Last Updated: 28th June 2024
GetCargo Inc. and its customers enter into this Data Processing Agreement to outline the terms and conditions under which personal data is processed, ensuring compliance with applicable data protection laws. This agreement ensures that both parties adhere to the highest standards of data privacy and protection.
1.1 This DPA is supplemental to any service agreement or to any other contract or relationship between the Parties (“Contract”).
1.2 To the extent Vendor processes any personal data, as defined under Data Protection Laws, in the scope of the provision of services under the Contract, it shall be governed in accordance with the conditions of this DPA.
1.3 The Parties hereby acknowledge and agree that any information, confirmations, representations and warranties issued, either verbally or in writing, prior to the conclusion of this Contract shall form part of this Contract and its respective sections, provided that such information, confirmations, representations and warranties do not weaken, degrade or undermine the protections issued and obligations taken under this Contract.
2.1 “Adequacy Decision” means that the recipient, or the country or territory in which the personal data is processed, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of the personal data as determined by the European Commission (at the effective date of the Contract, the list is available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
2.2 “CPRA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq.
2.3 “Data Protection Laws” means any legislation applicable to either of the Parties that protects the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of personal data, such as the GDPR, US Data Protection Laws, any national implementing or supplementary legislation and any other data protection or privacy laws as applicable from time to time to Customer or Vendor. In this DPA, the terms “processing”, “personal data”, “personal data breach”, “controller”, “processor”, “data subject”, “process”, “sub-processor” and their respective derivative terms shall have the meanings set forth in the Data Protection Laws;
2.4 “EU” means the European Union.
2.5 “EEA” means the European Economic Area.
2.6 “GDPR” means the regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
2.7 “Sold” (including Selling) and “Shared” (including Sharing) have the meanings given in the US Data Protection Laws.
2.8 “SCCs” means the standard contractual clauses adopted under the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended or replaced from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction.
2.9 “US Data Protection Laws” means, to the extent applicable to Customer or Vendor, United States federal and state laws (including but not limited to the CPRA) relating to data protection and/or privacy and the processing of personal data, as in force and as amended from time to time.
3.1 In the course of the performance of its services, Vendor shall be acting as a data processor or sub-processor, processing personal data on behalf of Customer or its clients. Vendor shall at all times process personal data only as necessary for the purpose of providing services to Customer under the Contract and in accordance with this DPA and Customer’s instructions, unless processing is required by the law of EU, any EU member state to which Vendor is subject, in which case Vendor shall, to the extent permitted by applicable law, inform Customer before such processing.
3.2 Vendor acknowledges and hereby agrees that in addition to acting as a processor, it also acts as a sub-processor to Customer’s clients with Customer’s clients acting as controllers in relation to the personal data processed by Vendor for the provision of the services. Vendor acknowledges that any instructions received from Customer regarding the processing of personal data are to be considered as instructions received directly from the controller(s) and acting upon such instructions is mandatory. Vendor acknowledges and hereby agrees that Customer can issue additional instructions, limitations, and requirements (for example changes to the security requirements concerning personal data and related facilities, processes and personnel) regarding the processing of personal data within the course of validity of this DPA and the Contract.
3.3 Vendor acknowledges and hereby agrees that Vendor is prohibited from:
(a) selling or sharing Customer personal data,
(b) retaining, using, or disclosing Customer personal data outside of the direct business relationship between the Parties or for any purpose other than for the performance of the Contract and the DPA; and,
(c) combining Customer personal data with the personal data that Vendor receives from or on behalf of other sources, including another person or persons, or collects from its own interaction with the data subject.
3.4 Vendor shall ensure its compliance with Data Protection Laws in relation to processing the personal data. Vendor shall not perform its obligations under the Contract or this DPA in such a way as to cause Customer to breach any of its obligations under Data Protection Laws. Vendor must notify Customer without undue delay in writing if it is unable to comply with its obligations under the DPA or Data Protection Laws and apply mitigation measures in coherence with this DPA for ensuring compliance where possible.
