A counter-signed copy of this DPA is available on request for enterprise customers. Contact [email protected].

Data Processing Addendum

Effective: May 25, 2026 · Last revised: July 9, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between ShipPulse ("Processor") and you ("Controller") when ShipPulse processes personal data on your behalf. It applies where the General Data Protection Regulation (Regulation 2016/679) or analogous laws apply to the processing.

1. Processor Obligations

ShipPulse will: (a) process personal data only on documented instructions from the Controller, including instructions in the Terms of Service and dashboard configuration; (b) ensure persons authorized to process personal data are bound by confidentiality; (c) implement appropriate technical and organizational measures (see Security); (d) assist the Controller in responding to data-subject requests; (e) notify the Controller without undue delay (and within 72 hours where feasible) on becoming aware of a personal-data breach.

2. Sub-processors

The Controller authorizes the engagement of the sub-processors listed in the Privacy Policy. ShipPulse will give 14 days' notice (via the changelog and email) before adding or replacing a sub-processor; the Controller may object on reasonable grounds, in which case the parties will discuss in good faith and the Controller may terminate the affected service if no resolution is reached.

3. Security Measures

Encryption in transit (TLS 1.2+) and at rest (AES-256 via the managed-database provider). Role-based access control with least- privilege defaults. Audit logging of administrative actions. Backup encryption and offsite retention. Annual penetration test (planned; first cycle within 12 months of first paid enterprise customer). Access to production data restricted to the founder; additional personnel will be added under written authorization only.

4. Data Subject Rights

ShipPulse will assist the Controller, by appropriate technical and organizational measures, in responding to data-subject requests for access, rectification, erasure, restriction, portability, and objection. Most requests are self-service via the dashboard; for others, contact [email protected].

5. International Transfers

Primary processing occurs in the EU (Frankfurt). Transfers to sub-processors outside the EEA rely on the European Commission's Standard Contractual Clauses (Module 2 or 3 as appropriate) and any applicable adequacy decisions. A copy of the SCCs is available on request.

6. Audits

The Controller may, upon 30 days' written notice and no more than once per year (or more frequently following a material security incident), request information reasonably necessary to demonstrate compliance with this DPA. On-site audits require mutual agreement and are subject to confidentiality obligations.

7. Liability

Liability under this DPA is subject to the limitation set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law.

8. Termination

This DPA terminates automatically when the underlying service agreement terminates. On termination, ShipPulse will, at the Controller's choice, return or delete personal data in accordance with the Privacy Policy retention schedule, unless applicable law requires further retention.