Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and P4 Software, a division of Grupo Barrdega ("Processor," "we," "us," or "our") and governs the processing of Personal Data in accordance with the EU General Data Protection Regulation (GDPR) 2016/679 and other applicable data protection laws.

This DPA applies when P4 Software processes Personal Data on behalf of the Customer in connection with P4 Customs services.

2. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person as defined in the GDPR.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Data Subject" means the individual to whom the Personal Data relates.
• "Sub-processor" means any third party appointed by P4 Software to process Personal Data.
• "Data Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.

3. Scope of Processing and Roles

3.1 Roles

The parties acknowledge and agree that with regard to the processing of Personal Data:

• Customer is the Data Controller
• P4 Software is the Data Processor

3.2 Subject Matter of Processing

P4 Software will process Personal Data necessary to provide customs management services, including:

• Customs clearance documentation
• Bonded warehouse management data
• Trade compliance records
• User account information
• Transaction and audit logs

3.3 Nature and Purpose

The nature of processing includes storage, retrieval, consultation, use, disclosure by transmission, and erasure of Personal Data. The purpose is to provide cloud-based customs management software services as described in our Terms of Service.

3.4 Categories of Data Subjects

Data Subjects may include:

• Customer's employees and authorized users
• Customer's customers and business contacts
• Individuals named in customs documentation
• Importers and exporters

3.5 Categories of Personal Data

Types of Personal Data processed may include:

• Name, email address, phone number
• Job title and company information
• IP address and device identifiers
• Login credentials (encrypted)
• Business and commercial information
• Shipping and customs documentation data

4. Processor's Obligations

P4 Software shall:

• Process Personal Data only on documented instructions from the Customer, unless required by EU or Member State law
• Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (as described in Section 6)
• Only engage Sub-processors with prior written consent from the Customer (general or specific)
• Assist the Customer in responding to Data Subject requests to exercise their rights under the GDPR
• Assist the Customer in ensuring compliance with GDPR obligations regarding security, breach notifications, and data protection impact assessments
• Delete or return all Personal Data to the Customer after termination of services, unless EU or Member State law requires storage
• Make available all information necessary to demonstrate compliance with this DPA and allow for audits

5. Data Subject Rights

P4 Software shall assist the Customer in fulfilling Data Subject requests to exercise the following rights:

• Right of Access: Right to obtain confirmation of Personal Data processing
• Right to Rectification: Right to correct inaccurate Personal Data
• Right to Erasure ("Right to be Forgotten"): Right to deletion of Personal Data
• Right to Restriction of Processing: Right to limit how Personal Data is used
• Right to Data Portability: Right to receive Personal Data in a structured format
• Right to Object: Right to object to certain types of processing

Upon receiving a Data Subject request, P4 Software will notify the Customer within 48 hours and provide necessary assistance to respond within the GDPR's 30-day deadline.

6. Security Measures

P4 Software implements the following technical and organizational measures to protect Personal Data:

6.1 Technical Measures

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC), multi-factor authentication
• Network Security: Firewalls, intrusion detection systems, regular vulnerability scans
• Data Backup: Automated daily backups with 30-day retention, encrypted backup storage
• Logging and Monitoring: Comprehensive audit logs, real-time security monitoring

6.2 Organizational Measures

• Staff Training: Regular data protection and security awareness training
• Confidentiality Agreements: All staff sign confidentiality and data protection agreements
• Incident Response: Documented procedures for detecting, reporting, and responding to data breaches
• Third-Party Management: Due diligence and contractual protections for Sub-processors
• Regular Audits: Annual third-party security audits and penetration testing

6.3 ISO 27001 Alignment

Our security practices align with ISO/IEC 27001:2013 information security management standards, although formal certification is in progress.

7. Data Breach Notification

In the event of a Personal Data breach, P4 Software shall:

• Notify the Customer without undue delay and no later than 48 hours after becoming aware of the breach
• Provide the following information:
  • Nature of the breach, including categories and approximate number of affected Data Subjects and records
  • Contact point for more information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects
• Cooperate with the Customer to investigate and remediate the breach
• Document all breaches in accordance with GDPR Article 33(5)

8. Sub-processors

8.1 Authorization

The Customer provides general authorization for P4 Software to engage Sub-processors. P4 Software maintains a current list of Sub-processors on our website.

8.2 Current Sub-processors

P4 Software currently uses the following Sub-processors:

• Microsoft Azure: Cloud hosting and infrastructure (data centers in EU and US)
• Amazon Web Services (AWS): Backup and disaster recovery services
• SendGrid: Email delivery services

8.3 New Sub-processors

P4 Software will notify the Customer at least 30 days before engaging a new Sub-processor. If the Customer objects on reasonable grounds, P4 Software will either not engage the Sub-processor or provide an alternative solution.

8.4 Sub-processor Obligations

P4 Software ensures that Sub-processors are bound by data protection obligations equivalent to those in this DPA. P4 Software remains liable for Sub-processors' compliance.

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States and Panama.

For transfers to countries without an EU adequacy decision, P4 Software implements the following safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Additional security measures including encryption and access controls
• Transfer Impact Assessments to ensure adequate protection
• Hosting in EU data centers where feasible

10. Data Retention and Deletion

10.1 Retention Period

P4 Software will retain Personal Data only for as long as necessary to provide the Service or as required by law.

10.2 Deletion on Termination

Upon termination of the Service agreement, P4 Software will:

• Provide the Customer with 30 days to export all Personal Data
• Delete or return all Personal Data (at Customer's choice) within 90 days of termination
• Certify deletion in writing upon request
• Retain only what is legally required by applicable law

11. Audits and Inspections

P4 Software shall make available to the Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

Audits shall be:

• Conducted no more than once per year unless there is evidence of non-compliance
• Scheduled with at least 30 days' notice
• Conducted during business hours in a manner that does not unreasonably interfere with operations
• Subject to confidentiality obligations
• At the Customer's expense

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. The parties acknowledge that:

• GDPR provides for administrative fines that can be imposed on both Controllers and Processors
• P4 Software is liable only for damages caused by processing that does not comply with GDPR obligations specific to Processors or where it acted outside or contrary to lawful instructions from the Customer
• P4 Software is not liable where it proves the event giving rise to damage is not attributable to it

13. Duration and Termination

This DPA shall remain in effect for as long as P4 Software processes Personal Data on behalf of the Customer. The DPA will automatically terminate upon cessation of all processing and deletion/return of all Personal Data as described in Section 10.

14. Governing Law and Jurisdiction

This DPA is governed by the same law as the Terms of Service. However, in the event of conflict between this DPA and the GDPR, the GDPR shall prevail.

Data Subjects in the EU have the right to lodge complaints with their local Data Protection Authority.

15. Contact for Data Protection Matters

For any data protection questions or to exercise your rights under this DPA, please contact:

• Data Protection Officer: dpo@p4.software
• Email: sales@p4.software
• Phone: +507-209-6996
• Website: p4.software