Data Processing Agreement

Legal Document

Karls Transport Management System Ltd · Company No. 17085260 · Version 1.0 · April 2026

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between the Company and the Customer.

Parties

Data Processor:Karls Transport Management System Ltd, Company No. 17085260 ("Processor")

Data Controller:The Customer as identified in the KTMS account registration ("Controller")

1. Background and Purpose

1.1 The Controller uses the KTMS platform (the "Platform") provided by the Processor to manage freight operations, including job management, invoicing, load board, fleet management, and carbon reporting.

1.2 In providing the Platform, the Processor will process personal data on behalf of the Controller. This DPA sets out the terms on which the Processor processes that data, as required by Article 28 of the UK General Data Protection Regulation ("UK GDPR").

1.3 This DPA is incorporated into and forms part of the Terms and Conditions between the parties. In the event of any conflict between this DPA and the Terms and Conditions, this DPA shall prevail in relation to data processing matters.

2. Definitions

In this DPA, terms defined in the UK GDPR have the meanings given there. In addition:

"Personal Data" means any information relating to an identified or identifiable natural person that the Controller inputs into or generates through the Platform.
"Processing" has the meaning given in the UK GDPR and includes any operation performed on Personal Data.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on the Processor's behalf.
"Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

3. Details of Processing

Item	Detail
Subject matter	Transport management operations carried out by the Controller using the KTMS platform
Duration	For the duration of the subscription and any applicable retention period thereafter
Nature of processing	Storage, retrieval, organisation, display, and export of operational and financial data
Purpose	To provide the Controller with the KTMS platform services as described in the Terms and Conditions
Types of personal data	Names, contact details, email addresses, job addresses, driver information
Categories of data subjects	The Controller's employees, customers, suppliers, and drivers

4. Controller's Obligations

4.1 The Controller warrants that it has all necessary legal bases under UK GDPR to input Personal Data into the Platform and to instruct the Processor to process it on their behalf.

4.2 The Controller is responsible for ensuring that data subjects whose data is entered into the Platform have been provided with appropriate privacy notices.

4.3 The Controller is responsible for responding to data subject rights requests in relation to Personal Data for which they are the Controller.

5. Processor's Obligations

The Processor shall:

Process Personal Data only on documented instructions from the Controller, including as set out in this DPA and the Terms and Conditions
Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations
Implement appropriate technical and organisational security measures as described in Clause 6
Not engage sub-processors without the Controller's general or specific prior authorisation (as provided in Clause 7)
Assist the Controller in responding to data subject rights requests to the extent reasonably practicable
Assist the Controller with security obligations, breach notifications, DPIAs, and consultations with the ICO where relevant
Delete or return all Personal Data on termination of the subscription in accordance with the Terms and Conditions
Make available to the Controller all information necessary to demonstrate compliance with this DPA

6. Security Measures

The Processor implements the following technical and organisational measures to protect Personal Data:

Encrypted connections (HTTPS/TLS) for all data in transit between users and the Platform
Encrypted storage via Supabase (PostgreSQL with encryption at rest)
Role-based access control — each user accesses only data appropriate to their role
Row-level security policies preventing cross-tenant data access
Access credentials protected by hashed passwords
Regular review of access controls and security configurations

7. Sub-Processors

7.1 The Controller provides general authorisation for the Processor to engage the following sub-processors:

Sub-Processor	Location	Purpose
Supabase	EU (AWS eu-west-1)	Database hosting and storage
Railway	EU	Application hosting
OpenRouteService	Germany	Route calculation (postcode data only)
Netlify	Global CDN	Website hosting

7.2 The Processor will notify the Controller of any intended changes to the sub-processors listed above with reasonable advance notice.

7.3 The Processor ensures all sub-processors are bound by data protection obligations equivalent to those in this DPA.

8. Data Breaches

8.1 The Processor will notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Data Breach affecting Personal Data processed under this DPA.

8.2 The notification will include, to the extent available: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

8.3 The Controller is responsible for assessing whether the breach requires notification to the ICO or affected data subjects.

9. Data Subject Rights

9.1 The Processor will assist the Controller in fulfilling their obligations to respond to data subject rights requests, including requests for access, rectification, erasure, restriction, and portability.

9.2 If the Processor receives a request directly from a data subject, it will promptly forward it to the Controller without responding directly, unless instructed otherwise.

10. Termination and Data Return

10.1 On termination of the subscription, the Controller may request an export of their Personal Data within 30 days.

10.2 Following the 30-day period, the Processor will delete or anonymise all Personal Data in accordance with its data retention policy, unless retention is required by law.

10.3 The Processor will provide written confirmation of deletion on request.

11. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Signatures

This DPA is agreed between the parties as follows. For a signed copy of this agreement, please contact karl@ktms.co.uk.

For the Processor

Karls Transport Management System Ltd

Company No. 17085260

Signed: _______________________

Name: Karl

Date: _______________________

For the Controller

Company: _______________________

Company No.: _______________________

Signed: _______________________

Name: _______________________

Date: _______________________

This Data Processing Agreement is published by Karls Transport Management System Ltd in accordance with Article 28 UK GDPR. For a countersigned copy, please contact karl@ktms.co.uk.