Effective Date: March 2, 2022
This Data Processing Agreement (“DPA”) is incorporated into the Agreement between FourKites and the Company governing the Company’s provision, and FourKites’ use, of the Company Personal Data, where and only to the extent that Privacy Laws apply to the processing by FourKites, as a processor, of Personal Data that forms part of the Data (“Company Personal Data”).
This Annex I forms part of the DPA and describes the processing that FourKites (as the Processor) will perform on behalf of Company (as the Controller).
Data exporter(s):

| Field | Details |
| --- | --- |
| Name | Company as defined in the DPA. |
| Address | The address for Company as specified in the Agreement. |
| Contact person’s name, position and contact details | The contact details for Company as specified in the Agreement. |
| Activities relevant to the data transferred under these Clauses | FourKites and Company share a Mutual Customer that has, directly or indirectly through a Platform Partner, engaged FourKites to assist it with enhancing its transportation operations. Company shares Company Personal Data with FourKites for the ultimate benefit of the Mutual Customer. |
| Signature and date | This Annex I shall automatically be deemed executed when the Agreement (which incorporates this DPA) is executed by Company. |
| Role (controller/processor) | Controller |
Data importer(s):

| Field | Details |
| --- | --- |
| Name | FourKites, Inc. |
| Address | 300 S Riverside Plaza, Suite 850, Chicago, IL 60606 USA |
| Contact person’s name, position and contact details | General Counsel, Michelle Meller, [email protected] |
| Activities relevant to the data transferred under these Clauses | FourKites and Company share a Mutual Customer that has, directly or indirectly through a Platform Partner, engaged FourKites to assist it with enhancing its transportation operations. Company shares Company Personal Data with FourKites for the ultimate benefit of the Mutual Customer. |
| Signature and date | This Annex I shall automatically be deemed executed when the Agreement (which incorporates this DPA) is executed by FourKites. |
| Role (controller/processor) | Processor |
Module 2 (controller to processor transfers)

