Data Processing Agreement
Version: v1 · Effective Date: June 1, 2026 · Governing Law: State of Delaware, United States & GDPR (EU) 2016/679
This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service between RIG53, Inc. and its users. It applies where RIG53 processes Personal Data on behalf of enterprise users who are Controllers under GDPR, and separately documents RIG53's own Controller obligations to all users.
Scope: This DPA applies to all processing of personal data in connection with the RIG53 platform and satisfies the requirements of GDPR Article 28.
1. Definitions
In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in the GDPR or the Terms of Service, as applicable.
2. Controller and Processor Roles
2.1 RIG53 as Controller
For all data collected directly from registered users of the RIG53 platform (including drivers, carriers, brokers, shippers, and dispatchers) in the course of providing the Platform's core services, RIG53 acts as an independent Data Controller. RIG53's controller-side obligations are described in the Privacy Policy.
2.2 RIG53 as Processor
Where an enterprise user ("Controller") uses RIG53's API or white-label platform features to process personal data of their own end users, RIG53 acts as a Data Processor on behalf of that Controller. In this capacity, RIG53 processes Personal Data only on documented instructions from the Controller, as specified in the applicable service agreement and this DPA.
2.3 Joint Controllership
In certain contexts — such as where a carrier organisation and RIG53 jointly determine the purposes of processing driver DQ files shared via the Platform — the parties may act as Joint Controllers under GDPR Art. 26. The respective responsibilities of Joint Controllers are documented in the applicable service agreement.
3. Subject Matter, Duration, and Nature of Processing
3.1 Subject Matter
The subject matter of processing under this DPA is the operation of the RIG53 platform, including user account management, freight operations, driver qualification management, identity verification, communications, analytics, and safety-related functions.
3.2 Categories of Data Subjects
- Registered platform users (drivers, carriers, brokers, shippers, dispatchers, social users)
- Employees and contractors of carrier, broker, and shipper organisations
- Waitlist registrants and prospective users
- Support and compliance inquiry submitters
3.3 Categories of Personal Data
| Category | Examples | Legal Basis (Art. 6) |
|---|---|---|
| Identity data | Name, username, profile photo | Contract (6(1)(b)) |
| Contact data | Email, phone number, address | Contract (6(1)(b)) |
| Professional credentials | CDL, MC/DOT number, FMCSA authority | Contract + Legal obligation (6(1)(c)) |
| DQ file data | MVR records, employment history, med cert | Legal obligation (6(1)(c)); 49 CFR §391 |
| Biometric data | Facial scan, CDL photograph | Consent (6(1)(a)); see Biometric Policy |
| Location data | GPS coordinates during active loads | Contract (6(1)(b)) + Consent (6(1)(a)) |
| Financial data | Subscription billing (managed by Stripe) | Contract (6(1)(b)) |
| Communications | Messages, support tickets | Legitimate interests (6(1)(f)) |
| Usage data | Activity logs, analytics, Trust Score inputs | Legitimate interests (6(1)(f)) |
3.4 Duration
Processing under this DPA continues for the duration of the applicable service agreement or platform subscription, and for such additional periods as are required to fulfill legal retention obligations. Data retention periods are specified in the Privacy Policy retention table.
4. Processor Obligations
When acting as Processor, RIG53 shall:
4.1 Process only on instructions
Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. RIG53 will inform the Controller if it believes an instruction infringes GDPR or applicable data protection law.
4.2 Confidentiality
Ensure that personnel authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7.
4.4 Sub-processors
Not engage another processor without prior specific or general written authorization from the Controller, subject to the sub-processor provisions in Section 5.
4.5 Data subject assistance
Assist the Controller in fulfilling its obligation to respond to requests to exercise data subject rights, as described in Section 6.
4.6 Compliance assistance
Assist the Controller in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and information available to RIG53.
4.7 Deletion or return
At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, unless applicable law requires storage of the Personal Data.
4.8 Audit
Make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits conducted by the Controller, subject to Section 10.
5. Sub-Processors
5.1 Authorization
The Controller grants RIG53 general written authorization to engage the sub-processors listed in Section 5.3. RIG53 will inform the Controller of intended changes (additions or replacements of sub-processors) at least 30 days in advance. The Controller may object to any proposed new sub-processor within 14 days; if RIG53 proceeds, the Controller may terminate the applicable service agreement.
