PoweredBy Service Provider Agreement
Data Processing Addendum
This PoweredBy Data Processing Addendum (together with its annexes, the “Addendum”) supplements and forms part of the terms governing the use of FreightPOP, Inc.’s shipping logistics platform and related services (the “Provider Services”).
This Addendum applies to agreements (each a “Partner Customer Agreement”) between authorized PoweredBy resellers (each a “Partner”) and their end customers (“Partner Customers”). It governs Provider’s processing of Personal Data on behalf of a Partner or Partner Customer in connection with the Provider Services.
By using the Provider Services, the Partner Customer agrees to this Addendum, which outlines Provider’s data protection obligations and processing activities. Provider’s role as a Processor or Subprocessor (as applicable) is governed by the terms and instructions set forth in the applicable PoweredBy Service Provider Agreement (“PoweredBy Agreement”).
Depending on the Partner’s agreement with the Partner Customer, the Partner may act as a Controller and/or Processor when processing Partner Customer Data.
Provider reserves the right to amend this Addendum, including its annexes, as provided in the PoweredBy Agreement.
- Definitions
Capitalized terms used in this Addendum have the meanings given below or, if not defined in this Addendum, in the PoweredBy Agreement.
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder, in each case, as amended from time to time.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means any Partner Data, and any Partner Customer Data (including that of Shipment Recipients) that constitutes Personal Data.
“Data Protection Laws” means, to the extent applicable to the Processing of Customer Personal Data under the PoweredBy Agreement, all applicable laws, regulations, and legal requirements governing the collection, use, processing, storage, protection, and disclosure of Personal Data, including but not limited to the General Data Protection Regulation (EU 2016/679) (GDPR), and equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (UK Data Protection Law), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and any other data protection laws or regulations applicable to the processing of Personal Data in the jurisdictions where Provider and Partner operate.
“Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates.
“Data Subject Request” means a Data Subject’s request to exercise rights under Data Protection Laws in respect of Customer Personal Data pertaining to such Data Subject in Provider’s possession, custody, or control.
“Personal Data” means information about an identifiable natural person or that otherwise constitutes “nonpublic personal information”, “personal data,” “personal information,” or information within the scope of similar terms defined in Data Protection Laws.
“Personal Data Breach” means a breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Provider’s possession, custody, or control.
“Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destruction.
“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of another individual or entity, which may be a Controller or another Processor.
“Provider Services” means the Provider shipping logistics platform and related services.
“Standard Contractual Clauses” shall mean, only as applicable to Partner and Partner Customer, (i) the UK Standard Contractual Clauses; and (ii) 2021 Standard Contractual Clauses.
“Subprocessor” means any third party engaged directly or indirectly by or on behalf of Provider to Process Customer Personal Data under Provider’s care, custody, or control.
“UK Standard Contractual Clauses” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the effective date of this Addendum at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/), completed as set forth in this Addendum.
“2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914, completed as set forth in this Addendum.
- SCOPE OF THIS DATA PROCESSING ADDENDUM
The parties acknowledge and agree that Annex 1 (Data Processing Details) to this Addendum describes the details of Provider’s Processing of Customer Personal Data (including the respective roles of the parties relating to such Processing). Annex 2 (California Annex) to this Addendum applies to Provider’s Processing of Customer Personal Data in accordance with its terms.
- PROCESSING OF CUSTOMER PERSONAL DATA
Provider shall Process Customer Personal Data only according to Partner’s instructions or as required by applicable Data Protection Laws. Partner instructs Provider to Process Customer Personal Data to provide the Provider Services and as authorized by the PoweredBy Agreement. The PoweredBy Agreement and Partner’s use of the Provider Services’ settings and features in accordance with the PoweredBy Agreement are the complete expression of such instructions, and Partner’s additional instructions shall be binding on Provider only pursuant to an amendment to this Addendum signed by both parties. Where Provider receives an instruction from Partner that, in its reasonable opinion, violates Data Protection Laws, Provider shall notify Partner.
- INTERNATIONAL DATA TRANSFER MECHANISMS
- Partner and Partner Customer authorize Provider and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area or the United Kingdom to the United States. Any cross-border transfer of Customer Personal Data subject to the GDPR or the UK Data Protection Law must be supported by an approved adequacy mechanism.
