Data Processing Addendum.

Last updated: May 13, 2026

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Billet Terms of Service between Billet Systems LLC ("Billet," the "Processor") and each customer ("Customer," the "Controller"). By accepting the Terms of Service or using the Service, Customer accepts this DPA. A countersigned copy is available on request — email [email protected] with subject "DPA Signature Request."

1. Definitions

  • "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK General Data Protection Regulation and the Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and the Australian Privacy Act 1988.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Billet on behalf of the Customer in connection with the Service.
  • "Data Subject," "Controller," "Processor," and "processing" have the meanings given in Applicable Data Protection Law.
  • "Sub-processor" means any third party engaged by Billet to process Personal Data on behalf of the Customer. Billet's current Sub-processors are listed at billetsystems.com/subprocessors.
  • "SCCs" means the Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including any UK Addendum or Swiss equivalent.

2. Scope and Roles

Customer is the Controller of Personal Data submitted to or generated by the Service. Billet is the Processor and processes Personal Data only on documented instructions from Customer, as further described in the Terms of Service, this DPA, and Customer's configuration of the Service.

3. Subject Matter, Nature, and Purpose of Processing

Subject matter: the provision of delivery ticket management software as described in the Terms of Service, including digital signature capture, GPS tracking, photo proof of delivery, multi-tenant accounting integration, payment processing, and team management.

Duration: for the duration of the Customer's subscription, plus any retention or deletion period required by this DPA or applicable law.

Nature and purpose: collection, storage, transmission, organization, structuring, alteration, retrieval, consultation, use, disclosure (only to Sub-processors), restriction, erasure, and destruction of Personal Data for the purpose of providing the Service.

4. Categories of Data Subjects and Personal Data

Categories of Data Subjects:

  • Customer's employees, contractors, drivers, office staff, and authorized users of the Service
  • Customer's end customers (recipients of physical deliveries)
  • Customer's vendors and other business contacts entered into the Service

Categories of Personal Data:

  • Identification and contact information (name, email, phone number, mailing address)
  • Authentication credentials (hashed passwords, session tokens, optional 2FA codes)
  • Signature images and signing metadata (timestamps, GPS coordinates, IP address, device/browser fingerprint)
  • Delivery records (ticket contents, photos, signatures, status events)
  • Payment-related metadata (Stripe customer/payment intent IDs; full card details are processed directly by Stripe and never touch Billet's systems)
  • Integration data (customer, invoice, product, and transaction records synced from connected accounting systems on Customer's instruction)
  • Usage data (login times, feature interactions, error reports)

5. Billet's Obligations

Billet shall:

  • Process Personal Data only on documented instructions from Customer, including with regard to transfers to a third country or international organization, unless required to do so by Applicable Data Protection Law; in which case Billet shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations of a contractual or statutory nature;
  • Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7;
  • Engage Sub-processors only in accordance with Section 6;
  • Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
  • Assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Billet;
  • At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless storage of the Personal Data is required by law (see Section 11);
  • Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Law, and allow for and contribute to audits, as described in Section 10.

6. Sub-processors

Customer hereby provides general written authorization to Billet to engage Sub-processors. Billet's current list of Sub-processors is maintained at billetsystems.com/subprocessors.

Billet shall provide at least thirty (30) days' prior notice of any intended addition or replacement of Sub-processors. Customer may object in writing during that notice period on reasonable grounds relating to the protection of Personal Data. If Customer objects and the parties cannot reach agreement, Customer may terminate the affected portion of the Service with no liability for unused prepaid fees, prorated from the effective date of the new Sub-processor.

Billet shall impose data protection terms on each Sub-processor that are no less protective than those set out in this DPA, and shall remain liable to Customer for any failure by a Sub-processor to fulfil its data protection obligations.

