Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") forms part of the Terms of Service between MS Consolidated Pty Ltd (ACN 688 688 011) as trustee for the MS Trust (ABN 20 330 986 807), trading as TrakOps ("Processor", "we") and the customer identified in the applicable subscription ("Controller", "you"), and applies where we process personal data contained in Customer Data on your behalf and the GDPR, UK GDPR, or similar law applies.
1. Roles and scope
1.1 You are the controller (or a processor acting for another controller) of personal data within Customer Data; we are your processor. We are an independent controller of account, billing, and usage data as described in our Privacy Policy.
1.2 Details of processing (Annex 1):
- *Subject matter and nature:* hosting, storage, computation, backup, and display of Customer Data via the TrakOps SaaS platform.
- *Duration:* the subscription term plus the deletion periods in the Terms of Service.
- *Purpose:* provision of the Service under the Terms of Service.
- *Data subjects:* your personnel, drivers, contractors, and other individuals whose personal data you include in Customer Data.
- *Categories of data:* as determined by you; typically identification and professional data embedded in engineering files, telemetry, and project records. You must not upload special category data unless agreed in writing.
2. Our obligations
We will: (a) process personal data only on your documented instructions (the Terms of Service and your use of the Service constitute instructions), unless required by law, in which case we will inform you unless prohibited; (b) ensure persons authorised to process the data are bound by confidentiality; (c) implement appropriate technical and organisational measures per Article 32 GDPR, as described in Annex 2 (Security & Confidentiality Statement); (d) assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your obligations under Articles 32–36 (security, breach notification, DPIAs); (e) notify you without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting your Customer Data, providing information reasonably required for your own notification obligations; (f) at your choice, delete or return personal data at the end of the Service per the Terms of Service, unless law requires retention; and (g) make available information necessary to demonstrate compliance and allow audits per clause 5.
3. Subprocessors
3.1 You authorise the subprocessors listed in Annex 3. We will give at least 30 days' notice of any addition or replacement; you may object on reasonable data-protection grounds, and if we cannot resolve the objection you may terminate the affected services with a pro-rata refund.
3.2 We impose data protection obligations on subprocessors no less protective than this DPA and remain liable for their performance.
4. International transfers
Customer Data is hosted with Supabase in Tokyo, Japan (which benefits from an EU adequacy decision), with other subprocessors operating in the United States. Where processing involves transfer of EU/UK personal data to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2: controller-to-processor) and the UK Addendum/IDTA as applicable, with the annexes above supplying the required information. [Confirm transfer mechanisms with counsel.]
5. Audit
No more than once per year (or following a material breach), you may audit our compliance with this DPA by reviewing our then-current security documentation and completed security questionnaires. Where these are insufficient to demonstrate compliance, you may conduct an audit on reasonable notice, during business hours, under confidentiality, at your cost, and without access to other customers' data.
6. Liability and order of precedence
Liability under this DPA is subject to the limitations in the Terms of Service, except where prohibited by law. If this DPA conflicts with the Terms of Service regarding processing of personal data, this DPA prevails.
Annex 1: Details of processing (clause 1.2)
Annex 2: Security measures — see Security & Confidentiality Statement
Annex 3: Approved subprocessors:
- Supabase, Inc. — database and file storage — Tokyo, Japan (AWS ap-northeast-1)
- Vercel Inc. — application hosting — United States / global edge
- Stripe, Inc. — payment processing — United States
- Resend (Plus Five Five, Inc.) — transactional email — United States
- Anthropic, PBC — AI feature processing — United States