- UK Standard Contractual Clauses
- The parties acknowledge and agree that to the extent that Provider Processes any Customer Personal Data under the PoweredBy Agreement, any related Order Forms, or exhibits, that are subject to the UK Standard Contractual Clauses, Provider and Partner hereby enter into the UK Standard Contractual Clauses for Controllers to Processors and/or Processors to Processors, as applicable (and incorporated into this Addendum by reference). The UK Standard Contractual Clauses shall be interpreted in a manner consistent with the terms of this Addendum and Data Protection Law(s). If any terms of this Addendum directly contradict the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will control.
- The UK Standard Contractual Clauses will apply to (i) the Partner and the legal entity that has entered into a Partner Customer Agreement incorporating this Addendum and entered into the UK Standard Contractual Clauses as a data exporter, as set forth in the Partner Customer Agreement, and (ii) all affiliates of Partner Customer established within the United Kingdom, which have signed Order Forms for the Provider Services. For purposes of the UK Standard Contractual Clauses, one or the other aforementioned entities will act as the “data exporters” and Provider will act as the “data importer”. The UK Standard Contractual Clauses shall be deemed completed as follows (with undefined capitalized terms meaning the definitions in the UK Standard Contractual Clauses):
- Table 1 of the UK Standard Contractual Clauses: (a) the parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in the Annex of this Addendum; and (b) the key contact shall be the contacts set forth in the Annex of this Addendum.
- Table 2 of the UK Standard Contractual Clauses: The Approved EU SCCs referenced in Table 2 shall be the 2021 Standard Contractual Clauses.
- Table 3 of the UK Standard Contractual Clauses: Annex 1A, 1B, II, and III shall be set forth in Section 3(e) and the Appendix of this Addendum.
- Table 4 of the UK Standard Contractual Clauses: Either party may end this Addendum as set out in Section 19 of the UK Standard Contractual Clauses.
- By entering into this Addendum, the parties are deemed to be signing the UK Standard Contractual Clauses and its applicable Tables and Appendices.
- 2021 Standard Contractual Clauses: General.
- The parties acknowledge and agree that to the extent that Provider Processes any Customer Personal Data transferred from the European Economic Union or Switzerland under the PoweredBy Agreement, any related Order Forms, or exhibits, outside the European Economic Area in a country that has not been designated as providing an adequate level of protection for Personal Data, including the United States, Provider and Partner hereby enter into the 2021 Standard Contractual Clauses for Controllers to Processors, and/or Processors to Processors as applicable (and incorporated into this Addendum by reference). The 2021 Standard Contractual Clauses shall be interpreted in a manner consistent with the terms of this Addendum and Data Protection Law(s). If any terms of this Addendum directly contradict the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will control.
- The 2021 Standard Contractual Clauses will apply to (i) the Partner and legal entity that has entered into a Partner Customer Agreement incorporating this Addendum and entered into the Standard Contractual Clauses as a data exporter and, (ii) all affiliates of Partner Customers established within the European Economic Area or Switzerland, which have signed Order Forms for the Provider Services. For purposes of the 2021 Standard Contractual Clauses: (i) when the Partner acts as Controller and Provider acts solely as its Processor, Module 2 of the 2021 Standard Contractual Clauses shall apply; and (ii) in instances where Provider functions as a Processor-to-Processor (or Subprocessor) for the transferred data, Module 3 shall apply. With respect to the 2021 Standard Contractual Clauses:
- in Clause 7, the optional docking clause does not apply;
- in Clause 9, Option 2 applies; the time period for prior notice of Subprocessor changes will be as set forth in Section 9 (Subprocessing) of this Addendum;
- in Clause 11, the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply;
- in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
- in Clause 18(b), disputes will be resolved before the courts of Ireland; and
- Annexes I and II of the 2021 Standard Contractual Clauses are set forth in the Annex of this Addendum. Annex III is not applicable as the parties have chosen general authorization under Clause 9.
- By entering into this Addendum, the parties are deemed to be signing the 2021 Standard Contractual Clauses and its applicable Annexes.
