This Data Processing Addendum (“DPA”) forms part of the Terms & Conditions, Order Form, or other
written agreement between the parties governing the provision of Services (the “Agreement”)
between Vally’s Afterhours Support, Chișinău, Republic of Moldova (“Processor”, “we”, “us”, “our”)
and the client entity identified in the Agreement (“Controller” or “Client”).
This DPA applies where Processor processes Personal Data on behalf of Controller in connection with the
Services.
1. Definitions
“Applicable Data Protection Law” means all laws and regulations relating to privacy, data
protection, and data security that apply to the Processing of Personal Data, including, as applicable, the
EU GDPR (Regulation (EU) 2016/679), UK GDPR and the Data Protection Act 2018, the Swiss FADP, and U.S. state
privacy laws (e.g., California CPRA/CCPA).
“Personal Data” means any information relating to an identified or identifiable natural
person processed under the Agreement.
“Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach” have the
meanings given in Applicable Data Protection Law.
“SCCs” means the EU Standard Contractual Clauses adopted by the European Commission under
Implementing Decision (EU) 2021/914, including applicable modules and annexes, as amended or replaced.
“UK Addendum” means the UK Information Commissioner’s International Data Transfer Addendum
to the EU SCCs (version B.1 or successor). “Swiss Addendum” means required adaptations for
transfers under the Swiss FADP.
2. Roles; Processing Instructions
Roles. For the Processing of Personal Data described in Annex I, Controller is the
Controller and Vally’s Afterhours Support is the Processor.
Instructions. Processor will Process Personal Data only on documented instructions from
Controller, including with respect to transfers to a third country, unless required to do so by law.
Processor will promptly inform Controller if, in its opinion, an instruction infringes Applicable Data
Protection Law.
Confidentiality. Processor ensures that persons authorised to Process Personal Data
have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Security Measures
Processor will implement and maintain appropriate technical and organisational measures
(“TOMs”) to protect Personal Data as described in Annex II, taking
into account the state of the art, costs, the nature, scope, context and purposes of Processing, and the
risks to Data Subjects.
4. Subprocessors
Authorisation. Controller generally authorises Processor to engage Subprocessors to
perform the Services. The current list is in Annex III (or available upon
request).
Notice & Objection. Processor will notify Controller of any intended changes
concerning the addition or replacement of Subprocessors, allowing Controller 15 days to object on
reasonable grounds related to data protection. If the parties cannot agree, either party may terminate
the affected Services for convenience without penalty.
Flow-down. Processor will enter into a written contract with each Subprocessor imposing
data-protection obligations no less protective than those in this DPA (including TOMs and SCCs where
required). Processor remains responsible for Subprocessor performance.
5. Assistance to Controller
Data Subject Requests. Taking into account the nature of Processing, Processor will
assist Controller by appropriate technical and organisational measures, insofar as possible, to fulfill
Controller’s obligations to respond to Data Subjects’ requests under Applicable Data Protection Law. If
Processor receives a request directly from a Data Subject, Processor will promptly forward it to
Controller and not respond except on documented instructions.
DPIAs & Consultations. Processor will provide reasonable assistance to Controller
with data protection impact assessments and consultations with supervisory authorities, considering the
nature of Processing and information available to Processor.
Records & Compliance. Processor will maintain records of Processing as required by
law and make them available to Controller upon request to demonstrate compliance with this DPA.
6. Personal Data Breach Notification
Notification. Processor will notify Controller without undue delay (and, where
feasible, within 72 hours after becoming aware) of a Personal Data Breach affecting Personal Data
Processed on behalf of Controller. Such notice will include information available to Processor at the
time (nature of breach, categories/approximate number of Data Subjects, likely consequences, measures
taken or proposed).
Cooperation. Processor will promptly take reasonable steps to mitigate the effects and
will cooperate with Controller in meeting any breach-reporting obligations. Controller is responsible
for notifications to authorities or Data Subjects unless agreed otherwise.
7. Audits & Certifications
Information. Upon reasonable request, Processor will make available information
necessary to demonstrate compliance with this DPA (e.g., policy extracts, security overviews, results of
third-party assessments where available).
Audits. Controller may audit Processor’s compliance once per 12-month period (and
additionally following a material Personal Data Breach), on 14 days’ prior written notice, during normal
business hours, and in a manner that minimises disruption and protects confidentiality and security.
Audits may be conducted by Controller or an independent third party bound by confidentiality. Where
possible, audits shall first be satisfied by remote reviews of documentation and/or standard industry
reports.
Costs. Each party bears its own costs. If an on-site audit requires Processor resources
beyond reasonable support, Controller will reimburse Processor’s reasonable, documented costs.
8. Return & Deletion of Data
Upon termination or expiry of the Services (or upon Controller’s written request), Processor will, at
Controller’s choice, return or delete Personal Data and delete existing copies unless retention is required
by law. Backups are overwritten on scheduled cycles (typically within 90 days). Processor will certify
deletion upon request.
9. International Transfers
Mechanisms. Where Processor’s Processing involves transfers of Personal Data from the
EEA to countries without an adequacy decision, the parties agree that the SCCs (Module 2:
Controller-to-Processor, and where applicable Module 3: Processor-to-Processor for Subprocessors) are
incorporated by reference and apply, with Annexes to this DPA populating the SCC appendices.
