DATA PROCESSING AGREEMENT (DPA)

entered into between:

Waybiller OÜ
registry code 14200010
Mäealuse 2/1, Tallinn, Estonia
(hereinafter the “Processor”)

and

Client
(hereinafter the “Controller”)

This Data Processing Agreement (hereinafter the “DPA”) forms an integral part of the Service Agreement and/or the Terms of Use entered into between the parties and governs the processing of personal data in connection with the use of the Service.

Where the parties have entered into a separate Service Agreement in addition to the Terms of Use, this DPA shall also apply to the processing of personal data arising from such Service Agreement. The parties agree that the Terms of Use and, where applicable, the Service Agreement together with this DPA constitute the basis and instructions given by the Controller to the Processor for the processing of personal data (hereinafter the “Data Processing Basis”).

The terms “personal data”, “processing”, “personal data breach”, “controller” and “processor” shall have the same meaning in this DPA as under the GDPR.

1. PURPOSE AND SCOPE

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Service.

The Processor shall process personal data only on the documented instructions of the Controller, unless processing is required by European Union or Member State law.

This DPA applies whenever the Controller uses the Processor’s Service and the Processor processes personal data on behalf of the Controller.

2. ROLES OF THE PARTIES

For the purposes of this DPA:

The Controller determines the purposes and means of the processing of personal data.

The Controller undertakes to ensure that it has complied with all legal requirements applicable to the processing of personal data. The Controller also ensures that it has provided the Processor with the necessary instructions, to the extent required by law, for the processing of personal data on behalf of the Controller. The parties agree that the Data Processing Basis together with this DPA constitutes the complete instructions agreed between the parties for the processing of personal data. Any additional instructions may be given only by separate written agreement between the parties.

The Controller is responsible for the personal data made available to the Processor and for ensuring that a valid legal basis exists for the processing of such personal data.

Waybiller OÜ acts as processor and processes personal data on behalf of the Controller.

The Processor shall process personal data only in accordance with applicable law. If applicable law prevents the Processor from processing personal data in accordance with an instruction of the Controller, the Processor shall comply with applicable law and notify the Controller without undue delay, stating the reasons why the instruction cannot be followed.

The Processor shall process personal data only for the purposes set out in this DPA or in the Data Processing Basis. Processing personal data for any other purpose is prohibited.

3. DESCRIPTION OF PROCESSING

The subject matter of the processing is the provision of the Processor’s electronic waybill platform.

The subject matter, duration, nature and purpose of the processing, as well as the types of personal data and categories of data subjects, are described in Annex 2.1.

4. OBLIGATIONS OF THE PROCESSOR

The Processor undertakes to:

Processing in accordance with instructions

Process personal data only on the documented instructions of the Controller.

Confidentiality

The Processor shall ensure the confidentiality of personal data processed on behalf of the Controller. To ensure the confidentiality of personal data, the Processor shall implement the following measures:

Access to personal data shall be granted only to the Processor’s representatives, employees or other persons acting on behalf of the Processor who require access to personal data strictly for the performance of their duties.

Access to personal data shall be limited to the information strictly necessary for the relevant representatives, employees or other persons acting on behalf of the Processor to perform their duties, and personal data shall be used only for the purposes of fulfilling the Data Processing Basis.

Personal data shall not be accessible to unrelated third parties, nor to employees or other service providers of the Processor who do not require access to personal data for the performance of their duties. The Processor shall not disclose personal data to third parties unless required by law or with the written consent of the Controller.

Persons who have access to personal data shall be subject to confidentiality obligations arising from an agreement with them or from applicable law.

Security and audit rights

Implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk. The security measures are described in Annex 2.2.

The Controller has the right to audit the Processor’s data protection documentation no more than once per calendar year by giving at least 30 days’ prior notice.

The audit shall be carried out in a manner that does not compromise the security or confidentiality of the Processor’s systems or the data of other clients.

In connection with an audit or inspection, the Processor shall make available the information necessary for the audit or inspection. The Controller’s audit right is limited to auditing data protection documentation.