3.5 Processing outside the scope of this DPA will require prior written agreement between Vendor and Customer as additional instructions for processing.
4.1 Vendor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including any measure set out in the Contract and any other relevant measures seen necessary by the Vendor. Upon request, Vendor shall provide copies of proof of relevant security measures (e.g. external certification, audit report or other documentation reasonably required by Customer to verify Vendor’s compliance with this DPA). Vendor shall respond to any Customer (or Customer’s client) security questionnaires and address follow-up questions.
4.2 Customer may, upon a 30 days’ prior notice and at Vendor’s regular business hours, audit (either by itself, Customer’s client or using independent third party auditors) Vendor's compliance with this DPA and with the Data Protection Laws. The Parties shall bear their own costs related to the audit. The Parties will mutually agree on the timing and scope of any audits under this Section 6.2, which will be:
(i) carried out in such a way as to not disrupt Vendor’s business;
(ii) limited to 2 audits per calendar year (unless otherwise required by government regulator or supervisory authority or unless good cause for additional audits exists);
(iii) and subject to reasonable confidentiality protections requested by Vendor. Any executive summaries, audit reports or other information obtained by Customer in connection with any audit will be considered Vendor’s confidential information, however Customer is entitled to disclose such information to its relevant clients, government regulators and (supervisory) authorities as required.
4.3 Vendor shall immediately notify Customer in writing if it becomes aware or believes that any data processing instructions from Customer violates Data Protection Laws.
4.4 If Vendor becomes aware of any personal data breach in regards to the processing of Customer personal data, Vendor will:
(a) notify Customer of the personal data breach without undue delay (however, no later than 48 hours after discovery of the incident),
(b) investigate the incident and provide such reasonable assistance to Customer (and any law enforcement or regulatory official) as required to investigate the incident,
(c) and take steps to remedy any non-compliance with this DPA and Data Protection Laws. Vendor shall cooperate on any notice of incident to the public, supervisory authority or data subjects with Customer.
4.5 Parties shall treat Customer personal data as confidential and shall ensure that any employees or other personnel that have access to Customer personal data:
(a) have agreed in writing to protect the confidentiality and security of Customer personal data and do not process such personal data other than in accordance with this DPA,
(b) are subject to background checks and controls, as allowed under applicable laws, as designated and determined by Customer and communicated from time to time to Vendor;
(c) are not subject, directly or indirectly, to any sanctions issued by the country of their residence, EU, United States of America, United Kingdom or by any other countries which sanctions may apply to Customer.
4.6 Both Parties certify that:
(a) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data,
(b) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems,
(c) and that national law or government policy does not require the Party to create or maintain back doors or to facilitate access to personal data or systems or for the Party to be in possession or to hand over the encryption key.
Notwithstanding other applicable rights of Customer, Customer shall have the right to immediately terminate the Contract and the DPA if Vendor acts in violation of (a) to (c) of this section.
5.1 To the extent permitted under applicable law, Vendor shall immediately notify Customer in writing via email of any request received by Vendor from a data subject, whether directly or through a sub-processor, in respect of their personal data included in Customer personal data, and shall direct the data subject to Customer. Vendor will not communicate with the data subject regarding the request without prior instruction from Customer.
5.2 Vendor will provide Customer with assistance as necessary for Customer to fulfill its obligation under Data Protection Laws, including if applicable, the obligation to respond to requests for exercising the rights set out in Data Protection Laws. Vendor acknowledges and hereby agrees that Customer’s clients may request the exercising of data subjects rights under various time frames which have to be complied with by Vendor. Customer will notify Vendor of such time frames together with forwarding the specific requests received from its clients concerning exercising of data subjects rights.
