Data Protection Agreement

Last Updated on May 9, 2025

The parties involved in this agreement are Haulvana Inc. ("Data Controller") and the Third-Party Data Processors ("Data Processors") engaged by Haulvana Inc. for processing personal data on its behalf. Haulvana Inc. provides a cloud-based platform where waste management providers can manage their operations, including features like service booking, driver dispatch, job management, and customer communication (the "Service").

Unless otherwise agreed in writing between the parties, to the extent any third-party data processors process Personal Data on behalf of Haulvana Inc. as the Data Controller, in accordance with the General Data Protection Regulation (EU) ("GDPR") or other applicable data protection laws, this Data Processing Agreement ("DPA") applies. This DPA supplements the Principal Agreement between Haulvana Inc. and the third-party data processors (the "Agreement"). In the event of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, the terms of this DPA shall prevail.

1. Definitions

1.1 The terms "Personal Data", "Data Subject", "Processing", "Controller", and "Processor" shall have the meanings defined in the GDPR, irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.

1.2 Unless stated otherwise:

  • "Subprocessor" means any third party appointed by the Data Processor to assist in processing Personal Data under this Agreement.
  • "Security Incident" means any unauthorized access, disclosure, alteration, or destruction of Personal Data or any similar event that compromises the security of Personal Data.
  • "Third-Party Services" means any external entities or service providers that are involved in the operation of the platform and may process or store Personal Data.
  • "Data Protection Laws" means all applicable laws, regulations, and rules relating to the processing of Personal Data, including but not limited to the General Data Protection Regulation (EU) and the California Consumer Privacy Act (CCPA).

2. Duration of DPA

This DPA will remain in effect until, and automatically expire upon, deletion of all Customer Data by Haulvana Inc. as described in this DPA.

3. Roles and Responsibilities

Data Controller: Haulvana Inc. acts as the Data Controller in relation to the personal data provided by the Data Subject. As the Data Controller, Haulvana Inc. determines the purposes and means of processing the personal data and is responsible for ensuring compliance with data protection laws and regulations.

Data Processor: The associated third parties act as the Data Processor. In this role, the Data Processor processes personal data on behalf of the Data Controller, in accordance with the instructions provided by the Data Controller. The Data Processor does not determine the purposes or means of processing but assists in processing the data as per the Data Controller's directives.

4. Sub-processors

At this time, Haulvana Inc. does not engage any sub-processors to handle customer data. In the event that any sub-processors are engaged in the future, Haulvana Inc. will ensure that the sub-processors are bound by contractual obligations that meet the standards set forth in this Agreement.

5. Data Protection and Security Measures

a. Encryption

  • Data in Transit: All customer data transmitted between users and Haulvana Inc.'s servers is protected using Transport Layer Security (TLS 1.2 or higher), ensuring encrypted communication across both web and mobile platforms.
  • Data at Rest: Sensitive data stored within Haulvana Inc.'s databases is encrypted using AES-256 encryption or better, applied within a secure cloud environment.

b. Network & Infrastructure Security

  • Firewalls & Intrusion Detection: Our servers are protected by next-generation firewalls and intrusion detection systems (IDS), which monitor for unusual or malicious activity.
  • Isolation of Environments: Haulvana Inc. ensures logical separation between production, development, and testing environments. Access to each environment is limited according to role and necessity.
  • Regular Vulnerability Scans & Patching: Automated scans and routine manual audits are conducted to identify vulnerabilities. Patches are applied promptly based on the severity of the vulnerability.

c. Application Security

  • Access Control: Role-based Access Control (RBAC) ensures that both users and staff have access only to the data and features necessary for their roles. Administrative functions are further restricted.
  • Secure Coding Practices: Haulvana Inc. follows secure software development lifecycle (SDLC) standards, which include regular code reviews and security-focused QA testing to ensure applications remain secure.

