Data Processing Agreement (DPA)
Last updated: July 2025
1. Introduction
This Data Processing Agreement (“DPA”) governs the processing of personal data by LoadFlow Logistics LLC (“LoadFlow”, “Processor”, “we”, or “us”) on behalf of its customers (“Customer”, “you”, or “Controller”) in connection with the services provided through the LoadFlow platform.
This DPA forms part of the LoadFlow Terms of Service and is designed to comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and other equivalent regulations, as applicable.
2. Parties to the Agreement
This Agreement is entered into by and between:
- LoadFlow Logistics LLC, a Wyoming-registered company located in the United States, acting as the Data Processor
- The Customer, who has entered into a subscription or service agreement with LoadFlow and is acting as the Data Controller
Both parties agree to comply with the terms and conditions of this DPA for the duration of their contractual relationship and in accordance with applicable data protection laws.
3. Scope and Purpose of Processing
LoadFlow shall process personal data on behalf of the Customer strictly for the following purposes:
- Provision of LoadFlow’s API services and dashboard functionality
- User account creation and secure authentication
- Usage tracking and billing management via integrated systems
- Providing customer support and SLA-related communications
LoadFlow shall not process Customer Data for any purpose other than the above, and shall not sell, repurpose, mine, or make available the Customer’s end-user data for marketing or profiling.
4. Categories of Personal Data Processed
The categories of personal data processed by LoadFlow on behalf of the Customer may include:
- Email address, name, and account identifiers of authorized users
- Usage data including IP address, request logs, and access timestamps
- API key identifiers and metadata
- Support request content and message metadata
- Billing identifiers (name, company, address) as submitted through Stripe
LoadFlow does not intentionally collect or process special category data (e.g., health data, religious beliefs, biometric information) and prohibits the Customer from submitting such data into the platform.
5. Nature of Processing
LoadFlow processes personal data automatically and programmatically as part of its API infrastructure. Processing activities include:
- Receiving and storing personal identifiers during account registration and login
- Recording access logs and API usage metadata for audit and abuse protection
- Integrating with third-party payment processors to fulfill billing obligations
- Responding to support tickets and operational communications initiated by the Customer
LoadFlow does not perform profiling, automated decision-making, or downstream enrichment using Customer Data.
6. Duration of Processing
LoadFlow shall retain and process Customer Data only for the duration of the contractual relationship. Upon cancellation, expiration, or termination of the service agreement:
- Customer account data will be deleted within 90 days
- API logs will be purged based on the rolling 90–180 day retention window
- Backup archives will be destroyed within 14–30 days after deletion
Earlier deletion may be requested in writing, subject to verification and technical feasibility. LoadFlow reserves the right to retain metadata necessary for fraud prevention or legal compliance where permitted by law.
7. Subprocessors
LoadFlow engages trusted subprocessors to support service delivery. These subprocessors are contractually bound by data protection obligations equivalent to those in this DPA. As of the last update, subprocessors include:
- Stripe, Inc. – Payment processing and invoicing
- Vercel, Inc. – Frontend hosting for LoadFlow’s customer dashboard
- DigitalOcean LLC – Backend infrastructure hosting and database storage
- Mailbox provider – Transactional and support email delivery
LoadFlow may update this list from time to time and will notify active customers of material changes. The Customer may object to a new subprocessor in writing within 15 days of notification, in which case LoadFlow will work in good faith to find an acceptable solution.
8. Data Subject Rights Assistance
LoadFlow will assist the Customer in fulfilling its obligations under applicable data protection laws in responding to data subject requests, including but not limited to:
- Access to stored personal data
- Correction or deletion of data held by LoadFlow
- Export of data in a structured, machine-readable format
- Restriction or objection to processing, where required by law
The Customer remains solely responsible for identifying and authenticating the data subject. LoadFlow will respond to verified data subject access requests within a commercially reasonable timeframe, not to exceed 30 days unless otherwise required by law.
9. Processor Obligations (LoadFlow)
As the Processor, LoadFlow agrees to:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process personal data are bound by confidentiality
- Implement appropriate technical and organizational measures to secure data
- Assist the Controller in fulfilling their data protection obligations where applicable
- Notify the Controller promptly if LoadFlow becomes aware of an instruction that violates data protection laws
- Maintain accurate records of processing activities, as required by law
- Ensure subprocessors are contractually obligated to GDPR-equivalent standards
LoadFlow shall not disclose, sell, or share Customer Data except as required to fulfill the service or comply with a lawful legal obligation.
10. Controller Obligations (Customer)
As the Controller, you agree to:
- Comply with all applicable data protection laws, including acquiring any necessary user consent
- Not submit special category data, biometric data, or sensitive personal data unless authorized in writing
- Maintain lawful grounds for processing any personal data routed through LoadFlow
- Use LoadFlow’s platform only as intended and within published technical constraints
- Notify LoadFlow promptly of any unauthorized access to or misuse of the platform
You are solely responsible for the lawfulness of the data you collect, store, and transmit via LoadFlow. LoadFlow disclaims liability for any data misuse, overcollection, or user surveillance performed by the Controller or its agents.
