Data Processing Agreement

Effective Date: March 2, 2022

This Data Processing Agreement (“DPA”) is incorporated into the Agreement between FourKites and the Company governing the Company’s provision and FourKites use of the Company Personal Data where and only to the extent that Privacy Laws apply to the processing by FourKites as a processor of Personal Data that forms part of the Data (“Company Personal Data“).

Relationship of the parties. The parties agree that FourKites processes Company Personal Data as a processor on behalf of Company and FourKites shall process Company Personal Data only for the limited and specified purposes described in Annex I. FourKites shall process the Company Personal Data it receives under the Agreement in accordance with the Agreement and any relevant instructions, contracts or other agreements it has in place with any direct Mutual Customer(s) or for any indirect Mutual Customer of FourKites, it has in place with the applicable Platform Partner(s). With respect to direct Mutual Customers of FourKites, in the event that FourKites receives conflicting instructions from Company and any Mutual Customer relating to its processing of the Company Personal Data, FourKites will not take any action in respect of such instructions until it has received confirmation from both Company and the Mutual Customer as to the mutually agreed upon instruction. With respect to indirect Mutual Customers of FourKites, in the event that FourKites receives conflicting instructions from Company and the applicable Platform Partner relating to its processing of the Company Personal Data, FourKites will not take any action in respect of such instructions until it has received confirmation from both Company and the applicable Platform Partner as to the mutually agreed upon instruction. Company acknowledges that FourKites is not obliged to resolve conflicting instructions and Company agrees it shall work with the Mutual Customer or the Platform Partner (as applicable) to resolve any conflicting instructions and provide a mutually agreed upon instruction to FourKites.
Details of the data processing. The details of the processing are set out in Annex I to this DPA.
Authorized Persons. Any person FourKites authorises to process Company Personal Data (an “Authorised Person“) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise), and shall not permit any person who is not under such a duty of confidentiality to process Company Personal Data.
Audits. On written request from Company, FourKites shall provide written responses (on a confidential basis) to all reasonable requests for information made by Company related to its processing of Company Personal Data that are necessary to confirm FourKites’ compliance with this DPA.
Sub-processors. Company agrees that FourKites may engage sub-processors to process Company Personal Data on Company’s behalf to provide the Platform. A full list of the sub-processors currently engaged by FourKites and authorized by the Company are identified in the FourKites’ Sub-Processor Policy available in the Platform in the User Account. FourKites shall notify Company at least ten days in advance if it adds or replaces any sub-processors by updating the list, and the Company may object in writing to the use of sub-processor on reasonable grounds relating to data protection by notifying FourKites within five calendar days. FourKites shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Company Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause FourKites to breach any of its obligations under this DPA.
Company Obligations. Company agrees that it shall comply with its obligations under Privacy Laws with respect to the Company Personal Data, including:
1. Company shall have sole responsibility for determining the types of Personal Data and categories of data subjects it provides to FourKites under the Agreement, ensuring the accuracy, quality, and legality of Company Personal Data.
2. Company shall ensure all Company Personal Data it provides to FourKites under the Agreement shall be collected and transferred to FourKites in accordance with Privacy Laws. For the avoidance of doubt, it shall be Company’s responsibility to (i) ensure it provides a notice to the data subjects of the privacy policy it applies to the Company Personal Data, which shall comply with Privacy Laws including in particular any processing information requirements relating to the processing of the Company Personal Data by FourKites and (ii) to ensure it has a legal basis for the processing of the Company Personal Data by FourKites.
International data transfers. Company Personal Data that FourKites processes under the Agreement may be processed in any country in which FourKites, its Affiliates and authorized Sub-processors maintain facilities to perform the Services.
