Data Processing Agreement — Sigil RMPD
Version: 1.1
Effective date: 29 May 2026
Last updated: 20 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Sigil RMPD ("Processor") and the Carrier ("Controller"). It governs the processing of personal data by Sigil on behalf of the Carrier in connection with the Sigil RMPD platform.
§1. Subject Matter and Duration
1.1 This DPA governs the processing of personal data by Sigil (as Processor) on behalf of the Carrier (as Controller) in connection with the provision of the Sigil RMPD platform services as described in the Terms of Service.
1.2 This DPA is effective from the date the Carrier accepts the Terms of Service and remains in force for the duration of the service contract. Upon termination of the Terms of Service, this DPA terminates automatically, subject to §12 (return and deletion of data).
§2. Nature and Purpose of Processing
2.1 The Processor processes personal data on behalf of the Controller for the following purposes:
- OCR extraction of data from CMR documents uploaded by the Controller;
- Storage of CMR document images and extracted RMPD field data;
- Preparation and electronic submission of RMPD100 declarations to PUESC/SENT on the Controller's instructions;
- Storage of PUESC submission confirmation records and audit trails;
- Display of declaration data in the Controller's account interface.
2.2 The Processor shall not process personal data for any purpose other than those specified in this DPA and the Controller's documented instructions. If the Processor is required by law to process data beyond these purposes, it shall inform the Controller unless prohibited by law.
§3. Types of Personal Data Processed
The following categories of personal data may be processed under this DPA:
- Full names and addresses of consignors (senders) listed in CMR documents;
- Full names and addresses of consignees (recipients) listed in CMR documents;
- Full names, nationalities, and licence numbers of drivers named in CMR documents;
- Names and addresses of transport intermediaries or notification addresses in CMR documents;
- Vehicle registration plates (tractor and trailer) where linked to identifiable individuals;
- Any other personal data present in free-text fields of CMR documents.
Special categories of personal data (GDPR Art. 9) are not intentionally processed. The Processor takes reasonable measures to flag and exclude such data if detected during OCR processing.
§4. Categories of Data Subjects
The personal data processed under this DPA relates to the following categories of individuals:
- Drivers employed by or contracted to the Controller;
- Employees of the Controller's clients acting as consignors or consignees;
- Employees of third-party companies acting as consignors, consignees, or notification parties in CMR documents.
The Processor has no direct relationship with any of these data subjects. All rights requests from data subjects shall be directed to the Controller as the responsible data controller.
§5. Obligations of the Processor
Pursuant to GDPR Art. 28(3), the Processor (Sigil) undertakes the following obligations:
(a) Process only on documented instructions. The Processor shall process personal data only on the documented instructions of the Controller (as set out in this DPA and the Terms of Service), unless required by applicable law (Ukraine and, where applicable, the GDPR).
(b) Confidentiality. The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Security. The Processor shall implement all measures required pursuant to GDPR Art. 32 (see §9).
(d) Sub-processors. The Processor shall not engage sub-processors without prior written authorisation from the Controller, except as listed in §6 (Approved Sub-processors). The Processor remains fully liable for the acts and omissions of its sub-processors as if it had performed the processing directly.
(e) Assistance with data subject rights. The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Arts. 15–22, taking into account the nature of the processing (see §10).
(f) Assistance with security, breach notification, DPIA. The Processor shall assist the Controller in ensuring compliance with GDPR Arts. 32–36 (security, breach notification, data protection impact assessments), taking into account the nature of the processing and information available to the Processor.
(g) Return and deletion. At the Controller's choice, the Processor shall delete or return all personal data to the Controller after the end of the provision of services (see §12).
(h) Audit cooperation. The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28 obligations and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor (see §13).
§6. Approved Sub-processors
The Controller grants general written authorisation to Sigil to engage the following approved sub-processors:
| Sub-processor | Processing activity | Location | GDPR transfer basis |
|---|---|---|---|
| Supabase, Inc. | Database storage of declaration data and account data | Frankfurt, EU | EEA — no transfer |
| Render Services, Inc. | Application hosting and compute | Frankfurt, EU | EEA — no transfer |
| Cloudflare, Inc. (R2) | Storage of CMR document images and generated XML | Frankfurt EU bucket | EEA — no transfer |
| Google LLC (Cloud Document AI) | OCR processing of CMR images | EU region | EEA — no transfer |
| Anthropic, PBC | AI field mapping (CMR → RMPD structure) | USA | SCC (2021) |
| JSC CB PrivatBank (LiqPay) | Payment processing | Ukraine | Art. 46 GDPR + Law No. 2297-VI Art. 29(4) |
| Sentry, Inc. | Error and performance monitoring (may include request metadata) | USA | SCC (2021) |
§7. International Data Transfers
7.1 Personal data shall not be transferred outside the EEA except to the sub-processors listed in §6 and only where an appropriate transfer mechanism is in place.
