Data Processing Agreement (DPA)

SaaS Field Service Management & Route Optimization Software

Last updated: 18.05.2026 · Version: 2026-05-18-v4

Felix Bächle, sole proprietor (trabalhador independente), trading under the brand name "Trailo"
Rua Bernardim Ribeiro 47, 2.º
1150-070 Lisbon, Portugal
Portuguese Tax ID (NIF): 310659655 · EU VAT ID: PT310659655
Email: legal@trailo.io

(hereinafter "Trailo" or "Processor")

Preamble

This Data Processing Agreement ("DPA") forms part of the Licensing Agreement (the "Agreement") between Felix Bächle, sole proprietor trading as "Trailo" ("Processor"), and the customer identified in the Agreement ("Controller").

This DPA reflects the Parties' agreement with regard to the Processing of Personal Data by Processor on behalf of Controller in connection with the provision of the Software (as defined below). In case of conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails.

1. Definitions

  • "Software" means the SaaS field service management and route optimization platform operated by Trailo under the brand name "Trailo", including all features, integrations, APIs, and related services provided to Controller under the Agreement.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-Processor" and "Supervisory Authority" have the meanings given in the GDPR.
  • "GDPR" means Regulation (EU) 2016/679.
  • "Personal Data Breach" has the meaning given in Article 4(12) GDPR.
  • "End User Personal Data" means Personal Data of Controller's employees, drivers, dispatchers, and customers (and their representatives) that is processed via the Software.
  • "SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
  • "EU-US DPF" means the EU-US Data Privacy Framework adopted under Commission Implementing Decision (EU) 2023/1795.

The terms "Controller" and "Processor" as used in this DPA refer to Customer and Trailo, respectively.

2. Scope and Roles

2.1 This DPA applies to all Processing of End User Personal Data by Processor on behalf of Controller in connection with the Software.

2.2 Controller's Role. Controller determines the purposes and means of Processing End User Personal Data and is responsible for the lawfulness of such Processing.

2.3 Processor's Role. Processor processes End User Personal Data only on documented instructions from Controller (as defined in Section 4.2), unless required to do so by Union or Member State law to which Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3. Details of Processing

3.1 Subject Matter

Provision of the Software and related support services.

3.2 Duration

The term of the Agreement, plus any post-termination period necessary for return or deletion of Personal Data pursuant to Section 10.

3.3 Nature and Purpose of Processing

  • Route planning and optimization
  • Vehicle and driver dispatching
  • Stop, task and customer management
  • Performance analytics and reporting
  • Storage and retrieval of routing and logistics data
  • User authentication, account management and access control
  • Survey and form data capture in the field

3.4 Types of Personal Data

  • Names and contact details of drivers, dispatchers, administrators, and Controller's customers (including representatives)
  • Location data (GPS coordinates, addresses, route history)
  • Vehicle identification and assignment data
  • User account credentials (email, hashed passwords, MFA tokens)
  • IP addresses, device and session metadata
  • Usage and performance telemetry, error reports
  • Survey responses, photos and signatures captured in-field

Processor does NOT process credit card or other payment instrument data; such data is collected and processed exclusively by the payment provider (see Appendix 1) within its PCI-DSS environment.

3.5 Categories of Data Subjects

  • Drivers and field service personnel of Controller
  • Dispatchers, planners, administrators of Controller
  • Controller's customers and their representatives (delivery / service recipients)

4. Controller's Obligations and Instructions

4.1 Controller shall ensure it has a lawful basis under Article 6 GDPR for the Processing carried out via the Software (e.g., consent, contract, legitimate interest), and shall comply with all transparency, information and Data Subject rights obligations under the GDPR.

4.2 Controller's documented instructions to Processor consist of: (a) the terms of the Agreement and this DPA; (b) Controller's use of the Software's functionality and features (e.g., creating tasks, assigning drivers, generating routes); (c) any other written instructions Controller may issue from time to time.

4.3 Processor shall promptly inform Controller if, in Processor's opinion, an instruction infringes the GDPR or other applicable Union or Member State data protection laws.

