Legal · Privacy

Data Processing Addendum

Last Modified: November 28, 2025

This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Customer and Logixboard titled the Master Services Agreement or other written agreement for the provision of Services (the “Agreement”). In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail to the extent of such conflict.

01Definitions

1.1 In this DPA:

  • Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meanings given to them in the GDPR;
  • Customer Personal Data” means any Customer Data (as defined in the Agreement) that constitutes Personal Data, the Processing of which is subject to Data Protection Laws, for which Customer or Customer’s customers are the Controller, and which is Processed by Logixboard to provide the Services;
  • Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland, the UK General Data Protection Regulation and the UK Data Protection Act 2018, each as applicable, and as may be amended or replaced from time to time;
  • Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Laws;
  • International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;
  • Services” means the services provided by Logixboard to Customer under the Agreement;
  • Subprocessor” means a Processor engaged by Logixboard to Process Customer Personal Data; and
  • SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as amended or replaced from time to time;
  • UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).

1.2Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.

02Scope and Applicability

2.1This DPA applies to Logixboard’s Processing of Customer Personal Data to provide the Services.

2.2The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix 1 (Description of Processing).

2.3Customer is a Controller and appoints Logixboard as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers, including, where applicable, the obligation to provide Data Subjects with sufficient notice and to obtain all necessary consents.

2.4Customer acknowledges that Logixboard may Process certain personal data relating to the operation, support, or use of the Services for its own business purposes (for example, billing, account management, security, product improvement, and compliance with law). For such Processing, Logixboard acts as an independent Controller and will Process such data in accordance with Data Protection Laws and its Privacy Policy.

2.5The Services are not designed to receive or store Protected Health Information (“PHI”) or other special categories of personal data (as defined under Data Protection Laws), and Customer agrees not to submit, transmit, or process such data through the Services. Customer will ensure that Customer Personal Data provided to Logixboard excludes PHI and special category personal data.

03Instructions

3.1Logixboard will Process Customer Personal Data only: (a) to provide the Services; (b) as documented in this DPA and the Agreement; and (c) in accordance with Customer’s documented instructions, unless otherwise required by applicable law.

3.2Customer’s instructions are documented in this DPA, the Agreement, any applicable order form or statement of work, and Customer’s configuration of the Services.

3.3Customer may reasonably issue additional documented instructions as necessary to comply with Data Protection Laws. If Logixboard considers such instructions to go beyond the scope of the Services or this DPA, Logixboard may charge a reasonable fee or refuse to follow such instructions.

3.4Unless prohibited by applicable law, Logixboard will inform Customer if Logixboard is subject to a legal obligation that requires Logixboard to Process Customer Personal Data in contravention of Customer’s documented instructions.

04Personnel

4.1Logixboard will ensure that persons authorized to Process Customer Personal Data are subject to an appropriate obligation of confidentiality.

05Security and Personal Data Breaches

5.1Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risks for Data Subjects, Logixboard will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Appendix 2 (Security Measures).

5.2Customer acknowledges that the security measures in Appendix 2 are appropriate in relation to the risks associated with Customer’s intended Processing of Customer Personal Data through the Services. Customer will notify Logixboard prior to any intended Processing for which Logixboard’s security measures may not be appropriate.

5.3Logixboard will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. Where reasonably possible, such notice will include details of the nature of the breach, the categories and approximate number of affected Data Subjects, likely consequences, and any measures taken or proposed to address the breach. If such information cannot be provided at the same time, Logixboard may provide it in phases without undue further delay.

06Subprocessing

6.1Customer hereby authorizes Logixboard to engage Subprocessors to Process Customer Personal Data. A list of Logixboard’s current Subprocessors is set out in Appendix 0 (Subprocessors) and may be updated from time to time.

6.2Logixboard will enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those set out in this DPA as required by Data Protection Laws.

6.3Logixboard will notify Customer (for example, via email, the Services, or posting on Logixboard’s website) before authorizing any new Subprocessor to Process Customer Personal Data. Customer may object to the addition of a Subprocessor on reasonable grounds relating to data protection by providing written notice to Logixboard within thirty (30) days of the notification. Customer and Logixboard will work together in good faith to address Customer’s objection. If Logixboard chooses to retain the Subprocessor, Logixboard will notify Customer, and Customer may discontinue use of the affected Services and terminate the affected portion of the Services within thirty (30) days. Logixboard will refund any prepaid, unused fees for the terminated portion of the Services.

07Assistance

7.1Taking into account the nature of the Processing and the information available to Logixboard, Logixboard will provide reasonable assistance to Customer in fulfilling Customer’s obligations under Data Protection Laws, including to:

  • respond to requests to exercise Data Subject Rights;
  • conduct data protection impact assessments;
  • consult with Supervisory Authorities where required; and
  • notify Personal Data Breaches.

