Data Processing Addendum (public version)
Effective: May 1, 2026 · Version: 2026.05.01-1
This is the public version of OfiFlow's Data Processing Addendum (DPA), posted for review by Customer procurement and security teams without requiring an NDA. The signed version executed alongside each Master Services Agreement is substantively identical to this version. Schedule A (data subject and processing details specific to the Customer) and the signature block are completed at execution time.
If you are a procurement reviewer, you may rely on this version to evaluate OfiFlow's data-processing terms. To request the signed counterpart, contact legal@ofiflow.com.
This Data Processing Addendum (the "DPA") is incorporated into and forms part of the Master Services Agreement (the "Agreement") between OfiFlow ("Processor") and Customer ("Controller"), and applies to OfiFlow's processing of Customer Personal Data on Customer's behalf in connection with the Services.
In the event of conflict between this DPA and the Agreement on matters of personal data processing, this DPA controls.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.
- "Customer Personal Data" means personal information contained within Customer Data that OfiFlow processes on Customer's behalf, including driver names, contact details, license and medical-certificate information, hours-of-service records, location data, message content, and Authorized User account information.
- "Personal Information" has the meaning given in the California Consumer Privacy Act (CCPA), as amended.
- "Processing" means any operation performed on Personal Information, including collection, use, storage, disclosure, modification, transmission, or deletion.
- "Data Subject" means an identified or identifiable natural person whose Personal Information is processed.
- "Security Incident" means a breach of security leading to the unauthorized access to, disclosure of, or destruction of Customer Personal Data.
- "Subprocessor" means a third party engaged by OfiFlow to process Customer Personal Data, as identified in OfiFlow's then-current Subprocessor list at /subprocessors.
2. Roles and Scope
For purposes of this DPA:
- Customer is the Controller (or "Business" under CCPA) of Customer Personal Data.
- OfiFlow is the Processor (or "Service Provider" under CCPA) acting on Customer's behalf.
OfiFlow processes Customer Personal Data only as necessary to (i) provide the Services per the Agreement, (ii) follow Customer's documented instructions, (iii) comply with applicable law, or (iv) generate aggregated and de-identified data per the Agreement §6.4.
3. Customer Instructions
Customer instructs OfiFlow to process Customer Personal Data:
- To deliver the Services as described in the Agreement, the applicable Order Form, and the Documentation;
- To respond to Customer's requests through the Services;
- As otherwise documented in writing by Customer.
OfiFlow will inform Customer if, in OfiFlow's reasonable opinion, Customer's instruction violates applicable law (where notification is permitted by law).
4. Confidentiality of Personnel
OfiFlow ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
5. Subprocessors
5.1 Authorization
Customer authorizes OfiFlow to engage Subprocessors, provided OfiFlow:
- Imposes data protection terms on each Subprocessor at least as protective as this DPA;
- Remains liable for the acts and omissions of each Subprocessor;
- Maintains a current public list at /subprocessors.
5.2 Notification of changes
OfiFlow will notify Customer at least thirty (30) days before adding a new Subprocessor that processes Customer Personal Data, by email to Customer's designated contact and via update to the public list.
5.3 Right to object
Customer may object in writing to a new Subprocessor within fourteen (14) days of notice. The Parties will discuss in good faith. If OfiFlow cannot reasonably accommodate the objection within thirty (30) days, Customer may terminate the affected services without penalty with pro-rata refund of pre-paid unused fees.
6. Security
6.1 Technical and organizational measures
OfiFlow implements and maintains the technical and organizational measures described in Schedule B, including encryption (AES-256 at rest, TLS 1.2+ in transit), tenant isolation via Postgres row-level security, authentication (Supabase Auth, MFA optional, OAuth supported), append-only audit logging, vulnerability management, and personnel confidentiality obligations.
6.2 Updates
OfiFlow may update measures from time to time provided overall security is not materially diminished.
7. Security Incident Notification
OfiFlow will notify Customer of a Security Incident affecting Customer Personal Data without undue delay and in any event within seventy-two (72) hours of OfiFlow's confirmation of the Security Incident. Notification will include nature, categories of subjects, categories of data, consequences, mitigation, and a contact for further information. OfiFlow will cooperate with Customer's investigation and notification obligations. Notification is not an admission of fault.
8. Data Subject Rights
OfiFlow will provide commercially reasonable assistance to Customer (at Customer's expense for non-trivial requests) in fulfilling Customer's obligation to respond to Data Subject requests under applicable law. OfiFlow will not respond directly to Data Subject requests except to direct the Data Subject to Customer.
9. Audits
Customer may audit OfiFlow's compliance with this DPA once per twelve-month period, on at least thirty (30) days' prior written notice, during normal business hours, in a manner that does not unreasonably interfere with operations. More-frequent audits are permitted following a confirmed Security Incident. OfiFlow may satisfy audit rights by providing recent third-party assessments (e.g., SOC 2 Type II reports from primary infrastructure providers) under confidentiality. Customer bears its own audit costs and OfiFlow's reasonable cooperation costs, except where the audit reveals a material breach by OfiFlow.