7. Security Measures

Billet implements and maintains the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: TLS 1.2 or higher for all client-server and server-Sub-processor communications
  • Encryption at rest: AES-256 for database storage, S3-managed encryption for photos and files
  • Authentication: bcrypt password hashing (12 rounds), 30-day JWT sessions, optional SMS-based two-factor authentication
  • Access control: role-based access within the Service (platform_admin, admin, manager, office, driver, counter); least-privilege access to production systems for Billet personnel
  • Network security: firewall (Hetzner Cloud, ports 22, 80, 443 inbound only); Web Application Firewall via Cloudflare; rate limiting at the application layer
  • Tenant isolation: every database query filters by company_id to ensure complete data segregation between Customers
  • Logging and monitoring: error tracking via Sentry; uptime monitoring via UptimeRobot; session activity logging for fraud detection
  • Backups: daily encrypted Hetzner Cloud snapshots; nightly pg_dump backups retained for 30 days
  • Vulnerability management: dependency scanning via npm audit; security patches applied within published vendor SLAs
  • Personnel security: all Billet personnel are bound by confidentiality obligations

8. Personal Data Breach Notification

In the event of a Personal Data Breach involving Personal Data processed under this DPA, Billet shall notify Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach. Notification will include, to the extent known: the nature of the breach (including categories and approximate number of Data Subjects and records concerned), the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. Billet shall provide reasonable assistance to Customer in fulfilling its own breach notification obligations to supervisory authorities and Data Subjects.

9. International Data Transfers

Personal Data is stored and processed on servers located in Ashburn, Virginia, United States. Photos are stored in Amazon Web Services S3 (Cloudflare R2 is being phased in as of 2026) in the United States. Multi-region availability (EU and AU) is planned but not yet live as of the date above.

Where Personal Data originating in the European Economic Area, United Kingdom, or Switzerland is transferred to Billet in the United States, the parties agree that the EU Standard Contractual Clauses (Module Two — Controller to Processor), the UK International Data Transfer Addendum, and the Swiss FADP equivalent are hereby incorporated by reference into this DPA. The Customer is the "data exporter" and Billet is the "data importer" for purposes of those clauses. Optional clauses are not selected. The governing law and jurisdiction in Clauses 17 and 18 are the laws of Ireland and the courts of Ireland.

10. Audit Rights

Customer may, no more frequently than once per twelve (12) month period (or more frequently following a confirmed Personal Data Breach affecting Customer's data), audit Billet's compliance with this DPA. Billet may satisfy this audit obligation by providing, at Customer's request:

  • A current SOC 2 Type II report or comparable third-party attestation, when available;
  • A completed industry-standard security questionnaire (e.g., SIG, CAIQ);
  • Written responses to reasonable security inquiries.

On-site audits, where strictly necessary, shall be conducted with at least thirty (30) days' advance written notice, during normal business hours, by qualified personnel bound by reasonable confidentiality obligations, and at Customer's cost. Audits shall not unreasonably interfere with Billet's business operations or with other customers' data.

11. Term, Termination, and Return or Deletion of Personal Data

This DPA shall remain in effect for the duration of the Terms of Service. On termination of the Terms of Service, Billet shall, at Customer's written election, either return all Personal Data to Customer or delete all Personal Data, including from backups, within ninety (90) days of such election. If no election is made within thirty (30) days of termination, Personal Data will be deleted by default. Notwithstanding the above, Billet may retain Personal Data to the extent and for the duration required by Applicable Data Protection Law or other applicable law, provided such Personal Data continues to be protected in accordance with this DPA.

Customer may also delete its account at any time during the Service term from the dashboard Account Settings, which initiates the same deletion timeline.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Applicable Data Protection Law, including liability under Article 82 of the GDPR.

13. Governing Law and Order of Precedence

This DPA is governed by the laws specified in the Terms of Service, except that the SCCs incorporated in Section 9 are governed by the laws of Ireland (or, for UK Addendum purposes, the laws of England and Wales) to the extent required by Applicable Data Protection Law.

In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.

14. Updates

Billet may update this DPA from time to time to reflect changes in Applicable Data Protection Law, Sub-processor relationships, or Service practices. Material changes will be communicated via email to account administrators and reflected in the "Last updated" date at the top of this DPA. Continued use of the Service after changes take effect constitutes acceptance.

15. Contact

Questions about this DPA or requests for a countersigned copy:
Billet Systems LLC
6121 General Store Way, Fort Worth, TX 76179, United States
[email protected]