Data Processing Agreement
Raiden as Processor
Effective date: [EFFECTIVE_DATE]
Last updated: 2026-02-19
Parties
Data Controller (“Customer”): The legal entity that has accepted Raiden’s Terms of Service.
Data Processor (“Raiden”): Raiden, [COMPANY_ADDRESS], Belgium.
This DPA forms part of the Terms of Service between the parties and applies where the Customer submits personal data to the Raiden API.
1. Definitions
- GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation)
- Personal Data, Processing, Controller, Processor, Data Subject: As defined in GDPR Art. 4
- Customer Personal Data: Any personal data submitted by Customer to the Raiden API
- Subprocessor: Any third party engaged by Raiden to process Customer Personal Data
- Security Incident: Confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data (a “personal data breach” within the meaning of GDPR Art. 4(12))
2. Scope and Nature of Processing
2.1 Instructions
Raiden shall process Customer Personal Data only:
- On Customer’s documented instructions (including as set out in this DPA and the Terms of Service)
- As necessary to provide the Service (route optimization, scheduling)
- As required by EU or Member State law (Raiden will inform Customer unless legally prohibited)
Illegal instructions (GDPR Art. 28(3)(h)): If Raiden believes an instruction infringes GDPR or other applicable EU or Member State data protection law, Raiden shall immediately inform Customer and may decline to carry out that instruction until Customer provides revised lawful instructions.
2.2 Subject Matter
| Element | Detail |
|---|---|
| Subject matter | Route optimization and scheduling API |
| Duration | For the term of the Terms of Service |
| Nature | Automated processing of logistics input data to generate optimized route outputs |
| Purpose | Providing the Raiden optimization Service |
| Types of personal data | Location coordinates, stop identifiers, delivery addresses, time windows, vehicle operator references — as submitted by Customer |
| Categories of data subjects | Customer’s end-customers, employees, or contractors referenced in API payloads |
2.3 No Sale or Use for Own Purposes
Raiden shall not sell, share, or use Customer Personal Data for its own commercial purposes, advertising, or to train its own models beyond what is necessary to provide the Service.
3. Confidentiality of Processing
Raiden shall ensure that persons authorised to process Customer Personal Data are subject to binding confidentiality obligations (whether contractual or statutory) and have access only on a need-to-know basis.
4. Controller Obligations
Customer warrants that:
- It has a lawful basis under GDPR Art. 6 to transmit Personal Data to Raiden
- It has provided all required Art. 13/14 transparency notices to its data subjects covering processing by Raiden as its processor
- It will not submit Special Category data (GDPR Art. 9, e.g. health, genetic or biometric data) or data relating to criminal convictions and offences (GDPR Art. 10) without a separate written agreement
- It will not submit Personal Data of children under 16 without explicit consent arrangements in place
5. Security (GDPR Art. 32)
Taking into account the state of the art, costs, and the nature and risks of processing, Raiden implements appropriate technical and organisational measures including:
- Encryption in transit: TLS 1.3 for all API communications
- Encryption at rest: AES-256 for stored data
- Access controls: Role-based access, MFA for internal systems
- Data minimisation: API payload content is not logged at the application layer
- Availability: 99.5% monthly uptime target; redundant Cloudflare edge infrastructure
- Testing: Regular security reviews and penetration testing
- Incident response: Documented procedures for detection, containment, and notification
Raiden may update security measures over time provided the level of protection is not materially reduced.
6. Subprocessors
6.1 Authorisation
Customer grants Raiden general authorisation to engage Subprocessors as listed at [SUBPROCESSOR_LIST_URL].
Current key subprocessors:
| Subprocessor | Service | Location |
|---|---|---|
| Cloudflare, Inc. | Edge network, API infrastructure | USA / Global (SCCs in place) |
| Stripe, Inc. | Payment processing | USA (SCCs in place) |
| [Auth provider] | Authentication | [Location — SCCs or adequacy decision required if outside EEA] |
6.2 Notification of Changes
Raiden will provide at least 30 days’ prior written notice of any intended addition or replacement of a Subprocessor. Customer may object within 30 days on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may terminate the affected services.
6.3 Subprocessor Obligations
Raiden shall impose data protection obligations on each Subprocessor that are no less protective than those in this DPA (per GDPR Art. 28(4)) and remains liable to Customer for Subprocessor performance.
7. Data Subject Rights
Raiden shall, to the extent technically feasible and within the scope of the Service, assist Customer to fulfil requests from data subjects exercising rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection). Given the nature of the Service (Raiden does not store API payload content beyond the request lifecycle), most rights requests will be fulfilled by Customer acting on its own systems.
