Data Processing Agreement

Version 3.0 · Last updated: 9 May 2026 · Effective immediately

1. Parties

This Data Processing Agreement ("DPA") is entered into between the Customer ("Data Controller") and YARDtwin Ltd, registered in Ireland ("Data Processor"), collectively the "Parties". This DPA forms part of, and is subject to, the YARDtwin Terms of Service.

2. Scope & Purpose

The Processor processes personal data on behalf of the Controller solely for the purpose of providing the YARDtwin yard management platform: dock scheduling, gate operations, digital twin yard visualisation, carrier and driver management, GMP-compliant audit trail, analytics, and integrations. Processing is performed for the duration of the Controller's subscription and any retention period required by Section 11.

3. Categories of Data Subjects

  • Controller's employees and administrators (named users of the platform)
  • Drivers and logistics personnel checked in at the Controller's gates
  • Carrier representatives and dispatch contacts
  • Gate-security and warehouse-operator personnel

4. Types of Personal Data

  • Identity data: names, email addresses, phone numbers, position/job title, company name and address
  • Authentication data: bcrypt-hashed passwords (12 rounds), JWT access & refresh tokens, session timestamps, IP addresses, SSO identifiers (Google, Microsoft)
  • Operational data: appointments, dock allocations, trailer movements, inspection records, documents, task assignments, vehicle registrations
  • Driver data: licence numbers, licence images, optional face images for biometric gate verification (special-category data, Art. 9 GDPR — processed only where the Controller has enabled biometric verification at the gate and has captured explicit consent at point-of-capture)
  • Audit data: user actions, timestamps, IP addresses, user-agent strings, old/new value diffs, GMP-flagged records

5. Obligations of the Processor

  • Process personal data only on documented instructions from the Controller (the platform UI and API constitute documented instructions)
  • Ensure persons authorised to process data are bound by confidentiality agreements
  • Implement appropriate technical and organisational security measures (Art. 32) — see Section 7 below
  • Not engage sub-processors without prior written authorisation; provide 30 days' advance notice of any new sub-processor (right to object)
  • Assist the Controller with data subject requests (Art. 15–22) via the DSAR endpoints described in Section 9
  • Notify the Controller of personal-data breaches without undue delay and within 72 hours (Section 8)
  • Delete or return all personal data upon termination of services (Section 11)
  • Make available all information necessary to demonstrate compliance and support audits (Section 12)

6. Sub-processors

The Processor currently engages the following sub-processors, each acting under a Data Processing Agreement and (where applicable) Standard Contractual Clauses 2021:

| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Microsoft Azure | Hosting (App Service, Postgres Flexible Server, Blob Storage, Key Vault, App Insights, Front Door + WAF) | EEA — Sweden Central + Norway East | Microsoft Online Services DPA + EU SCCs, ISO 27001, SOC 2 Type II, ISO 27018, EU Data Boundary |
| Stripe | Subscription billing & payment processing (no card numbers stored by YARDtwin) | Stripe Ireland (EEA), some US support | Stripe DPA + EU SCCs + PCI DSS Level 1 |
| Resend | Transactional email (welcome, trial reminders, DSAR responses, breach alerts) | US (Delaware) | Resend DPA + EU SCCs (FISA 702 supplementary-measures verification in progress — see GDPR Policy 11.6) |
| Google Cloud Vision | Driver-licence OCR (only where the Controller enables licence verification at the gate) | EU regions | Google Cloud DPA + EU SCCs, ISO 27001, SOC 2 |
| Google / Microsoft (OAuth SSO) | Single-sign-on identity tokens for users who choose SSO | EEA (Microsoft Entra ID) / Global (Google Workspace) | Microsoft / Google Cloud DPAs |
| Anthropic | Claude API for in-product AI assistant + licence-OCR text parsing | US (California) | Anthropic DPA + zero-retention claim + EU SCCs (FISA 702 supplementary-measures verification in progress) |

Customers are notified at least 30 days before any new sub-processor is added, with the right to object and terminate without penalty.