The Controller shall coordinate the audit date with the Processor. The Controller or an auditor appointed by the Controller shall conduct the audit during normal business hours and in a manner that causes minimal disruption to the Processor’s ordinary business activities.

The Processor shall bear the costs related to the audit, including auditor fees and other reasonable costs, if the audit or inspection identifies non-compliance with the Data Processing Basis, the GDPR or other applicable data protection law.

If the audit or inspection identifies deficiencies in the Processor’s security measures or data processing processes, the Processor shall:

  • remedy the identified deficiencies at its own expense without undue delay, but no later than within a reasonable period set by the Controller;
  • notify the Controller in writing once the deficiencies have been remedied and provide appropriate evidence thereof.

Records of processing activities

Maintain records of processing activities carried out on behalf of the Controller in accordance with the GDPR and Estonian law.

Cooperation

Assist the Controller in fulfilling its obligations under the GDPR.

5. USE OF ARTIFICIAL INTELLIGENCE

The Processor may, in providing the Service, use artificial intelligence-based systems, including call and chat solutions, solely to support customer support and the functioning of the Service, such as routing requests, preparing responses, transcribing and summarising, to the extent described in Annex 2.1.

The Processor shall not use personal data processed on behalf of the Controller for automated decision-making or profiling within the meaning of Article 22 of the GDPR and shall not make AI-based decisions that produce legal effects concerning the data subject or similarly significantly affect the data subject without meaningful human involvement.

6. ASSISTANCE TO THE CONTROLLER

The Processor shall assist the Controller, within reasonable scope, with the following matters:

  • responding to data subject requests;
  • ensuring the security of processing;
  • preparing data protection impact assessments;
  • consulting with supervisory authorities.

7. NOTIFICATION OF PERSONAL DATA BREACHES

In the event of a personal data breach affecting the Controller’s data, the Processor shall:

  • notify the Controller without undue delay;
  • provide relevant information regarding the breach;
  • cooperate in implementing measures to mitigate the damage.

8. SUB-PROCESSORS

The Controller grants the Processor a general authorisation to use sub-processors.

The Processor undertakes to:

  • notify the Controller of changes concerning sub-processors;
  • ensure that sub-processors are subject to data protection obligations equivalent to those set out in this DPA.

Current sub-processors include cloud infrastructure providers and support platforms used for the operation of the Service.

The list of sub-processors shall be made available to the Controller upon request.

9. INTERNATIONAL DATA TRANSFERS

If personal data is transferred outside the European Economic Area, the Processor shall ensure that appropriate safeguards are used.

These may include:

  • the European Commission’s Standard Contractual Clauses;
  • other lawful transfer mechanisms.

10. DATA RETENTION AND DELETION

Upon termination of the Data Processing Basis, the Processor shall delete or return the Controller’s personal data, unless applicable law requires the retention of such data.

Data may be retained for a limited period for security, legal or operational reasons.

11. TECHNICAL AND ORGANISATIONAL MEASURES

The Processor shall implement technical and organisational security measures in accordance with Annex 2.2.

12. LIABILITY

The parties shall be liable for breaches in accordance with the Terms of Use. This DPA shall not limit liability in cases where limitation of liability is prohibited under applicable law.

13. GOVERNING LAW

This DPA shall be governed by the laws of the Republic of Estonia.

All disputes shall be resolved in accordance with the dispute resolution procedure set out in the Terms of Use.

14. CONTACT

For data protection matters:

Waybiller OÜ
E-mail: privacy@waybiller.com


Annex 2.1: DETAILS OF PERSONAL DATA PROCESSING

This Annex forms an integral part of the Data Processing Agreement (DPA).

1. Categories of data subjects

The Processor may process, on behalf of the Controller, personal data relating to the following categories of data subjects:

  • employees and representatives of the Controller;
  • customers and contractual partners of the Controller;
  • subcontractors and cooperation partners of the Controller;
  • users of the Service and other persons involved in logistics processes;
  • persons related to customer support requests.

