Data Processing Addendum
This Data Processing Addendum (the “DPA”) forms part of, and is incorporated by reference into, the Terms & Conditions of Tarifize and/or the Software License Agreement (collectively, the “Main Agreement”) entered into between:
(1) The Customer identified in the Main Agreement (the “Controller”); and
(2) PDS Hungary Kft. (registered seat: 1052 Budapest, Deák Ferenc tér 3 MEYER LEVINSON emelet; company registration number: 01-09-441819) (the “Processor”),
each a “Party” and together the “Parties.”
This DPA is effective as of the effective date of the Main Agreement (the “Effective Date”) and shall remain in force for the duration of the Processor’s processing of Personal Data on behalf of the Controller under the Main Agreement.
1 Definitions and Interpretation
1.1 In this DPA, unless the context otherwise requires:
“Applicable Data Protection Law” means Regulation (EU) 2016/679 (the “GDPR”), and any applicable national implementing legislation, as amended or replaced from time to time.
“Controller” means the Customer, which determines the purposes and means of processing of Personal Data.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“EEA” means the European Economic Area.
“Instructions” means the documented instructions of the Controller to the Processor regarding the processing of Personal Data, as set out in this DPA, the Main Agreement, or as otherwise provided by the Controller in writing.
“Personal Data” means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller under this DPA.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Processing” (and cognate terms such as “process” and “processed”) has the meaning given in Article 4(2) GDPR.
“Processor” means PDS Hungary Kft., which processes Personal Data on behalf of the Controller.
“Service” means the software-as-a-service platform operated by the Provider under the name “Tarifize”, including all features, functionalities, interfaces, APIs, AI-based systems and related services made available to the Customer under these Terms.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission by Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor).
“Sub-processor” means any third party engaged by the Processor (or by another Sub-processor) to process Personal Data on behalf of the Controller.
“Technical and Organisational Measures” or “TOMs” means the security measures described in Annex II.
1.2 Terms not defined in this DPA shall have the meanings given to them in the GDPR or, where not defined therein, in the Main Agreement.
1.3 In the event of any conflict between this DPA and the Main Agreement with respect to the processing or protection of Personal Data, this DPA shall prevail.
2 Scope and Roles
2.1 This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service under the Main Agreement.
2.2 The Controller acts as the controller of Personal Data within the meaning of Article 4(7) GDPR. The Processor acts as the processor of Personal Data within the meaning of Article 4(8) GDPR.
2.3 The subject matter, duration, nature and purpose of processing, the types of Personal Data processed, and the categories of Data Subjects are described in Annex I (Details of Processing).
2.4 This DPA does not apply to processing for which the Processor acts as an independent controller (e.g., billing data, compliance with legal obligations), which is governed by the Processor’s Privacy Notice.
3 Controller Instructions
3.1 The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by European Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Article 28(3)(a) GDPR).
3.2 The Parties expressly agree that the Main Agreement, including the standard automated functionalities of the Service, the data usage rights for product improvement, and the service learning and AI model training provisions, constitutes the Controller’s complete, exhaustive, and final instructions to the Processor.
3.3 The Processor is under no contractual or legal obligation to accept any additional, amended, or customized instructions from the Controller. Any requested change to the instructions must be submitted in writing and shall only become binding if explicitly agreed upon in a separate, signed written amendment. The Processor reserves the right to charge the Controller an advance assessment and implementation fee based on the Processor's standard current hourly consulting and engineering rates for reviewing any such requests.
3.4 If, in the Processor’s sole opinion, any instruction or action by the Controller poses a risk of non-compliance with Applicable Data Protection Law, or if a dispute arises regarding an instruction, the Processor may immediately, and without any liability for service disruption or breach of contract, suspend the affected processing operations or terminate the Main Agreement for cause.