7.2 For transfers to Anthropic and Sentry (USA), the Processor relies on the European Commission Standard Contractual Clauses (Module 3: Processor-to-Processor) adopted on 4 June 2021. A copy of the applicable SCCs is available upon request at privacy@sigil.app.
7.3 For transfers to LiqPay / PrivatBank (Ukraine), the Processor relies on Art. 46 GDPR and Law No. 2297-VI Art. 29(4). Ukraine is not an EEA country; transfers are based on the contractual clauses agreed with LiqPay and documented in the LiqPay data processing agreement.
7.4 The Processor has conducted Transfer Impact Assessments (TIAs) for transfers to US-based sub-processors and has determined that appropriate supplementary measures are in place to ensure an essentially equivalent level of protection to that in the EEA.
§8. Confidentiality
The Processor shall ensure that all employees, contractors, and sub-processors involved in processing personal data under this DPA are subject to binding confidentiality obligations. Access to personal data is granted on a strict need-to-know basis.
The Processor shall not disclose personal data to any third party (including law enforcement) without the Controller's prior written consent, except where required by law, in which case the Processor shall notify the Controller promptly to the extent permitted by law.
§9. Security Measures (GDPR Art. 32)
The Processor implements the following technical and organisational security measures:
Technical measures:
- AES-256-GCM encryption of personal data at rest;
- TLS 1.3 encryption for all data in transit;
- PUESC credentials stored in an encrypted secrets vault, never in application logs;
- Network-level isolation between customer data sets;
- Automated vulnerability scanning of application code;
- Regular penetration testing (at least annually).
Organisational measures:
- Role-based access control (RBAC) with principle of least privilege;
- Access logs maintained for all data operations;
- Personnel background screening for roles with data access;
- Documented data breach response procedure;
- Regular security awareness training for staff with data access.
The Processor shall review and update these measures at least annually or when required by changes in the threat landscape.
§10. Assistance with Data Subject Rights
When the Processor receives a data subject request (access, rectification, erasure, restriction, portability, objection) that relates to personal data processed under this DPA, the Processor shall:
(a) Not respond to the request independently on behalf of the Controller;
(b) Notify the Controller promptly (within 3 business days) of the request;
(c) Provide reasonable technical assistance to enable the Controller to respond within the GDPR deadline;
(d) Not charge the Controller for reasonable assistance provided under this clause.
§11. Data Breach Notification
11.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach involving data processed under this DPA.
11.2 The notification shall include, to the extent available: (a) description of the breach; (b) categories and approximate number of data subjects affected; (c) categories and approximate number of personal data records affected; (d) likely consequences; (e) measures taken or proposed to address the breach.
11.3 The Controller is responsible for notifying the competent supervisory authority (Ukrainian Parliament Commissioner for Human Rights, or the relevant EU supervisory authority where GDPR applies) and data subjects as required by GDPR Arts. 33–34 and Law No. 2297-VI Art. 21. The Processor shall provide reasonable cooperation and assistance.
§12. Return and Deletion of Data
12.1 Upon termination of the Terms of Service, the Processor shall, at the Controller's choice: (a) return all personal data to the Controller in a structured, machine-readable format; or (b) securely delete all personal data.
12.2 The Controller must exercise this choice within 30 days of termination. After 30 days, the Processor shall proceed with secure deletion.
12.3 The Processor may retain personal data beyond this period only to the extent required by applicable law (Ukraine and, where applicable, GDPR), for example: accounting obligations for 7 years, SENT records for 10 years. Such retained data shall be processed only as required by the applicable legal obligation and shall be protected against unauthorised access.
12.4 Upon request, the Processor shall provide written certification of deletion to the Controller.
§13. Audit Rights
13.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in GDPR Art. 28 and this DPA.
13.2 The Controller (or a mandated third-party auditor bound by appropriate confidentiality obligations) may conduct an audit of the Processor's data processing activities under this DPA, provided that:
(a) The Controller gives the Processor at least 30 days' written notice;
(b) Audits are conducted during normal business hours and at reasonable intervals (no more than once per year unless required by a supervisory authority);
(c) Audits are conducted in a manner that minimises disruption to the Processor's operations.
13.3 The Controller shall bear the costs of any audit unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear reasonable audit costs.
13.4 The Processor may satisfy the audit obligation by providing a current independent third-party audit report (e.g. SOC 2 Type II) covering the relevant processing activities, subject to any confidentiality restrictions.
§14. Governing Law and Jurisdiction
This DPA is governed by the law of Ukraine and, where applicable, directly by the GDPR (EU Regulation 2016/679) and Ukrainian Law No. 2297-VI "On Personal Data Protection". Any dispute arising from this DPA shall be resolved in accordance with the governing law and jurisdiction provisions of the Terms of Service.
§15. Updates to This DPA
The Processor may update this DPA to reflect changes in applicable law or processing activities. The Controller will be notified at least 30 days before material changes take effect. The current version is always available at /legal/dpa.
*Questions about this DPA: privacy@sigil.app*