- European Transfer Mechanism. To the extent that the transfer of Company Personal Data from Company to FourKites involves a Restricted Transfer, the Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA. For the purposes of the Standard Contractual Clauses, the parties agree that FourKites shall be the “data importer” and Company shall be the “data exporter”.
  1. In relation to transfers of Company Personal Data protected by the GDPR, the EU SCCs will apply, completed as follows: (i) the Module 2 (controller to processor) terms shall apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 shall apply; (iv) in Clause 11, the optional language shall be deleted; (v) in Clause 17, Option 1 shall apply and the EU SCCs shall be governed by Dutch law; and (vi) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands; and (vii) Annexes I and II of the EU SCCs shall be populated with the information set out in Annexes I and II of this DPA.
  2. In relation to transfers of Personal Data which are protected by UK Privacy Laws and the Swiss FDPA, the EU SCCs shall apply in accordance with sub-paragraph 1 above and the following additional modifications: (i) references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to UK Privacy Laws or the Swiss FDPA and the equivalent articles or sections therein (as applicable); (ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to the “UK” or “Switzerland”, or “UK law” or “Swiss law” (as applicable); (iii) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable); (iv) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland” (as applicable); and (v) in Clause 17 and Clause 18(b), the EU SCCs shall be governed by the laws of and disputes shall be resolved before the courts of England and Wales or Switzerland (as applicable).
  3. To the extent that and for so long as the EU SCCs as implemented in accordance with sub-paragraph (2) above cannot be used to lawfully transfer Personal Data in accordance with UK Privacy Laws to FourKites, the UK SCCs shall be incorporated into and form an integral part of this DPA and shall apply to transfers governed by UK Privacy Laws. For the purposes of the UK SCCs, the relevant annexes, appendices or tables of the UK SCCs shall be deemed populated with the information set out in the Annexes (as applicable) of this DPA.
  4. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.
- Brazil. To the extent applicable to Brazil, international transfer shall also follow the standard provisions of the LGPD, and instructions to be specified, updated, amended, replaced or superseded from time to time by the applicable regulatory authority or, in the lack of instructions from such authority, Company shall follow the Standard Contractual Clauses as set forth in Section 7(a).
- Argentina. To the extent applicable to Argentina, international transfers shall also follow the standard provisions of the PDPL, and all instructions (as specified, updated, amended, replaced or superseded) by the applicable Argentinean regulatory authority. Company will follow the Standard Contractual Clauses set forth in Section 7(a), which contains the principles, guarantees and content related to the protection of personal data provided for in the standard contractual models approved by the Argentinean regulatory authority.
- Canada, Chile, Colombia, Mexico, Panama, Peru, Uruguay, Hong Kong, Japan, Malaysia, Singapore, Taiwan, Thailand, The Philippines, Indonesia and Turkey. To the extent Company shall transfer to FourKites Company Personal Data protected by Privacy Laws applicable to Canada, Chile, Colombia, Mexico, Panama, Peru, Uruguay, Hong Kong, Japan, Malaysia, Singapore, Taiwan, Thailand, the Philippines, Indonesia or Turkey, Company confirms that it has given all necessary notices, and obtained all necessary consents, and undertaken such other compliance steps, each in accordance with applicable Privacy Laws to transfer the Company Personal Data to FourKites, and to enable the collection, use, disclosure, overseas transfer and other processing of the Company Personal Data by FourKites and its permitted Sub-processors and other transferees, as described or anticipated in this DPA.
- South Africa. To the extent FourKites processes (or causes to be processed) Company Personal Data protected by Privacy Laws applicable to South Africa in or to a country that does not provide an adequate level of protection for personal data (as described in applicable Privacy Laws), FourKites agrees to abide by and process such Company Personal Data in accordance with the Standard Contractual Clauses which imposes contractual requirements that provide for an adequate level of data protection, together with binding and enforceable commitments of the recipient.