4 AI-Specific Data Usage and Service Optimization
4.1 In accordance with Section 7 (Service Learning and Training) of the Terms and Conditions, the Controller acknowledges and explicitly instructs the Processor that all data, documents, and transactions uploaded to the Service may be utilized by the Processor for the purposes of system maintenance, service learning, testing, and training or improving the Processor’s machine learning models, algorithms, and artificial intelligence (AI) systems. The Parties agree that the performance of the Main Agreement and the submission of data into the Service constitutes a definitive, direct, and documented instruction from the Controller for such processing under Article 28 of the GDPR. To the extent that any such data is pseudonymized, anonymized, or aggregated, it shall no longer be considered personal data, and the Processor shall retain an unrestricted, perpetual, and irrevocable right to use it for product development.
4.2 The Controller explicitly waives any right to opt out of the use of anonymized, pseudonymized, aggregated, or non-personal telemetry data derived from the Controller’s usage of the Service. The Processor is fully entitled to use such data for benchmarking, product-improvement analytics, and statistical purposes without any restriction or notification obligation.
4.3 The Service operates as an automated tool. The Controller is solely responsible for verifying the output of the Service and ensuring appropriate human oversight before relying on any AI-generated results. The Processor shall not be required to maintain specialized, bespoke logs for AI-assisted processing operations beyond its standard security and system logs.
4.4 If the Controller requires information or assistance regarding the logic or functionality of the AI elements of the Service to comply with its legal or regulatory obligations (including explainability requirements), the Processor may provide such standard documentation as is generally available. Any further customized assistance or information requests shall be provided strictly at the Processor’s discretion and shall be fully reimbursed by the Controller at the Processor's current hourly consulting rates.
5 Confidentiality
5.1 The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).
5.2 The Processor shall limit access to Personal Data to those personnel who require such access to perform their obligations under the Main Agreement and this DPA.
5.3 The confidentiality obligations under this Section 5 shall survive the termination or expiry of this DPA.
6 Security of Processing (Technical and Organisational Measures)
6.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, the Processor shall implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.
6.2 The Controller agrees that the technical and organizational measures implemented by the Processor provide an adequate and sufficient level of protection for the Personal Data. The Processor reserves the right to modify, update, or optimize these security measures at its sole discretion from time to time, provided that such modifications do not fundamentally degrade the overall security level of the Service. The Processor is under no obligation to provide advance notice to the Controller regarding standard security updates or operational infrastructure changes.
6.3 Scope of Measures: Without limiting the generality of Section 6.1, the Processor’s technical and organizational measures shall generally address the following areas, as determined appropriate by the Processor based on its internal risk assessments:
• Implementing measures to restrict physical and logical access to systems processing Personal Data;
• Utilizing industry-standard encryption protocols for Personal Data in transit and at rest;
• Maintaining standard system logging practices and implementing logical data segregation between different customer environments;
• Employing standard backup procedures and maintaining business continuity arrangements designed to facilitate service restoration;
• Maintaining standard internal patch management and vulnerability mitigation practices as part of the software maintenance lifecycle; and
• Requiring standard confidentiality obligations from personnel authorized to process Personal Data and conducting standard security reviews of critical sub-processors.
7 Sub-processors
7.1 By entering into this DPA, the Controller hereby grants a general written authorisation to the Processor to engage Sub-processors (including infrastructure, cloud hosting, and technical service providers) to perform processing operations on behalf of the Controller. The current list of authorized Sub-processors is available to the Controller upon request or via the Processor’s website.
7.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least ten (10) business days before the change takes effect, thereby giving the Controller the opportunity to object to such changes.
7.3 The Controller may object to a new Sub-processor strictly on legitimate, documented data protection grounds by notifying the Processor in writing within five (5) business days of receiving the notice. If the Controller objects, the Processor may, at its sole discretion, attempt to mitigate the concern. If no mutually acceptable alternative is found within fifteen (15) calendar days, either Party may terminate the Main Agreement for convenience. In the event of such termination, the Processor shall have no obligation to provide alternative functionalities or customized solutions and shall not be liable for any damages or refunds beyond the effective date of termination.
7.4 The Processor shall ensure that it enters into a written agreement with each Sub-processor that imposes data protection obligations substantially similar to those imposed on the Processor under this DPA, in accordance with Article 28(4) of the GDPR.
