Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is between:

• Data Controller: The entity or individual subscribing to Haul Command services ("Customer")
• Data Processor: Haul Command LLC ("HC"), operating at haulcommand.com

2. Scope & Purpose

HC processes personal data on behalf of the Customer solely for:

• Operating and maintaining directory listings
• Processing payments via Stripe (PCI DSS compliant)
• Providing analytics and intelligence reports
• Facilitating ELD/telematics integration (Motive)
• Delivering communication services (email, SMS, push)

3. Sub-Processors

4. Security Measures

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Row Level Security (RLS) on all Supabase tables
• HMAC-SHA512 webhook signature verification
• OAuth 2.0 with PKCE for authentication
• Role-based access control (RBAC)
• Automated vulnerability scanning
• Annual security review

5. Data Subject Rights

HC will assist the Customer in responding to data subject requests within:

• 30 days (GDPR, Art. 12(3))
• 28 days (UK GDPR)
• 30 days (Australian Privacy Act)

Automated endpoints are available at /api/privacy/delete and /api/privacy/export.

6. Breach Notification

HC will notify the Customer of any personal data breach within 48 hours of discovery, providing category of data affected, estimated number of individuals, and remediation steps taken.

7. Standard Contractual Clauses

For international transfers to countries without an EU adequacy decision, HC relies on the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission on June 4, 2021.

8. Term & Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, HC will delete or return all personal data within 90 days, unless retention is required by law.