5.2 Sub-Processor Obligations
RIG53 shall impose the same data protection obligations on each sub-processor as are imposed on RIG53 under this DPA by way of a written contract. RIG53 remains fully liable to the Controller for the performance of sub-processors' obligations.
5.3 Current Sub-Processor List
| Sub-Processor | Service | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, S3 storage, SES email | USA (us-east-1) | AWS DPA; SCCs Module 3 |
| Stripe, Inc. | Payment processing and subscription billing | USA | Stripe DPA; SCCs |
| Didit | Identity verification, KYC, biometric processing | USA / EU | Didit DPA; SCCs Module 3 |
| Resend | Transactional email delivery | USA | Resend DPA; SCCs |
| Checkr, Inc. | MVR and background check processing | USA | Checkr DPA; SCCs |
| Google LLC (Gemini API) | AI-powered document OCR and content generation | USA | Google Cloud DPA; SCCs |
| Sentry | Error monitoring and performance tracking | USA | Sentry DPA; SCCs |
| Vercel, Inc. | Frontend hosting and edge delivery | USA / Global edge | Vercel DPA; SCCs |
| Twilio | SMS delivery for OTP and notifications | USA | Twilio DPA; SCCs |
The current sub-processor list is maintained at rig53.com/legal/dpa and is updated when new sub-processors are added.
6. Data Subject Rights
RIG53 provides mechanisms to assist Controllers and data subjects in exercising GDPR rights. Direct users of the RIG53 platform may exercise the following rights by submitting a verifiable request to privacy@rig53.com or via the data settings in their account:
| Right | GDPR Article | RIG53 Response Time | Notes |
|---|---|---|---|
| Right to be informed | Art. 13–14 | At collection | This DPA + Privacy Policy |
| Right of access | Art. 15 | 30 days | Machine-readable export |
| Right to rectification | Art. 16 | 30 days | Corrects inaccurate data |
| Right to erasure | Art. 17 | 30 days | Subject to legal holds (49 CFR §391) |
| Right to restrict processing | Art. 18 | 30 days | Account suspend-processing option |
| Right to data portability | Art. 20 | 30 days | CSV / JSON export of user data |
| Right to object | Art. 21 | 30 days | Applies to legitimate-interests processing |
| Rights re: automated decisions | Art. 22 | 30 days | Trust Score — human review available |
RIG53 may extend the response period by a further 60 days for complex or numerous requests, notifying the data subject of the extension within 30 days of the original request per GDPR Art. 12(3).
7. Security Measures
RIG53 has implemented the following technical and organizational security measures as required by GDPR Art. 32, taking into account the state of the art, costs, and the nature of personal data processed:
7.1 Technical Measures
- AES-256 encryption at rest for all Personal Data and DQ file data;
- TLS 1.3 encryption for all data in transit;
- Field-level encryption for sensitive PII (CDL numbers, EINs, routing numbers) via CredentialVault;
- Role-based access control (RBAC) enforced at the API layer via Sanctum + Spatie permissions;
- PostgreSQL row-level security for multi-tenant data isolation;
- Immutable audit logging via Laravel Telescope for all data access and modification events;
- Multi-factor authentication available for all accounts;
- Regular automated vulnerability scanning and dependency audits;
- Rate limiting on all API endpoints to prevent brute-force and enumeration attacks.
7.2 Organizational Measures
- Access to Personal Data restricted to personnel with a documented need-to-know;
- All personnel with access to Personal Data are subject to confidentiality obligations;
- Security incident response procedures documented and tested;
- Data processing agreements with all sub-processors;
- Regular security training for personnel with access to Personal Data.
8. Data Breach Notification
8.1 Detection and Internal Response
RIG53 maintains a documented security incident response procedure. Upon becoming aware of a personal data breach (as defined in GDPR Art. 4(12)), RIG53 will immediately activate its incident response procedure, contain the breach, assess the scope and risk, and document all response actions.
8.2 Notification to Controller (when acting as Processor)
Where RIG53 acts as Processor, it will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of data subjects. Notification will include: (a) a description of the nature of the breach; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed to address the breach.
