01 Background & relationship
This Data Processing Agreement ("DPA") supplements the Terms of Service between the Customer ("Controller") and EDMA Group ("Processor") and reflects the parties' agreement on processing of personal data carried out by EDMA on the Controller's behalf in connection with the Service.
This DPA is designed to satisfy Article 28 of the EU and UK General Data Protection Regulation ("GDPR") and equivalent requirements under applicable data-protection law. Where the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) apply to a transfer of personal data, those Clauses are incorporated by reference into this DPA and prevail to the extent of any conflict.
02 Definitions
Terms used in this DPA have the meanings given in the GDPR (including "personal data", "processing", "data subject", "controller", "processor", "sub-processor", and "personal-data breach") and, where applicable, the equivalent terms in the UK GDPR, the California Consumer Privacy Act ("CCPA") and other applicable laws.
Customer Data has the meaning given in the Terms of Service. Customer Personal Data means Customer Data that constitutes personal data under applicable law.
03 Subject matter & nature of processing
Subject matter
EDMA processes Customer Personal Data to provide the Service to the Controller in accordance with the Terms.
Duration
For the term of the Terms of Service and the post-termination data-export window set out in the Terms, plus any retention required by law.
Nature & purpose of processing
Hosting, storage, transmission, display, querying, indexing, search, analysis, computation (including settlement waterfalls), and routing of personal data between counterparties in the Controller's tenant, for the operational, financial, and AI-assisted functions of the Service.
Types of personal data
- identification data (names, work emails, job titles, organisations) of the Controller's employees, suppliers, clients, financiers, and other counterparties;
- contact data (phone numbers, addresses);
- commercial data (order details, shipment data, document metadata, financial records);
- communications data (messages exchanged through portals);
- authentication data (account credentials, IP addresses, session identifiers).
The Service is not designed to process special categories of personal data under GDPR Article 9 (e.g. health, biometric, racial, religious data) or criminal-conviction data. The Controller agrees not to enter such data into the Service except where strictly necessary and only with appropriate safeguards.
Categories of data subjects
- Controller's employees, contractors, and authorised Users;
- individuals at the Controller's suppliers, clients, logistics providers, and financiers;
- any other individual whose personal data the Controller chooses to enter into the Service.
04 Controller obligations
The Controller is responsible for:
- establishing a lawful basis for the processing of Customer Personal Data, including obtaining any necessary consents and providing required notices to data subjects;
- the accuracy, quality, legality, and integrity of Customer Personal Data;
- configuring access controls, user permissions, and portal-visibility settings within the Service to reflect the Controller's data-protection requirements;
- responding to data-subject requests where EDMA forwards them under §9, and where the Controller is the responsible controller;
- complying with applicable data-protection law as the controller.
05 EDMA obligations
EDMA, acting as Processor, will:
- process Customer Personal Data only on documented instructions from the Controller, including the instructions implicit in the Controller's use of the Service's features, and as required by applicable law (in which case EDMA will inform the Controller of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest);
- ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations;
- implement the technical and organisational security measures described in §7 (Annex II of the SCCs is satisfied by §7);
- engage sub-processors only as set out in §6;
- assist the Controller in fulfilling its obligations regarding data-subject requests, security, breach notifications, data-protection impact assessments, and prior consultation, taking into account the nature of the processing and the information available to EDMA;
- at the Controller's choice, delete or return all Customer Personal Data at the end of the Service, as set out in §12;
- make available to the Controller the information necessary to demonstrate compliance with this DPA, subject to §11.
If EDMA believes a Controller instruction breaches applicable data-protection law, EDMA will inform the Controller without undue delay.
06 Sub-processors
The Controller authorises EDMA to engage the sub-processors listed below to process Customer Personal Data. EDMA will impose data-protection obligations on each sub-processor that are no less protective than this DPA.
Current sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Hosting, compute, storage, databases | EU (Frankfurt or Ireland) |
| Cloudflare | CDN, WAF, bot management | Global edge network |
| Resend | Transactional email delivery | US / EU |
| Anthropic | AI inference (Atlas, Accounting AI) — enterprise zero-data-retention endpoints | US |
| OpenAI | AI inference fallback — enterprise zero-data-retention endpoints | US |
| Google Cloud (Vertex AI / Gemini) | AI inference fallback | EU / US |
| Stripe | Payment processing | EU / US |
| Sentry | Error monitoring, scrubbed of personal data at source | EU / US |
The authoritative live list is maintained at edma.trade/legal/dpa (this page). EDMA may engage additional sub-processors with at least thirty (30) days' prior notice to Controller administrator contacts. The Controller may object to a new sub-processor on reasonable data-protection grounds during the notice period; if EDMA cannot accommodate the objection, the Controller may terminate the affected Subscription Term with pro-rata refund of unused fees.
