Legal

Data Processing Agreement

Last updated 2026-06-03

The terms under which Customs OS processes personal data on your behalf as your processor — including the Standard Contractual Clauses, our security measures, and the sub-processor list. It forms part of your agreement with us.

This Data Processing Agreement (“DPA”) is between Customs OS, Inc. (“Processor”, “we”) and the customer identified in the agreement (“Controller”, “you”). It forms part of, and is governed by, the Customs OS Terms of Service or your signed order form (the “Agreement”). If there is a conflict on data protection, this DPA controls. By accepting the Agreement, or by signing a counterpart, you agree to these terms on behalf of yourself and the controllers you represent.

1. Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, “data subject”, and “personal data breach” have the meanings in the EU GDPR (2016/679) and the UK GDPR. “Data Protection Law” means the EU GDPR, UK GDPR, the Swiss FADP, and any successor or implementing law, as applicable. “SCCs” means the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914. “UK Addendum” means the ICO's International Data Transfer Addendum to the SCCs.

2. Roles and scope

You are the controller (or a processor acting for your own controllers) of the Customer Personal Data. We are the processor (or sub-processor) and process Customer Personal Data only to provide the Services. The subject matter, duration, nature, and purpose of processing, the types of personal data, and categories of data subjects are described in Annex I. We separately act as a controller for account, authentication, and usage data as described in our Privacy Policy; that data is outside this DPA.

3. Our obligations as processor

  • Process Customer Personal Data only on your documented instructions, and tell you if we believe an instruction infringes Data Protection Law.
  • Ensure persons authorised to process the data are under a duty of confidentiality.
  • Implement and maintain the technical and organizational measures in Annex II, appropriate to the risk (Art 32).
  • Respect the conditions in section 5 for engaging sub-processors.
  • Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your obligations under Articles 32–36 (security, breach notification, DPIAs, prior consultation).
  • At your choice, delete or return all Customer Personal Data at the end of the Services, except where law requires retention (section 8).
  • Make available the information necessary to demonstrate compliance and allow for and contribute to audits as set out in section 7.
  • Never process the data for our own purposes, sell it, or use it to train AI models other than the inference required to deliver the Services.

4. Your obligations as controller

  • Ensure you have a lawful basis and any required notices or consents for the data you provide.
  • Issue instructions that are lawful.
  • Not upload special-category data (Art 9) unless agreed in writing, and not upload data you are not entitled to share.

5. Sub-processors

You give general authorisation for us to engage the sub-processors listed at /subprocessors (also Annex III). We impose data-protection obligations on each sub-processor no less protective than this DPA, and we remain liable for their acts and omissions. We give at least 30 days' notice before adding or replacing a sub-processor that processes Customer Personal Data. You may object on reasonable data-protection grounds within that period; we will work in good faith to resolve it, and failing resolution you may terminate the affected Services.

6. International transfers

Where we process Customer Personal Data originating in the EEA, UK, or Switzerland in a country without an adequacy decision, the SCCs apply and are incorporated by reference:

  • Module Two (controller-to-processor) where you are a controller; Module Three (processor-to-processor) where you are a processor.
  • Annex I of this DPA populates SCC Annex I; Annex II populates SCC Annex II; Annex III lists sub-processors for Clause 9.
  • Clause 7 (docking) applies. Clause 9: Option 2, general authorisation, 30 days' notice. Clause 11 optional body does not apply.
  • Clause 17 governing law and Clause 18 forum: Ireland. For UK data, the UK Addendum applies, Table 4 “neither party”.
  • For Swiss data, references to the GDPR are read as the FADP and to supervisory authorities as the FDPIC.

We implement supplementary measures (encryption, access control) as reflected in Annex II.

7. Audits

We make available a summary of our security measures (Annex II) and, on your reasonable written request no more than once per year (or after a breach affecting you), respond to a reasonable security questionnaire and/or provide available third-party reports. On-site audits, where strictly required by Data Protection Law, will be on reasonable notice, during business hours, subject to confidentiality, and at your cost.

8. Deletion and return

On termination, and on request during the term, we delete or return Customer Personal Data within 30 days, including from active systems, and delete backup copies within the backup cycle (no more than a further 30 days), except where law requires retention — in which case we isolate and protect that data and stop active processing.

9. Personal data breach

We notify you without undue delay and within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, with the information available (nature, categories and approximate numbers affected, likely consequences, measures taken). We reasonably assist your own Article 33/34 obligations.

10. Liability and term

This DPA takes effect on acceptance of the Agreement and lasts as long as we process Customer Personal Data. Liability under this DPA is subject to the limitations in the Agreement, except where Data Protection Law prohibits such limitation. The Annexes form part of this DPA.

Annex I — Description of processing

  • Subject matter: provision of the Customs OS document-validation and related customs-operations Services.
  • Duration: the term of the Agreement plus the deletion window in section 8.
  • Nature and purpose: ingestion, storage, AI-assisted extraction and validation, and presentation of document packets; account and access management; support.
  • Categories of data subjects: your personnel (users); and individuals named in uploaded documents — shippers, consignees, contacts, signatories, agents.
  • Types of personal data: names, business contact details, job roles; identifiers and references on customs/trade documents (which may include addresses, signatures, and tax/EORI identifiers of natural persons); document content; product usage and access logs.
  • Special categories: none intended; you agree not to upload special-category data without prior written agreement.
  • Frequency: continuous, for the term.

Annex II — Technical and organizational measures

We maintain, in summary: encryption in transit (TLS 1.2+) and at rest (AES-256); encrypted storage of authentication secrets and OAuth tokens; application- and database-layer tenant isolation; least-privilege access with authentication; rate limiting and bot protection; logging and monitoring; a secure development lifecycle; backup and recovery; sub-processor due diligence; and breach detection and response within 72 hours. A current, detailed summary is available to customers on request.

Annex III — Sub-processors

The list at /subprocessors is incorporated here as Annex III.

Contact

For a signed counterpart or any question about this DPA, contact legal@customsos.com.