Data Processing Agreement
Effective 24 April 2026
This Data Processing Agreement (DPA) forms part of the Terms of Service between DANS ONLINE SRL (“Processor” or “KARG”) and the customer accepting it (“Controller”) and governs the processing of personal data carried out by KARG on the Controller’s behalf under Article 28 of Regulation (EU) 2016/679 (GDPR).
1. Definitions
Capitalised terms used but not defined here have the meaning given in the GDPR. “Customer Personal Data” means personal data contained in Customer Data that KARG processes on behalf of the Controller. “Sub-processor” means any processor engaged by KARG to process Customer Personal Data.
2. Roles & scope
The Controller acts as data controller for Customer Personal Data; KARG acts as data processor. Processing takes place to provide the KARG platform as described in the Terms of Service and only on the Controller's documented instructions, including those given through configuration of the platform.
3. Subject matter, duration, nature and purpose
- Subject matter: processing required to deliver the KARG SaaS platform to the Controller.
- Duration: the term of the Customer's subscription, plus the deletion period set out in section 11.
- Nature and purpose: hosting, transmission, retrieval, structuring, storage, deletion, and ancillary security and support operations needed to provide the platform.
- Categories of data subjects: Controller's employees and contractors (dispatchers, accountants, fleet managers); drivers; freight-exchange counterparties; end customers named on shipping or customs documents.
- Categories of personal data: identification data (name, work email, phone), professional data (role, company), location data (vehicle GPS), driver contact data, document content uploaded by the Controller.
- Special categories: none, unless the Controller uploads them in document attachments. The Controller agrees not to upload special-category data except where strictly required.
4. KARG's obligations
KARG will:
- Process Customer Personal Data only on the Controller's documented instructions, including transfers, unless required by EU or Member State law.
- Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality.
- Implement and maintain the technical and organisational measures described in karg.to/security and Annex II below.
- Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to data subject requests.
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available to KARG.
- At the Controller's choice, delete or return Customer Personal Data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
- Make available all information necessary to demonstrate compliance with Article 28 and contribute to audits as set out in section 9.
5. Sub-processors
The Controller grants KARG a general authorisation to engage the sub-processors listed at karg.to/sub-processors. KARG will:
- Notify the Controller of any intended addition or replacement of a sub-processor at least 30 days in advance, by email to the workspace administrator and an update of the public list.
- Impose on each sub-processor data protection obligations no less protective than those in this DPA.
- Remain fully liable to the Controller for the performance of each sub-processor.
The Controller may object on reasonable grounds. If the parties cannot find an alternative within 30 days, the Controller may terminate the affected service and receive a pro-rata refund of pre-paid fees.
6. International transfers
Where Customer Personal Data is transferred outside the EEA to a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), Module Two (controller to processor) or Module Three (processor to processor) where KARG acts as processor and the sub-processor as sub-processor, are incorporated by reference, with the docking clause enabled and the Romanian supervisory authority designated.
7. Security
KARG implements the technical and organisational measures described in Annex II to ensure a level of security appropriate to the risk, in line with Article 32 GDPR.
8. Personal data breach
KARG will notify the Controller without undue delay, and in any case within 72 hours of becoming aware, of a personal data breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) GDPR to the extent then known.
9. Audits
KARG will make available to the Controller, on reasonable written request and no more than once per year (except following a confirmed breach), the latest summary of its security controls and any third-party audit reports. The Controller may conduct an audit itself, or via an independent auditor, subject to 30 days' notice, agreement on scope, confidentiality, and reasonable reimbursement of KARG's costs. Audits must not unreasonably interfere with KARG's business or the privacy of other customers.
10. Assistance with data subject requests
The platform provides export and deletion functionality the Controller can use to fulfil access, rectification, erasure, portability and restriction requests. Where additional assistance is required, KARG will provide it within reasonable time, subject to a reasonable fee for non-trivial work.
11. Return or deletion of data
On termination of the services, the Controller can export Customer Personal Data within 30 days using the platform's export tools. After this period KARG will delete Customer Personal Data within 90 days, except for data KARG must retain to comply with applicable law (for example accounting and customs records).
12. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions set out in the Terms of Service.
13. Governing law
This DPA is governed by the laws of Romania and is subject to the exclusive jurisdiction of the competent courts of Bucharest, without prejudice to mandatory rules of the GDPR.
Annex I — Description of processing
List of parties
- Controller: the customer that accepts this DPA by signing the Terms of Service or executing this document.
- Processor: DANS ONLINE SRL, CUI 43898240, J16/737/2021, Str. Independenței, Bl. 6F, Ap. 9, Craiova, Dolj, Romania 200333. Contact: privacy@karg.to.
Description of processing
See section 3 above.
Annex II — Technical and organisational measures
Access control
- Identity provided by Supabase Auth; passwords stored as bcrypt hashes.
- Role-based access inside each workspace.
- Browser extensions and partners use revocable API keys.
- Hardware-backed multi-factor authentication required for production access.
Tenant isolation
- Mandatory tenant_id filter on every database query.
- PostgreSQL Row-Level Security enforced as a defence in depth.
Encryption
- TLS 1.2+ for all data in transit.
- Database, file storage and backups encrypted at rest by hosting providers.
- Application-level encryption of long-lived integration secrets (e.g. HMRC tokens).
Logging & monitoring
- Audit logs for sensitive actions, retained at least 12 months.
- Application errors captured in Sentry with secret-scrubbing on the way in.
Backups & resilience
- Automatic daily backups with point-in-time recovery, 35-day retention.
- Quarterly restore exercises.
Software development
- Mandatory code review and automated checks for every change.
- Periodic security reviews; most recent on 22 April 2026.
- Dependency advisories monitored and patched.
Annex III — Sub-processors
The current list of authorised sub-processors is published at karg.to/sub-processors and forms part of this DPA. Changes are notified as set out in section 5.
Signatures
| Controller | Processor (KARG / DANS ONLINE SRL) |
|---|---|
| Name: ____________________________ Title: _____________________________ Company: __________________________ Date: _____________________________ Signature: _________________________ | Name: Andrei Bolovan Title: Administrator Company: DANS ONLINE SRL Date: _____________________________ Signature: _________________________ |
Once signed, please return a scanned copy to privacy@karg.to.