Spoterix Spoterix

Data Processing Addendum (DPA)

Last updated: April 9, 2026

1. Parties and Roles

This DPA applies when customer acts as controller and [COMPANY_NAME] acts as processor for personal data processed through the platform.

2. Subject Matter and Duration

Processing covers hosted provision of the RFQ platform, support services, security operations, and data lifecycle handling for the duration of the service contract.

3. Nature and Purpose of Processing

  • Storage, organization, retrieval, comparison, and transmission of logistics procurement data.
  • User and permission management.
  • Security monitoring, audit logging, and incident handling.
  • Customer support and troubleshooting under documented instructions.

4. Types of Data and Data Subjects

Typical data subjects include customer users, supplier users, consignee contacts, and logistics business contacts referenced in RFQ workflows.

5. Processor Obligations

  • Process data only on documented customer instructions, unless legally required otherwise.
  • Ensure personnel confidentiality commitments.
  • Implement appropriate technical and organizational measures (TOMs).
  • Support customer in responding to data subject requests and supervisory requests.
  • Notify customer without undue delay of confirmed personal data breaches concerning customer data.

6. Annex A - Technical and Organizational Measures (TOMs)

  • Access control: role-based authorization, authentication checks, least-privilege assignment.
  • Transport security: encrypted transmission channels and secure endpoint configuration.
  • Integrity and availability: backup routines, logging, monitoring, and change traceability.
  • Confidentiality: restricted administrative access and controlled operational procedures.
  • Resilience: incident response processes and recovery playbooks.

7. Annex B - Subprocessor List

Current subprocessors and categories are maintained as part of service documentation and may include:

  • Hosting and infrastructure providers
  • Email delivery providers
  • Security logging/monitoring providers
  • Optional AI processing provider for document extraction (where feature is enabled)

We remain liable for subprocessor obligations to the extent required by law and contract.

8. Annex C - International Transfers

Where personal data is transferred outside Switzerland/EEA/UK, transfers rely on recognized mechanisms such as adequacy decisions and SCCs (as applicable).

9. Data Subject Request (DSR) Support

Customer remains primary contact for DSRs. Processor will provide reasonable support and technical assistance upon request.

10. Return and Deletion

Upon contract termination, customer data is returned or deleted according to contractual instructions and retention obligations under applicable law.

11. Contact

DPA contact: [DPO_CONTACT_EMAIL]