7.2Logixboard will maintain records of Processing of Customer Personal Data as required by Data Protection Laws.

7.3Logixboard may charge a reasonable fee for assistance under this Section 7 to the extent such assistance is not already included in the Services. If Logixboard is at fault for the event giving rise to the assistance, each party will bear its own costs.

08Audit

8.1Upon reasonable request and subject to reasonable confidentiality obligations, Logixboard will make available to Customer information reasonably necessary to demonstrate Logixboard’s compliance with its obligations under this DPA. This may include most recent third-party certifications or audit reports (such as SOC 2 Type II).

8.2Where such reports do not provide sufficient information, Customer (or an independent auditor mandated by Customer, not a competitor of Logixboard) may conduct an on-site audit or inspection of Logixboard’s facilities and systems that Process Customer Personal Data, no more than once per year, during normal business hours, with reasonable advance notice, and in a manner that does not unreasonably interfere with Logixboard’s operations. The scope of any audit will be agreed in advance.

8.3If Logixboard believes an audit request infringes Data Protection Laws or any other customers’ rights, Logixboard may suspend the audit or withhold information until Customer and Logixboard have modified the scope of the audit to be lawful and appropriate.

8.4Each party will bear its own costs related to an audit, and Customer will reimburse Logixboard for any time spent by Logixboard, at Logixboard’s then-current professional services rates, unless the audit reveals a material breach of this DPA.

09International Data Transfers

9.1As of the effective date of this DPA, Logixboard does not intentionally perform International Data Transfers of Customer Personal Data from the EEA, Switzerland, or the United Kingdom to third countries in connection with the Services. If Customer instructs Logixboard to Process Customer Personal Data in a manner that involves International Data Transfers, this Section 9 will apply.

9.2To the extent an International Data Transfer occurs and no adequacy decision applies, the parties agree that they conclude Module 2 (controller-to-processor) of the SCCs, which are hereby incorporated by reference and completed as follows: the “data exporter” is Customer; the “data importer” is Logixboard; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is not used; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the courts of Ireland; and Annex I, II and III to Module 2 of the SCCs are Appendix 1, Appendix 2, and Appendix 0 to this DPA respectively.

9.3For International Data Transfers from the UK that require appropriate safeguards, the parties agree that the UK Addendum is incorporated by reference and applies as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Logixboard; (ii) in Table 2, the Approved EU SCCs are those referenced in Section 9.2; (iii) in Table 3, the Appendices are as set out in Appendix 1, 2 and 0 to this DPA; and (iv) in Table 4, both the Exporter and Importer may terminate the UK Addendum as set out therein.

9.4If Logixboard’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of Logixboard’s control (including invalidation, amendment, or replacement of the SCCs or UK Addendum), Customer and Logixboard will work together in good faith to implement alternative or additional safeguards. Logixboard may update this DPA as reasonably necessary to ensure continued compliance with Data Protection Laws.

10Notifications

10.1Customer will send all notifications, requests, and instructions under this DPA to privacy@logixboard.com (or such other contact as Logixboard may notify to Customer from time to time).

11Liability

11.1The limitations of liability set out in the Agreement apply to this DPA. To the extent permitted by applicable law, where Logixboard has paid compensation, damages, or fines arising out of or in connection with Logixboard’s Processing of Customer Personal Data, Logixboard is entitled to claim back from Customer that part of the compensation, damages, or fines corresponding to Customer’s part of responsibility.

12Termination and Deletion

12.1This DPA will automatically terminate upon termination or expiry of the Agreement.

12.2Upon termination or expiry of the Agreement, Customer is responsible for extracting any Customer Personal Data it wishes to retain from the Services before the effective date of termination. Unless applicable law requires continued storage, Logixboard will delete Customer Personal Data from its production systems within thirty (30) days after termination of the Agreement.

12.3Back-ups and logs containing Customer Personal Data will be deleted in accordance with Logixboard’s standard retention and deletion cycles. Logixboard may retain aggregated, de-identified data that does not identify Customer or any Data Subject.

13Modification of this DPA

13.1This DPA may only be modified by a written amendment signed by both Logixboard and Customer, except that Logixboard may update the Appendices (including Subprocessors and Security Measures) from time to time, provided such updates do not materially reduce the protection of Customer Personal Data.

14Invalidity and Severability

14.1If any provision of this DPA is found by a court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision will not affect any other provision of this DPA, and the remaining provisions will remain in full force and effect.

A0Appendix 0 — Subprocessors

Below is a list of Logixboard’s current Subprocessors that may Process Customer Personal Data on behalf of Customer in connection with the Services. A standalone, regularly updated version is also maintained on our Subprocessors page.

