Data Processing Addendum
Standard DPA for customers subject to GDPR, UK GDPR, CCPA/CPRA, or PIPEDA. Forms part of QuoteFleet's main subscription agreement.
This Data Processing Addendum ("DPA") is entered into by and between the Customer identified in the QuoteFleet subscription agreement (the "Controller") and MR Commerce & Trade, d/b/a QuoteFleet (the "Processor"), together the "Parties." It supplements the Parties' existing subscription agreement (the "Principal Agreement") and applies to all Personal Data processed by the Processor on behalf of the Controller.
1. Definitions
Unless otherwise defined here, terms have the meanings given in Article 4 of the EU General Data Protection Regulation 2016/679 ("GDPR"). For the avoidance of doubt:
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on the Controller's behalf under the Principal Agreement.
- "Processing" has the meaning in Article 4(2) of the GDPR.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on the Controller's behalf.
- "Data Protection Laws" means GDPR, UK GDPR, the California Consumer Privacy Act as amended by CPRA ("CCPA"), Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), and any other applicable data protection or privacy laws.
2. Subject matter, duration, nature, and purpose of processing
- Subject matter: the Processor's provision of the QuoteFleet platform and related services to the Controller.
- Duration: for the term of the Principal Agreement plus any post-termination retention period set out in §10 below.
- Nature and purpose: hosting, storage, retrieval, transmission, analysis, and display of Personal Data so the Controller can operate its quote-tool, communicate with its end-customers, and manage its rate book.
3. Categories of Personal Data and data subjects
| Category | Data subjects |
|---|---|
| Authentication data: name, email, hashed password | Controller's employees / staff users |
| Contact + business data: company name, phone, contact email | Controller and its representatives |
| Quote-request data: customer name, email, phone, company, shipment origin / destination, equipment, weight, commodity, notes | Controller's end-customers (lead submitters) |
| Conversation logs: AI-assisted chat between Controller's end-customer and the Controller's auto-reply assistant | Controller's end-customers |
| Operational metadata: IP, user-agent, request timestamps, audit-log entries | Both Controller's staff and end-customers |
The Processor does not knowingly process special categories of Personal Data (Article 9 GDPR). The Controller will not submit such data to the Service.
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller, including transfers to third countries (the Principal Agreement and this DPA constitute such instructions).
- Ensure all personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organizational measures (see §6 below).
- Engage Sub-processors only under §7.
- Assist the Controller in fulfilling its obligations to respond to data subjects exercising their rights (Articles 12–22 GDPR; equivalent under UK GDPR, CCPA, PIPEDA).
- Assist the Controller with data protection impact assessments and consultations with supervisory authorities (Articles 35–36 GDPR).
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services (see §10).
- Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in §11.
5. Controller obligations
- Establish and maintain a lawful basis under Article 6 GDPR (and any other applicable legal basis) for the processing carried out via the Service.
- Provide all required notices to data subjects, including its end-customers who submit quotes via the QuoteFleet widget.
- Not submit Personal Data outside the categories listed in §3 without prior written agreement.
- Promptly notify the Processor if it becomes aware of any Personal Data breach affecting the Service.
6. Security measures (Annex II)
The Processor implements the following technical and organizational measures:
- Encryption in transit: TLS 1.2 or higher with HSTS for all traffic between data subjects, the Controller, and the Service.
- Encryption at rest: AES-256-GCM authenticated encryption for sensitive secrets (e.g. third-party API keys, custom-domain verification tokens) before they are written to the database.
- Access control: opaque-token sessions stored server-side, HttpOnly + Secure cookies, bcrypt cost-12 password hashing, role-based access enforced at the API layer.
- Tenant isolation: every Personal Data record is keyed to a tenant identifier, and all queries are scoped by middleware to the authenticated tenant, so no normal API path can read or write another tenant's records.
- Audit logging: every change to a Controller's rate book or customer-facing assets is recorded with actor, timestamp, before / after values, and reason.
- Network protection: Cloudflare-fronted DNS, rate-limited public endpoints, shared-secret authentication on the Worker → origin path to prevent direct-deployment spoofing.