- Revisions. In the event that the European Commission or the United Kingdom requires the use of revised standard contractual clauses that are applicable to this Addendum, such revised standard contractual clauses shall automatically be deemed to replace the UK Standard Contractual Clauses or 2021 Standard Contractual Clauses, as applicable, without the need for any further action, unless otherwise agreed to by the parties.
- Termination. The Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis, and Provider has implemented any measures necessary to comply with such basis.
- PROVIDER PERSONNEL
Provider shall ensure that all Provider personnel who access Customer Personal Data are subject to contractual or other legal duties of confidentiality with respect to such Customer Personal Data.
- SECURITY
Provider shall maintain technical, organizational, and physical measures designed to protect the confidentiality, integrity, and availability of Customer Personal Data (the “Security Measures”) as described in Annex 2 (Security Measures) of this Addendum and as otherwise required by Data Protection Laws. Provider may modify the Security Measures from time to time so long as the modifications do not decrease the overall protection of Customer Personal Data.
- DATA SUBJECT REQUESTS
Partner is solely responsible for ensuring that Partner or Partner Customer has responded to Data Subject Requests as required by Data Protection Laws. Taking into account the nature of the Processing of Customer Personal Data, and employing appropriate technical and organizational measures, Provider shall provide Partner with such assistance as Partner may reasonably request in writing to enable Partner to perform its obligations under Data Protection Laws to respond to Data Subject Requests, provided such request identifies the Data Protection Laws applicable to the Data Subject Request. Provider shall promptly forward to Partner any Data Subject Request that Provider receives, and Provider shall not be obligated to respond to any Data Subject Request but may instruct the Data Subject to submit the request to Partner.
- PERSONAL DATA BREACHES
Provider shall notify Partner of a Personal Data Breach within forty-eight (48) hours after becoming aware of the occurrence thereof. Provider’s notification of or response to a Personal Data Breach shall not be construed as Provider’s acknowledgement of any fault or liability with respect to the Personal Data Breach. If Partner determines that notice of a Personal Data Breach must be given to any governmental authority, any Data Subject, the public or others in a manner that directly or indirectly refers to or identifies Provider, where permitted by applicable laws, Partner shall notify Provider prior to giving such notice and in good faith consult with Provider regarding such notice and consider any clarifications or corrections of any such notification that Provider may reasonably request.
- SUBPROCESSING
- Authorization; Current Subprocessors. Partner generally authorizes Provider to engage Subprocessors in accordance with this Section 9, including the Subprocessors listed as of the Effective Date at the following web page or such other web page as Provider may provide to Partner from time to time: www.freightpop.com/legal/third-party-subprocessors (the “Subprocessor Page”).
- Provider shall enter into a written contract with each Subprocessor imposing on such Subprocessor data protection obligations at least as protective as those in this Addendum with respect to Customer Personal Data to the extent applicable to the nature of the services such Subprocessor provides. Provider shall be liable for all Processing of Customer Personal Data that Provider delegates to the Subprocessor, and its actions and omissions related thereto.
- New Subprocessors. When Provider engages any Subprocessor not listed on the Subprocessor Page as of the Effective Date, Provider shall notify Partner of the engagement at least 30 days before such Subprocessor Processes Customer Personal Data, which notification may be given by updating the Subprocessor Page. If Partner objects to such Subprocessor’s Processing of Customer Personal Data in a written notice to Provider on reasonable grounds relating to the protection of Personal Data, Partner and Provider shall work together in good faith to consider a mutually acceptable resolution to such objection. If the parties have not resolved such objection to their mutual satisfaction within a timeframe acceptable to Partner, Partner’s sole and exclusive remedy shall be to terminate the PoweredBy Agreement and cancel the Provider Services by notifying Provider in writing of such termination and paying Provider for all amounts that shall be due and owing under the PoweredBy Agreement as of the date of such termination.
- COMPLIANCE ASSISTANCE; AUDITS
- Compliance assistance. Taking into account the nature of the Processing and the information available to Provider, Provider shall provide such information and assistance as Partner may reasonably request to enable Partner to perform its obligations under Data Protection Laws in relation to Provider’s Processing of Customer Personal Data, including in relation to (i) the security of Customer Personal Data, (ii) the investigation and reporting of Personal Data Breaches, (iii) the demonstration of Provider’s compliance with this Addendum, and (iv) the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Provider’s Processing of Customer Personal Data.
