Data Processing Addendum

Last updated: April 18, 2026

This Data Processing Addendum ("DPA") forms part of the Master Subscription Agreement or Terms of Service (the "Agreement") between Haulia, Inc. ("Haulia") and the customer identified on the Order Form ("Customer") and applies to Haulia's Processing of Personal Data on Customer's behalf.

1. Definitions

Capitalized terms not defined here have the meaning in the Agreement or, where applicable, in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in Article 4 of the GDPR.

2. Roles of the parties

Customer is the Controller of Personal Data included in Customer Data. Haulia is the Processor acting on Customer's instructions. Each party will comply with its obligations under Data Protection Laws.

3. Scope and purpose of Processing

Haulia Processes Personal Data solely to provide and support the Service, as described in the Agreement and in Annex 1 below, and in accordance with Customer's documented instructions.

4. Processor obligations

  • Process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required otherwise by applicable law.
  • Ensure personnel authorized to Process Personal Data are under a duty of confidentiality.
  • Implement appropriate technical and organizational measures described in Annex 2 to protect Personal Data.
  • Assist Customer in responding to Data Subject requests and in complying with obligations under Articles 32–36 of the GDPR.
  • Notify Customer without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach.

5. Sub-processors

Customer provides a general authorization for Haulia to engage sub-processors listed in Annex 3. Haulia will impose data-protection obligations on each sub-processor that are substantively the same as those in this DPA.

Haulia will give Customer at least 30 days' prior notice of new or replacement sub-processors. If Customer objects on reasonable grounds related to data protection, the parties will work in good faith to resolve the objection; if they cannot, Customer may terminate the affected portion of the Service without penalty.

6. International transfers

Where Haulia transfers Personal Data out of the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree to the EU Standard Contractual Clauses (Module Two, Controller-to-Processor) and, for UK transfers, the UK International Data Transfer Addendum, which are incorporated by reference.

7. Data Subject rights

Taking into account the nature of the Processing, Haulia will assist Customer by appropriate technical and organizational measures, insofar as possible, in the fulfillment of Customer's obligations to respond to Data Subject requests.

8. Audits

Haulia will make available to Customer, on request, the information necessary to demonstrate compliance with this DPA, including up-to-date SOC 2 reports and summary penetration-test results. Customer may conduct an audit no more than once per year, on reasonable prior notice, under reasonable confidentiality controls and at Customer's cost.

9. Deletion and return

On termination or expiration of the Agreement, Haulia will, at Customer's choice, delete or return all Personal Data to Customer, and delete existing copies unless applicable law requires storage. Deletion is completed within 30 days across production systems and within 90 days from backups.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Agreement.

Annex 1 — Details of Processing

Subject matter: Provision of the Haulia freight operations platform.

Duration: For the term of the Agreement plus any period required for deletion or legal hold.

Nature and purpose: Hosting, indexing, routing, AI-assisted generation of communications, tracking, reporting, and support.

Categories of Data Subjects: Customer's personnel (Authorized Users), Customer's end customers, carrier contacts, drivers, and other individuals whose information is included in Customer Data.

Categories of Personal Data: Name, business contact details, role/title, communication content, IP and device metadata, approximate location from tracking signals, and any other data Customer uploads.

Special categories: None intended. Customer will not upload special categories of data absent prior written agreement.

Annex 2 — Technical and organizational measures

Haulia maintains an information security program consistent with industry standards. See our Security page for the current description, which includes:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control, SSO, and mandatory MFA for personnel
  • Single-tenant data boundaries and least-privilege IAM
  • Centralized logging, anomaly detection, and tamper-evident audit trails
  • Annual third-party penetration testing and continuous vulnerability scanning
  • Documented incident response plan, tested twice per year
  • Secure SDLC with code review and automated SAST/DAST/SCA
  • Background checks and annual security training for personnel

Annex 3 — Approved sub-processors

Current as of the date of this DPA:

Sub-processor | Purpose | Location
Amazon Web Services, Inc. | Cloud hosting, storage, managed databases | United States, European Union
Google Cloud Platform | Secondary compute, ML APIs | United States
OpenAI, L.L.C. | LLM inference (zero-retention endpoint) | United States
Anthropic, PBC | LLM inference (zero-retention endpoint) | United States
Twilio Inc. | SMS, voice, WhatsApp for carrier communications | United States
SendGrid / Twilio | Transactional and service email | United States
Stripe, Inc. | Payment processing | United States
Datadog, Inc. | Application monitoring and logging | United States

To subscribe to sub-processor change notifications, email trust@haulia.ai.

Contact

Haulia, Inc. — DPO / Privacy contact: privacy@haulia.ai
Legal: legal@haulia.ai
Security: security@haulia.ai