10. International Transfers
OfiFlow processes Customer Personal Data in the United States (primary: AWS us-west-2, Oregon). If Customer's deployment requires international data transfer, the Parties will enter into appropriate transfer mechanisms (e.g., Standard Contractual Clauses, supplementary measures) before such transfer occurs.
11. Deletion and Return of Customer Personal Data
Customer may export Customer Personal Data through the Services at any time during the Subscription Term. Upon termination, OfiFlow will, at Customer's election, return Customer Personal Data to Customer in a commercially reasonable format during the thirty (30)-day Export Window or delete it from production systems within sixty (60) days after the Export Window and from backup systems within one hundred eighty (180) days after termination, except as required by law. OfiFlow will provide written certification of deletion upon request.
12. CCPA-Specific Terms (defensive)
OfiFlow:
- Will not sell or share Customer Personal Data;
- Will not retain, use, or disclose Customer Personal Data for any purpose other than providing the Services (or as otherwise permitted by CCPA);
- Will not retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and OfiFlow;
- Will not combine Customer Personal Data with personal information OfiFlow receives from another business or collects from its own interactions, except as permitted by CCPA;
- Certifies that it understands these restrictions and will comply.
13. Liability
This DPA does not amend or extend the liability cap in the Agreement (§12). Each Party's liability under this DPA is subject to the Agreement's limitations, except where applicable law provides otherwise. Customer indemnifies OfiFlow for claims arising from Customer's instructions that OfiFlow follows in good faith but that violate applicable law (provided OfiFlow has notified Customer of the apparent violation per §3 where legally permitted).
14. Term
This DPA begins on the Agreement's Effective Date and terminates upon termination of the Agreement or completion of the obligations in §11 (whichever is later).
15. General
In case of conflict between this DPA and the Agreement on matters of personal data processing, this DPA controls. The Agreement controls on all other matters. This DPA may be amended only by written agreement of both Parties. If any provision is held invalid, the remainder continues in effect. This DPA is governed by the law selected in the Agreement.
Schedule A — Subject Matter and Details of Processing
(Schedule A is completed at execution time, customized to the specific Customer's data sources and Authorized Users. The information in this public version describes the categories that may be included.)
Subject matter: OfiFlow's provision of the Services to Customer.
Duration: The Subscription Term plus any post-termination period required for return/deletion under §11.
Nature and purpose of processing: Hosting, storing, transmitting, displaying, processing, and analyzing Customer Personal Data to deliver the OfiFlow vertical-software platform for frac-sand hauling operations, including dispatch, billing, compliance, communications, and analytics.
Categories of Data Subjects:
- Customer's drivers (commercial truck drivers employed or contracted by Customer)
- Customer's Authorized Users (dispatchers, managers, finance, executives, administrators)
- Customer's customer contacts (third-party shippers, brokers, sand mines, frac sites)
Categories of Customer Personal Data:
- For drivers: identifying information (name, employee ID); contact information (phone, optional email); credentials (CDL details, medical-certificate details, drug test dates, MVR/clearinghouse/DQ status); employment metadata (hire date, status); operational data (HOS, vehicle/trailer assignment, location implicit through events); communications (message content + media); identity documents (license/medical-cert photos).
- For Authorized Users: name, email, optional phone, optional avatar; role assignments, MFA status; account activity logs.
- For customer contacts: name, email, optional phone, role/title; operational interaction metadata.
Special categories: None. The driver medical-certificate expiration date is a regulatory compliance fact, not health information.
Schedule B — Technical and Organizational Measures
See the public Security Disclosure at /security for the current detailed measures. Highlights:
- Encryption: AES-256 at rest, TLS 1.2+ in transit
- Tenant isolation: Postgres row-level security per tenant
- Authentication: Supabase Auth with magic-link + optional MFA + OAuth
- Authorization: role-based, least-privilege, audited service-role access
- Logging: append-only audit log, application errors (Sentry), product analytics (Vercel Analytics)
- Vulnerability management: Dependabot dependency scanning, secrets scanning, planned penetration testing post-revenue
- Personnel: confidentiality obligations + security awareness review
- Backups: Supabase point-in-time recovery 7-day window + daily snapshots 30-day window
- Incident response per published Security Disclosure
Schedule C — Subprocessors and Data Locations
Current Subprocessors: see the public list at /subprocessors. Primary data location: AWS us-west-2 (Oregon, United States). 30-day notification of changes per §5.2.
This is the public version of the OfiFlow DPA, version 2026.05.01-1. The signed counterpart is substantively identical with Schedule A completed for the specific Customer. Contact legal@ofiflow.com to request the signed counterpart.