- Privacy Shield Frameworks. Although FourKites does not rely on the Privacy Shield Frameworks as a legal basis for transfers of Personal Data from Europe, for so long as FourKites is self-certified to the Privacy Shield Frameworks it shall continue to process Personal Data in compliance with the Privacy Shield Principles and notify Company if it makes a determination that it can no longer meet its obligations to provide the level of protection as is required by the Privacy Shield Principles.
- Alternative Transfer Mechanism. To the extent FourKites adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses or Privacy Shield Frameworks) for the transfer of Personal Data (“Alternative Mechanism“), the Alternative Transfer Mechanism shall apply instead of any transfer mechanism described in this DPA.
- Additional measures or safeguards. If and to the extent that a court of competent jurisdiction or supervisory authority orders that the measures described in this DPA cannot be relied on to lawfully transfer Personal Data to a country that does not ensure an adequate level of protection (within the meaning of Privacy Laws), FourKites may implement any additional measures or safeguards not described in this DPA to enable the lawful transfer of such Personal Data.
Definitions.
- “Europe” means for the purposes of this DPA, the European Economic Area (which comprises the member states of the European Union, Norway, Iceland and Liechtenstein), Switzerland and the United Kingdom.
- “European Privacy Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR“); (ii) the Data Protection Action 2018 and the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK Privacy Laws“); (iii) EU Directive 2002/58/EC on Privacy and Electronic Communications; (iv) any EU Member State or UK law made under or pursuant to items (i) – (iii); and (v) the Swiss Federal Data Protection Act (the “Swiss FDPA“), in each case as amended, superseded or replaced from time to time.
- “Personal Data” means any “personal information” or “personal data” as that term is defined in applicable Privacy Laws which is processed in connection with the Purpose, as more particularly described in Annex I to this DPA.
- “Privacy Laws” means all privacy and data protection laws applicable to the processing of Company Personal Data under this DPA, including without limitation where applicable: (i) European Privacy Laws; (ii) the Brazilian General Data Protection Law (Federal Law no. 13,709/2018 or “LGPD”; (iii) the Personal Data Protection Law of Argentina (Law No. 25.326/2000 or “PDPL”), (iv) the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable substantially similar provincial law in either Quebec, Alberta or British Columbia; and (v) any other data protection law solely to the extent applicable to FourKites’ processing of Company Data.
- “Privacy Shield Framework” means the EU-US and Swiss-US Privacy Shield self-certification programs operated by the U.S. Department of Commerce, which includes the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced);
- “Restricted Transfer” means a transfer of Personal Data that is subject to European Privacy Laws to a country that does not provide an adequate level of protection for Personal Data within the meaning of European Privacy Laws.
- “Standard Contractual Clauses” (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“); (ii) where UK Privacy Laws apply, the standard data protection clauses for processors adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs“); and (iii) where the Swiss FDPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioners (the “Swiss SCCs“); in each case as completed by the information set out in Section 5 and the Annexes to this DPA (as appropriate).
- “Sub-processor” means any third party engaged by FourKites or its Affiliates that processes Company Personal Data to assist in fulfilling FourKites’ obligations with respect to providing the Services pursuant to the Agreement. Sub-processors may include third parties or members of the FourKites Group but shall exclude any FourKites employee or consultant.
- The terms “controller”, “data subject“, “processor,” “processing“, “supervisory authority,” and “special categories of data/sensitive personal data” shall have the meanings given to them in Privacy Laws. If and to the extent that Privacy Laws do not define such terms, then the definitions given in the GDPR will apply.
Miscellaneous.
- Company acknowledges that FourKites may disclose the Agreement and any relevant privacy provisions to the U.S. Department of Commerce, the Federal Trade Commission, and/or the applicable supervisory authority(ies) upon request.
- Any claims brought under this DPA shall be subject to the Agreement, including but not limited to the exclusions and limitations of liability set forth in the Agreement. In no event shall any party exclude or limit its liability with respect to data subjects’ rights under this DPA (including the Standard Contractual Clauses) and/or Privacy Laws.
- If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.
- This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Privacy Laws.

