Data Processing Agreement
Effective: February 13, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Kairos Systems LLC, which provides the FreightHQ platform ("Processor"), and the customer entity that subscribes to the Services ("Controller").
Controller decides why and how personal data is processed in connection with its freight operations. Processor hosts and operates the FreightHQ platform on Controller's instructions, as described in this DPA and the applicable service terms.
This DPA reflects the requirements of Article 28 of the EU General Data Protection Regulation ("GDPR") where GDPR applies to Processing under the Agreement.
Subject matter: Processing of personal data through Controller's use of the FreightHQ B2B SaaS platform.
Duration: For the term of the Agreement and until Processor has deleted or returned data in accordance with Section 9, unless a longer period is required by law.
Nature and purpose: Providing hosting, application logic, authentication, notifications, storage, analytics as configured, and support necessary to deliver the Services Controller has subscribed to—specifically to support freight forwarding operations (shipments, finance, documents, and portal access).
Depending on how Controller configures the Services, Processing may include:
- Shipment and operational data: references, ports, dates, carrier fields, tracking events, and similar logistics attributes
- Commercial counterparts: names, addresses, and contact details of customers, consignees, notify parties, and other business contacts Controller enters
- Financial data: invoice line items, amounts, payment status metadata, and related accounting records processed in the platform
- Documents: files Controller uploads (e.g., bills of lading, packing lists, customs-related paperwork) which may contain personal data
- Portal users: email addresses and profile fields for users Controller invites to branded portals or workspaces
Data subjects may include Controller's personnel, Controller's customers and vendors, and individuals identified in shipment or document data.
Processor will:
- Process personal data only on documented instructions from Controller (including this DPA and the Agreement), unless EU or member state law requires otherwise—in which case Processor will inform Controller unless prohibited
- Ensure persons authorized to Process data are bound by confidentiality
- Implement appropriate technical and organizational measures taking into account the state of the art, implementation costs, and risks to data subjects
- Assist Controller with responding to requests from data subjects and with DPIAs or consultations with supervisory authorities, taking into account the nature of Processing and information available to Processor
- At Controller's choice, delete or return personal data after the end of provision of Services, except where law requires retention
- Make available information reasonably necessary to demonstrate compliance with Article 28 and allow for audits conducted by Controller or an auditor mandated by Controller, subject to reasonable confidentiality and security procedures
Controller authorizes Processor to engage sub-processors to support the Services. Processor will impose data protection terms on sub-processors that are materially no less protective than this DPA. Controller may object to a new sub-processor on reasonable data-protection grounds as described in the Agreement.
Current sub-processors (illustrative):
- Vercel — application hosting and edge delivery
- Railway — managed database infrastructure
- Cloudflare R2 — object storage for documents and assets
- Resend — transactional email delivery
- Clerk — authentication and organization identity for the main application
- PostHog — product analytics (EU region deployment where configured)
The specific services, regions, and sub-processors in use may evolve; Processor will maintain a current list and notify Controller of material changes as set out in the Agreement.
Where personal data originating in the European Economic Area, Switzerland, or the United Kingdom is transferred to countries not recognized as offering an adequate level of protection, Processor will rely on appropriate safeguards, including the applicable standard contractual clauses ("SCCs") approved by the European Commission (and UK Addendum where relevant), supplemented by technical and organizational measures and transfer impact assessments where required.
Processor maintains security measures appropriate to the risk, including access controls, encryption in transit where applicable, logging, and vendor diligence for infrastructure providers.
Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data and will provide information reasonably available to assist Controller in meeting its own notification obligations.
Processor retains data for as long as Controller maintains an active subscription and as needed to provide the Services. Upon termination, Processor will delete or return Controller data in accordance with the Agreement and documented procedures, except where EU or member state law requires storage.
For questions of interpretation relating to GDPR obligations and EU/UK data protection law, the parties acknowledge that supervisory authorities and courts where Controller or affected data subjects are located may have jurisdiction as provided by law. This does not limit other governing-law clauses in the Agreement for non-GDPR matters, which remain as stated there.
Privacy and data processing inquiries: contact@freighthq.io