Data Processing Addendum
Terms governing Roadworthy HQ's processing of Customer Personal Data on your behalf.
Version v1.0-2026-05-09 · Effective May 9, 2026
This Data Processing Addendum (the "DPA") supplements the Terms of Service between you ("Customer" or "Controller") and Elite Tech Global LLC ("Roadworthy HQ" or "Processor"). The DPA governs Roadworthy HQ's processing of Personal Data submitted to the Service on Customer's behalf ("Customer Personal Data") and applies whenever Roadworthy HQ acts as a Processor of Customer Personal Data within the meaning of applicable U.S. state privacy laws.
By accepting the Terms of Service that incorporate this DPA, you accept this DPA on behalf of yourself and your authorized affiliates. The DPA prevails over conflicting terms in the Terms of Service or the Privacy Policy with respect to processing of Customer Personal Data.
1. Definitions
"Personal Data" means information relating to an identified or identifiable natural person.
"Customer Personal Data" means Personal Data that Customer or its Customer Users submit to the Service or that Roadworthy HQ processes on Customer's documented instructions through Customer's use of the Service.
"Processing" has the meaning given by the applicable U.S. state privacy law and includes any operation performed on Personal Data, whether or not by automated means.
"Sub-processor" means a third party engaged by Roadworthy HQ to process Customer Personal Data in connection with the Service.
"Security Incident" means a confirmed unauthorized access to or acquisition of Customer Personal Data in Roadworthy HQ's possession or control. Unsuccessful attempts (such as scans, pings, or unsuccessful login attempts) are not Security Incidents.
2. Roles and Scope
For purposes of this DPA, Customer is the Controller of Customer Personal Data and Roadworthy HQ is the Processor. Customer is solely responsible for the accuracy, quality, and lawful basis for collecting Customer Personal Data and for the instructions Customer provides to Roadworthy HQ.
Roadworthy HQ will process Customer Personal Data only on Customer's documented instructions, including those reflected in the configuration of the Service, and only as necessary to (a) provide the Service; (b) maintain and secure the Service; (c) comply with Customer's reasonable instructions; (d) comply with Roadworthy HQ's legal obligations; and (e) operate the Service in accordance with the Terms of Service and the Privacy Policy. Roadworthy HQ will inform Customer if, in its opinion, an instruction violates applicable privacy law.
3. Subject Matter, Duration, Nature, and Purpose of Processing
Subject matter: Customer Personal Data submitted to or generated through the Service.
Duration: the term of the Customer's subscription plus the read-only window described in Section 6 of the Terms of Service plus any retention period required by the Federal Motor Carrier Safety Regulations or other applicable law.
Nature and purpose: hosting, organizing, retaining, and rendering Customer Personal Data so that Customer can comply with the Federal Motor Carrier Safety Regulations and operate its motor-carrier business; producing alerts, reports, and exports at Customer's request.
Categories of data subjects: Customer's commercial drivers, Customer Users, and other personnel of Customer whose information Customer chooses to enter into the Service.
Categories of Personal Data: identifiers (name, email, phone, address); driver-license information; medical-cert information; drug-and-alcohol test results subject to 49 CFR Part 40 confidentiality; Motor Vehicle Records to the extent Customer obtains them; Clearinghouse query records; vehicle-assignment and operations records.
4. Customer Responsibilities
Customer represents and warrants that it has provided all required notices and obtained all required consents and authorizations under applicable privacy law for Roadworthy HQ to process Customer Personal Data as contemplated by this DPA, the Terms of Service, and the Privacy Policy.
Customer is responsible for the appropriateness of the Personal Data it submits, including for limiting collection of sensitive identifiers (such as Social Security numbers, where the Service supports last-four storage and a hashed SSN) to the minimum necessary, and for capturing the consents required by 49 CFR § 40.321 before authorizing any release of drug-and-alcohol test results.
Customer is solely responsible for any Driver's Privacy Protection Act (18 U.S.C. § 2721) permissible-purpose declaration recorded in the Service. Roadworthy HQ relies on Customer's declaration in good faith.
5. Confidentiality
Roadworthy HQ will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations, whether by contract or by statutory duty.