8 Data Subject Requests
8.1 Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III GDPR (Article 28(3)(e) GDPR).
8.2 If the Processor receives a request directly from a Data Subject, the Processor shall without undue delay forward such request to the Controller. The Processor shall not respond to the Data Subject directly unless instructed to do so by the Controller or required by Applicable Data Protection Law.
8.3 Upon request by the Controller, the Processor shall provide reasonable cooperation in responding to Data Subject requests, including by providing relevant information and technical capabilities to facilitate access, rectification, erasure, restriction, portability, or objection, as applicable.
9 Data Protection Impact Assessments and Prior Consultation
9.1 Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller with any data protection impact assessment (Article 35 GDPR) and/or prior consultation with a supervisory authority (Article 36 GDPR), to the extent that such assistance is necessary and relates to the processing performed by the Processor on behalf of the Controller.
9.2 Such assistance shall be provided at the Controller's reasonable expense, unless the assistance is required as a result of the Processor's failure to comply with its obligations under this DPA.
10 Personal Data Breach Notification
10.1 The Processor shall notify the Controller without undue delay after becoming aware of a confirmed Personal Data Breach affecting Personal Data processed under the Main Agreement. The Processor shall use commercially reasonable efforts to provide such notification within seventy-two (72) hours of confirmation, in order to assist the Controller in complying with its obligations under Articles 33 and 34 of the GDPR.
10.2 Such notification shall include, to the extent available to the Processor at the time, a general description of the nature of the breach, the Processor’s privacy contact point, the likely consequences known at the time, and the mitigation measures taken or planned by the Processor.
10.3 Where it is not possible to provide all information simultaneously, the Processor shall provide information in phases without further undue delay as it becomes available.
10.4 The Processor shall cooperate with the Controller in good faith and take reasonable commercial steps to mitigate and remediate the effects of the Personal Data Breach. To ensure the stability and security of the platform, remediation and technical mitigation measures shall be executed in accordance with the Processor's internal security and engineering protocols.
11 Records of Processing Activities
11.1 The Processor shall maintain all records required by Article 30(2) GDPR, including the name and contact details of the Processor and each Controller on whose behalf the Processor acts, the categories of processing carried out, international transfers, and a general description of the TOMs.
11.2 The Processor shall make such records available to the competent supervisory authority upon its lawful request. The Processor may provide a summary or confirmation of compliance to the Controller upon reasonable written request, provided that such disclosure does not compromise the Processor’s commercial secrets or the confidentiality of other customers' data.
12 International Transfers
12.1 Location of Processing: The Processor shall store and process Personal Data primarily within the European Economic Area (EEA).
12.2 Restricted Transfers: The Processor shall not transfer Personal Data to a country outside the EEA unless such transfer complies with Chapter V of the GDPR (including, but not limited to, transfers based on a European Commission adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses). To the extent that an international transfer requires specific safeguards under Article 46 of the GDPR, the relevant Standard Contractual Clauses shall be deemed automatically incorporated into this DPA by reference.
13 Audits and Inspections
13.1 The Processor shall provide the Controller with all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR. In the first instance, the Controller’s audit rights shall be exercised by reviewing the Processor’s technical security descriptions (Annex II), available third-party security certifications (such as ISO 27001, if available), or by requesting the Processor to complete a reasonable security questionnaire once per twelve (12) month period.
13.2 If the information provided under Section 13.1 does not reasonably satisfy the Controller's compliance verification needs, or if an on-site audit is explicitly mandated by a competent data protection authority, the Controller may conduct a further inspection. Any such audit or on-site visit shall require at least thirty (30) days' prior written notice, must be conducted during normal business hours without disrupting the Service, and cannot be performed by a competitor of the Processor.
13.3 The Processor shall promptly remediate any material non-compliance identified in an audit and shall report on remediation progress to the Controller within a reasonable timeframe agreed by the Parties.
14 Data Return and Deletion
14.1 Within ninety (90) days following the termination or expiration of the Main Agreement, the Processor shall delete all Personal Data in its possession or control, including any copies held by Sub-processors, unless European Union or Member State law requires the continued storage of such personal data.