7. Security Measures (Art. 32)

  • Encryption in transit: TLS 1.2+ on every endpoint; certificates managed by Microsoft Azure (DigiCert)
  • Encryption at rest: Azure Postgres Flexible Server transparent data encryption; Azure Blob Storage encryption
  • Field-level encryption: AES-256-GCM for biometric data (driver licence images, signature images), keys held in Azure Key Vault
  • Password hashing: bcrypt, 12 rounds
  • Authentication: JWT access tokens (1-hour expiry) + refresh tokens (7-day expiry, rotation on use); SSO via Google and Microsoft for MFA-equivalent
  • Tenant isolation: enforced on every API route, regression-tested by 25-vector cross-tenant audit on every release
  • Role-based access control: six roles (admin, ops_manager, gate_guard, warehouse_operator, carrier, super_admin), least-privilege middleware
  • Web Application Firewall: Azure Front Door + managed WAF (OWASP Core Rule Set, bot-protection, L7 DDoS)
  • Rate limiting: per-route limits, tighter on auth endpoints; in-memory + persisted attempt tracking
  • Audit trail: append-only at the application layer, 6-year retention, GMP-relevant entries flagged separately, pseudonymised (not deleted) on Art. 17 erasure under Art. 17(3)(b)
  • Continuous monitoring: Azure Application Insights, schema-drift alert (15-minute window), end-to-end /health/db-write probe, breach-monitor anomaly worker (failed-login spikes, multi-IP attacks, country-change logins, 5xx-rate)
  • Software supply chain: npm audit, Trivy, Semgrep, gitleaks, OWASP ZAP on every PR. Secrets: Azure Key Vault accessed via App Service managed identity; no secrets in code, env files, or container images

8. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of a personal-data breach affecting the Controller's data (Art. 33). Notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed, and the breach-register reference. Detected anomalies route to Azure Monitor Action Group yardtwin-breach-actions; confirmed incidents are tracked in the breach-register table with a 72-hour DPC countdown.

9. Data Subject Rights

The Processor provides the Controller with the following endpoints to fulfil data-subject rights within the 30-day Art. 12(3) deadline:

  • POST /api/v1/dsar/export/by-email — machine-readable export covering Art. 15 (access) and Art. 20 (portability)
  • POST /api/v1/dsar/erase/by-email — pseudonymisation across all PII tables, with audit-log retention preserved per Art. 17(3)(b)
  • Self-service request portal at /data-request

10. International Transfers

Operational data is stored within the European Economic Area (Microsoft Azure, Sweden Central + Norway East). Onward transfers to non-EEA sub-processors (Resend, Anthropic) are governed by Standard Contractual Clauses 2021 with documented Transfer Impact Assessments. Stripe contracts via Stripe Ireland (EEA primary).

11. Duration, Termination & Data Return

This DPA remains in effect for the duration of the service agreement. Upon termination:

  • The Controller may export all of its data within 30 days via the in-product export functions or by request
  • After 30 days, the Processor will delete all of the Controller's operational personal data
  • Audit logs are retained for 6 years post-event in a pseudonymised state, as required by 21 CFR Part 11 / EU GMP Annex 11 (Art. 17(3)(b) legal-obligation override)
  • Backups are purged within 7 days of operational deletion, in line with the point-in-time recovery window

12. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR. Customers may request: copies of relevant security certifications and audit reports (where in place), the current sub-processor register, the latest tenant-isolation regression-test report, the latest external pen-test summary (when issued, see GDPR Policy 11.1), and answers to a vendor security questionnaire. Reasonable on-site or remote audits may be arranged with at least 30 days' notice, conducted by the Controller or an independent third party bound by confidentiality. The Processor will give priority to ISO 27001 / SOC 2 Type II reports as substitute evidence once those certifications are in place.

13. Liability & Governing Law

Liability under this DPA is subject to the limitations set out in the YARDtwin Terms of Service. This DPA is governed by the laws of Ireland and the EU General Data Protection Regulation (GDPR). Any disputes are subject to the exclusive jurisdiction of the courts of Ireland.

14. Contact

For questions about this DPA, to request a countersigned copy, or to exercise any of the rights set out above, contact admin@yardtwin.com or the Data Protection Officer at dpo@yardtwin.com. An external fractional DPO is being contracted (GDPR Policy 11.2); until appointment, mail sent to dpo@yardtwin.com routes to admin@yardtwin.com.

By accepting, the Customer agrees to be bound by this Data Processing Agreement v3.0 as the Data Controller.