5.3 Vendor shall notify Customer of any request for the disclosure of Customer personal data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency. If Vendor receives a subpoena, court order, warrant or other legal demand from a third party (including regulatory body, law enforcement or other public or judicial authorities) seeking the disclosure of personal data, Vendor shall not disclose any information but shall immediately notify Customer in writing of such request, and reasonably cooperate with Customer if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
6.1 Taking into account the nature of the processing, and to the extent required under Data Protection Laws:
6.2 Parties shall use all reasonable endeavors and not hinder the other Party's efforts towards compliance, to assist each other by implementing appropriate technical and organizational measures and all other necessary compliance measures, insofar as this is possible, for the fulfillment of the Parties obligation to comply with Data Protection Laws and to respond to requests for exercising data subject rights laid down in the Data Protection Laws;
6.3 Vendor shall provide reasonable assistance to Customer with any data protection impact assessments and with any prior consultations to any supervisory authorities, in each case solely in relation to the processing of the personal data and considering the information available to Customer.
6.4 Taking into account the nature of the processing of the Personal Data, each Party will provide the other Party with reasonable assistance in connection with its compliance obligations under Data Protection Laws.
7.1 Vendor shall not transfer Customer personal data to a recipient in a country or territory outside the EU/EEA unless it has Customer’s prior written approval and:
(a) the transfer can be based on an Adequacy Decision; or
(b) the transfer is based on the SCCs, or any subsequent version released by the European Commission, or another legally recognised transfer method.
7.2 Vendor ensures that any onward transfers also obey the rules of SCCs and Vendor documents the required additional safeguards (for example, transfer impact assessment).
7.3 If Customer adopts an alternative transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to SCCs, e.g. in case an Adequacy Decision or other transfer mechanism is amended or withdrawn, resulting in the inability to rely on the transfer mechanism, then such alternative transfer mechanism shall apply automatically instead of the mechanisms described in this DPA, and Vendor shall fully cooperate with Customer to sign an amendment to this DPA and/or take such other action as may be necessary to give legal effect to such alternative transfer mechanism. To the extent Vendor or Customer have adopted and certified compliance with such alternative transfer mechanism, Vendor represents and warrants that Vendor will comply with all legal principles and terms of such alternative transfer mechanism. In addition, in the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer personal data cross-border, then upon request from either Party, the other Party shall fully cooperate to take such action as may be necessary to remedy such non-compliance.
7.4 Provided that Vendor is located in a country outside EU/EEA and is not covered by an Adequacy Decision by the European Commission, the Parties hereby acknowledge that the SCCs apply to transfers between the Parties and the Parties incorporate by reference the Module 1 (controller to controller), Module 2 (controller to processor) and the Module 3 (processor to processor) provisions of the SCCs into this DPA. The Parties concluding the DPA referencing to the SCCs shall be deemed as signing of the SCCs and their Annexes. In the event of a conflict between any of the provisions of this DPA and the SCCs, the provisions of the SCCs shall prevail. With regard to the Module 1, Module 2, and Module 3 of the SCCs, the parties agree that:
(a) Clause 7 (Docking clause) is not incorporated,
(b) under Clause 9 (a) (Use of Sub-Processors) option 1 - a prior specific written authorization is required from the data importer in case of Modules 2 and 3 of SCCs. The data importer shall inform the data exporter in writing of any intended changes to sub-processors at least 30 days in advance,
(c) Clause 11 (Redress) optional part is not incorporated,
(d) under Clause 17 (Governing Law) the SCCs shall be governed by the laws of France,
(e) under Clause 18 (Choice of Forum and Jurisdiction) any disputes arising from the SCCs will be resolved in the courts of France,
(f) details required under the Module 1, Module 2, Module 3 of the SCCs’ Annexes 2-4 are provided in schedule 1 of this DPA, forming an integral part of the Contract.
8.1 This DPA enters into force upon signing between the Parties and shall remain in force until termination, or end of validity, of the Contract or until Vendor no longer processes personal data provided or made available by Customer, whatever occurs later. In case the processing of personal data governed by this DPA began before the conclusion of this DPA, this DPA will acquire retrospective effect in relation to such processing.
8.2 Notwithstanding the exercising of rights of the data subjects as set forth under Section 7 of this DPA, Vendor ensures the deletion of personal data
(i) during the validity of the Contract within the timeframe of 1 (one) day upon Customer’s request; and
(ii) immediately, the latest within 7 (seven) days of the date of termination of the Contract. Upon Customer’s written request, Vendor returns the personal data (subject to applied retention limitations).
