Data Processing Agreement (DPA)
Dockflow BV — Data Processing Agreement
Last updated: March 10, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Dockflow BV ("Processor", "Dockflow") and the entity agreeing to these terms ("Controller", "Customer") for the use of the Dockflow Logistics Enablement Platform ("Platform").
This DPA applies to the extent that Dockflow processes Personal Data on behalf of the Customer in the course of providing the Platform.
1. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law. |
| Processing | Any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion. |
| Data Subject | The identified or identifiable natural person to whom Personal Data relates. |
| Applicable Data Protection Law | All applicable laws relating to the processing of Personal Data, including (as applicable) the EU General Data Protection Regulation (GDPR), the Indian Digital Personal Data Protection Act 2023 (DPDPA), and any other relevant data protection legislation. |
| Sub-processor | Any third party engaged by Dockflow to process Personal Data on behalf of the Customer. |
| Security Incident | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. |
2. Scope and Roles
2.1. Customer as Controller: The Customer determines the purposes and means of Processing Personal Data. The Customer is responsible for ensuring that the Processing is lawful under Applicable Data Protection Law.
2.2. Dockflow as Processor: Dockflow processes Personal Data solely on behalf of the Customer and in accordance with the Customer's documented instructions, as described in this DPA and the main service agreement.
3. Categories of Data Processed
In the course of providing the Platform, Dockflow may process the following categories of Personal Data:
| Category | Examples |
|---|---|
| User account data | Name, email address, phone number, company name of Customer's users and partners |
| Shipping reference data | Bill of lading numbers, booking numbers, container numbers (may be linked to identifiable parties) |
| Document data | Uploaded shipping documents which may contain names, addresses, or other identifiers of natural persons |
| Usage data | Login timestamps, IP addresses, platform activity logs |
The Data Subjects may include: Customer's employees, Customer's partners' employees, and third parties whose data appears in shipping documentation.
4. Processing Instructions
4.1. Dockflow shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. If Dockflow is required by law to process Personal Data for a purpose other than as instructed by the Customer, Dockflow shall inform the Customer of that legal requirement before Processing, unless prohibited by law.
4.2. Dockflow shall immediately inform the Customer if, in Dockflow's opinion, an instruction infringes Applicable Data Protection Law.
5. Confidentiality
Dockflow shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. Security Measures
6.1. Dockflow shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption: All data in transit is encrypted using TLS 1.2 or later. Data at rest is encrypted via the encryption mechanisms provided by Dockflow's cloud infrastructure provider.
- Access control: Role-based access control with least-privilege principles.
- Infrastructure: Hosted on industry-standard cloud infrastructure.
- Network security: Firewalls and network-level access controls.
- Monitoring: Platform uptime and security monitoring. Platform status is publicly available at status.dockflow.com.
- Personnel: Dockflow ensures that personnel with access to Personal Data are aware of their data protection obligations.
6.2. Dockflow shall regularly test, assess, and evaluate the effectiveness of these measures.
7. Sub-processors
7.1. The Customer grants Dockflow general authorisation to engage Sub-processors for the Processing of Personal Data, subject to the conditions in this section.
7.2. Dockflow maintains a current list of Sub-processors at: apidocs.dockflow.com/legal/sub-processors
7.3. Dockflow shall notify the Customer at least 30 days in advance of any intended addition or replacement of a Sub-processor, providing the Customer with the opportunity to object.
7.4. If the Customer objects to a new Sub-processor on reasonable data protection grounds, and Dockflow cannot reasonably accommodate the objection, the Customer may terminate the affected services without penalty.
7.5. Dockflow shall impose contractual obligations on each Sub-processor that are no less protective than those in this DPA.
8. Data Subject Rights
8.1. Dockflow shall assist the Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
8.2. Dockflow shall promptly notify the Customer if it receives a request from a Data Subject directly, and shall not respond to such request without the Customer's prior written authorisation, unless required by law.
9. Security Incident Notification
9.1. Dockflow shall notify the Customer of any Security Incident without undue delay and in any event within 72 hours of becoming aware of the incident.
9.2. The notification shall include:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected;
- The name and contact details of the Dockflow point of contact;
- A description of the likely consequences;
- A description of the measures taken or proposed to address the incident.
9.3. Dockflow shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
10. Data Protection Impact Assessments
Dockflow shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Applicable Data Protection Law, to the extent that such assistance relates to the Processing performed by Dockflow.
11. International Data Transfers
11.1. Dockflow primarily processes Personal Data within the European Economic Area (EEA).
11.2. If Personal Data is transferred outside the EEA, Dockflow shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law, such as:
- EU Standard Contractual Clauses (SCCs);
- An adequacy decision by the European Commission;
- Other legally recognised transfer mechanisms.
11.3. Upon request, Dockflow shall provide the Customer with information about the specific safeguards applied to any international transfer.
12. Data Retention and Deletion
12.1. Upon termination or expiry of the service agreement, Dockflow shall:
- Provide the Customer with a full export of Customer Data in a standard, machine-readable format within 30 calendar days of the termination date;
- Permanently delete all Personal Data from its active systems within 60 calendar days of the termination date and provide a written confirmation of deletion upon request;
- Ensure that Personal Data in backups is deleted when those backups naturally expire according to Dockflow's standard backup retention schedule, unless retention is required by applicable law — in which case Dockflow shall notify the Customer accordingly. During the retention period, backup data remains protected by the security measures described in this DPA.
12.2. During the term of the agreement, the Customer may request deletion of specific Personal Data at any time. Dockflow shall comply with such requests within a reasonable timeframe.
13. Aggregated and Anonymised Data
13.1. Dockflow may use strictly anonymised and aggregated data derived from Customer Data solely for the purpose of improving the accuracy and performance of the Platform's tracking and predictive algorithms.
13.2. Such data must be irreversibly anonymised prior to use, such that it cannot be attributed to or associated with the Customer or any Data Subject.
13.3. This anonymised data shall not be used for any purpose beyond improving core platform functionality, unless the Customer has provided explicit prior written consent for additional uses.
14. Audits
14.1. Dockflow shall make available to the Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.
14.2. Dockflow may satisfy audit requests by providing a summary of its security measures, relevant third-party audit reports or certifications, and written responses to reasonable questions from the Customer.
14.3. If such documentation does not reasonably address the Customer's concerns, Dockflow shall allow for and contribute to an audit conducted by an independent third-party auditor mutually agreed upon by both parties, subject to reasonable notice, during normal business hours, and no more than once per year — unless a Security Incident or evidence of non-compliance necessitates an additional audit. The costs of such audit shall be borne by the Customer.
15. Term and Termination
15.1. This DPA shall remain in effect for as long as Dockflow processes Personal Data on behalf of the Customer.
15.2. The obligations in this DPA shall survive termination to the extent necessary to complete the deletion of Personal Data and to comply with Applicable Data Protection Law.
16. Liability
Liability under this DPA is subject to the limitations and exclusions set out in the main service agreement between Dockflow and the Customer.
17. Governing Law
This DPA shall be governed by the laws of Belgium. Any disputes arising from this DPA shall be submitted to the courts of Antwerp, Belgium.
18. Contact
For questions or requests regarding this DPA or data protection:
- Data Protection Contact: [email protected]
- General Contact: [email protected]
- Address: Dockflow BV, Sint-Pietersvliet 7, 2000 Antwerp, Belgium