UK & Switzerland. For transfers subject to UK law, the UK Addendum to the EU SCCs
is incorporated and shall be deemed completed using the information in this DPA. For transfers subject
to Swiss FADP, references to the GDPR in the SCCs shall be read to include the FADP, and the Swiss
Federal Data Protection and Information Commissioner shall be the competent authority where applicable.
Docking Clause. Additional Controller group entities may accede to the SCCs as data
exporters by written notice to Processor.
10. U.S. State Privacy (Service Provider)
To the extent Processor Processes Personal Data subject to U.S. state privacy laws (e.g., CPRA/CCPA),
Processor acts as a “service provider”/“processor” and will:
Process Personal Data solely to perform the Services or as permitted by law and the Agreement;
Not “sell” or “share” Personal Data (as defined by applicable law) or combine it with other data except
as permitted to perform the Services;
Assist Controller in responding to consumer requests where required;
Flow down equivalent obligations to Subprocessors.
11. Liability & Precedence
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in
the Agreement. In case of conflict between this DPA and the Agreement, this DPA controls with respect to
data protection. In case of conflict between this DPA and the SCCs, the SCCs control.
12. Miscellaneous
Governing Law. This DPA is governed by the law specified in the Agreement; where the
SCCs apply, they are governed by the law selected therein.
No Third-Party Beneficiaries. Except as required by law or the SCCs.
Counterparts & Electronic Signatures. This DPA may be executed electronically and
in counterparts.
Annex I – Details of Processing
A. Parties
Data Exporter (Controller): The Client entity identified in the Agreement.
Contact: As stated in the Agreement or Client’s notice details.
Data Importer (Processor): Vally’s Afterhours Support, Chișinău, Republic of Moldova.
Contact: info@vallysupport.com
B. Subject Matter and Duration
Subject matter is afterhours dispatch and operational support services as described in the Agreement.
Duration is the term of the Agreement and until deletion/return of Personal Data.
C. Nature and Purpose of Processing
Receiving, storing, viewing, updating, and transmitting operational information to coordinate afterhours
support:
driver assistance, broker communications, lumper coordination, recovery support, and related activities.
D. Categories of Data Subjects
Client’s employees and contractors (e.g., drivers, dispatchers), broker/shipper contacts, and other
individuals whose data are provided by Client in connection with loads and operations.
E. Categories of Personal Data
Contact data (name, phone, email), role/title, load identifiers, lane and location details, communications
content/metadata, approval records for lumper/maintenance, and operational notes. Sensitive data
are not intentionally collected; any processing of special categories requires prior written approval by
Controller.
F. Frequency and Storage
Continuous Processing during Afterhours periods and as needed for coordination. Operational records
generally retained for 24 months unless longer required by law or for legal claims.
G. Transfers
Personal Data may be transferred outside of the EEA/UK/Switzerland as necessary to provide the Services,
subject to Section 9 (Transfers) of this DPA.
H. Competent Supervisory Authority
As determined by the SCCs based on the Controller’s established location in the EEA/UK (if applicable).
Annex II – Technical & Organisational Measures (TOMs)
Access Control & Authentication: least-privilege principles; role-based access;
unique accounts; strong passwords/MFA where supported; timely de-provisioning.
Encryption: TLS 1.2+ in transit; encryption at rest where supported by the hosting
platform; key-management following platform best practices.
Data Minimisation & Segregation: collect/process only data needed for the Services;
logical segregation between client datasets; restricted use of production data in non-prod environments.
Logging & Monitoring: access and activity logs for key systems; anomaly monitoring;
periodic review.
Backup & Continuity: regular backups; recovery testing; defined RPO/RTO targets
proportionate to the Services; geo-redundant storage where feasible.
Secure Development & Change Management: code review; change approvals; separation
of duties; version control; dependency patching cadence.
Incident Response: documented incident runbooks; on-call coverage during Afterhours;
breach assessment and notification flows per Section 6.
Vendor & Subprocessor Oversight: due diligence; contractual DP/Sec requirements;
SCCs or equivalents for transfers; periodic reassessment.
Physical Security: data centres with access controls, CCTV, and environmental
safeguards (via hosting providers); office access controls for staff devices.
Employee Security: background checks where lawful and appropriate;
onboarding/offboarding processes; confidentiality commitments; regular security and privacy training.
Data Deletion & Return: defined deletion workflows; secure erasure of media; backup
expiry/overwrites on schedule.
Annex III – Subprocessors
Processor may use the following categories of Subprocessors to deliver the Services (specific vendors
available upon request):
Cloud hosting and infrastructure providers;
Email delivery and communications platforms;
Customer relationship management (CRM) tools;
Telephony/call routing and recording tools (where permitted by law);
Loadboards, maintenance, and payment facilitation vendors (as instructed by Controller).
Processor will maintain an up-to-date list upon request and provide prior notice of new Subprocessors in
accordance with Section 4.
Execution
This DPA is effective as of the Effective Date above and is incorporated by reference into the Agreement. If
required for your records, sign and return a copy to info@vallysupport.com.