Data Processing Agreement
GDPR / CCPA data processing addendum supplementing the PulseCargo.ai™ SaaS Service Agreement.
This Data Processing Agreement ("DPA") is entered into between PulseCargo.ai ("Processor") and the Customer identified in the associated SaaS Service Agreement ("Controller"). This DPA supplements the SaaS Service Agreement and governs the processing of personal data by Processor on behalf of Controller.
1. Definitions
Personal Data: Any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Platform.
Processing: Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
Data Subject: The identified or identifiable natural person to whom Personal Data relates, including Controller's employees, End Users, shippers, consignees, and their representatives.
Sub-Processor: A third-party processor engaged by PulseCargo.ai to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
Purpose. Processor shall process Personal Data solely for the purpose of providing the Platform services as described in the SaaS Service Agreement, including data synchronization from Controller's TMS/ERP, Synthetic Intelligence-powered analytics and predictions, shipment tracking and notifications, document processing, and payment facilitation.
Categories of Personal Data. Names, email addresses, phone numbers, job titles, company names, IP addresses, login credentials, shipment data associated with identifiable individuals, and communication records.
Categories of Data Subjects. Controller's employees and authorized users, Controller's customers (shippers, consignees, importers, exporters), and their respective employees and representatives.
Duration. Processing shall continue for the duration of the SaaS Service Agreement plus the data retention period specified therein (30 days post-termination, with full deletion within 90 days).
3. Processor Obligations
Process Personal Data only on documented instructions from the Controller, including the instructions set forth in the SaaS Service Agreement.
Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication, tenant isolation, and access controls.
Not engage another processor (Sub-Processor) without prior written authorization of the Controller. A list of approved Sub-Processors shall be maintained and made available upon request.
Assist the Controller in responding to Data Subject requests (access, rectification, deletion, portability, restriction, objection) within ten (10) business days of receiving the request.
Assist the Controller in ensuring compliance with data security, breach notification, impact assessment, and prior consultation obligations.
At the Controller's choice, delete or return all Personal Data upon termination of the service agreement, and delete existing copies unless storage is required by applicable law.
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or a qualified third-party auditor.
4. Sub-Processors
Processor currently uses the following Sub-Processors:
Microsoft Azure — Cloud infrastructure hosting. Data processed: all Customer Data. Location: US Central (per tenant config).
Azure OpenAI — AI model processing (GPT-4o, embedding models). Data processed: Customer Data submitted to Synthetic Intelligence features. Location: US (Azure region).
SendGrid (Twilio) — Transactional email delivery. Data processed: email addresses, notification content. Location: US.
Stripe — Payment processing. Data processed: payment method data, invoice amounts. Location: US.
Google Maps Platform — Map visualization, geocoding. Data processed: address and location data. Location: US.
MarineTraffic — Vessel tracking. Data processed: vessel/container identifiers. Location: EU (Greece).
Processor shall notify Controller at least thirty (30) days before engaging a new Sub-Processor. Controller may object to a new Sub-Processor within fifteen (15) days of notification. If Controller's objection is not resolved, Controller may terminate the affected services.
5. Data Security Measures
Processor implements appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful processing, including:
Encryption. AES-256 encryption at rest for all stored data; TLS 1.3 encryption in transit for all data transmissions.
Access Controls. Role-based access control (RBAC) via Azure Entra ID; multi-factor authentication (MFA) for administrative access; principle of least privilege applied to all personnel.
Monitoring and Logging. Continuous monitoring of access and security events; audit logging of all data access; retention of logs for a minimum of 90 days for investigation purposes.
Isolation. Strict tenant isolation to ensure that no Personal Data is accessible across tenant boundaries; segregation of Customer Data from PulseCargo operational data.
Backup and Recovery. Automated daily backups with point-in-time recovery (PITR) for 35 days; long-term retention (LTR) for 7 years for compliance and disaster recovery purposes.
Additional security measures are documented in Schedule C of this DPA and are reviewed and updated regularly to address emerging security threats and compliance requirements.
6. Data Breach Notification
Processor shall notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
7. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or other jurisdiction with data transfer restrictions, Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission, or reliance on other approved transfer mechanisms.
8. Data Protection Impact Assessments
Processor shall assist Controller in conducting Data Protection Impact Assessments (DPIAs) where required, providing information about the nature, scope, and purpose of processing, the technical and organizational measures in place, and the risks to Data Subjects.
9. Term and Termination
This DPA shall remain in effect for the duration of the SaaS Service Agreement. Upon termination, Processor shall comply with the data return and deletion obligations specified in the SaaS Service Agreement and Section 3 of this DPA.
10. Governing Law
This DPA shall be governed by the same law that governs the SaaS Service Agreement (State of California, United States). For Data Subjects in the EEA, the provisions of GDPR shall apply to the extent they are more protective.
11. Audit Rights
Upon reasonable notice, Controller may audit Processor's compliance with this DPA once per calendar year. Controller may satisfy this audit requirement by relying on a current SOC 2 Type 2 report or ISO 27001 certification, if available.
Audits shall be conducted during normal business hours, with at least 30 days' advance notice, and shall be limited in scope to matters directly related to Processor's compliance with this DPA. Controller's auditors shall execute a non-disclosure agreement prior to conducting any audit.
Processor shall bear the costs of audit remediation unless the audit reveals material non-compliance, in which case Processor shall bear reasonable costs of the audit itself.
12. Data Subject Rights and Assistance
Processor shall provide reasonable assistance to Controller in responding to Data Subject requests (access, correction, deletion, portability, restriction, objection) by providing functionality within the Platform or dedicated support services.
If a Data Subject contacts Processor directly, Processor shall direct the Data Subject to contact Controller, shall promptly notify Controller of the request, and shall not respond substantively without Controller's instruction.
Processor shall assist with Data Protection Impact Assessments (DPIAs) as required by applicable law, providing necessary documentation regarding processing activities and security measures. Standard documentation is available upon request.
13. Liability and Remedies
Processor's liability for breaches of this DPA shall be subject to the liability limitations in the MSA, except where mandatory law (including GDPR Article 82) imposes greater liability. To the extent permitted by law, Processor shall indemnify Controller against third-party claims and regulatory fines arising from Processor's breach of this DPA.
14. Contact and Signatures
This DPA is executed as part of the SaaS Service Agreement between the parties. To request an executed copy of this DPA, or to submit privacy-related inquiries, please contact:
PulseCargo.ai
Email: privacy@pulsecargo.ai
Legal: legal@pulsecargo.ai