6. Security
Roadworthy HQ will maintain administrative, physical, and technical safeguards designed to protect Customer Personal Data against accidental loss and unauthorized access, use, alteration, or disclosure. Current safeguards are summarized in the Security Annex (Section 13) and may be updated from time to time, provided that updates do not materially diminish the level of protection afforded.
7. Sub-processors
Customer authorizes Roadworthy HQ to engage the sub-processors listed in the Sub-processor List (Section 12). Each sub-processor is engaged under a written agreement that imposes data-protection obligations no less protective than those in this DPA, taking into account the nature of the services performed.
Roadworthy HQ will give at least thirty (30) days' notice (by email and by updating the Sub-processor List on roadworthyhq.com/legal/dpa) before adding or replacing a sub-processor that processes Customer Personal Data. Customer may object to a new sub-processor on reasonable data-protection grounds within the notice period; if the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the Service for convenience and receive a pro-rata refund of any prepaid fees attributable to the unused term.
8. Data-Subject Rights
Roadworthy HQ will provide reasonable assistance to Customer, taking into account the nature of the processing and the information available to Roadworthy HQ, in fulfilling Customer's obligations to respond to data-subject requests under applicable privacy law. To the extent the Service exposes self-service tooling for export, correction, or deletion, Customer is expected to use that tooling first.
9. Security Incidents
Roadworthy HQ will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data. The notice will, to the extent then available, describe the nature of the incident, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. Notification of a Security Incident is not an admission of fault or liability.
10. Return or Deletion
On termination of the Customer's subscription and at the end of the read-only window described in Section 6 of the Terms of Service, Roadworthy HQ will, at Customer's choice, delete or return Customer Personal Data, except to the extent that retention is required by applicable law, including the retention periods of the Federal Motor Carrier Safety Regulations referenced in Section 9 of the Terms of Service. Records retained for legal-compliance reasons remain subject to this DPA for the duration of the retention.
11. Audit Rights
On Customer's reasonable written request no more than once per twelve-month period, and subject to confidentiality obligations, Roadworthy HQ will make available the most recent third-party audit reports, certifications, or summaries it then maintains (such as a Trust / Security summary, a SOC 2 report when issued, or sub-processor attestations). Where Customer reasonably believes those materials are insufficient and applicable law requires further audit, the parties will agree on a mutually acceptable scope, timing, and confidentiality terms for an on-site audit at Customer's expense.
12. Sub-processor List
Supabase, Inc. — managed Postgres database, authentication, file storage. United States.
Stripe, Inc. — payment processing, subscription billing, sales-tax determination and remittance via Stripe Tax. United States.
Resend Inc. — transactional email delivery (account, billing, alert, and compliance notifications). United States.
Vercel Inc. — application hosting, edge networking, build-and-deploy infrastructure. United States.
Functional Software, Inc. (Sentry) — error monitoring and performance telemetry. United States.
Additional sub-processors will be added on the notice described in Section 7 before they begin processing Customer Personal Data. Twilio (SMS delivery) and an Optical Character Recognition vendor are anticipated future additions and will be subject to that notice when they begin processing Customer Personal Data.
13. Security Annex
Encryption: Customer Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using disk-level encryption provided by Roadworthy HQ's cloud infrastructure providers.
Access controls: production access is restricted to authorized personnel on a least-privilege basis. Multi-factor authentication is required for production access. Database access for application traffic is mediated by row-level security policies that enforce tenant isolation by carrier_id.
Logging: administrative actions and authentication events are logged. Compliance-event records are append-only and may be corrected only by reversing entries that preserve the original record.
Backups: routine backups are taken by Roadworthy HQ's database provider and retained for the provider's standard period.
Incident response: Roadworthy HQ maintains a documented incident-response process that includes detection, containment, eradication, recovery, post-incident review, and notification under Section 9 of this DPA.
Personnel: personnel with access to Customer Personal Data are bound by confidentiality obligations and complete security-awareness training.
14. Liability and Term
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in Section 15 of the Terms of Service, including the twelve (12)-month fees-paid cap and the exclusion of consequential and similar damages. This DPA takes effect with the Customer's acceptance of the Terms of Service and remains in effect for the duration of Customer's subscription and until all Customer Personal Data has been deleted or returned in accordance with Section 10.