Data Processing Agreement

Effective Date: July 1, 2021

This Data Processing Agreement (“DPA”) is incorporated into the Agreement between FourKites and the Company governing the Company’s provision and FourKites use of the Company Personal Data where and only to the extent that Privacy Laws apply to the processing by FourKites as a processor of Personal Data that forms part of the Data (“Company Personal Data“). 

  1. Relationship of the parties. The parties agree that FourKites processes Company Personal Data as a processor on behalf of Company and FourKites shall process Company Personal Data only for the limited and specified purposes under the Agreement. FourKites shall process the Company Personal Data it receives under the Agreement in accordance with the Agreement and any relevant instructions, contracts or other agreements it has in place with any direct Mutual Customer(s) or for any indirect Mutual Customer of FourKites, it has in place with the applicable Platform Partner(s). With respect to direct Mutual Customers of FourKites, in the event that FourKites receives conflicting instructions from Company and any Mutual Customer relating to its processing of the Company Personal Data, FourKites will not take any action in respect of such instructions until it has received confirmation from both Company and the Mutual Customer as to the mutually agreed upon instruction. With respect to indirect Mutual Customers of FourKites, in the event that FourKites receives conflicting instructions from Company and the applicable Platform Partner relating to its processing of the Company Personal Data, FourKites will not take any action in respect of such instructions until it has received confirmation from both Company and the applicable Platform Partner as to the mutually agreed upon instruction.  Company acknowledges that FourKites is not obliged to resolve conflicting instructions and Company agrees it shall work with the Mutual Customer or the Platform Partner (as applicable) to resolve any conflicting instructions and provide a mutually agreed upon instruction to FourKites.
  2. Authorized Persons. Any person FourKites authorises to process Company Personal Data (an “Authorised Person“) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise), and shall not permit any person who is not under such a duty of confidentiality to process Company Personal Data.
  3. Audits. On written request from Company, FourKites shall provide written responses (on a confidential basis) to all reasonable requests for information made by Company related to its processing of Company Personal Data that are necessary to confirm FourKites’ compliance with this DPA.
  4. Sub processors. Company agrees that FourKites may engage sub-processors to process Company Personal Data on Company’s behalf to provide the Platform. A full list of the sub-processors currently engaged by FourKites and authorized by the Company are identified in the FourKites’ Sub-Processor Policy available in the Platform in the User Account. FourKites shall notify Company if it adds or removes any sub-processors by updating the list, and the Company may object in writing to the use of sub-processor on reasonable grounds relating to data protection by notifying FourKites within five calendar days. 
  5. Details of the data processing. 
    • Purpose of processing: FourKites and Company share a Mutual Customer that has directly or indirectly through a Platform Partner engaged FourKites to assist it with enhancing its transportation operations which includes automating certain aspects of its freight planning, managing, tracking and yard management capabilities.   The purpose of processing is to allow for sharing of select data through the Platform for ultimate benefit of the Mutual Customer.
    • Type of data: Data may include location data (including GPS tracking information and EDI or other status updates); contact details: name, email address, telephone number and mobile telephone number; profession and job details (employer, job title) and vehicle license plate.
    • Categories of data subjects: The data subjects may include Company personnel, including drivers transporting loads of the Mutual Customer and any of Company’s users authorized by Company to use the Platform.
  6. Company Obligations. Company agrees that it shall comply with its obligations under Privacy Laws with respect to the Company Personal Data, including,
    • Company shall have sole responsibility for determining the types of Personal Data and categories of data subjects it provides to FourKites under the Agreement, ensuring the accuracy, quality, and legality of Company Personal Data. 
    • Company shall ensure all Company Personal Data it provides to FourKites under the Agreement shall be collected and transferred to FourKites in accordance with Privacy Laws. For the avoidance of doubt, it shall be Company’s responsibility to (i) ensure it provides a notice to the data subjects of the privacy policy it applies to the Company Personal Data, which shall comply with Privacy Laws including in particular any processing information requirements relating to the processing of the Company Personal Data by FourKites and (ii) to ensure it has a legal basis for the processing  of the Company Personal Data by FourKites.
  7. International data transfers. 
    • Location of Processing. Company Personal Data that FourKites processes under the Agreement may be processed in any country in which FourKites, its Affiliates and authorized Sub-processors maintain facilities to perform the Services. As of the Effective Date this includes the USA, the Netherlands, Poland, the United Kingdom, Germany, Australia, India, Singapore, Philippines, Japan, Mexico and Brazil.  
    • Transfer Mechanism.