14.2 Personal Data contained in automated backup, disaster recovery, or archival systems shall be deleted or overwritten in accordance with the Processor's standard backup retention and rotation cycles, provided that such data remains protected in accordance with this DPA until it is completely overwritten.
14.3 For the avoidance of doubt, the deletion obligations set forth in Section 14.1 shall not apply to any fully anonymized, system telemetry, or aggregated data utilized by the Processor for service learning, product optimization, or machine learning model training.
14.4 Notwithstanding Section 14.1, the Parties expressly agree that automated AI processing logs and system performance data containing pseudonymized data may be retained for a maximum period of twelve (12) months from the date of creation (as specified in Annex I) for troubleshooting, auditability, and compliance purposes. Upon the expiry of this twelve (12) month period, such data must be either permanently deleted or fully anonymized/aggregated, after which the Processor retains an unrestricted, perpetual right to use it for product development.
15 Liability
15.1 The liability of each Party under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Main Agreement, and any reference to a Party's liability in the Main Agreement shall include liability under this DPA.
15.2 Nothing in this DPA shall be construed to limit or exclude either Party's liability for damages arising from breaches of Applicable Data Protection Law to the extent such limitation or exclusion is not permitted by law.
15.3 Each Party shall indemnify the other Party against any fines, costs, claims, or damages arising from the indemnifying Party's breach of this DPA or Applicable Data Protection Law, subject to the liability limitations in the Main Agreement.
16 Order of Precedence
16.1 In the event of any conflict or inconsistency between the provisions of this DPA and the Main Agreement (including the Terms & Conditions and/or the Software License Agreement), the provisions of this DPA shall prevail with respect to matters relating to the processing and protection of Personal Data and information security.
16.2 In all other matters, the order of precedence set out in the Main Agreement shall apply.
17 Governing Law and Dispute Resolution
17.1 This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Hungary.
17.2 Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive and final decision of the Permanent Arbitration Court attached to the Hungarian Chamber of Commerce and Industry (Commercial Arbitration Court Budapest), in accordance with its Rules of Proceedings. The number of arbitrators shall be one. The language of the arbitral proceedings shall be English.
18 General Provisions
18.1 This DPA may be amended only by a written instrument signed by both Parties.
18.2 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect and the invalid provision shall be modified to the minimum extent necessary to make it valid.
18.3 Notices under this DPA shall be delivered in accordance with the notice provisions of the Main Agreement.
18.4 This DPA, together with its Annexes, constitutes the entire agreement of the Parties with respect to the subject matter hereof and supersedes all prior agreements, representations, and understandings relating to data processing between the Parties.
18.5 This DPA shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns.
ANNEX I — Details of Processing
(This Annex forms part of the DPA and describes the processing carried out by the Processor on behalf of the Controller.)