2. Categories of personal data

Depending on the use of the Service and the activated functionality, the Processor may process, among other things, the following categories of personal data:

  • identification data – first name and surname, user account identifiers;
  • contact details – e-mail address, telephone number;
  • role and employment-related data – job title, company name, user role in the Service;
  • data related to the provision of the Service – waybill and logistics data, workflow records, Service usage data;
  • customer support data – content of requests, communication history, request metadata;
  • AI-based call and chat data – call audio, where recording is enabled, transcripts, summaries and technical metadata;
  • technical data – IP address, system and access logs;
  • breach-related data – information relating to contractual breaches, suspected fraud or payment delays.

The Processor does not process special categories of personal data within the meaning of Article 9 of the GDPR or biometric personal data, unless the parties have separately agreed so in writing and applicable law permits such processing.

3. Nature and frequency of processing

The processing of personal data is continuous, as it takes place throughout the term of the Terms of Use and is inseparably linked to the daily use of the Service.

4. Purposes of processing personal data

The Processor processes personal data on behalf of the Controller solely for the following purposes:

  • provision of the Processor’s Service in accordance with the Terms of Use and/or the Service Agreement;
  • management of electronic waybills and logistics documents;
  • management of user accounts and access rights;
  • ensuring the technical operation, reliability and security of the Service;
  • provision of customer support, including the use of artificial intelligence-based call and chat solutions where necessary;
  • activities related to ensuring the quality and security of the Service.

5. Processing operations

The Processor may carry out the following processing operations with personal data on behalf of the Controller:

  • collection and receipt of data;
  • recording and structuring;
  • storage and retention;
  • use for the provision of the Service;
  • disclosure to the Processor’s sub-processors in accordance with the DPA;
  • restriction, anonymisation or pseudonymisation of data, where necessary;
  • deletion or return upon termination of the Data Processing Basis.

Processing may be automated or non-automated and is carried out by means of information systems.

6. Retention of personal data

The Processor processes and retains personal data:

during the term of the Service Agreement or Terms of Use; and

after termination of the Data Processing Basis only to the extent and for the period necessary to return or delete personal data in accordance with the Controller’s instructions, unless retention of personal data is required under applicable law.

AI-based call recordings and transcripts are retained only to the minimum and proportionate extent necessary and in accordance with the functionality of the Service and the terms agreed between the parties.


Annex 2.2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

This Annex forms an integral part of the Data Processing Agreement (DPA).

The Processor shall implement at least the following measures to ensure the confidentiality, integrity and availability of Personal Data:

  • Access control and authentication

Access to development environments, servers and databases must be protected by multi-factor authentication (MFA), where supported and technically feasible.

The Processor shall grant its developers access only to such data as is strictly necessary for the performance of a specific task.

Individual user accounts are mandatory; the use of shared accounts is prohibited. Upon termination of employment, access rights shall be revoked immediately and in any event no later than 24 hours after termination.

  • Protection against malware and unauthorised access

The Processor uses firewalls on its servers, where applicable and technically feasible, to restrict unauthorised network access and help prevent malware attacks, and applies security updates automatically where available.

All developers’ laptops must use full-disk encryption, such as BitLocker or FileVault.

Personal data shall not be stored locally on developers’ devices or external storage media unless reasonably necessary for a specific operational, support or development task. Any temporary local storage must be appropriately protected and removed once no longer required.

  • Information security incident management

The Processor shall notify the Controller of information security incidents as soon as possible.

All employees of the Processor are informed of the procedure for reporting information security incidents and of the person to whom such incidents must be reported.

  • Organisational measures

The Processor shall ensure that employees and contractors with access to personal data are bound by confidentiality obligations and are granted access only to the extent necessary for the performance of their duties.

The Processor may perform role-appropriate background checks where legally permitted and proportionate.

The Processor shall require its sub-processors to implement comparable personnel security measures.

Version: 1.0
Effective date: 01.05.2026