Data Processing Agreement
Last Updated: 21 April 2026
This Data Processing Agreement (“DPA”) supplements and forms part of the Terms of Service between Standard Tonnage Limited (“Processor”, “we”) and the customer identified in the applicable Order Form or accepted online subscription (“Controller”, “you”). Where a customer is itself processing personal data on behalf of its own end customers, Standard Tonnage acts as sub-processor.
This DPA governs the processing of personal data by Standard Tonnage in the course of providing the Service. It is designed to satisfy Article 28 of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
1. Definitions
Terms defined in the UK GDPR (including “personal data”, “data subject”, “processing”, “controller”, “processor”, “personal data breach”, and “supervisory authority”) have the same meaning in this DPA. Terms defined in the Terms of Service have the same meaning here. “Sub-processor” means a third party engaged by Standard Tonnage to process personal data on the Controller’s behalf. “UK IDTA” means the UK International Data Transfer Agreement issued by the Information Commissioner. “UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses.
2. Subject matter and duration
The subject matter of the processing is the provision of the Standard Tonnage service as described in the Terms of Service. The duration of the processing is the term of the Controller’s subscription, plus the retention periods set out in our Privacy Policy and section 9 below, after which personal data will be deleted or returned in accordance with section 10.
3. Nature and purpose of processing
The nature of the processing comprises storage, retrieval, analysis, enrichment with carrier-provided tracking data, derivation of risk scores, generation of alert text, and transmission of alerts via SMS, WhatsApp, and email. The purpose is to provide the Controller with timely visibility of its container movements and proactive alerting before demurrage and detention charges accrue.
4. Categories of data subjects and personal data
Categories of data subjects:
- The Controller’s authorised users (employees, contractors).
- The Controller’s business contacts named on booking documents or forwarded emails (for example, shipping coordinators, hauliers).
Categories of personal data:
- Contact data: names, business email addresses, business telephone numbers.
- Account data: job title, role, authentication metadata.
- Operational data: communications content where forwarded by the Controller (booking confirmations, alert recipient lists).
- Usage data: log and access records linked to authorised users.
No special-category data (UK GDPR Article 9) is requested or required. Controllers must not submit special-category data, criminal-offence data, or children’s data to the Service.
5. Roles and instructions
The Controller is the controller of the personal data. Standard Tonnage processes personal data only on the Controller’s documented instructions, which consist of (i) the Terms of Service, (ii) this DPA, (iii) the Controller’s configuration of the Service, and (iv) any additional instructions the Controller issues in writing and that we accept in writing. If we believe an instruction infringes data protection law, we will inform the Controller without undue delay.
6. Confidentiality
Standard Tonnage ensures that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Security measures (Annex II)
Standard Tonnage implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures are described in our Security & Trust Center at /security and include:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls and mandatory multi-factor authentication on administrative consoles.
- Row-level security on the primary database to enforce tenant isolation.
- Regular automated backups with tested restore procedures (RTO 4h / RPO 24h target).
- Vulnerability management including Dependabot, npm audit, and planned annual penetration testing.
- Security-hardened HTTP response headers (HSTS, CSP, X-Frame-Options, etc.).
- Documented Incident Response Plan and Business Continuity Plan.
- Periodic internal review of the Information Security Management System, aligned with ISO/IEC 27001:2022.
8. Sub-processors (Annex III)
The Controller authorises Standard Tonnage to engage the sub-processors listed at /sub-processors, which forms part of this DPA. We will give the Controller at least 30 days’ advance notice of any intended change in sub-processors. The Controller may object on reasonable data-protection grounds; where the objection cannot be resolved, the Controller may terminate the affected subscription without penalty.
9. Assistance with data subject rights and DPIAs
Taking into account the nature of the processing, Standard Tonnage will assist the Controller by appropriate technical and organisational measures to respond to requests from data subjects exercising their rights under Articles 15 to 22 of the UK GDPR. We will also provide reasonable assistance with data protection impact assessments (Art. 35) and prior consultations with the ICO (Art. 36), taking into account the information available to us.
10. Return or deletion of personal data
On termination or expiry of the Controller’s subscription, Standard Tonnage will, at the Controller’s choice, delete or return all personal data processed on its behalf within 30 days, subject to applicable law requiring continued retention (for example, UK tax law requires retention of financial records for six years). The Controller may request an export at any time through the application or by emailing info@standardtonnage.co.uk.
11. Personal data breaches
Standard Tonnage will notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting the Controller’s data. The notification will include, to the extent known at the time: the nature of the breach, categories and approximate numbers of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address and mitigate the breach.
12. Audits
Standard Tonnage will make available to the Controller all information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or a mutually agreed auditor. Audits are subject to reasonable notice (at least 30 days, save in the case of an incident), a confidentiality undertaking, and a maximum frequency of once per 12-month period, save where required more frequently by a supervisory authority or following a material breach. The Controller is responsible for its own costs of audit. Where the Controller’s reasonable requirements can be satisfied by Standard Tonnage’s third-party assurance reports (for example, ISO 27001 certification or SOC 2 reports once available), these may be provided in lieu of an on-site audit.
13. International transfers
The Controller authorises the international transfers required to engage the sub-processors listed at /sub-processors. Each such transfer is made subject to an appropriate safeguard under Articles 44 to 49 of the UK GDPR, including one or more of: UK adequacy, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or certification under the UK Extension to the EU-US Data Privacy Framework. The specific mechanism for each sub-processor is identified on the sub-processors page.
14. Liability and relationship to the Terms of Service
The liability provisions of the Terms of Service apply to the subject matter of this DPA and are not duplicated here. In the event of any conflict between this DPA and the Terms of Service in respect of the processing of personal data, this DPA prevails to the extent of the conflict.
15. Governing law
This DPA is governed by the laws of England and Wales. Disputes arising out of or in connection with this DPA are subject to the exclusive jurisdiction of the courts of England and Wales.
16. Signed counterpart
A PDF counterpart of this DPA, signed by Standard Tonnage Limited for execution by the Controller, is available on request by emailing info@standardtonnage.co.uk.
Standard Tonnage Limited, registered in England and Wales.
Questions about this document: info@standardtonnage.co.uk · Security: security@standardtonnage.com