Data Processing Addendum

1. Definitions and Scope

1.1 Definitions. In this DPA: “Applicable Data Protection Law” means GDPR (EU 2016/679), UK GDPR, Swiss Federal Act on Data Protection, and any other applicable data protection or privacy legislation in force in the relevant jurisdiction from time to time. “Controller” means the Customer entity that determines the purposes and means of processing of personal data. “Processor” means FR8 Tech, which processes personal data on behalf of the Controller. “Personal Data” has the meaning given in Applicable Data Protection Law. “Processing” has the meaning given in Applicable Data Protection Law. “Sub-Processor” means any third party engaged by FR8 Tech to process Personal Data in connection with the Service. “SCCs” means the Standard Contractual Clauses adopted by the European Commission under GDPR, as amended from time to time.

1.2 Scope. This DPA applies to the processing of Personal Data by FR8 Tech in the course of providing the Service to Customer, as further described in Annex 1.

2. Processor Obligations (GDPR Art. 28)

2.1 Processing on instructions. FR8 Tech shall process Personal Data only on documented instructions from Customer, including as set out in the Terms of Service, this DPA, and any applicable Order Form, or as required by Applicable Data Protection Law. If FR8 Tech is required by law to process Personal Data in a manner not covered by Customer’s instructions, FR8 Tech shall inform Customer of that requirement before processing (unless prohibited by law on grounds of public interest).

2.2 Confidentiality of personnel. FR8 Tech shall ensure that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

2.3 Security measures. FR8 Tech shall implement and maintain the technical and organizational measures described in Annex 2 and as required by Applicable Data Protection Law.

2.4 Sub-processing. FR8 Tech shall not engage Sub-Processors except as permitted under Section 3 of this DPA.

2.5 Data subject rights. FR8 Tech shall assist Customer in responding to requests from data subjects exercising their rights under Applicable Data Protection Law, as described in Section 5.

2.6 Compliance assistance. FR8 Tech shall provide Customer with all information necessary to demonstrate compliance with GDPR Art. 28 and shall allow for and contribute to audits conducted by Customer or an auditor appointed by Customer, in accordance with Section 7.

3. Sub-Processing

3.1 Existing Sub-Processors. Customer grants FR8 Tech general written authorisation to engage the Sub-Processors listed in Annex 3 as of the effective date of this DPA.

3.2 New Sub-Processors. FR8 Tech shall give Customer at least 30 days’ prior written notice (by email to the account’s registered address or via an in-app notice) before adding or replacing any Sub-Processor. If Customer reasonably objects to a new Sub-Processor on data protection grounds, Customer must notify FR8 Tech in writing within 30 days of receiving notice. The parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the applicable subscription with a pro-rata refund for the unused period.

3.3 Sub-Processor obligations. FR8 Tech shall impose data protection obligations on each Sub-Processor equivalent to those set out in this DPA, including appropriate technical and organizational security measures. FR8 Tech remains liable to Customer for the performance of Sub-Processors’ obligations under this DPA.

4. International Transfers

4.1 Transfer mechanism. Where FR8 Tech transfers Personal Data from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of data protection, such transfers shall be made pursuant to the applicable SCCs (Module Two: Controller to Processor, or Module Three: Processor to Sub-Processor, as applicable), which are incorporated by reference into this DPA. The parties agree that the SCCs are completed as follows: Annex 1 of this DPA serves as Annex I of the SCCs; Annex 2 of this DPA serves as Annex II of the SCCs; FR8 Tech’s applicable supervisory authority is as identified in Annex 1.

4.2 UK transfers. For transfers of Personal Data from the UK, the parties adopt the International Data Transfer Addendum issued by the ICO (the “UK Addendum”), which supplements the SCCs. In the event of conflict between the SCCs and the UK Addendum, the UK Addendum prevails in relation to UK transfers.

5. Data Subject Rights Assistance

FR8 Tech shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures insofar as this is possible in fulfilling Customer’s obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law. FR8 Tech provides a self-service visitor privacy portal accessible at visitorflow.com/portal that Tenants may direct data subjects to for access, rectification, and deletion requests. For requests that cannot be handled via the portal, FR8 Tech will provide relevant Personal Data to Customer within 10 business days of a written request, to allow Customer to respond to the data subject within the statutory time limit.

6. Security and Incident Response

6.1 Security measures. FR8 Tech shall implement and maintain the technical and organizational security measures described in Annex 2, which are designed to ensure a level of security appropriate to the risks presented by the processing.

6.2 Personal data breach notification. FR8 Tech shall notify Customer without undue delay, and in any event within 48 hours of becoming aware, of any confirmed Personal Data Breach affecting Customer’s Personal Data. The notification shall include, to the extent known: (a) the nature of the breach; (b) the categories and approximate number of data subjects and Personal Data records affected; (c) the likely consequences; and (d) the measures taken or proposed to address the breach and mitigate its effects. FR8 Tech shall cooperate fully with Customer in any investigation and shall provide further information as it becomes available. Customer is solely responsible for notifying the relevant supervisory authority and affected data subjects in accordance with applicable law.