11. Data Security
LoadFlow implements technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of all data in transit using TLS 1.2 or higher
- Hashed and salted storage of passwords using bcrypt
- Least-privilege access controls for infrastructure and support systems
- Daily encrypted backups and restricted access to backup volumes
- Automated logging and anomaly detection for API access
For full technical details, please refer to our Security Policy. LoadFlow shall evaluate and improve its security controls as industry standards evolve or new risks are identified.
12. Personal Data Breach Notification
In the event of a personal data breach involving Customer Data, LoadFlow shall:
- Notify the Customer without undue delay, and no later than 72 hours after confirmation of the breach
- Provide details about the nature, scope, and affected data categories
- Describe remediation steps taken and risk mitigation efforts
- Assist the Customer in fulfilling their breach reporting obligations under applicable law
LoadFlow shall document all incidents internally and, upon request, share summaries with the Customer. The Customer is responsible for notifying their own users, regulators, or data protection authorities, unless agreed otherwise.
13. International Data Transfers
LoadFlow is headquartered and operated in the United States. By using LoadFlow services, the Customer authorizes LoadFlow to transfer and process personal data in the U.S. in accordance with this DPA.
Where required under applicable data protection laws, LoadFlow shall implement appropriate safeguards for international transfers, which may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Equivalent mechanisms approved under UK GDPR or Swiss DPA frameworks
- Data localization or regional routing for Enterprise plans (where available)
Customers who require supplementary measures or geographic processing restrictions must request such requirements in writing prior to onboarding. LoadFlow is not liable for data residency assumptions made without written agreement.
14. Data Return & Deletion
Upon termination of service, or at the Customer’s written request, LoadFlow shall:
- Export account metadata in a machine-readable format upon request
- Delete Customer Data from all production systems within 90 days of termination
- Delete encrypted backup data within 14–30 days of removal from production
LoadFlow may retain anonymized or aggregated usage metadata that does not identify individuals or organizations, solely for analytics and abuse prevention. All deletions are logged and subject to internal audit.
15. Audits & Inspection Rights
Upon written request and with at least 30 days’ notice, LoadFlow shall provide Customers with documentation sufficient to demonstrate compliance with this DPA, including:
- Policy overviews for data retention, breach response, and access controls
- Summarized audit logs (excluding sensitive user data)
- Descriptions of technical and organizational security measures
Physical audits, in-person inspections, or intrusion testing are not permitted unless required by law, regulator order, or written contractual agreement under a signed Enterprise plan. LoadFlow reserves the right to redact sensitive information in any shared materials.
16. Liability
Each party shall be liable for its own acts and omissions under this DPA and applicable data protection laws. LoadFlow shall not be liable for:
- Controller-side data misclassification, overcollection, or misuse
- Loss of data resulting from customer misconfiguration or unauthorized access
- Actions taken by third-party subprocessors acting in accordance with contracted roles
- Indirect, incidental, or consequential damages including lost revenue or goodwill
LoadFlow’s total cumulative liability under this DPA shall be limited to the total fees paid by the Customer in the 3-month period preceding the event giving rise to the claim, or $100, whichever is greater.
17. Indemnification
The Customer agrees to indemnify, defend, and hold harmless LoadFlow Logistics LLC, its officers, employees, contractors, and affiliates from and against any and all claims, damages, losses, costs, liabilities, and expenses (including legal fees) arising out of or relating to:
- Controller’s failure to comply with applicable data protection laws
- Use of LoadFlow services in violation of this DPA, the Terms of Service, or the API License Agreement
- Controller’s misuse, overcollection, or unauthorized disclosure of personal data
- Any third-party claim that LoadFlow’s processing on behalf of Controller violated a data subject’s rights due to Controller’s instruction or inaction
This indemnity survives the termination of this DPA and applies regardless of negligence or strict liability unless prohibited by applicable law.
18. Governing Law & Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the State of Wyoming, United States, without regard to conflict of law provisions.
Any dispute or claim arising under this DPA shall be resolved exclusively in the state or federal courts located in Laramie County, Wyoming. Each party irrevocably submits to the personal jurisdiction of those courts.
If either party initiates arbitration instead of litigation, the arbitration shall be conducted under the Commercial Arbitration Rules of the American Arbitration Association (AAA) in English, with one arbitrator seated in Wyoming. The prevailing party shall be entitled to reasonable legal fees and costs.
19. Termination
This DPA shall remain in effect for as long as the Customer maintains an active subscription or account with LoadFlow, and shall automatically terminate upon:
- Termination or expiration of the Master Subscription Agreement or Terms of Service
- Termination initiated by either party with thirty (30) days’ written notice
Termination of this DPA shall not relieve either party of obligations that, by their nature, survive termination. This includes obligations around confidentiality, data deletion, indemnification, and liability.
20. Contact & Legal References
For questions, data processing concerns, or legal inquiries, contact:
- Email: legal@loadflowlogistics.com
- Support Contact: support@loadflowlogistics.com
- Business Entity: LoadFlow Logistics LLC
- Jurisdiction: State of Wyoming, United States
This Data Processing Agreement is part of LoadFlow’s broader legal framework. Please also review: