Data Processing Agreement (DPA)

Last updated: April 2026 · In accordance with GDPR Article 28

About This Agreement

This DPA forms part of the Terms of Service between ClaimCMR and its customers. It governs ClaimCMR's processing of personal data on behalf of customers in accordance with GDPR Article 28. By using ClaimCMR, you accept the terms of this DPA.

For enterprise customers requiring a countersigned DPA, email privacy@claimcmr.com with subject “DPA Request.”

Parties

  • Data Controller: Customer (the business entity registered with ClaimCMR)
  • Data Processor: ClaimCMR, sole proprietorship, Kaunas, Lithuania, EU
  • Processor contact: privacy@claimcmr.com

This DPA supplements and is incorporated into the Terms of Service. In the event of any conflict between this DPA and the Terms of Service on data protection matters, this DPA prevails.

1. Scope and Purpose of Processing

  • Subject matter: ClaimCMR processes personal data on behalf of Customer solely to provide the freight claims management Service.
  • Nature of processing: Storage, retrieval, structured data extraction (OCR), deadline calculation, email notification, and analytical reporting on Customer's freight claim data.
  • Purpose: Enabling Customer to manage EU freight damage claims under the CMR Convention (Geneva, 1956).
  • Duration: For the term of Customer's active subscription, plus the 90-day post-termination retention period, unless Customer requests earlier deletion.

2. Types of Personal Data Processed

  • Names and business email addresses of Customer's employees and authorized users
  • Job titles and company affiliation of Customer's personnel
  • Names of logistics personnel, claims handlers, and operations managers appearing in Customer Data
  • Names, company names, and contact details of carriers, drivers, and consignees appearing in uploaded freight documents (CMR notes, PODs, invoices)
  • IP addresses of users accessing the platform
  • Signature data embedded in scanned freight documents

3. Categories of Data Subjects

  • Customer's employees and authorized users accessing the Service
  • Third parties named in freight documents uploaded by Customer, including: truck drivers, warehouse staff, consignors, consignees, and carrier representatives

ClaimCMR processes third-party personal data from freight documents solely on Customer's instruction. Customer, as Data Controller, is responsible for ensuring a lawful basis exists for processing this data.

4. ClaimCMR's Obligations as Data Processor (GDPR Article 28)

In accordance with GDPR Article 28, ClaimCMR shall:

  • (a) Process personal data only on documented instructions from Customer, unless required to do so by applicable EU or Lithuanian law
  • (b) Ensure all personnel authorized to process personal data are bound by confidentiality obligations
  • (c) Implement and maintain appropriate technical and organizational security measures in accordance with GDPR Article 32 (see Section 7)
  • (d) Not engage sub-processors without Customer's prior general or specific written authorization. Customer provides general authorization to use the sub-processors listed in Section 5.
  • (e) Assist Customer in fulfilling obligations to respond to data subject rights requests (access, rectification, erasure, portability, restriction, objection)
  • (f) Assist Customer with its breach notification obligations under GDPR Articles 33 and 34
  • (g) Assist Customer with DPIAs (Data Protection Impact Assessments) where required
  • (h) At Customer's choice, delete or return all personal data to Customer upon termination of the Service
  • (i) Provide all information necessary to demonstrate compliance with GDPR Article 28 and cooperate with Customer's audit rights

5. Sub-Processors

Customer provides general written authorization for ClaimCMR to engage the following sub-processors. ClaimCMR will notify Customer at least 14 days in advance of any additions or changes to this list, giving Customer the opportunity to object. ClaimCMR ensures all sub-processors are bound by equivalent data protection obligations and remains liable to Customer for sub-processor failures.

