Data Processing Agreement

GDPR-compliant data processing terms for enterprise customers

Last updated: December 15, 2024

1. Definitions

For the purposes of this Data Processing Agreement (DPA):

  • Controller: The entity that determines the purposes and means of processing personal data
  • Processor: routes.ai, which processes personal data on behalf of the Controller
  • Personal Data: Data relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data

2. Scope and Role of Parties

This DPA applies when routes.ai processes personal data on behalf of the Customer in connection with the provision of route optimization services.

  • • Customer acts as the Controller of personal data
  • • routes.ai acts as the Processor of personal data
  • • Processing is limited to what is necessary to provide the services

3. Categories of Data and Processing

Categories of Personal Data:

  • • Location data (addresses, coordinates)
  • • Contact information (names, phone numbers)
  • • Delivery/service scheduling information

Categories of Data Subjects:

  • • Delivery recipients
  • • Service appointment contacts
  • • Customer employees

4. Processor Obligations

routes.ai undertakes to:

  • • Process personal data only on documented instructions from the Controller
  • • Ensure confidentiality of personal data
  • • Implement appropriate technical and organizational measures
  • • Delete or return personal data at the end of the provision of services
  • • Assist the Controller with data subject rights requests
  • • Notify the Controller of any personal data breaches

5. Technical and Organizational Measures

routes.ai implements the following security measures:

  • • Encryption of personal data in transit and at rest
  • • Access controls and authentication mechanisms
  • • Regular security assessments and audits
  • • Staff training on data protection
  • • Incident response procedures

6. International Data Transfers

Personal data may be processed in the United States and other countries where routes.ai operates. We ensure adequate protection through appropriate safeguards including Standard Contractual Clauses approved by the European Commission.

7. Sub-processors

routes.ai may engage sub-processors to assist in providing the services. Current sub-processors include:

  • • Amazon Web Services (cloud infrastructure)
  • • [Other sub-processors as applicable]

We will provide 30 days notice of any new sub-processors.

8. Contact Information

For questions about this DPA or to exercise data subject rights:

Data Protection Officer: dpo@routes.ai

Legal Department: legal@routes.ai

Address: Routes AI, Inc.
c/o The Corporation Trust Company
1209 Orange Street
Wilmington, DE 19801