Data processing addendum

Last updated: 2026-05-26. This is a V1 template — finalised version requires sign-off from your legal counsel.

1. Parties and roles

The customer (carrier) is the controller of personal data processed on the platform (driver data, shipper contacts). {COMPANY_LEGAL_NAME} is the processor, acting on documented instructions of the controller (GDPR Art. 28).

2. Subject matter and duration

Processing is limited to the duration of the subscription plus a 90-day retention window thereafter. The subject matter is the provision of carrier transport-management functionality.

3. Nature and purpose of processing

Storage, structured retrieval, transmission to authorised users, AI-assisted extraction (PDFs, voice notes), and outbound notification delivery (email, Telegram).

4. Categories of data subjects

  • Customer's employees (managers, accountants, owners).
  • Customer's drivers.
  • Shipper contacts entered by the customer.

5. Sub-processors

We engage the sub-processors listed in our privacy policy. Each is bound by an equivalent DPA. We will give the controller 30 days' written notice of any new sub-processor; the controller may object on reasonable grounds and terminate the subscription if no resolution is reached.

6. Security measures

  • Tenant isolation enforced via Postgres row-level security on every table.
  • Encryption in transit (TLS 1.2+) for every external connection.
  • Encryption at rest for the Postgres data volume; AES-256-GCM for third-party integration credentials.
  • Hardware-backed secrets (Vercel encrypted env vars).
  • Quarterly access review for production credentials.
  • Sentry-tracked error monitoring with no PII in scope.

7. Audit rights

The controller may request, no more than once per calendar year, a written attestation of compliance and a summary of security controls. On-site audits are subject to mutual agreement and reasonable confidentiality.

8. Personal data breach

We notify the controller without undue delay (within 72 hours of becoming aware) of a personal data breach affecting their data, including (a) categories and approximate volume of data subjects, (b) likely consequences, (c) measures taken or proposed.

9. International transfers

Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) with the relevant sub-processor.

10. Return or deletion of data

On termination of the subscription, the controller may export all personal data via the CSV export endpoints. Upon written request, we delete remaining personal data within 30 days, save where retention is required by law.

11. Contact

DPO and DPA-related queries: {CONTACT_EMAIL}.