8.3 Notification to Supervisory Authority (when acting as Controller)
Where RIG53 acts as Controller and a breach is likely to result in a risk to data subjects, RIG53 will notify the relevant Supervisory Authority within 72 hours of awareness per GDPR Art. 33.
8.4 Notification to Data Subjects
Where a breach is likely to result in a high risk to data subjects, RIG53 will notify affected data subjects without undue delay per GDPR Art. 34, unless the notification is not required due to applicable exceptions.
9. Deletion and Return of Data
9.1 End of Service
Upon termination of the service agreement or upon the Controller's written request, RIG53 shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller within 30 days, and delete existing copies unless applicable law requires continued storage.
9.2 User-Initiated Deletion
Registered users who request account deletion via account settings or by emailing privacy@rig53.com will have their Personal Data deleted within 30 days, subject to legal retention requirements.
9.3 Legal Retention
Certain data is subject to mandatory retention requirements that override deletion requests. FMCSA DQ file data is retained for 7 years (49 CFR §391.51). Audit logs are retained for 7 years for regulatory compliance. Financial transaction records are retained per applicable tax and accounting law.
10. Audit Rights
10.1 Documentation
RIG53 will make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR, including this DPA, security documentation, and sub-processor agreements (subject to confidentiality).
10.2 Audits
RIG53 will allow for and contribute to audits or inspections conducted by the Controller or a mandated auditor, provided that: (a) the Controller gives at least 30 days' prior written notice; (b) the audit is conducted during normal business hours; (c) audits are conducted no more than once per 12 months unless required by law; (d) the auditor is bound by a confidentiality agreement; and (e) the audit does not unreasonably disrupt RIG53's operations.
10.3 Certification
To the extent RIG53 holds relevant security certifications (e.g., SOC 2, ISO 27001), RIG53 may satisfy audit requests by providing a current certification report in lieu of an on-site audit.
11. International Data Transfers
11.1 Transfer Mechanisms
Where RIG53 transfers Personal Data from the European Economic Area (EEA) or the United Kingdom to third countries (including the United States), such transfers are made pursuant to:
- The European Commission's Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) or Module 3 (Processor to Processor) as applicable, adopted pursuant to Commission Implementing Decision (EU) 2021/914;
- UK International Data Transfer Agreements (IDTAs) for transfers from the United Kingdom;
- Adequacy decisions by the European Commission where applicable;
- Binding Corporate Rules where applicable.
11.2 Transfer Impact Assessments
RIG53 conducts Transfer Impact Assessments (TIAs) for transfers to third countries where required by applicable guidance from the EDPB or national supervisory authorities. TIAs are available to Controllers upon reasonable request.
11.3 SCC Reference
Upon written request to legal@rig53.com, RIG53 will provide the applicable SCCs for review. SCCs are incorporated by reference into this DPA.
12. Liability
Each party is liable for its own breach of this DPA and applicable data protection law. As between Controller and Processor: (a) if RIG53, as Processor, bears responsibility for a data protection violation, its liability is limited to the extent it has not complied with its obligations under GDPR Article 28 or has acted outside or contrary to the Controller's lawful instructions; (b) each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the extent permitted by applicable law.
13. Term and Termination
This DPA is effective for the duration of the service agreement between RIG53 and the Controller. This DPA terminates automatically upon termination of the applicable service agreement, subject to survival of provisions relating to data deletion, audit rights, and breach notification. Upon termination, RIG53 will perform its deletion or return obligations within 30 days as described in Section 9.
14. Data Protection Officer and Contact
RIG53 has designated a Data Protection Officer (DPO) responsible for overseeing GDPR compliance.
RIG53 Data Protection Officer
Email: dpo@rig53.com
Privacy team: privacy@rig53.com
Legal: legal@rig53.com
RIG53, Inc. · Wilmington, Delaware, United States
Data subjects in the EU/EEA may also lodge a complaint with their local Supervisory Authority. A list of EU/EEA Supervisory Authorities is available at edpb.europa.eu.
15. Governing Law
This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law provisions, except that where GDPR or UK GDPR applies to the processing, those regulations take precedence over any conflicting provisions of this DPA. Disputes arising under this DPA are subject to the dispute resolution provisions in the Terms of Service.