Data Processing Agreement

Last updated: May 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Ibero Logistics, LLC ("Processor" or "we") and the customer ("Controller" or "you"). This DPA applies where Processor processes personal data on behalf of Controller in connection with the Ibero.pro cargo tracking service.

1. Definitions

Capitalized terms used but not defined herein have the meanings given in the GDPR or the Terms of Service.

  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation)
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Subprocessor" means any processor engaged by Processor
  • "Security Incident" means unauthorized access to or disclosure of Personal Data

2. Scope and Purpose

Processor shall process Personal Data only on documented instructions from Controller as specified in this DPA and the Terms of Service. The subject matter, duration, nature, and purpose of Processing are:

  • Subject Matter: Cargo tracking and logistics visibility services
  • Duration: As long as Controller maintains active subscription
  • Nature: Electronic processing via cloud-based SaaS platform
  • Purpose: Real-time shipment tracking, blockchain verification, and supply chain analytics

3. Categories of Data Subjects and Personal Data

Processing may involve the following categories:

  • Data Subjects: Controller employees, contractors, end customers, shipment recipients, carrier personnel
  • Personal Data Types: Names, contact information, location data, shipment details, device identifiers

4. Processor Obligations

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures per Article 32 GDPR
  • Assist Controller in responding to data subject rights requests
  • Notify Controller without undue delay upon becoming aware of a Security Incident
  • Delete or return all Personal Data upon termination as selected by Controller
  • Maintain records of Processing activities and make them available to supervisory authorities upon request

5. Security Measures

Processor implements the following technical and organizational measures:

  • Encryption: AES-256 encryption at rest, TLS 1.3 encryption in transit
  • Access Control: Role-based access, multi-factor authentication, least privilege principles
  • Pseudonymization: Device identifiers pseudonymized where feasible
  • Resilience: Redundant infrastructure, backup systems, disaster recovery procedures
  • Testing: Regular security assessments, penetration testing, vulnerability scanning
  • Audit: Logging of access and Processing activities with tamper-evident controls

6. Subprocessors

Controller authorizes engagement of the following Subprocessors:

  • Amazon Web Services: Cloud infrastructure hosting (US-East, US-West regions)
  • Polygon Labs: Blockchain network for data anchoring
  • Datadog Inc.: Monitoring and logging services
  • Stripe Inc.: Payment processing

Processor shall notify Controller of any intended changes to Subprocessors and provide an opportunity to object. Subprocessors are bound by written agreements imposing data protection obligations no less protective than those in this DPA.

7. Data Subject Rights

Processor shall assist Controller in fulfilling its obligations under Chapter III of the GDPR (data subject rights including access, rectification, erasure, restriction, portability, and objection). Processor shall:

  • Implement technical measures enabling Controller to identify and locate Personal Data
  • Respond to Controller requests within reasonable timeframes
  • Provide functionality for data export in structured, machine-readable format
  • Notify Controller if unable to comply with a specific instruction due to legal requirements

8. Security Incident Notification

Upon becoming aware of a Security Incident, Processor shall:

  • Notify Controller without undue delay, and in no event later than 72 hours after becoming aware
  • Provide details including nature of incident, categories of data affected, approximate number of data subjects
  • Cooperate with Controller investigation and remediation efforts
  • Take steps to contain and mitigate effects of the incident

9. International Transfers

Where Personal Data is transferred outside the European Economic Area:

  • Transfers to the United States rely on Standard Contractual Clauses approved by the European Commission
  • Processor warrants it has implemented supplementary measures addressing US government access concerns
  • Controller acknowledges that US law may permit government access to Personal Data in limited circumstances
  • Data residency options are available for Sovereign tier customers requiring EU-only Processing

10. Audit Rights

Controller may audit Processor compliance with this DPA:

  • Upon reasonable notice and during normal business hours
  • No more frequently than once annually unless triggered by Security Incident
  • Through review of third-party audit reports (SOC 2, ISO 27001) when available
  • Subject to confidentiality obligations and Processor security policies

11. Data Deletion and Return

Upon termination of the Service:

  • Controller may request export of Personal Data in CSV or JSON format within 30 days
  • Processor shall delete all copies of Personal Data from active systems within 90 days
  • Backup tapes may retain encrypted Personal Data for up to 12 months per standard rotation
  • Blockchain-anchored hashes cannot be deleted due to immutable nature of distributed ledger technology

12. Liability

Each party shall be liable to the other for damages caused by breach of this DPA. Notwithstanding anything in the Terms of Service:

  • Controller remains liable for compliance with data protection laws as data controller
  • Processor liability for data protection breaches is subject to the limitations in the Terms of Service
  • Either party may be directly liable to data subjects under GDPR Article 82

13. Term and Termination

This DPA takes effect when Controller first uses the Service and continues until termination of the Terms of Service or completion of all Processing activities, whichever is later.

14. Governing Law

This DPA is governed by the laws applicable under the Terms of Service. Where the GDPR applies, Controller may elect to bring proceedings in courts of the Member State where Controller is established or where Processor is established.

15. Contact Information

Ibero Logistics, LLC
Attn: Data Protection Officer
Indianapolis, IN
Email: dpo@ibero.pro