- Information and audits. Provider shall cooperate with audits (including inspections) of Provider’s technical and organizational measures to verify compliance with Partner’s obligations under Data Protection Laws and Provider’s compliance with this Addendum, provided that such audits shall be performed (i) at Partner’s sole cost and expense, (ii) by Partner or a qualified and independent third party auditor appointed by Partner in accordance with a recognized audit control standard or framework, (iii) subject to a non-disclosure agreement acceptable to Provider in respect of information made available to participants in the audit, (iv) during normal business hours, (v) no more than once in any calendar year during the term of the PoweredBy Agreement unless Partner is required to perform the audit under Data Protection Laws, (vi) in accordance with Provider’s safety, security or other relevant policies, and (vii) without unreasonably interfering with Provider’s business activities. Partner shall not conduct any scans or technical or operational testing of Provider’s applications, websites, Provider Services, networks, or systems without Provider’s prior approval. Partner shall promptly provide Provider with a copy of any report created by an independent auditor engaged by Partner in respect of such an audit. This Section 10 shall not be construed to require Provider to violate a duty of confidentiality to any third party.
- Audit reports. If the controls or measures to be assessed in the requested audit are assessed in an audit performed by a qualified and independent third-party auditor pursuant to a recognized audit control standard or framework within twelve (12) months of Partner’s audit request and Provider has confirmed in writing that there have been no known material changes to the controls audited and covered by such audit, Partner agrees to accept the auditor’s report regarding such audit (“Audit Report”) in lieu of requiring an audit of such controls or measures. Such Audit Report and any other information obtained by Partner in connection with an audit under this Section 9 shall constitute confidential information of Provider, which Partner shall use only for the purposes of confirming compliance with the requirements of this Addendum or performing Partner’s obligations under Data Protection Laws. Provider shall provide Partner with any relevant Audit Report upon Partner’s written request.
- RETURN AND DELETION
Upon expiration or earlier termination of the PoweredBy Agreement, Provider shall return and/or delete all Customer Personal Data in Provider’s care, custody, or control in accordance with the terms of the PoweredBy Agreement. Notwithstanding the foregoing, Provider may retain Customer Personal Data where required by law, provided that Provider shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose and duration specified in the applicable law requiring such retention.
- CUSTOMER RESPONSIBILITIES
- Partner is solely responsible for its use of the Provider Services, including (i) making appropriate use of the Provider Services to maintain a level of security appropriate to the risk posed to Partner Customer Data; (ii) securing the account authentication credentials, systems and devices that Partner, Customer or other end users use to access the Provider Services; and (iii) backing up Partner Customer Data.
- Legal basis. Partner will not instruct Provider to Process Partner Customer Data in violation of Data Protection Laws. Provider has no obligation to monitor the compliance of Partner’s or Customer’s use of the Service with Data Protection Laws. Partner shall ensure that all notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as are required, including under Data Protection Laws, for Provider to Process Customer Personal Data as contemplated by the PoweredBy Agreement.
- Prohibited data. Partner acknowledges that the Provider Services are not designed to comply with, and shall ensure that Partner Customer Data does not contain any of the following categories of data, except to the extent expressly described in Annex 1 (Data Processing Details): (i) Social Security numbers or other government-issued identification numbers; (iii) credentials to any financial accounts; (iv) payment card information; (v) tax return data; (vi) “consumer reports” as defined under the Fair Credit Reporting Act; (vii) fingerprints, facial geometry, iris scans, voice prints or other information that constitutes biometric data, biometric information or biometric identifiers under Data Protection Law, (viii) genetic information; (ix) health information, including “protected health information” as defined by the Health Insurance Portability and Accountability Act (HIPAA); (x) Personal Data of children under 16 years of age; (xi) criminal histories; (xii) “personally identifiable information” protected by the Video Privacy Protection Act; or (xiii) information that constitutes “special categories of data”, “sensitive personal information” or “sensitive data” as defined in Data Protection Laws.
- Additional assistance. If Partner requests cooperation, information or assistance pursuant to Sections 6, 9, or 10 of this Addendum beyond Provider’s provision of self-service features as part of the Provider Services that Partner can use to obtain the requested cooperation, information or assistance, then Partner shall reimburse Provider for any costs and expenses reasonably incurred by Provider in the course of responding to such requests and pay Provider’s applicable fees for professional services required to fulfill such requests upon receipt of invoices therefor.
