Data processing agreement (DPA)
The GDPR Article 28 contract between you (controller) and us (processor), published in full so your due diligence never waits on anyone. If your legal team needs a signed copy, ask us and we will send it countersigned.
1. Parties and subject matter
This data processing agreement ("DPA") forms part of theterms and conditions of service and is entered into between the customer of the service (the "Controller") andDeCA Platform (the "Processor"). It governs the processing of personal data the Processor carries out on the Controller's behalf to provide the service of issuing, managing and safekeeping electronic transport documents, in accordance with Regulation (EU) 2016/679 ("GDPR") and Spanish Organic Law 3/2018 ("LOPDGDD").
2. Duration
This DPA applies for as long as the service contract is in force and, after termination, for as long as the Processor retains the Controller's personal data under clause 9 (including the legal custody of issued documents, of at least 1 year from issuance).
3. Nature and purpose of the processing
Automated processing consisting of the collection, recording, structuring, storage, alteration, retrieval, disclosure (to transport inspection authorities and to the persons with whom the Controller shares the documents), backup and erasure of the personal data contained in transport documents and in the Controller's master data, for the sole purpose of providing the service described in the terms.
4. Data types and categories of data subjects
- Categories of data subjects: drivers; contact persons of shippers, carriers, operators and consignees; the Controller's users; where applicable, document signatories.
- Data types: identification and contact data (name, tax ID, email, phone, address), professional data (company, role), vehicle plates and vehicle data, transport operation data (origin, destination, dates, goods) and activity records on documents (events, access logs, acknowledgements).
- No special categories of data (GDPR Art. 9) are intended to be processed. The Controller undertakes not to include them in documents.
5. Obligations of the Processor
The Processor undertakes to:
- Process the data only on documented instructions from the Controller, the primary instruction being the configuration and use of the service itself. If the Processor considers an instruction infringes data protection law, it will immediately inform the Controller.
- Ensure that persons authorised to process the data are bound by a contractualduty of confidentiality.
- Implement the technical and organisational measures of Annex II (GDPR Art. 32).
- Assist the Controller, taking into account the nature of the processing: (a) in responding to data subjects' rights requests, forwarding without delay any request received; and (b) in complying with the obligations of GDPR Arts. 32 to 36 (security, breach notification, impact assessments), with the information at its disposal.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it, with reasonable notice, during business hours and without access to other customers' data. The published documentation (this page, the security pageand the trust page) is the first layer of that transparency.
- Maintain a record of processing activities carried out on behalf of the Controller (GDPR Art. 30(2)).
- Not disclose the data to third parties except on the Controller's instruction (including making documents available to transport inspection authorities, which is inherent to the service) or under a legal obligation, in which case it will inform the Controller before processing unless the law prohibits it.
6. Subprocessors
- The Controller grants a general authorisation to engage the subprocessors listed in Annex III, which is the same list published on thetrust page.
- The Processor will give notice of any addition or replacementat least 30 days in advance (publication on the website and email to account administrators). The Controller may object on reasonable data-protection grounds; if no alternative solution exists, it may terminate the contract without penalty before the change takes effect.
- The Processor imposes on each subprocessor, by contract, obligations equivalent to those of this DPA, and remains liable to the Controller for its subprocessors' compliance.
7. International transfers
Primary storage (database and documents) takes place in the European Union. Where a subprocessor is established outside the European Economic Area or may access data from outside it, the transfer relies on an adequacy decision (including the EU-U.S. Data Privacy Framework, where applicable) or on the European Commission's Standard Contractual Clauses, as detailed in Annex III.
8. Personal data breach notification
The Processor will notify the Controller, without undue delay and no later than 72 hours after becoming aware, of any security breach affecting personal data processed on its behalf, including the information under GDPR Art. 33(3) available to it (nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed), supplementing it as the investigation progresses. Contact channel:security@deca.example.
9. Deletion and return at the end of the service
Upon termination, the Controller can export its data from the panel. At the Controller's choice, the Processor will delete or return the personal data and delete existing copies, with two exceptions: (a) issued transport documents, which remain available for download during the custody period required by transport regulations (at least 1 year from each document's issuance), and (b) data whose retention is required by Union or Spanish law, which will be blocked until the corresponding period ends.
10. Liability and Controller undertakings
The Controller warrants that it has a legal basis for the data it enters into the service, that it has informed data subjects where required, and that its instructions are lawful. Each party is liable for the fines and compensation arising from its own breaches of the GDPR, in accordance with GDPR Art. 82.
Annex I — Description of the processing
| Subject matter | Issuing, managing, communicating and safekeeping electronic transport documents |
| Duration | The service contract term + the documents' legal custody period |
| Nature and purpose | Clause 3 of this DPA |
| Data and data subjects | Clause 4 of this DPA |
Annex II — Technical and organisational measures (GDPR Art. 32)
- Encryption in transit (TLS ≥ 1.2 on all services) and at rest (AES-256).
- Multi-tenant isolation enforced through row-level security (RLS) policies in the database engine itself.
- Append-only operation log with a verifiable SHA-256 hash chain (integrity and traceability of every action on documents).
- Role-based access control; scoped API keys, rotatable and revocable; keys stored only as hashes.
- Automatic daily backups and a documented restore procedure.
- Support access is logged and audited; staff never access customer keys.
- Outgoing webhooks signed (HMAC-SHA256) so customers can verify origin.
- Extended, up-to-date description on thesecurity page.
Annex III — Authorised subprocessors
| Subprocessor | Service | Data processed | Location | Safeguards |
|---|---|---|---|---|
| Cloudflare, Inc. | Delivery network (edge/CDN), public inspection download service and PDF storage (R2) | Transport document PDFs and technical access logs | Global network; data storage configured in the EU | DPA with Standard Contractual Clauses (SCCs) and EU-U.S. Data Privacy Framework certification |
| Supabase, Inc. (sobre AWS) | Database and panel user authentication | Account data, master data (customers, vehicles, drivers) and document data | EU region (AWS data centre in the European Union) | DPA with SCCs; data remains in the selected EU region |
| Stripe, Inc. | Payment processing and billing | Billing and payment data (card data is handled by Stripe only) | EU / USA | DPA with SCCs and EU-U.S. Data Privacy Framework certification |
| Resend, Inc. | Transactional email delivery (driver links, alerts, notifications) | Recipient email addresses and notification content | USA / EU | DPA with SCCs |