5. Processor's Obligations

Processor shall:

  • (a) Process End User Personal Data only on documented instructions from Controller, including with regard to transfers to a third country or international organisation, unless required by law;
  • (b) Ensure that persons authorized to Process End User Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • (c) Implement and maintain appropriate technical and organizational measures (TOMs) as described in Section 6;
  • (d) Respect the conditions for engaging Sub-Processors (Section 7);
  • (e) Taking into account the nature of the Processing, assist Controller by appropriate technical and organizational measures in fulfilling its obligation to respond to Data Subject requests (Section 8);
  • (f) Assist Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of Processing and the information available to Processor;
  • (g) Delete or return all Personal Data after the end of provision of services (Section 10);
  • (h) Make available to Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits (Section 11).

6. Technical and Organizational Measures (TOMs)

6.1 Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

(a) Pseudonymization and Encryption

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest (AES-256 for primary database storage and backups, provided through the underlying infrastructure Sub-Processor)
  • Encrypted database backups

(b) Confidentiality

  • Tenant-isolated data architecture with row-level security (RLS) enforced at the database layer
  • Role-based access controls (RBAC) within Controller tenants (admin / planner / driver)
  • Multi-factor authentication (MFA, TOTP) available for all user accounts; required for Processor's administrative access
  • Confidentiality undertakings for all Processor personnel with access to Personal Data

(c) Integrity and Availability

  • Managed-cloud infrastructure with the redundancy and availability features made available by the infrastructure Sub-Processor at the chosen plan tier
  • Regular automated database backups, including point-in-time recovery functionality where supported by the underlying infrastructure Sub-Processor; concrete backup frequency, retention period and recovery objectives depend on the Sub-Processor's plan and may change from time to time
  • Documented incident response and recovery procedures, applied on a best-effort basis

Processor does not warrant any specific recovery time objective (RTO) or recovery point objective (RPO) and does not guarantee zero data loss in case of an incident affecting an underlying Sub-Processor. Controller is responsible for exporting and retaining its own copies of Personal Data as appropriate (export functionality is described in Section 8.1).

(d) Resilience and Hardening

  • Web application firewall and DDoS protection at the edge (provided by hosting Sub-Processor)
  • Security HTTP headers (HSTS, CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy)
  • Rate-limiting on authentication and other abuse-prone endpoints
  • Idempotent webhook processing for payment events
  • Regular dependency and security patch management
  • Audit logging of administrative and data-modifying actions

(e) Testing and Evaluation

  • Continuous automated dependency vulnerability scanning
  • Periodic penetration testing on a risk-based schedule
  • Documented security incident response process
  • Periodic review of access rights and Sub-Processor security posture

6.2 Processor shall review and update the TOMs regularly to ensure ongoing effectiveness in light of evolving risks and the state of the art.

6.3 Processor relies on the security certifications and assurance reports of its Sub-Processors where applicable (e.g., Supabase ISO 27001 / SOC 2, Vercel SOC 2 Type II, Stripe PCI-DSS Level 1). Upon Controller's reasonable request, Processor shall provide summary documentation evidencing compliance with this Section 6 and pointers to the publicly available Sub-Processor reports.

7. Sub-Processors

7.1 General Authorization. Controller grants Processor general authorization to engage Sub-Processors, subject to the conditions in this Section 7.

7.2 Current Sub-Processors. Processor's current Sub-Processors are listed in Appendix 1 to this DPA. The current list is also available upon request via subprocessors@trailo.io.

7.3 Notification of New Sub-Processors. Before engaging any new Sub-Processor, or replacing an existing one, Processor shall: (a) Provide Controller with at least 30 days' prior written notice, including the Sub-Processor's name, location, and Processing activities; (b) Allow Controller to object on reasonable data protection grounds within 15 days of notice; (c) If Controller objects, the Parties shall discuss in good faith to resolve the concern; if unresolved, Controller may terminate the affected services for a pro-rata refund of any pre-paid fees.

7.4 Sub-Processor Obligations. Processor shall: (a) Bind each Sub-Processor by written contract imposing data protection obligations no less protective than those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures; (b) Remain fully liable to Controller for the performance of each Sub-Processor's data protection obligations.

8. Data Subject Rights

8.1 Processor shall, taking into account the nature of the Processing and to the extent legally permitted, assist Controller through appropriate technical and organizational measures in fulfilling Controller's obligation to respond to Data Subject requests under Articles 15–22 GDPR, including:

  • Right of access (Art. 15) — supported via in-product data export at /api/export/personal and via direct database access for Controller administrators
  • Right to rectification (Art. 16) — supported via in-product editing
  • Right to erasure / "right to be forgotten" (Art. 17) — supported via in-product deletion of records and account
  • Right to restriction (Art. 18) — supported by deactivation of affected records
  • Right to data portability (Art. 20) — supported via JSON / CSV export
  • Right to object (Art. 21) — Controller-managed in line with the lawful basis applicable to the Processing

8.2 If a Data Subject directly contacts Processor with a request, Processor shall promptly forward the request to Controller without responding substantively to the Data Subject (unless otherwise instructed by Controller).

8.3 Assistance under this Section 8 going beyond what is provided by standard Software functionality may be subject to reimbursement of Processor's reasonable costs.

9. Personal Data Breaches

9.1 Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller's End User Personal Data, in line with Article 33(2) GDPR. Processor will use reasonable efforts to provide an initial notification as soon as practicable, taking into account the nature of the breach and the information then available; no specific timeframe is contractually guaranteed.

9.2 The notification shall include, to the extent then available: (a) Description of the nature of the breach, including categories and approximate number of Data Subjects and records affected; (b) Name and contact point for further information; (c) Description of likely consequences; (d) Description of measures taken or proposed to address the breach and mitigate adverse effects. Information may be provided in phases as further details become available.

9.3 Processor shall reasonably cooperate with Controller in investigating, mitigating, and remediating the breach and in notifying Supervisory Authorities and Data Subjects as required by the GDPR; Processor's responsibility under Article 33(2) GDPR is limited to the notification owed to Controller, and any direct notification of Supervisory Authorities or Data Subjects remains the responsibility of Controller as Controller.

9.4 Processor shall document all Personal Data Breaches and make such documentation available to Controller and competent Supervisory Authorities upon request.

10. Deletion and Return of Personal Data

10.1 Upon termination or expiration of the Agreement, or upon Controller's earlier written request, Processor shall, at Controller's election: (a) Delete all End User Personal Data Processed on behalf of Controller; or (b) Return all End User Personal Data to Controller in a structured, commonly used, machine-readable format (e.g., JSON / CSV).

10.2 Processor shall complete such deletion or return within 30 days of the effective termination date and shall confirm completion in writing on request.

10.3 Processor may retain copies of End User Personal Data only to the extent and for the period required by applicable Union or Member State law, in which case such Personal Data remains subject to confidentiality obligations and is processed only as required by that law.

11. Audits and Compliance

11.1 Controller (or an independent auditor mandated by Controller and subject to confidentiality obligations) may, upon at least 30 days' prior written notice and no more than once per calendar year (except in case of a Personal Data Breach attributable to Processor), audit Processor's compliance with this DPA.

11.2 Audits shall be conducted during normal business hours, in a manner that minimizes disruption to Processor's operations, and shall not include access to data of other Processor customers or to Processor's confidential information unrelated to compliance with this DPA.

11.3 In lieu of an on-site audit, Processor may provide Controller upon request with summary security documentation and, where applicable, certifications or reports of its Sub-Processors (e.g., SOC 2, ISO 27001, PCI-DSS), which Controller may reasonably rely upon.

11.4 Each Party bears its own costs for audits, unless the audit reveals material non-compliance with this DPA attributable to Processor, in which case Processor shall reimburse Controller's reasonable audit costs.

12. International Data Transfers

12.1 Primary Processing Location. The primary database storing End User Personal Data is hosted in the European Union (Frankfurt, Germany) by Processor's infrastructure Sub-Processor (see Appendix 1).

12.2 Transfers to Third Countries. Where Processor or its Sub-Processors transfer End User Personal Data to a country outside the European Economic Area, Processor ensures that an appropriate transfer mechanism under Chapter V GDPR is in place, including: (a) An adequacy decision under Article 45 GDPR (e.g., EU-US Data Privacy Framework certification); or (b) Appropriate safeguards under Article 46 GDPR (in particular the Standard Contractual Clauses, with supplementary measures as required by the case law of the CJEU); or (c) An applicable derogation under Article 49 GDPR.