Sub-Processor     Purpose                                       Location       Safeguard
Stripe            Payment processing                            US / EU        SCCs + DPF
Supabase          Database infrastructure                       Germany (EU)   EU region (no transfer)
Vercel            Application hosting                           US / EU        SCCs
Resend            Transactional email delivery                  US             SCCs
Google (Gemini)   AI document extraction (on user instruction)  US             SCCs + DPF
OpenRouter        AI API routing                                US             SCCs
Sentry            Anonymized error monitoring                   US             SCCs
PostHog           Product analytics                             EU region      EU region (no transfer)
Cloudflare        DNS, CDN, DDoS protection                     Global         SCCs + DPF

SCCs = Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). DPF = EU-US Data Privacy Framework; relied on only while the recipient's DPF certification is current.

6. International Data Transfers

When ClaimCMR transfers personal data to sub-processors located outside the European Economic Area (EEA), it implements appropriate transfer mechanisms in accordance with GDPR Chapter V:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
  • EU-US Data Privacy Framework (DPF), where the recipient is certified
  • Binding Corporate Rules (BCRs), where available

ClaimCMR maintains Transfer Impact Assessments (TIAs) for all transfers to countries without EU adequacy decisions. Copies are available to Customer on written request.

7. Technical and Organizational Security Measures (Article 32 GDPR)

ClaimCMR implements and maintains the following security measures:

Encryption at rest: AES-256 encryption for all data stored in Supabase (Frankfurt, EU)
Encryption in transit: TLS 1.3 for all data transmitted between client and server
Access controls: Role-based access control (RBAC) with the principle of least privilege applied
Authentication: Multi-factor authentication (MFA) required for all administrative access
Security testing: Regular security assessments and vulnerability scanning
Employee training: All personnel with data access receive data protection training
Incident response: Written incident response procedures and breach response plan maintained
Data residency: Primary database hosted in the EU (Frankfurt, Germany) via Supabase
Backups: Daily automated backups stored in the EU region and tested regularly

8. Data Breach Notification

In the event of a personal data breach, ClaimCMR shall:

  • (a) Notify Customer without undue delay, and in any event within 48 hours, of becoming aware of any personal data breach affecting Customer's personal data (GDPR Article 33(2)), so that Customer can meet its own 72-hour notification deadline
  • (b) Provide in that notification: a description of the nature of the breach; categories and approximate number of data subjects and records affected; likely consequences of the breach; measures taken or proposed to address the breach and mitigate its effects
  • (c) Cooperate fully with Customer's breach response and regulatory notification obligations
  • (d) Assist Customer in notifying the competent supervisory authority (for Lithuania, the State Data Protection Inspectorate, VDAI) and affected data subjects where required under GDPR Articles 33–34

9. Data Subject Rights Assistance

ClaimCMR shall assist Customer in fulfilling requests from data subjects exercising their rights under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection). ClaimCMR will respond to Customer's assistance requests within 5 business days.

Data subjects wishing to exercise rights in relation to data processed by ClaimCMR on Customer's behalf should direct their requests to Customer (the Data Controller) in the first instance.

10. Audit Rights

Customer may, upon 30 days' written notice and at Customer's own cost, audit ClaimCMR's compliance with this DPA no more than once per calendar year. Audits must be conducted during normal business hours and must not unreasonably disrupt ClaimCMR's operations.

ClaimCMR may satisfy audit rights by providing its most recent third-party security audit report (ISO 27001, SOC 2, or equivalent) in lieu of a full on-site audit.

11. Deletion and Return of Data

  • Following termination of the Service, Customer may request a complete export of all Customer Data in CSV and JSON format at any time during the 90-day post-termination retention window
  • After the 90-day retention window, ClaimCMR will permanently delete all Customer personal data from its production systems, and from backups within a further 30 days
  • ClaimCMR will provide written confirmation of deletion on request
  • Anonymized and aggregated data that cannot be used to identify individuals may be retained for product improvement

Request a Countersigned DPA

Enterprise customers requiring a formally executed, countersigned DPA for their own compliance records can request one by email. We will return a signed copy within 5 business days.

Email: privacy@claimcmr.com
Subject: DPA Request — [Your Company Name]

Questions: privacy@claimcmr.com

Related: Privacy Policy · Terms of Service

© 2026 ClaimCMR. All rights reserved.