Agreement.

Exhibit A — Data Processing Description

This Exhibit A forms part of the Controller’s Instructions to the Processor and describes the scope, nature and purpose of the Processing of Personal Data.

1. Scope of Processing

The Processor shall Process Personal Data exclusively within the scope of the provision of the Services.

2. Purpose of Processing

The Processor shall Process Personal Data as necessary to: (a) enable the Controller to manage maritime crewing, recruitment and workforce operations through the Services, including the sourcing, vetting, placement and management of seafarers; and (b) develop, support and improve the Services through machine learning and artificial intelligence, subject to the Controller’s right to opt out of such processing in accordance with the Agreement.

3. Categories of Data Subjects

Seafarer candidates (current, former and prospective)
Employed seafarers (officers and ratings)
Manning agent personnel
Customer employees and authorised users
External recruitment consultants

4. Types of Personal Data

Full name
Address and contact details (email, telephone)
Date of birth
Nationality and passport details
Seafarer identification and certificate numbers (STCW certificates, Certificates of Competency, flag state endorsements)
Medical and fitness certificates (PEME results, drug and alcohol test results, vaccination records)
Sea-service records and employment history
Rank, qualifications and training records
Photographs and profile images
Salary and contract terms
Travel and visa information
IP address and platform usage data
Username and password (encrypted)

5. Special Categories of Personal Data

The Services are expected to process special categories of Personal Data as defined by Article 9 of the GDPR, including medical fitness certificates, health-related information, and pre-employment medical examination (PEME) results provided by the Controller or Data Subjects through the Services in connection with Maritime Labour Convention requirements. The Controller is responsible for ensuring a valid legal basis for such processing under applicable Data Protection Laws, including obtaining explicit consent from Data Subjects where required. The Processor shall apply additional technical and organisational safeguards to protect such data, including encryption in transit and at rest and role-based access controls.

6. Processing Activities

Collection and registration
Storage and organisation
Retrieval, consultation and use
Transmission and disclosure to authorised recipients (employers, manning agents, flag state authorities)
Alignment, combination and structuring
Erasure and destruction

7. Duration of Processing

Personal Data shall not be Processed for longer than is necessary for the purposes set out in this Exhibit. For Processing activities other than storage, Processing shall cease upon the expiry or termination of the Services. For storage, Processing shall cease in accordance with clause 8 of this DPA.

8. Sub-processors

The Processor has engaged Sub-processors for specific Processing activities. The current list of Sub-processors is available at: https://www.martide.com/en/subprocessors

9. Processing Location

Processing takes place in: United States of America, Singapore, and such other locations as disclosed in the Sub-processor list.

Exhibit B — Party Information and Transfer Description

This Exhibit B contains the information required for Annex I and Annex III of the EU SCCs and Tables 1 and 4 of the UK Addendum.

1. List of Parties

Data Exporter (Controller):

Field	Details
Name	Customer’s entity as identified in the SaaS Services Order Form or Agreement
Address	Customer’s address as identified in the SaaS Services Order Form or Agreement
Contact person	As identified in the SaaS Services Order Form or Agreement
Signature and date	Date of execution of the SaaS Services Order Form or Agreement
Role	Controller

Data Importer (Processor):

Field	Details
Name	Martide Pte. Ltd.
Address	1 HarbourFront Place, HarbourFront Tower One, #14-05/06, Singapore 098633
Contact person	Data Protection Officer — software.support@martide.com
Activities relevant to transferred data	Maritime crewing platform and SaaS service provider
Signature and date	Date of execution of the SaaS Services Order Form or Agreement
Role	Processor

2. Description of Transfer

Categories of Data Subjects whose Personal Data is transferred:

Seafarer candidates (current, former and prospective)
Employed seafarers (officers and ratings)
Manning agent personnel
Customer employees and authorised users
External recruitment consultants

Categories of Personal Data transferred:

Full name, address and contact details
Date of birth, nationality and passport details
Seafarer identification and certificate numbers
Medical and fitness certificates
Sea-service records and employment history
Rank, qualifications and training records
Photographs and profile images
Salary and contract terms
Travel and visa information
IP address and platform usage data
Username and password (encrypted)

Sensitive data transferred and restrictions/safeguards:

The Services are expected to process special categories of Personal Data, including medical fitness certificates and health-related information provided through the Services in connection with PEME and MLC requirements. Such data shall be subject to additional technical and organisational safeguards, including encryption in transit and at rest and role-based access controls.

Frequency of transfer: Continuous for the duration of the Agreement.

Nature of Processing: The Processor will Process and access Personal Data on a routine basis as necessary to provide the Services. Processing activities include collection, registration, storage, retrieval, consultation, use, transmission, alignment, combination, erasure and destruction.

Purpose of data transfer and further Processing: The Processor will Process Personal Data as necessary to provide the Services under the Agreement, including enabling the Controller to manage maritime crewing, recruitment and workforce operations.

Period for Personal Data retention: The Processor will retain Personal Data for the duration of the Services or until the Controller elects to delete the data via the platform. Following termination or expiry, retention shall be governed by clause 8 of this DPA.

3. Competent Supervisory Authority

The competent supervisory authority shall be the supervisory authority of the EU Member State in which the Controller is established or, where the Controller is not established in the EEA, the supervisory authority of the EU Member State in which the Controller’s EU representative is appointed. For transfers subject to the UK GDPR, the competent supervisory authority is the UK Information Commissioner’s Office (ICO).

4. List of Authorised Sub-processors

The Controller has authorised the Sub-processors identified at: https://www.martide.com/en/subprocessors

Exhibit C — Technical and Organisational Security Measures

This Exhibit C contains the information required for Annex II of the EU SCCs and Table 3 of the UK Addendum.

The Processor’s technical and organisational security measures are set out in full at: https://www.martide.com/en/security

Last updated: 13th February 2026