This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer”, the data controller) and Marius Cristoiu trading as FreightUtils (“FreightUtils”, the data processor) governing FreightUtils's processing of personal data on the Customer's behalf in the course of providing the FreightUtils API service.
This DPA takes effect automatically when you create a FreightUtils account or upgrade to a Pro subscription — no separate signature flow is required. The structure follows UK GDPR Article 28(3); a separate signed copy is available on request to contact@freightutils.com.
1. Subject Matter and Duration
FreightUtils processes Customer personal data only to provide the API service to the Customer. Processing continues for as long as the Customer maintains an active account, plus the retention windows set out in our privacy policy.
2. Nature and Purpose of Processing
FreightUtils processes personal data to deliver authenticated API access, billing for Pro subscriptions, transactional email (API key delivery, magic-link sign-in, billing), rate-limit enforcement, and account self-service via the dashboard.
3. Categories of Personal Data and Data Subjects
- Data subjects: Customer end-users who sign up for a FreightUtils account or whose details the Customer submits in the course of using the service.
- Categories of data: email address, API key, plan tier, signup timestamp, request counters, IP address (transient, for rate limiting), Stripe customer ID and billing metadata.
4. Customer (Controller) Obligations
The Customer warrants that it has a lawful basis under UK GDPR Article 6 for any personal data it submits, and that the data has been collected and disclosed to FreightUtils in compliance with applicable data protection law.
5. FreightUtils (Processor) Obligations
FreightUtils shall:
- Process personal data only on documented instructions from the Customer (including those set out in the Customer's use of the API and account features).
- Ensure that personnel authorised to process the personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk — including encryption in transit (TLS 1.2+), encryption at rest for stored credentials and tokens, access logging, and least-privilege access controls.
- Assist the Customer, taking into account the nature of processing, in responding to data subject requests under UK GDPR Articles 15–22.
- Assist the Customer with data protection impact assessments and prior consultations with the ICO where applicable.
- Notify the Customer without undue delay (and in any event within 72 hours of becoming aware) if a personal data breach affects the Customer's data.
- At the Customer's choice, delete or return all personal data after the end of the provision of services, except where retention is required by law.
- Make available to the Customer all information necessary to demonstrate compliance with this clause and allow for and contribute to audits.
6. Sub-processors
The Customer provides general written authorisation for FreightUtils to engage the sub-processors listed in our privacy policy. Current sub-processors: Vercel, Upstash (via Vercel KV), Cloudflare, Stripe, Resend, Sentry, UptimeRobot.
FreightUtils will give the Customer at least 30 days' notice via email of any new or replaced sub-processor. The Customer may object on reasonable data-protection grounds; if the parties cannot agree on a remedy, the Customer may terminate the Pro subscription with a pro-rata refund of unused subscription time.
7. International Transfers
FreightUtils is operated from the United Kingdom. Sub-processors may store and process data in the United States, European Union, or other regions. Where personal data is transferred outside the UK, transfers are protected by the UK addendum to the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, or another lawful transfer mechanism recognised under UK data protection law.
8. Data Subject Rights
FreightUtils will, on request, assist the Customer in fulfilling its obligations to respond to data subject access, rectification, erasure, restriction, portability, and objection requests. Direct requests from data subjects may also be sent to contact@freightutils.com.
9. Personal Data Breach
FreightUtils will notify the Customer at the email on file without undue delay, and within 72 hours of becoming aware, of a personal data breach affecting the Customer's data. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
10. Audit
The Customer may request, no more than once per twelve-month period, a written summary of the technical and organisational measures FreightUtils has implemented. Where the Customer can demonstrate that this summary is insufficient, the parties will agree on a more detailed audit at the Customer's reasonable cost.
11. Return or Deletion of Data
On termination of the FreightUtils account, the Customer may request return or deletion of the Customer's personal data within 30 days. Backups containing the data will be overwritten on the standard backup rotation cycle (no longer than 90 days).
12. Liability
Liability under this DPA is governed by the limitation of liability set out in our Terms of Service, save where a higher cap is required by law (for example, fines imposed under UK GDPR for which the parties are jointly liable).
13. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes are subject to the exclusive jurisdiction of the courts of England and Wales.
Contact
For all DPA enquiries: contact@freightutils.com.
This DPA is structured to follow UK GDPR Article 28(3) directly. It is not derived from any other SaaS company's template.