Legal · DPA

Data Processing Addendum.

GDPR Article 28, UK GDPR, and CCPA/CPRA service-provider obligations. Available for execution under enterprise customer agreement.

Draft · counsel review pending

This Data Processing Addendum is a structurally complete draft published for public inspection. It is under review by qualified counsel and will be finalized before contract execution. Items in [SQUARE BRACKETS] mark fields that counsel must confirm before publication. Material questions: support@elyonsci.ai.

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement, Order Form, or Terms of Service (collectively, the "Agreement") between Elyon SCI, LLC ("Elyon SCI" or "Processor") and the customer identified in the Agreement ("Customer" or "Controller") for the provision of the Elyon platform (the "Service").

Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in applicable Data Protection Laws.

  • "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and other applicable U.S. state privacy laws.
  • "Customer Personal Data" means Personal Data that Elyon SCI Processes on behalf of Customer in connection with the Service.
  • "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR.
  • "Sub-processor" means any third party engaged by Elyon SCI to Process Customer Personal Data.
  • "SCCs" means the Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.

Roles and scope

Customer is the Controller and Elyon SCI is the Processor of Customer Personal Data Processed in connection with the Service. The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex I.

For purposes of the CCPA, Elyon SCI acts as a "Service Provider" to Customer. Elyon SCI does not sell or share Customer Personal Data, and will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer or for any purpose other than the specific purpose of performing the Service.

Processor obligations

  • Documented instructions. Elyon SCI will Process Customer Personal Data only on documented instructions from Customer, including those set out in the Agreement and this DPA, unless required to do otherwise by applicable law (in which case Elyon SCI will, to the extent permitted, inform Customer of that legal requirement).
  • Confidentiality. Elyon SCI will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations.
  • Security. Elyon SCI will implement and maintain the technical and organizational measures described in Annex II, designed to ensure a level of security appropriate to the risk.
  • Assistance. Elyon SCI will provide reasonable assistance to Customer in fulfilling Customer's obligations under Data Protection Laws, including responding to Data Subject requests, conducting data protection impact assessments, and consulting with Supervisory Authorities.
  • Deletion or return. Upon termination of the Service, Elyon SCI will, at Customer's election, delete or return Customer Personal Data within the timeframe specified in the Agreement, and delete existing copies unless required by law to retain them.
  • Auditability. Elyon SCI will make available to Customer information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits as described in Section 8.

Sub-processors

Customer provides general authorization for Elyon SCI to engage Sub-processors. The current list of Sub-processors is available at /sub-processors. Elyon SCI will provide Customer with at least thirty (30) days' prior notice of any intended addition or replacement of a Sub-processor, except in the case of an emergency change required to preserve security or continuity of the Service.

Customer may object to a new Sub-processor on reasonable data protection grounds by written notice within fifteen (15) days of Elyon SCI's notice. The parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the affected portion of the Service for cause.

Elyon SCI will impose data protection terms on each Sub-processor that are no less protective than those set out in this DPA, and will remain liable for the acts and omissions of its Sub-processors.

International transfers

Where Elyon SCI Processes Customer Personal Data subject to the GDPR or UK GDPR in a jurisdiction that does not have an adequacy decision, the parties will rely on the SCCs (and the UK International Data Transfer Addendum where applicable), which are incorporated into this DPA by reference. The relevant modules, options, and Annexes are set out in Annex III.

Personal Data Breach

Elyon SCI will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include the information required by Article 33(3) of the GDPR to the extent then known, and Elyon SCI will update Customer as additional information becomes available.

Data Subject requests

If Elyon SCI receives a request from a Data Subject related to Customer Personal Data, Elyon SCI will, unless prohibited by law, forward the request to Customer without undue delay and will not respond to the request directly except on Customer's documented instruction. Elyon SCI will provide reasonable assistance to Customer in responding to verified Data Subject requests.