- Backups: encrypted automated backups handled by the Processor's managed Postgres provider; backup copies are deleted on the schedule set out in §10.
- Vulnerability management: documented vulnerability disclosure policy at /security and /.well-known/security.txt; reports answered within 48 hours.
- Supply-chain hygiene: dependencies pinned via lockfile; no third-party analytics or tracking scripts injected into the dashboard or hosted widget.
7. Sub-processors (Annex III)
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI inference (Claude API) for quote summaries, customer chat, and operator rate-tuning. Customer's end-customer text and rate metadata may transit. | USA |
| Cloudflare, Inc. | DNS, edge proxy, Workers (wildcard subdomain routing), TLS termination at edge. | Global edge / USA HQ |
| Neon, Inc. | Managed PostgreSQL database hosting for all Personal Data at rest. | USA / EU regions (configurable per project) |
| Replit, Inc. | Compute hosting (Reserved VM Deployment) for the application server. | USA |
| Stripe, Inc. | Payment processing if the Controller subscribes to a paid plan. Payment card data goes to Stripe directly; the Processor never sees it. | USA / EU |
| Email provider (SMTP — provider per Controller's configuration; e.g. Resend, AWS SES, or SMTP relay) | Outbound email delivery for AI auto-replies and operational notifications. | Per provider |
The Processor will notify the Controller of any intended addition or replacement of a Sub-processor at least 30 days in advance. The Controller may object on reasonable data-protection grounds within 14 days of notice; the Processor will work in good faith to address the objection or, failing that, terminate the affected service line and refund any prepaid fees pro-rata.
8. International data transfers
Where Personal Data of EU/UK data subjects is transferred outside the EEA / UK, the Parties agree:
- The European Commission's Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor), as adopted by Decision (EU) 2021/914, are incorporated by reference and shall apply to such transfers.
- The UK International Data Transfer Addendum to the SCCs (as published by the ICO) shall apply to transfers of UK personal data.
- Annexes to the SCCs are populated by reference to §3 (data categories), §6 (security measures), and §7 (sub-processors) of this DPA.
9. Personal Data breach notification
- The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data breach affecting the Controller's data.
- The notice will describe (to the extent known): the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address it and mitigate adverse effects.
- The Processor will cooperate with the Controller's reasonable requests for further information and remediation.
10. Return or deletion of Personal Data
- On termination of the Principal Agreement and at the Controller's election, the Processor will (a) return all Personal Data to the Controller in a commonly used machine-readable format (CSV / JSON), and / or (b) delete it.
- Deletion is completed from production systems within 30 days of the termination date and from encrypted backups within 90 days.
- Audit-log entries containing the Controller's identifying data may be retained where reasonably required for the Processor's legitimate compliance, security, or accounting purposes, in pseudonymized or aggregate form.
11. Audits
- The Processor will, on the Controller's reasonable written request and not more than once per 12-month period (or in response to a documented breach), provide the Controller with a written summary of the Processor's then-current security and privacy controls.
- If the Controller requires a more in-depth audit, the Parties will agree on scope, timing, and cost in advance, and the Controller bears the audit's reasonable costs unless a material non-compliance is found.
- Once the Processor obtains independent attestations such as SOC 2 Type II, the Processor will make those attestations available to the Controller on request, in lieu of bilateral audit where reasonable.
12. Liability and term
This DPA's term and any liability arising under it follow the Principal Agreement. Where Data Protection Laws require an additional remedy not capped by the Principal Agreement (e.g. statutory damages), this DPA does not limit such remedies.
13. Order of precedence
If there is a conflict between this DPA and the Principal Agreement, this DPA prevails on data-protection matters; otherwise the Principal Agreement controls. The SCCs (where applicable) prevail over both.
Signatures
Either Party may sign this DPA by countersignature, electronic signature, or by clear acceptance through the QuoteFleet dashboard's "Accept DPA" flow.
Name · Title · Date
Managing Director · MR Commerce & Trade · Date: 2026-05-08