8. Assistance with Compliance
Raiden shall assist Customer with:
- Art. 32 security obligations: By maintaining the measures in Section 5
- Art. 33/34 breach notifications: By notifying Customer of Security Incidents per Section 9
- Art. 35 DPIAs: On reasonable request, providing information about Raiden’s processing
- Art. 36 prior consultations: On reasonable request
9. Security Incident Notification
Raiden shall notify Customer of a Security Incident affecting Customer Personal Data:
- Without undue delay and in any event within 48 hours of becoming aware (giving Customer time to meet its own 72-hour GDPR Art. 33 obligation to notify the supervisory authority)
- By email to the address on the Customer’s account, or via the dashboard
The notification shall include (to the extent known): nature of the incident, categories and approximate number of data subjects affected, categories and approximate number of records affected, likely consequences, measures taken or proposed.
Notification does not constitute an admission of fault or liability.
10. Return and Deletion of Data
Upon termination of the Terms of Service or on Customer’s written request:
- Raiden shall delete or return all Customer Personal Data within 30 days
- Raiden shall delete existing copies unless EU or Member State law requires continued storage
- Raiden shall provide written confirmation of deletion on request
Given that Raiden does not persistently store API payload content, deletion primarily applies to account data and usage logs. Any account data retained beyond 30 days is retained solely pursuant to Belgian legal or accounting obligations and is not Customer Personal Data processed on Customer’s instructions.
11. Audit Rights
Customer may, no more than once per year and with at least 30 days’ written notice:
- Request information from Raiden demonstrating compliance with this DPA
- Commission an audit by an independent, mutually agreed third-party auditor
Raiden may alternatively provide an up-to-date SOC 2 Type II report or equivalent as evidence of compliance. Customer shall bear audit costs unless a material breach is found.
12. International Transfers
Raiden shall not transfer Customer Personal Data outside the EEA without ensuring an adequate level of protection via:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) — see Annex B
- An adequacy decision under GDPR Art. 45
- Other lawful mechanism under GDPR Chapter V
Cloudflare’s Customer DPA (incorporating Module 3 SCCs) is available at cloudflare.com/cloudflare-customer-dpa. The order of precedence between the SCCs and this DPA is set out in Section 14.
13. Governing Law
This DPA is governed by Belgian law and is subject to the jurisdiction of the courts of [GOVERNING_LAW_JURISDICTION], unless a different jurisdiction is required by applicable Data Protection Law.
14. Order of Precedence
In the event of conflict between this DPA and the Terms of Service on matters of data protection, this DPA prevails. Where Standard Contractual Clauses apply to international transfers, the SCCs take precedence over this DPA to the extent of any conflict relating to those transfers.
Annex A — Technical & Organisational Measures (TOMs)
| Measure | Implementation |
|---|---|
| Pseudonymisation | API keys used instead of user identifiers in logs |
| Encryption (transit) | TLS 1.3; HSTS enforced |
| Encryption (rest) | AES-256 on Cloudflare D1 and R2 |
| Integrity & availability | Cloudflare redundant edge; 99.5% monthly uptime target (Section 5) |
| Access control | RBAC, MFA required for admin access |
| Audit logging | All admin actions logged with timestamp + actor |
| Vulnerability management | Dependency scanning, annual pentest |
| Incident response | Documented runbook; Customer notified within 48 hours of awareness (Section 9) |
| Data minimisation | Payload content not stored; only metadata logged |
| Employee training | Annual data protection training |
Annex B — Standard Contractual Clauses Schedule
The parties agree that where Customer Personal Data is transferred to Subprocessors outside the EEA, the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (“SCCs”) apply.
Cloudflare (Module 3 — Processor to Processor): Raiden has executed (or will execute prior to any data transfer) Cloudflare’s Customer DPA v6.3 incorporating Module 3 SCCs. Customer is hereby informed of and consents to this Subprocessor arrangement.
General SCC mapping:
| SCC Clause | This DPA reference |
|---|---|
| Annex I.A — List of parties | Section 6.1 Subprocessor table |
| Annex I.B — Description of transfer | Section 2.2 Subject Matter |
| Annex I.C — Competent supervisory authority | Belgian Data Protection Authority (APD/GBA) |
| Annex II — Technical & organisational measures | Annex A of this DPA |
| Sub-processor authorisation (Clause 9) | Section 6 of this DPA |