Audits

Customer may, upon at least thirty (30) days' prior written notice and no more than once per twelve (12) month period (except where required by a Supervisory Authority or following a Personal Data Breach), audit Elyon SCI's compliance with this DPA. Audits may be satisfied in whole or in part by:

  • Provision of Elyon SCI's then-current independent third-party audit reports (e.g., SOC 2) under NDA
  • Provision of completed industry-standard security questionnaire responses
  • Reasonable answers to written questions concerning Elyon SCI's compliance with this DPA
  • On-site audit conducted by Customer or its designated independent third-party auditor (not a competitor of Elyon SCI), at Customer's expense, during business hours, in a manner that does not unreasonably disrupt Elyon SCI's operations and that protects the confidentiality of other customers' data

Liability

The liability of each party arising out of or in connection with this DPA is subject to the limitations of liability set forth in the Agreement.

Order of precedence

In the event of a conflict between this DPA and the Agreement on a data protection matter, this DPA controls. The SCCs, where applicable, control over both.

Annex I — Description of processing

  • Subject matter: Processing of Customer Personal Data necessary for Elyon SCI to provide the Service to Customer.
  • Duration: For the term of the Agreement, plus any post-termination retention period.
  • Nature and purpose: Hosting, transmitting, analyzing, and otherwise Processing Customer Personal Data to provide the Service.
  • Categories of Data Subjects: Customer's employees, contractors, customers, suppliers, carriers, drivers, and other counterparties whose data Customer submits to the Service.
  • Categories of Personal Data: Identifiers (names, email addresses, phone numbers); employment data; commercial information (shipment, order, and account data); geolocation (lane and stop data); communications metadata and content; and any other Personal Data Customer chooses to submit.
  • Special category data: Customer is responsible for evaluating whether the Service is appropriate for special category data. By default, the Service is not configured for special category data Processing.

Annex II — Technical and organizational measures

  • Access control. Role-based access at the application layer; least-privilege access at the infrastructure layer; MFA on production and administrative access; periodic access review.
  • Encryption. TLS 1.2 or higher in transit; AES-256 at rest via underlying cloud infrastructure.
  • Tenant isolation. Logical separation enforced by tenantId scoping across application reads, writes, and AI retrieval.
  • Logging and monitoring. Application audit logs; infrastructure logging; security monitoring on production environments.
  • Change management. Code review, automated security scanning (CodeQL, Secret Scanning, Push Protection, Dependabot), and protected-branch deployment.
  • Vulnerability management. Continuous dependency scanning; documented patch SLAs; coordinated disclosure program (see /responsible-disclosure).
  • Incident response. Documented IR plan; on-call rotation; defined severity levels and customer notification thresholds.
  • Backups and continuity. Multi-AZ replication; documented RTO/RPO available to enterprise customers under NDA.
  • Personnel. Background checks where lawful; confidentiality obligations; onboarding and annual security training; same-day access revocation upon role change or departure.
  • Vendor management. Pre-onboarding vendor review; canonical Sub-processor list; data protection terms imposed on Sub-processors.

Annex III — Standard Contractual Clauses

Where applicable, the parties agree to be bound by the SCCs, completed as follows:

  • Module(s): Module Two (Controller to Processor) and Module Three (Processor to Sub-processor), as applicable.
  • Clause 7 (docking clause): Included.
  • Clause 9 (sub-processors): Option 2 — general written authorization, as described in Section 4 of this DPA.
  • Clause 11 (redress): Option excluding independent dispute resolution body.
  • Clause 17 (governing law): Governing law of [CONFIRM JURISDICTION] (EU member state, where required).
  • Clause 18 (forum and jurisdiction): [CONFIRM JURISDICTION].
  • UK Addendum: Where the UK GDPR applies, the parties agree to the UK International Data Transfer Addendum to the SCCs, dated 21 March 2022.

Request an executed DPA.

Enterprise customers can request the current DPA for counter-signature, along with the security questionnaire and sub-processor list, via support.

Email supportSub-processors