Name Location Description of Processing
Amazon Web Services, Inc. (AWS) United States Cloud infrastructure provider for hosting, storage (e.g., RDS, S3), networking, and logging.
Sentry (Functional Software, Inc.) United States Application error tracking and monitoring.
Segment.io, Inc. United States Customer and product analytics routing and event collection.
Mixpanel, Inc. United States Product usage analytics and onboarding experience insights.
HubSpot, Inc. United States Website forms and lead tracking; certain customer contact information.
Google LLC (Google Analytics) United States / Global Website and product usage analytics.
Datadog, Inc. United States Centralized logs, metrics, and application performance monitoring.
SendGrid (Twilio Inc.) United States Transactional email delivery (notifications, alerts, system emails).
Intercom R&D Unlimited Company Ireland / United States In-app messaging and customer support communications.
Salesforce, Inc. United States / Global CRM system for managing sales and certain customer contact details.

Note: Certain third-party TMS or email systems (e.g., CargoWise, Microsoft 365/Outlook) may receive Customer Personal Data where Customer elects to integrate such systems with the Services. Those systems are typically configured and controlled by Customer and are not treated as Subprocessors of Logixboard under this DPA.

Logixboard will update this Appendix 0 as necessary and notify Customer of new Subprocessors in accordance with Section 6 of the DPA.

A1Appendix 1 — Description of the Processing

Categories of Data Subjects

Customer Personal Data Processed may concern, for example:

  • Employees and contractors of Customer (including users of the Services)
  • Employees and contacts of Customer’s customers (e.g., shippers, consignees, logistics contacts)
  • Other individuals whose data appears in shipment records, communications, or documents processed through the Services

Categories of Customer Personal Data

Customer Personal Data Processed may include:

  • Basic identification and contact details (name, email, phone number, job title, company name, address)
  • Authentication data (username, hashed password, audit logs)
  • Account and profile information
  • Shipment-related contact information (e.g., consignees, shippers, carrier contacts)
  • Technical identifiers (IP address, device/browser information, log data)
  • Usage data relating to how Authorized Users interact with the Services
  • Communications metadata and content (for example, messages or emails processed for routing/automation when Customer enables such features)

Customer will not instruct Logixboard to Process, and Logixboard does not intentionally Process, special categories of personal data or Protected Health Information (PHI) via the Services.

Nature and Purpose of Processing

Logixboard Processes Customer Personal Data for the following purposes:

  • Provision, operation, and maintenance of the Services
  • Authentication, authorization, and account management
  • Shipment visibility, tracking, and analytics
  • Customer support and incident response
  • Security monitoring, logging, and fraud prevention
  • Service improvement and product development
  • Internal reporting and compliance with applicable laws

Duration of Processing

Logixboard will Process Customer Personal Data for the duration of the Agreement and as otherwise required or permitted by this DPA and Data Protection Laws. After termination, Customer Personal Data will be deleted in accordance with Section 12 of this DPA.

A2Appendix 2 — Security Measures

Logixboard maintains a comprehensive information security program designed to protect Customer Personal Data. Key technical and organizational measures include:

Physical and Infrastructure Security
  • Hosting on Amazon Web Services (AWS) with industry-standard physical and environmental safeguards.
  • Use of Virtual Private Clouds (VPCs) and network segmentation to restrict access.
Access Control and Authentication
  • Role-based access controls limiting access to systems and data to authorized personnel with a business need.
  • Strong authentication for administrative access to production systems.
  • Regular access reviews and revocation of access upon role change or termination.
Data Encryption
  • Encryption of Customer Personal Data in transit using TLS or equivalent.
  • Encryption of Customer Personal Data at rest using industry-standard encryption algorithms.
Application and Network Security
  • Use of firewalls, security groups, and related mechanisms to limit inbound and outbound network traffic.
  • Logging and monitoring of key security events.
  • Vulnerability management, including regular security scans and timely patching of critical systems.
Organizational Security
  • Information security policies covering acceptable use, data handling, access control, and incident response.
  • Security and privacy training for employees with access to Customer Personal Data.
  • Background checks for employees in accordance with applicable law and role.
Change Management and Development Practices
  • Use of version control and change management procedures for infrastructure and application changes.
  • Code review and testing practices designed to reduce security and stability issues.
  • Separation of development, staging, and production environments.
Incident Response and Business Continuity
  • Incident response procedures for identification, investigation, mitigation, and notification of security incidents.
  • Backup and recovery procedures to support availability and resilience of the Services.
Certifications and Assessments
  • Maintenance of a SOC 2 Type II information security program, with periodic independent audits.

Logixboard may update these security measures from time to time, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data.

For any questions about this DPA, or to send notifications, requests, or instructions under it, contact us at privacy@logixboard.com.