7. Audit Rights

7.1 SOC 2 in lieu of on-site audit. FR8 Tech shall, upon written request and under NDA, provide Customer with: (a) a copy of its most recent SOC 2 Type II report (when available; bridge letters available during interim periods); and (b) responses to a reasonable information security questionnaire. Provision of these documents shall satisfy Customer’s audit rights under GDPR Art. 28(3)(h) in respect of the period covered by the report.

7.2 On-site audits. Customer may request an on-site audit no more than once per calendar year upon 60 days’ prior written notice, at Customer’s expense, provided that: (a) the auditor is bound by an NDA; (b) the audit does not materially disrupt FR8 Tech’s operations; and (c) the parties agree on the scope and timing in advance. FR8 Tech may reasonably decline to grant access to systems or information unrelated to Customer’s Personal Data.

8. Return and Deletion of Data

Upon termination or expiry of the Terms of Service, and subject to the data export window described in Section 10.5 of the Terms of Service, FR8 Tech shall, at Customer’s election, return or delete all Personal Data (including copies held by Sub-Processors) within 30 days of Customer’s written request, except to the extent that applicable law requires retention for a longer period. FR8 Tech shall provide a written certification of deletion upon request. Nothing in this section prevents FR8 Tech from retaining anonymised or aggregated data that does not identify or allow identification of data subjects.

9. Term and Termination

This DPA remains in force for the duration of the Terms of Service and shall terminate automatically upon the termination or expiry of the Terms of Service. Obligations that by their nature should survive termination (including confidentiality, data deletion, and audit) shall survive accordingly.

10. Governing Law

This DPA is governed by the laws of the State of Delaware, United States, subject to any mandatory provisions of Applicable Data Protection Law that apply irrespective of the chosen governing law. For matters governed by the SCCs, the courts of the Republic of Ireland shall have non-exclusive jurisdiction as permitted by the SCCs.

Annex 1 — Subject Matter and Processing Details

A. Subject matter and duration. The processing covers Personal Data submitted to or generated through the VisitorFlow Service during the term of the agreement between Controller and Processor.

B. Nature and purpose of processing. The processing consists of collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission, and deletion of Personal Data, for the purpose of providing visitor, driver, and contractor management services at Controller’s facilities, including kiosk check-in, identity verification, NDA acknowledgement, health screening, PPE compliance, dock assignment, and access logging.

C. Types of Personal Data. The following categories of Personal Data are processed: full name; email address; telephone number; employer or company name; vehicle registration; identity document images (e.g., driver’s licence, national ID); self-portrait photographs; biometric identifiers derived from photographs (where enabled by Controller); electronic signatures; health screening declarations; visit history and access logs; bill of lading numbers and cargo documentation.

D. Categories of data subjects. Visitors to Controller’s facilities; drivers and carriers; contractors and temporary workers; employees of Controller whose data is captured in access logs or NDA records.

E. Supervisory authority. FR8 Tech’s lead supervisory authority for EU GDPR purposes is [to be confirmed — Irish DPC if EU representative is appointed in Ireland, otherwise the DPA of FR8 Tech’s EU establishment or representative].

Annex 2 — Technical and Organizational Measures

FR8 Tech implements the following technical and organizational measures, as described in greater detail on the Security page and SOC 2 readiness documentation:

Encryption. All Personal Data is encrypted at rest using AES-256, with per-tenant AWS KMS keys for high-sensitivity data categories (photographs, identity documents, biometric data). All data in transit is protected by TLS 1.3. Database-level and storage-level encryption is applied independently of application-layer encryption.

Access control. Access to production systems is restricted to authorised personnel on a need-to-know basis via role-based access control. Mandatory two-factor authentication (TOTP) is required for all administrative accounts. SAML SSO is available for Enterprise Tenants. Quarterly access reviews with automatic revocation of dormant accounts after 90 days are enforced.

Tenant isolation. All database queries are scoped to the active tenant context via a data-access layer; cross-tenant data exposure is prevented at the application layer. FR8 Tech staff access to Tenant data requires a signed impersonation token with a stated reason, which is persisted in the immutable audit log and displayed as a banner in the Tenant’s UI.

Audit and monitoring. An append-only audit log records every privileged mutation with actor identity, IP address, user agent, reason, and timestamp. Anomalous behavior generates real-time alerts via Sentry and Axiom. The log is exportable in CSV and JSON formats.

Vulnerability management. Annual third-party penetration testing. Security patches for critical vulnerabilities are targeted within 7 days of confirmation. A responsible disclosure program is maintained at security@visitorflow.com.

Business continuity. Multi-region backups with an RPO of 5 minutes and RTO of 1 hour. Quarterly restore drills. 24/7 on-call rotation. Live status at status.visitorflow.com.

Organizational measures. Information security policy and acceptable-use policy communicated to all staff. Annual security awareness training. Background checks for staff with production access. NDA with every employee and Sub-Processor. Change-management and incident-response runbooks reviewed bi-annually.

Annex 3 — Sub-Processors

The following Sub-Processors are authorised as at the last-updated date of this DPA. The canonical up-to-date list (including hosting region, data categories, and individual DPA links) is published at visitorflow.com/legal/sub-processors. This Annex is generated from the same source of truth.