Data Processing Agreement

Effective Date: May 13, 2026 | Last Updated: May 13, 2026

⚠️ Template — Pending Attorney Review. This DPA is published as a transparent draft so prospective Customers can begin their procurement and security review. The text will be finalized by a SaaS-specialized privacy attorney before any Enterprise contract is countersigned. If you have feedback or wish to redline this template, email sc@neumaxtech.com.

This Data Processing Agreement ("DPA") supplements the Vantage Terms of Service between NEUMAX LLC ("Vantage") and the Customer entity that has accepted those Terms ("Customer"). This DPA governs Vantage's processing of Customer Data on Customer's behalf.

1. Definitions

"Customer Data" has the meaning given in the Terms of Service §18.1.
"GDPR" means Regulation (EU) 2016/679.
"UK GDPR" means the GDPR as incorporated into UK law under the Data Protection Act 2018.
"Standard Contractual Clauses" / "SCCs" means the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) approved by Implementing Decision (EU) 2021/914.
"Sub-processor" means a third party engaged by Vantage to process Customer Data on Vantage's behalf.

2. Roles

Customer is the controller (GDPR) / business (CCPA/CPRA). Vantage is the processor / service provider. Each party complies with applicable data protection laws in its respective role.

3. Scope and Purpose of Processing

Vantage processes Customer Data solely to provide the Service in accordance with the Terms of Service and Customer's documented instructions (the Terms themselves constitute documented instructions). Vantage will not sell or share Customer Data within the meaning of CCPA/CPRA.

4. Categories of Data Subjects

Customer's employees (clerks, yard drivers, forklift operators, managers, dispatchers, administrators).
Carrier drivers and dispatchers who interact with the Service.
End-recipients of cargo whose names or signatures appear on transaction records.

5. Categories of Personal Data

Identity data: name, email, employee ID, driver license number, license expiration, license class.
Contact data: phone, address (carrier records).
Operational data: gate transaction timestamps, container/trailer assignments, inspection records.
Biometric-adjacent data: photographs (incidental face capture), electronic signatures. (See Privacy Policy §16.)

6. Sub-processors

Vantage uses the sub-processors listed in the Sub-Processor list in our Privacy Policy. Vantage will provide at least fourteen (14) days' prior notice via in-app notification and email before adding a new sub-processor that processes Customer Data. Customer may object to a new sub-processor in good faith; if the objection is unresolved, Customer's sole remedy is to terminate the affected portion of the Service.

7. International Transfers

For Customer Data originating in the EEA, UK, or Switzerland, the SCCs (Module 2: Controller-to-Processor) are incorporated into this DPA by reference and apply to transfers to the US or any third country not subject to an adequacy decision. Customer is the data exporter; Vantage is the data importer.

8. Security Measures

Vantage maintains the technical and organizational measures listed in Privacy Policy §8, including:

TLS 1.3 in transit / AES-256 at rest
Row-Level Security (RLS) for multi-tenant isolation
One-way password hashing
API key hashing (SHA-256)
Principle of least privilege access controls
Access logging and audit

9. Personal Data Breach

Vantage will notify Customer of any confirmed Personal Data Breach affecting Customer Data without undue delay and in any event within seventy-two (72) hours of confirmation. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

10. Data Subject Rights

Vantage will provide reasonable assistance to enable Customer to respond to data subject requests (access, rectification, erasure, portability, restriction, objection) under GDPR Articles 12-22 and equivalent CCPA/CPRA rights, through the Service's built-in features (App Settings → My Profile, Export Data, Delete Account).

11. Audit Rights

Customer may, no more than once per twelve (12) month period (and additionally following any Personal Data Breach affecting Customer Data), request an audit of Vantage's compliance with this DPA. Vantage may satisfy this obligation by providing the results of its most recent third-party audit (when available) or by responding in writing to a reasonable security questionnaire.

12. Deletion

Upon termination, Vantage will delete or return Customer Data in accordance with Terms of Service §18.5.

13. Liability and Order of Precedence

The liability provisions in Terms of Service §11 apply to this DPA. In case of conflict between this DPA and the Terms of Service with respect to processing of Customer Data, this DPA controls.

14. Contact

Vantage Data Protection Contact: support@vantageyms.com (a dedicated dpa@vantageyms.com address will be provisioned before General Availability).