      • Europe. To the extent Company shall transfer to FourKites Company Personal Data protected by Privacy Laws applicable to Europe, FourKites agrees to abide by and process Company Personal Data protected by Privacy Laws of Europe in accordance with the Standard Contractual Clauses, which are incorporated by reference and form part of this Agreement. For the purposes of the Standard Contractual Clauses, the parties agree that (i) FourKites shall be the “data importer” and Company shall be the “data exporter”; (ii) Appendix 1 and Appendix 2 to the Standard Contractual Clauses shall be deemed to include the information in Section 5 and the Data Security section of the Agreement; and (iii) if and to the extent the Standard Contractual Clauses conflict with any provision of this Agreement (including this DPA) the Standard Contractual Clauses shall apply to the extent of such conflict. The parties acknowledge that Clause 10 of the Standard Contractual Clauses permits them to include additional business-related terms provided they do not contradict with the Standard Contractual Clauses. The parties agree that: (i) for the purposes of Clause 5(a) and Clause 5(b) of the Standard Contractual Clauses, if FourKites cannot ensure compliance with the Standard Contractual Clauses it shall promptly inform Company and Company shall provide FourKites with a reasonable period of time to cure the non-compliance, during which time FourKites and Company shall reasonably cooperate to agree what additional safeguards or measures, if any, may be reasonably required, and Company shall be entitled to suspend the transfer of data and/or terminate the Agreement in the event FourKites has not or cannot cure the non-compliance before the end of the cure period; (ii) for the purposes of Clause 5(f) of the Standard Contractual Clauses, audits shall be performed in accordance with Section 3 of this DPA; (iii) for the purpose of Clause 11 of the Standard Contractual Clauses, Company consents to FourKites appointing sub processors in accordance with Section 4 of this DPA; and (iv) for the purposes of Clause 6 of the Standard Contractual Clauses, any claims brought under or in connection with the Standard Contractual Clauses shall be subject to the exclusions and limitations of liability set forth in the Agreement.
      • Brazil. To the extent applicable to Brazil, international transfer shall also follow the standard provisions of the LGPD, and instructions to be specified, updated, amended, replaced or superseded from time to time by the applicable regulatory authority or, in the lack of instructions from such authority, Company shall follow the Standard Contractual Clauses as set forth in Section 7(a)(i).
      • Argentina. To the extent applicable to Argentina, international transfers shall also follow the standard provisions of the PDPL, and all instructions (as specified, updated, amended, replaced or superseded) by the applicable Argentinean regulatory authority. Company will follow the Model Clauses as set forth in Section 7(a)(i), which contains the principles, guarantees and content related to the protection of personal data provided for in the standard contractual models approved by the Argentinean regulatory authority.
      • Hong Kong, Japan, Malaysia, Singapore, Taiwan, Thailand, The Philippines. To the extent Company shall transfer to FourKites Company Personal Data protected by Privacy Laws applicable to Chile, Colombia, Mexico, Panama, Peru, Uruguay, Hong Kong, Japan, Malaysia, Singapore, Taiwan, Thailand or the Philippines, Company confirms that it has given all necessary notices, and obtained all necessary consents, and undertaken such other compliance steps, each in accordance with applicable Privacy Laws to transfer the Company Personal Data to FourKites, and to enable the collection, use, disclosure, overseas transfer and other processing of the Company Personal Data by FourKites and its permitted Sub-processors and other transferees, as described or anticipated in this DPA.
    • Privacy Shield Frameworks. Although FourKites does not rely on the Privacy Shield Frameworks as a legal basis for transfers of Personal Data from Europe, for so long as FourKites is self-certified to the Privacy Shield Frameworks it shall continue to process Personal Data in compliance with the Privacy Shield Principles and notify Company if it makes a determination that it can no longer meet its obligations to provide the level of protection as is required by the Privacy Shield Principles.
    • Alternative Transfer Mechanism. To the extent FourKites adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses or Privacy Shield Frameworks) for the transfer of Personal Data (“Alternative Mechanism“), the Alternative Transfer Mechanism shall apply instead of any transfer mechanism described in these Terms and Conditions.
    • Additional measures or safeguards. If and to the extent that a court of competent jurisdiction or supervisory authority orders that the measures described in these Terms and Conditions cannot be relied on to lawfully transfer Personal Data to a country that does not ensure an adequate level of protection (within the meaning of Privacy Laws), FourKites may implement any additional measures or safeguards not described in these Terms and Conditions to enable the lawful transfer of such Personal Data.
  8. Definitions.
    • Europe” means for the purposes of this DPA, the European Economic Area (which comprises the member states of the European Union, Norway, Iceland and Liechtenstein), Switzerland and the United Kingdom.
    • Personal Data” means any “personal information” or “personal data” as that term is defined in applicable Privacy Laws which is processed in connection with the Purpose, as more particularly described in Section 5 above.
    • Privacy Laws” means privacy and data protection laws applicable to the processing of Company Personal Data under this DPA, including without limitation where applicable: (i) the EU Regulation 2016/679 (the “GDPR“); (ii)  Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data privacy as a consequence of the United Kingdom leaving the European Union; (v) the Brazilian General Data Protection Law (Federal Law no. 13,709/2018 or “LGPD”); (vi) the Personal Data Protection Law of Argentina (Law No. 25.326/2000 or “PDPL”) and (vii) any other data protection law solely to the extent applicable to FourKites’ processing of Company Data.
    • Privacy Shield Framework” means the EU-US and Swiss-US Privacy Shield self-certification programs operated by the U.S. Department of Commerce, which includes the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced); 
    • Standard Contractual Clauses” means the standard contractual clauses for processors approved pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 and available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087; as amended, superseded or replaced from time to time.
  9. Miscellaneous. 
    • Company acknowledges that FourKites may disclose the Agreement and any relevant privacy provisions to the U.S. Department of Commerce, the Federal Trade Commission, and/or the applicable EEA, UK, Swiss or Brazil supervisory authority(ies) upon request. 
    • Any claims brought under this DPA shall be subject to the Agreement, including but not limited to the exclusions and limitations of liability set forth in the Agreement.
    • If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.
    • This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Privacy Laws.

Start enhancing your supply chain today.

The road to stronger global supply chain management starts with FourKites. Contact our team to learn more.