Annex I Data Processing / Transfer Description

This Annex I forms part of the DPA and describes the processing that FourKites (as the Processor) will perform on behalf of Company (as the Controller).

A. LIST OF PARTIES

Data exporter(s):

	Name:	Company as defined in the DPA.
	Address:	The address for Company as specified in the Agreement.
	Contact person’s name, position and contact details:	The contact details for Company as specified in the Agreement.
	Activities relevant to the data transferred under these Clauses:	FourKites and Company share a Mutual Customer that has directly or indirectly through a Platform Partner engaged FourKites to assist it with enhancing its transportation operations. Company shares Company Personal Data with FourKites for the ultimate benefit of the Mutual Customer.
	Signature and date:	This Annex I shall automatically be deemed executed when the Agreement (which incorporates this DPA) is executed by Company.
	Role (controller/processor):	Controller

Data importer(s):

	Name:	FourKites, Inc.
	Address:	300 S Riverside PlazaSuite 850 Chicago, IL 60606 USA
	Contact person’s name, position and contact details:	General Counsel, Michelle Meller, [email protected]
	Activities relevant to the data transferred under these Clauses:	FourKites and Company share a Mutual Customer that has directly or indirectly through a Platform Partner engaged FourKites to assist it with enhancing its transportation operations. Company shares Company Personal Data with FourKites for the ultimate benefit of the Mutual Customer.
	Signature and date:	This Annex I shall automatically be deemed executed when the Agreement (which incorporates this DPA) is executed by FourKites.
	Role (controller/processor):	Processor

B. DESCRIPTION OF TRANSFER

	Module 2 (controller to processor transfers)
Categories of data subjects:	Company may submit Personal Data to FourKites, the extent of which is determined and controlled by the Company in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: Company personnel, including drivers transporting loads of the Mutual Customer and any of Company’s users authorized by Company to use the Platform.
Categories of personal data:	Company may submit Personal Data to FourKites, the extent of which is determined and controlled by Company in its sole discretion, and which may include, but is not limited to, location data (including GPS tracking information and EDI or other status updates); contact details: name, email address, telephone number and mobile telephone number; profession and job details (employer, job title); and vehicle license plate
Sensitive data transferred (if applicable) and applied restrictions or safeguards:	None
Frequency of the transfer:	Continuous
Nature of the processing:	FourKites and Company share a Mutual Customer that has directly or indirectly through a Platform Partner engaged FourKites to assist it with enhancing its transportation operations which includes automating certain aspects of its freight planning, managing, tracking and yard management capabilities.
Purpose(s) of the data transfer and further processing:	The purpose of processing is to allow for sharing of select Company Personal Data through the Platform for the ultimate benefit of the Mutual Customer. FourKites shall process Company Personal Data only for the limited and specified purposes under the Agreement and this DPA.
Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:	FourKites shall retain the Company Personal Data it receives under the Agreement in accordance with the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 SCCs):

The competent supervisory authority, in accordance with Clause 13 of the New EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.

Annex II: Technical and Organizational Security Measures

Description of the technical and organizational measures implemented by the Processor(s) / Data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

The technical and organizational security measures implemented by the data importer are set out in the table below.