A. List of Parties
| Field | Details |
|---|---|
| Data Exporter (Controller) | The Customer identified in the Main Agreement. |
| Contact Person | As designated in the Main Agreement or the Customer’s account settings. |
| Data Importer (Processor) | PDS Hungary Kft. (registered office: 1052 Budapest, Deák Ferenc tér 3 MEYER LEVINSON emelet, Hungary) |
| Contact Person (Processor) | Data Protection Officer / Privacy Contact: jozsef.dulai@tarifize.com |
B. Description of Processing
| Element | Description |
|---|---|
| Subject Matter | Processing of Personal Data in connection with the Service. |
| Duration | For the term of the Main Agreement, plus any post-termination retention period as set out in Section 14 of the DPA. |
| Nature and Purpose | Collection, storage, organisation, retrieval, consultation, use, disclosure by transmission, and erasure of Personal Data as necessary to provide and operate the Service, process customs documents, perform AI-assisted tariff classification, generate reports, provide technical support, maintain system logs and conduct automated service learning, product optimization, and AI/machine learning model training as authorized under the Main Agreement and this DPA. |
| Types of Personal Data | Names of shippers, consignees, customs agents, and employees; business contact details (email, phone, postal address); company names and registration numbers; signatures (electronic or scanned); transaction and shipment reference data; user account data (name, email, role, login credentials); system usage logs and IP addresses. |
| Categories of Data Subjects | Controller’s employees, agents, and contractors; shippers and consignees; customs representatives and brokers; business contacts of Controller’s trading partners; end users of the Service designated by the Controller. |
| Sensitive Data | Not anticipated. The Controller shall not upload special categories of data (Article 9 GDPR) unless agreed in a separate written addendum. |
| Frequency of Transfer | Continuous, as determined by the Controller’s use of the Service. |
| Retention Period | General Rule: All Personal Data processed under the Main Agreement shall be deleted within ninety (90) days following the termination or expiration of the Main Agreement, as set out in Section 14.1 of the DPA. AI Processing Logs: Notwithstanding the general rule, automated AI processing logs containing pseudonymized data may be retained for a maximum period of twelve (12) months from the date of creation for troubleshooting and auditability purposes, after which they shall be either permanently deleted or fully anonymized. Anonymized Data: System performance and automated AI processing logs may be retained indefinitely without time limitations, provided they are kept strictly in a fully anonymized or aggregated form for product improvement and benchmarking purposes. |
ANNEX II — Technical and Organisational Measures
(This Annex describes the minimum TOMs implemented by the Processor. The Processor may implement additional or enhanced measures.)
This Annex describes the general technical and organizational security measures implemented and maintained by the Processor to ensure a level of security appropriate to the risks associated with the processing. The Processor may update these measures from time to time at its sole discretion, provided that the overall security posture is not materially degraded.
1. Access Control and Authentication
• Implementation of role-based access controls to restrict data access to authorized personnel on a need-to-know basis.
• Use of standard secure authentication mechanisms (including passwords and multi-factor authentication where commercially reasonable) for systems processing Personal Data.
2. Data Protection and Encryption
• Protection of Personal Data during transmission using industry-standard encryption protocols (e.g., TLS).
• Storage of Personal Data within secured cloud environments utilizing logical data segregation to isolate the Controller’s data from other customers.
3. Infrastructure and Physical Security
• Reliance on major tier-1 cloud infrastructure providers (e.g., AWS, Microsoft Azure, or Google Cloud) whose data centers maintain independent industry certifications (such as ISO 27001 or SOC 2) covering physical security and environmental controls.
• Use of automated backup procedures to prevent accidental data loss and facilitate standard disaster recovery.
4. Vulnerability and Incident Management
• Continuous monitoring of system performance and logical security anomalies.
• Implementation of standard patch management and vulnerability mitigation practices. The Processor shall use commercially reasonable efforts to address and mitigate confirmed critical vulnerabilities without undue delay, in accordance with its internal security risk assessment.
• Maintenance of internal procedures to identify, respond to, and document suspected or confirmed security incidents.
5. Personnel Security
• Imposition of statutory or contractual confidentiality obligations on all internal staff and personnel authorized to access or process Personal Data.
ANNEX III — Authorised Sub-processors
As of the Effective Date of the Main Agreement, the Controller acknowledges and approves the engagement of the following core infrastructure Sub-processors:
| Sub-processor Name | Location | Description of Processing | Transfer Mechanism |
|---|---|---|---|
| [Cloud Provider, e.g., AWS / Azure / GCP] | EU (Frankfurt / Ireland) | Cloud hosting, compute, and storage infrastructure | Adequacy / N/A (intra-EEA) |
| [AI/ML Provider, if applicable] | [Location] | AI model inference for tariff classification | [SCCs Module 2 / Adequacy] |
| [Email/Notification Provider] | [Location] | Transactional email delivery | [Transfer Mechanism] |
| [Support Tooling Provider] | [Location] | Customer support ticketing system | [Transfer Mechanism] |
For a complete, up-to-date, and detailed list of all current technical Sub-processors (including transactional email delivery, AI inference models, and customer support tooling), the Controller may at any time consult the Processor’s dedicated sub-processor page at: https://tarifize.com or request the updated list via email from the Processor.