| Field | Details |
| --- | --- |
| Categories of data subjects | Company may submit Personal Data to FourKites, the extent of which is determined and controlled by the Company in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects: |
| Categories of personal data | Company may submit Personal Data to FourKites, the extent of which is determined and controlled by Company in its sole discretion, and which may include, but is not limited to, |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards | None |
| Frequency of the transfer | Continuous |
| Nature of the processing | FourKites and Company share a Mutual Customer that has, directly or indirectly through a Platform Partner, engaged FourKites to assist it with enhancing its transportation operations, which includes automating certain aspects of its freight planning, managing, tracking and yard management capabilities. |
| Purpose(s) of the data transfer and further processing | The purpose of processing is to allow for sharing of select Company Personal Data through the Platform for the ultimate benefit of the Mutual Customer. FourKites shall process Company Personal Data only for the limited and specified purposes under the Agreement and this DPA. |
| Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | FourKites shall retain the Company Personal Data it receives under the Agreement in accordance with the Agreement. |
| Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 SCCs) | The competent supervisory authority, in accordance with Clause 13 of the New EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. |
Description of the technical and organizational measures implemented by the Processor(s) / Data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
The technical and organizational security measures implemented by the data importer are set out in the table below.
| Measure | Description |
| --- | --- |
| Measures of pseudonymisation and encryption of personal data | FourKites uses encryption to protect personal data, both in transit and at rest. All data in transit is secured using HTTPS with TLS 1.2 (or greater). FourKites also encrypts data at rest using the industry standard AES-256 algorithm. In practice, this means that data will not be intelligible to third parties. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | FourKites performs a monthly user access review on all FourKites processing systems. Infrastructure vulnerability assessments and penetration tests are performed to identify and remediate vulnerabilities. A periodic disaster recovery test is performed to test the recovery point objectives (RPO) and recovery time objectives (RTO). In addition, a backup integrity test is performed to validate the data backup at least once annually. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | FourKites services and applications are primarily hosted in Amazon Web Services (AWS), specifically in the AWS US-EAST-1 region (N. Virginia). AWS offers a reliable platform for software services used by thousands of businesses worldwide. AWS provides services in accordance with security best practices and undergoes industry-recognized certifications and audits (see aws.amazon.com/security/ for more information). A periodic disaster recovery test is performed to test the recovery point objectives (RPO) and recovery time objectives (RTO). In addition, a backup integrity test is performed to validate the data backup at least once annually. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | FourKites has a dedicated internal audit team that conducts internal audits periodically to identify and assess any process deviations and to take any corrective actions to mitigate risks. In addition, and as mentioned above, FourKites undergoes an external Service Organization Controls 2 (SOC 2) Type II audit annually to evaluate the effectiveness of the security controls that have been designed and implemented. |
| Measures for user identification and authorisation | FourKites uses a combination of Virtual Private Network (VPN) with Multi-Factor Authentication (MFA) and Single Sign-On (SSO) to grant access to internal support tools, infrastructure and data where personal data resides. In addition, FourKites has defined a strong password policy that is strictly enforced, requiring all passwords to meet certain complexity requirements. |
| Measures for the protection of data during transmission | FourKites uses HTTPS with TLS 1.2 (or greater) to protect data in transit. |
| Measures for the protection of data during storage | FourKites uses industry standard AES-256 encryption to protect data at rest. |
| Measures for ensuring physical security of locations at which personal data are processed | FourKites is a 100% SaaS company, born in the cloud. Even though FourKites has a few limited office locations, there are no FourKites physical locations where personal data could be stored. All data is stored either in the cloud or with the SaaS providers that support our business (e.g. AWS, Salesforce, HRIS systems, etc.). For personal data from FourKites services and applications, Amazon controls the physical elements. To help customers better understand what controls AWS has in place and how effectively they are operating, AWS publishes information on its physical security and environmental controls on its website (this can be found at aws.amazon.com/security/). |
| Measures for ensuring events logging | FourKites uses a centralized log aggregation system to consolidate and monitor logs from applications, platforms, cloud and other network devices. It is designed and set up in accordance with security best practices, including logging of access and of any system configuration changes. The centralized logging system does not normally come into contact with personal data and is primarily focused on performance, user and change management monitoring. |
| Measures for ensuring system configuration, including default configuration | FourKites performs periodic system configuration reviews on all processing systems to evaluate the configurations, services and default ports. Default configurations are flagged by automated monitoring using both ISO 27001 and CIS 1.3 benchmark checks. |
| Measures for internal IT and IT security governance and management | FourKites conducts periodic internal audits and an annual external SOC 2 Type II audit to evaluate the effectiveness of the security controls that are designed and implemented. In addition, FourKites conducts annual policy reviews and revisions, covering both the technical and administrative controls that are part of the FourKites Information Security Management System (ISMS), which is based upon the ISO 27001 framework. |
| Measures for certification/assurance of processes and products | FourKites undergoes an external SOC 2 Type II audit each year. This audit is focused on security and assesses the effectiveness of the security controls designed to protect personal and other types of data. In addition to the SOC 2 Type II audit, FourKites conducts continuous vulnerability testing at the endpoint, infrastructure and container levels. FourKites also employs data loss prevention (DLP) functionality at the infrastructure and endpoint level to prevent data leakage. Lastly, FourKites continually benchmarks its security program against the ISO 27001, NIST 800-53, NIST CSF and CIS 1.2/3 programs and takes corrective actions as needed. |
| Measures for ensuring data minimisation | FourKites collects very minimal personal information and restricts access to any type of personal data. FourKites uses both preventative and monitoring controls to enforce technical and administrative policies. In addition, FourKites requires all employees to undergo privacy training and to adhere to company policy. |
| Measures for ensuring data quality | All FourKites releases are rigorously tested and certified by a quality assurance (QA) team. The QA team uses automated test suites as well as manual testing techniques (including full regression testing) for all software releases. |
| Measures for ensuring limited data retention | FourKites retains customer data for one (1) year but also has the capability to retain customer data in an archive format, per customer requirements. |
| Measures for ensuring accountability | FourKites has controls implemented to monitor and track user activities, including flagging stale or misconfigured accounts and accounts that have excessive permissions. |
| Measures for allowing data portability and ensuring erasure | FourKites strictly prohibits the portability of data, and this prohibition is enforced through company policy and at the endpoint level. All data will exist within the AWS cloud environment. For added security, FourKites restricts the use of USB ports, thumb drives and other portable drives and devices on employee laptops. |