Measure	Description
Measures of pseudonymisation and encryption of personal data	FourKites use encryption to protect personal data, both while in transit and while at rest. All data in transit is secured using HTTPS TLS 1.2 (or greater). FourKites also encrypts data at rest using the industry standard AES-256 algorithm. In practice, this means that data will not be intelligible to third parties.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	FourKites performs monthly user access review on all FourKites processing systems. An Infrastructure vulnerability assessment and penetration testing is performed to identify and remediate the vulnerabilities. A periodic disaster recovery test is performed to test the recovery point objectives (RPO) and recovery time objectives (RTO). In addition, a backup integrity test is performed to validate the data backup at least once annually.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	FourKites services and applications are primarily hosted in Amazon Web Services (AWS), specifically in AWS US-EAST-1 region (N. Virginia). AWS offers a reliable platform for software services used by thousands of businesses worldwide. AWS provides services in accordance with security best practices and undergoes industry-recognized certifications and audits (see aws.amazon.com/security/ for more information).A periodic disaster recovery test is performed to test the recovery point objectives (RPO) and recovery time objectives (RTO). In addition, a backup integrity test is performed to validate the data backup at least once annually.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing	FourKites has a dedicated internal audit team that conducts internal audits periodically to identify and assess any process deviations and to take any corrective actions to mitigate risks. In addition, and as mentioned above, FourKites undergoes an external Service Organization Controls 2 (SOC 2) Type II audit annually to evaluate the effectiveness of the security controls that have been designed and implemented.
Measures for user identification and authorisation	FourKites uses a combination of Virtual Private Network (VPN) with Multi-Factor Authentication (MFA) and Single Sign-On (SSO), to grant access to internal support tools, infrastructure and data where personal data resides. In addition, FourKites has defined a strong password policy that is strictly enforced, requiring all passwords to meet certain complexity requirements.
Measures for the protection of data during transmission	FourKites uses HTTPS with TLS 1.2 (or greater) to protect data in transit.
Measures for the protection of data during storage	FourKites uses industry standard AES-256 encryption to protect data at rest.
Measures for ensuring physical security of locations at which personal data are processed	FourKites is a 100% SaaS company, born in the cloud. Even though FourKites has a few limited office locations, there are no FourKites physical locations where personal data could be stored. All data is either stored in the cloud or with our SaaS providers that support our business (e.g. AWS, SalesForce, HRIS systems, etc.).For personal data from FourKites services and applications, Amazon controls the physical elements. To help customers better understand what controls AWS has in place and how effectively they are operating, AWS publishes on their website information surrounding their physical security and environmental controls (this can be found at aws.amazon.com/security/).
Measures for ensuring events logging	FourKites uses a centralized log aggregation system to consolidate and monitor logs from applications, platforms, cloud and other network devices. It is designed and set up in accordance with security best practices, including logging of access and any system configuration changes. The centralized logging system does not normally come in contact with personal data and is primarily focused on performance, user, and change management monitoring.
Measures for ensuring system configuration, including default configuration	FourKites performs periodic system configuration reviews on all processing systems to evaluate the configurations, services and default ports. Default configurations are flagged using automated monitoring using both ISO 27001 and CIS 1.3 benchmark checks.
Measures for internal IT and IT security governance and management	FourKites conducts periodic internal audits and an annual external SOC2 Type II audit to evaluate the effectiveness of security controls that are designed and implemented. In addition, FourKites conducts annual policy reviews and revisions, including both technical and administrative controls that are a part of FourKites Information Security Management Systems (ISMS) that is based upon the ISO 27001 framework.
Measures for certification/assurance of processes and products	FourKites undergoes each year an external SOC 2 Type II audit. This audit is focused on security to assess the effectiveness of security controls designed to protect personal and other types of data. In addition to the SOC 2 Type II audit, FourKites conducts continuous vulnerability testing at the a) endpoint, b) infrastructure & c) container level. We also employ data loss prevention (DLP) functionality at the infrastructure and endpoint level to prevent data leakage. Lastly, FourKites continually benchmarks our security program against ISO 27001, NIST 800-53, NIST CSF, and CIS 1.2/3 programs and take corrective actions as needed.
Measures for ensuring data minimisation	FourKites collects very minimal personal information and restricts access to any type of personal data. We use both preventative and monitoring controls to enforce technical and administrative policies. In addition, FourKites requires all employees to undergo privacy training and adherence to company policy.
Measures for ensuring data quality	All FourKites releases are rigorously tested and certified by a quality assurance (QA) team. The QA team uses automated test suites as well as manual testing techniques (including full regression testing) for all software releases.
Measures for ensuring limited data retention	FourKites retains customer data for one (1) year but also has the capability to retain customer data in an archive format, per customer requirements.
Measures for ensuring accountability	FourKites has controls implemented to monitor and track user activities, including flagging stale, misconfigured accounts or accounts that have excessive permissions.
Measures for allowing data portability and ensuring erasure	FourKites strictly prohibits the portability of data, and such prohibition is enforced through company policy and at the endpoint level. All the data will exist within the AWS cloud environment. For added security, FourKites restricts the use of USB ports, thumb drives and other portable drives / devices on employee laptops.