8.3 Subject to a prior written notification to Customer, Vendor and its sub-processors may retain Customer personal data to the extent required by applicable law provided that such Customer personal data is retained only to the extent and for such period as required by applicable laws and always provided that Vendor shall ensure the confidentiality of all such Customer personal data.
9.1 Notwithstanding anything else to the contrary in the Contract, Vendor acknowledges and agrees that:
(a) it shall be liable for any breach of this DPA, including loss of Customer personal data arising under or in connection with the Contract and this DPA to the extent such breach results from any failure of Vendor (or its sub-processors) to comply with its obligations under this DPA and/or Data Protection Laws;
(b) any provisions that seek to exclude or limit Vendor’s liability in the Contract shall not apply to Vendor’s liability arising under or in connection with this DPA; and
(c) to the fullest extent permitted by applicable law and considering (b) above, Vendor shall indemnify, defend, and hold Customer and each of its partners, principals, officers, directors, employees, sub-processors and agents harmless against any claims, suits, or proceedings and any resulting liabilities, fines, losses, damages, costs and expenses (including reasonable attorney's fees) that Customer may suffer or incur as a result of any act or omission on the part of Vendor or its sub-processors that leads to Customer being liable for breach of Data Protection Laws or a third-party contract.
9.2 The Parties acknowledge and agree that any breach by Vendor of this DPA shall constitute a material breach of the Contract, in which event and without prejudice to any other right or remedy available to it, Customer may elect to immediately terminate the Contract in accordance with the termination provisions in the Contract.
9.3 This DPA supersedes any other agreements or arrangements in force or concluded regarding the same subject matter.
9.4 In the event of a conflict between any of the provisions of this DPA and the provisions of the Contract, the provisions of this DPA shall prevail. Any elements not regulated under this DPA are to be read, understood and solved in accordance with the Contract.
9.5 Provided that Customer is required to create, sign, reproduce and/or submit any documentation, legal inquiries or other relevant material for the usage of the services under the Contract and processing of personal data under this DPA, including for transferring personal data to Vendor (for example Transfer Impact Assessment), Vendor agrees to cooperate with Customer for the successful execution of such material.
9.6 In case the Contract is governed by multiple applicable laws and/or choice of courts, this Agreement shall be governed by the laws of the State of California without regard to its conflict of laws provisions.
Annex 1. Technical and Organisational Measures to Ensure the Security of the Data
Herewith Vendor confirms that when processing Customer Personal Data within the scope of the DPA and the Contract, it abides by the technical and organisational measures as stipulated in Section 4 of this DPA to ensure the level of security appropriate to the risk related to processing of the personal data.
Annex 2. Implementation of Standard Contractual Clauses (SCCs) to Ensure Compliance with Data Transfer Requirements
Herewith, Vendor confirms that when transferring Customer Personal Data outside of the EU/EEA within the scope of the DPA and the Contract, it abides by the Standard Contractual Clauses (SCCs), as stipulated in Section 7 of this DPA. Vendor ensures compliance with these clauses to provide legal safeguards for data transfers, maintaining an adequate level of data protection as required by European data protection laws. Vendor commits to regular review and adjustment of these measures in alignment with any changes to the SCCs or applicable law, thereby ensuring ongoing compliance with the data transfer obligations.
Annex 3. List of Vendor’s Sub-processors
• GuardDuty: Security application used for automated intrusion detection (IDS)
• Datadog: Monitoring application used to provide monitoring, alert, and notification services for Cargo platform
• Amazon Web Services: Cloud service provider
• Datadog: System capacity monitoring
• GitHub: Code repository
• Google Workspace: Internal document storage
• Vanta: Compliance automation
• Rudderstack: Event logging for analytics
• Intercom: Support services
• Snowflake: Data warehouse for analytics
• Stripe: Third-party payment processor
• Slack: Internal communication
• Notion: Internal communication
• Metabase: Business analytics