12.3 For US-based Sub-Processors, Processor relies on EU-US DPF certification where the Sub-Processor is certified, and on the Standard Contractual Clauses combined with technical and organizational supplementary measures (encryption in transit and at rest, access controls, audit logging) where it is not. Processor maintains a Transfer Impact Assessment (TIA) for such transfers and makes a summary available to Controller on request.

12.4 Processor shall provide details of the transfer mechanisms in place for any international data transfers upon Controller's reasonable request.

13. Liability and Indemnification

13.1 Each Party's liability arising out of or related to this DPA (including in relation to data protection) shall be subject to the limitation of liability provisions in the Agreement.

13.2 Where Controller is held liable to pay damages to a Data Subject or Supervisory Authority arising directly from a breach by Processor of its obligations under this DPA, Processor shall indemnify Controller for such damages, subject to (i) the liability cap and exclusions set out in the Agreement, and (ii) the apportionment of liability under Article 82(5) GDPR.

14. Governing Law and Jurisdiction

14.1 This DPA is governed by the laws of the Portuguese Republic, without regard to its conflict-of-laws principles. Any dispute arising out of or in connection with this DPA shall be subject to the non-exclusive jurisdiction of the courts of Lisbon, Portugal.

14.2 Mandatory provisions of the Controller's local data protection law and Article 79 GDPR (Data Subject's right to a judicial remedy in their place of habitual residence) remain unaffected.

15. Term and Termination

This DPA shall remain in effect for the duration of the Agreement, or until all End User Personal Data is deleted or returned pursuant to Section 10, whichever is later.

Appendix 1: List of Sub-Processors

Sub-Processor | Location | Service | Transfer Mechanism
Supabase, Inc. | EU (Frankfurt, DE) | Database, authentication, file storage | N/A — EU region; ISO 27001 / SOC 2
Vercel Inc. | US (HQ); EU edge | Application hosting, edge / CDN, serverless compute | EU-US DPF + SCCs; SOC 2 Type II
Hostinger International Ltd. | EU (Lithuania / Netherlands) | Hosting of the public marketing website (trailo.io). Does not process End User Personal Data within the meaning of this DPA; processes only standard server logs (IP, user agent, timestamp) for visitors to the marketing site. Listed here for full transparency. | N/A — EU; ISO 27001
Stripe Payments Europe | EU (Ireland) + US | Subscription billing, payment processing | EU-US DPF + SCCs; PCI-DSS Level 1
Resend, Inc. | US | Transactional email delivery | EU-US DPF + SCCs
Calendly, LLC | US | Appointment scheduling on the public Trailo website (data processed only when a visitor actively books a slot) | EU-US DPF + SCCs
Functional Software, Inc. (Sentry) | EU (Frankfurt, DE) | Application error and performance monitoring (PII filtering applied client-side) | N/A — EU data residency
Upstash, Inc. | EU (Frankfurt) for Trailo workloads | Redis-based rate limiting and caching | EU region; SCCs as fallback
Hetzner Online GmbH | DE (Falkenstein / Nuremberg) | Self-hosted route optimization stack (VROOM + OSRM with DACH OSM data on our own infrastructure) | N/A — EU; ISO 27001
HeiGIT gGmbH | DE (Heidelberg) | OpenRouteService Directions API for route geometry (polyline rendering on the map) | N/A — EU
HERE Europe B.V. | NL (Eindhoven) | Geocoding and address autocomplete (HERE Geocoding & Search v7) — server-side proxied via /api/geocode, results cached in-region | N/A — EU
OpenStreetMap Foundation | UK / EU | Map tiles (tile.openstreetmap.org); Nominatim used only as a fallback if the HERE provider is unavailable | UK — EU Commission adequacy decision

Appendix 2: Technical and Organizational Measures (Reference)

This appendix is a non-exhaustive summary of the TOMs implemented by Processor as of the date above. The current TOMs are described in Section 6.