LEGAL & COMPLIANCE

DATA PROCESSING ADDENDUM (DPA)

Effective Date: January 2026

This Data Processing Addendum ("DPA") forms part of the agreement between:
SFL Tech ("Processor" or "Sub-Processor") and the Customer ("Controller" or "Client")

This DPA applies where SFL Tech processes Personal Data on behalf of the Customer in connection with its services, including but not limited to supply chain technology implementation, managed services, system integration, analytics, and support.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data.
  • Controller: The entity determining purposes and means of processing.
  • Processor: The entity processing Personal Data on behalf of the Controller.
  • Applicable Data Protection Laws: Includes GDPR, UK GDPR, CCPA/CPRA, and other relevant regulations.

2. Scope and Roles

For the purposes of GDPR:

  • The Customer is the Controller.
  • SFL Tech acts as Processor (or Sub-Processor where applicable).

SFL Tech processes Personal Data only on documented instructions from the Customer.

3. Nature and Purpose of Processing

Processing activities may include:

  • Implementation and configuration of supply chain platforms
  • Data migration and integration services
  • Managed support services
  • System monitoring and troubleshooting
  • Hosting and infrastructure management (if applicable)

Types of Personal Data may include:

  • Names
  • Email addresses
  • Contact information
  • Employee IDs
  • Business communication data
  • Logistics or shipment-related contact data

Categories of Data Subjects:

  • Customer employees
  • End users
  • Business contacts
  • Suppliers and partners

4. Processor Obligations

SFL Tech shall:

  • Process Personal Data only per documented instructions.
  • Ensure personnel are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures.
  • Assist the Controller in responding to data subject requests.
  • Notify the Controller without undue delay of any Personal Data Breach.
  • Support compliance with Data Protection Impact Assessments (DPIAs) where required.

5. Security Measures

SFL Tech maintains:

  • Access control mechanisms
  • Role-based access policies
  • Encryption in transit (TLS)
  • Secure hosting environments
  • Incident response procedures
  • Regular monitoring and vulnerability management

Security measures are periodically reviewed and updated.

6. Sub-Processors

SFL Tech may engage Sub-Processors for:

  • Cloud infrastructure
  • Email services
  • Analytics tools
  • IT support

SFL Tech ensures Sub-Processors are bound by equivalent data protection obligations. A list of Sub-Processors will be provided upon request.

7. International Transfers

Where Personal Data is transferred outside the EEA/UK:

  • Standard Contractual Clauses (SCCs) or equivalent safeguards shall apply and transfers shall comply with applicable cross-border transfer requirements.

8. Data Subject Rights

SFL Tech shall assist the Customer in responding to:

  • Access requests
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection requests

9. Data Breach Notification

In the event of a Personal Data Breach, SFL Tech shall:

  • Notify the Customer without undue delay
  • Provide details of the breach
  • Outline mitigation measures
  • Cooperate in regulatory reporting if required

10. Data Retention & Deletion

Upon termination of services, SFL Tech shall:

  • Return or delete Personal Data as instructed
  • Confirm deletion in writing (upon request) and retain data only where legally required

11. CCPA/CPRA Specific Provisions

SFL Tech:

  • Does not sell Personal Data.
  • Processes Personal Data solely for business purposes.
  • Does not retain, use, or disclose Personal Data outside the direct business relationship.
  • Complies with CPRA "service provider" obligations.

12. Audit Rights

Upon reasonable notice, the Customer may request documentation demonstrating compliance. On-site audits may be permitted subject to confidentiality and security restrictions.

13. Governing Law

This DPA is governed by the governing law specified in the Master Services Agreement between the parties.