- PRECEDENCE; MISCELLANEOUS
In the event of any conflict or inconsistency between this Addendum and the PoweredBy Agreement, this Addendum shall prevail. References to “including” mean “including, without limitation”.
Annex 1 – Data Processing Details
PARTNER DETAILS
Name: As provided in the PoweredBy Agreement or applicable ordering document.
Role: Controller (or if Partner uses the Provider Services on behalf of a Controller, Processor).
PARTNER CUSTOMER DETAILS
Name: As provided in the Partner Customer Agreement or applicable ordering document.
Role: Controller.
PROVIDER DETAILS
Name: FreightPOP, Inc.
Role: Processor (or if Partner uses the Provider Services on behalf of a Controller, Partner’s subprocessor).
DETAILS OF PROCESSING
Categories of Data Subjects: Partners, Partner Customers, prospective Partners and Partner Customers, Partner Customer end users, Shipment Recipients, website visitors.
Categories of Personal Data:
- Identification Information: Names, titles
- Contact Information: Addresses, email addresses, phone numbers
- Electronic Network Activity: IP addresses, device identifiers, cookies
- Business Information: Company names, business contact details
Nature and Purpose of the Processing: Processing required to provide the Provider Services in accordance with the PoweredBy Agreement.
Duration of Processing / Retention Period: Processing continues during the Term. Within 30 days following termination of the PoweredBy Agreement, Provider will securely delete or anonymize all Partner Customer Data, including Personal Data, in accordance with the terms of the PoweredBy Agreement and all applicable legal requirements. Exceptions may apply if retention is required for compliance with legal or regulatory obligations.
Annex 2 – Security Measures
- Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Provider’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Provider’s organization, monitoring and maintaining compliance with Provider’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Data security controls that include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
- Password controls designed to manage and control password strength, expiration and usage.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Provider’s possession.
- Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Provider’s technology and information assets.
- Incident management procedures designed to allow Provider to investigate, respond to, mitigate, and notify of events related to Provider’s technology and information assets.
- Network security controls and procedures for network services and components.
- Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
- Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disaster.
- Provider shall undergo an annual SOC 2 Type 2 audit and maintain controls that meet industry-recognized standards, and shall provide a SOC 2 report or a summary thereof upon request.
California Annex
This Annex 3 (California Annex) applies only to Provider’s Processing of Customer Personal Data subject to the CCPA.
- Capitalized terms used in this California Annex but not defined in the PoweredBy Agreement shall have the meanings given in the CCPA. As used in this California Annex, “Personal Information” means Customer Personal Data that constitutes “personal information” under the CCPA.
- It is the parties’ intent that Provider is a Service Provider with respect to its Processing of Personal Information. Provider (a) acknowledges that Personal Information is disclosed by Partner only for limited and specified purposes described in the PoweredBy Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that, upon Partner’s reasonable written request, Provider will provide sufficient information to confirm that its use of Personal Information aligns with the obligation set forth in this Addendum and the CCPA; (d) shall notify Partner in writing of any determination made by Provider that it can no longer meet its obligations under the CCPA; and (e) agrees that Partner has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
- Provider shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the business purposes specified in the PoweredBy Agreement, including retaining, using, or disclosing Personal Information for a commercial purpose other than the business purpose specified in the PoweredBy Agreement, or as otherwise permitted by the CCPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between Provider and Partner; or (d) combine Personal Information received pursuant to the PoweredBy Agreement with Personal Information (i) received from or on behalf of another person, or (ii) collected from Provider’s own interaction with any Consumer to whom such Personal Information pertains. Provider hereby certifies that it understands its obligations under this paragraph and shall comply with them.
- Giving Partner notice of Subprocessor engagements in accordance with Section 8 of the Addendum shall satisfy Provider’s obligation under the CPRA to give notice of such engagements.
- The parties acknowledge that Provider’s Processing of Personal Information authorized by Partner’s instructions described in this Addendum is integral to the Provider Services and the parties’ business relationship.
- Access to Personal Data does not form part of the consideration exchanged between the parties in respect of the PoweredBy Agreement or any other business dealings.