d. Physical & Cloud Provider Security

  • Cloud Infrastructure Providers: Haulvana Inc. uses secure, U.S.-based cloud infrastructure providers, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure Cloud, which maintain certifications such as ISO 27001, SOC 2, and PCI-DSS.
  • Physical Access Control: Physical access to data centers is tightly controlled by biometric access and surveillance to prevent unauthorized access.

e. Operational Security Protocols

  • Employee Access Audits: Internal access to systems is logged, audited, and reviewed periodically to ensure compliance with security protocols.
  • Security Training: All employees undergo ongoing training in data privacy and security practices and sign confidentiality agreements as a condition of employment.
  • Incident Response: Haulvana Inc. has established an Incident Response Plan to detect, assess, and mitigate security breaches promptly. Affected users will be notified in accordance with applicable data breach notification laws.

6. Data Processing and Use

Scope of Data Processing: The Data Processor/Controller will process personal data in accordance with the documented instructions. The personal data provided by the Data Subject will be used for the purposes outlined in the Principal Agreement between the Parties.

Purpose of Data Processing: The Data Processor/Controller will process the personal data solely to provide the services requested by the Data Subject and in compliance with applicable data protection laws.

7. Data Subject Rights

In compliance with GDPR and CCPA, the Data Controller will assist the Data Subject in exercising their rights under applicable data protection laws. These rights include, but are not limited to:

  • Right to Access: The Data Subject has the right to obtain confirmation as to whether their Personal Data is being processed and access to the Personal Data being processed.
  • Right to Rectification: The Data Subject has the right to request correction or completion of inaccurate or incomplete Personal Data.
  • Right to Erasure: The Data Subject has the right to request the deletion of their Personal Data in certain circumstances (e.g., when the data is no longer necessary for the purposes for which it was collected).
  • Right to Restrict Processing: The Data Subject has the right to request the restriction of processing of their Personal Data under certain conditions (e.g., while verification of data accuracy is underway).
  • Right to Data Portability: The Data Subject has the right to receive their Personal Data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller.
  • Right to Object: The Data Subject has the right to object to the processing of their Personal Data under certain conditions, including for marketing purposes.
  • Right to Non-Discrimination: The Data Subject shall not be discriminated against for exercising any of their rights under the CCPA or GDPR.

Haulvana Inc. shall assist the Data Subject in fulfilling these rights by providing necessary tools and processes, including enabling the Data Subject to submit requests for their rights under GDPR and CCPA.

8. Data Retention and Deletion

Data Retention:
Haulvana Inc. will retain personal data only for as long as necessary to fulfill the purposes outlined in this Agreement or as required by law. In accordance with GDPR and CCPA, personal data will be retained for no longer than is necessary to fulfill the agreed-upon purposes or as required by applicable laws or regulations.

  • For GDPR compliance, the data will be kept in a form that permits identification of the Data Subject for no longer than necessary for the purposes for which the personal data is processed.
  • CCPA mandates that personal data be deleted or anonymized upon the Data Subject's request, subject to the exception of any data retention obligations imposed by law.

Data Deletion:
Upon termination of the Principal Agreement or upon request from the Data Controller, the Data Processor shall either delete or return all personal data and delete existing copies unless retention is required by applicable law. In the case of GDPR and CCPA obligations, the data deletion request will be honored in accordance with the applicable law, subject to retention periods or other legal requirements.

9. Liability

Both Parties agree that each Party will be responsible for the damages arising from any breach of this Agreement or the applicable data protection laws. The liability of the Data Processor/Controller shall be limited to the amount paid by the Customer for the services in the 3 months preceding the incident giving rise to the claim.

10. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the jurisdiction specified in the Principal Agreement between the Parties. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Principal Agreement.

11. Miscellaneous

  • Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
  • Entire Agreement: This DPA constitutes the entire agreement between the Parties regarding data protection and supersedes any prior agreements or understandings.

Haulvana Inc.
1292 High St
Eugene, OR 97401
United States

Email:

  • For Legal Queries: legal@haulvana.com
  • For Data Protection Queries: privacy@haulvana.com

Phone: (541) 357-7258