07 Security measures
EDMA implements the following technical and organisational measures (the "TOMs"), forming Annex II to the SCCs where applicable.
Encryption
- TLS 1.2+ for all data in transit between client and server, server and sub-processor;
- AES-256 (or stronger) encryption for data at rest in primary and backup storage;
- encrypted database snapshots; key management via the hosting provider's managed KMS with rotation policy.
Access control
- multi-factor authentication for all EDMA staff with access to production environments;
- role-based access control with least-privilege defaults;
- just-in-time elevation for sensitive operations, with audit logging;
- per-tenant logical separation; cross-tenant access is denied at the application layer.
Network & perimeter
- WAF and DDoS protection in front of public endpoints;
- private network connectivity between application and data tiers;
- egress controls on outbound traffic from production.
Software development
- code review required for all production changes;
- dependency scanning and vulnerability remediation under defined SLAs;
- secrets management via the hosting provider's secret store; no secrets in source code.
Operational
- structured logging with sensitive-field redaction at source;
- continuous monitoring and alerting for security events;
- annual third-party penetration testing;
- incident-response procedures with defined roles and escalation paths;
- backup and disaster-recovery procedures with documented RPO/RTO.
People
- background checks for staff with access to production where lawful;
- security awareness training at hire and at least annually thereafter;
- contractual confidentiality obligations on staff and contractors;
- access revoked promptly on departure.
08 International transfers
Where personal data is transferred from the EEA, UK, or Switzerland to a country not deemed to provide adequate protection, the parties rely on:
- the European Commission's Standard Contractual Clauses (2021/914, Module 2: Controller-to-Processor) and the UK addendum where the UK GDPR applies;
- the technical and organisational measures in §7 as supplementary safeguards;
- the Controller's assessment of the risks of the transfer, taking into account the law and practice of the destination country.
Where EDMA engages a sub-processor located outside the EEA, EDMA ensures that the same or equivalent safeguards apply to the onward transfer.
09 Data subject rights
If EDMA receives a request directly from a data subject relating to Customer Personal Data (e.g. access, rectification, erasure, restriction, portability, objection), EDMA will, without undue delay, forward the request to the Controller and will not respond to the request directly unless instructed by the Controller or required by law.
EDMA will assist the Controller, taking into account the nature of the processing and the information available to EDMA, to respond to data-subject requests within applicable legal deadlines. Assistance includes providing technical mechanisms to access, export, or delete personal data within the Service.
10 Personal-data breach
EDMA will notify the Controller without undue delay, and in any event within 72 hours of EDMA becoming aware of a personal-data breach affecting Customer Personal Data. The notification will include, to the extent then known:
- the nature of the breach including the categories and approximate number of data subjects and records affected;
- the likely consequences;
- the measures taken or proposed to address the breach and mitigate its effects;
- contact details for further information.
EDMA will provide further updates as the investigation progresses and will cooperate with the Controller's breach-response obligations under applicable law. Notification by EDMA to the Controller is not an acknowledgement of fault or liability.
11 Audits & inspections
EDMA will make available to the Controller, upon reasonable request and not more than once in any 12-month period (except where required by a supervisory authority or following a personal-data breach), information necessary to demonstrate compliance with this DPA. EDMA will satisfy this obligation by providing:
- this DPA and the latest published version of the security measures;
- summaries of independent third-party audit reports where available;
- responses to a reasonable security questionnaire.
Where the above is insufficient, an on-site audit may be carried out subject to (a) reasonable notice; (b) confidentiality undertakings; (c) audits being conducted during business hours and not unreasonably disrupting EDMA's operations; and (d) the Controller bearing its own costs unless the audit reveals a material breach. Audits may be conducted by an independent third-party auditor agreed by both parties.
12 Return & deletion
On termination of the Subscription Term, EDMA will provide a 30-day export window during which the Controller can retrieve Customer Personal Data in a structured, commonly used machine-readable format. After that window, EDMA will delete Customer Personal Data from active systems within 30 days and from backups in accordance with EDMA's documented backup-retention cycle (typically within 90 days), except where retention is required by law.
On the Controller's written request before the export window expires, EDMA will provide a written certification of deletion.
13 Liability & precedence
The liability of each party under or in connection with this DPA is subject to the limitation of liability in the Terms of Service. To the extent any liability cap applies separately to data-protection liability, it is set out in the Terms.
In case of conflict between this DPA and the Terms, this DPA prevails on data-protection matters. Where the Standard Contractual Clauses are incorporated, the Clauses prevail to the extent of conflict.
This DPA may be updated to reflect changes in applicable law, sub-processors, or technical measures. Material changes will be notified to Controller administrator contacts at least thirty (30) days before they take effect.