Data Processing Agreement

Effective 14 January 2025
Last updated 24 April 2026

This Data Processing Agreement (DPA) forms part of and supplements the Customer Agreement, Terms of Service, or other written or electronic agreement between Pircel P.C. (Pircel) and the Customer (the Agreement) under which Pircel provides its hosted shipping management platform (the Service). This DPA reflects the parties' agreement on the processing of Personal Data by Pircel on behalf of Customer in accordance with the requirements of European Union Data Protection Law.

In the event of any conflict between this DPA and the Agreement on data protection matters, this DPA prevails.

1. Definitions

In this DPA, capitalised terms have the meanings set out below. Terms not defined here have the meanings given to them in the GDPR or the Agreement.

  • Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
  • Customer means the legal entity that has entered into the Agreement with Pircel.
  • Customer Personal Data means Personal Data that Pircel Processes on behalf of Customer in connection with the Service, as further described in Annex 1.
  • Data Protection Law means all applicable laws and regulations relating to the processing of Personal Data, including: (a) Regulation (EU) 2016/679 (the GDPR); (b) the GDPR as it forms part of the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 (the UK GDPR); (c) the Swiss Federal Act on Data Protection (FADP); and (d) Greek Law 4624/2019, each as amended or superseded from time to time.
  • Data Subject, Controller, Processor, Personal Data, Personal Data Breach, Processing (and Process), Special Categories of Personal Data, and Supervisory Authority have the meanings given in the GDPR.
  • EU SCCs means the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021.
  • Restricted Transfer means a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision under applicable Data Protection Law.
  • Sub-processor means any third party engaged by Pircel that Processes Customer Personal Data, as further described in Section 8.
  • UK Addendum means the international data transfer addendum to the EU SCCs issued by the UK Information Commissioner, version B1.0, in force 21 March 2022.

2. Scope and Roles

2.1 This DPA applies to Pircel's Processing of Customer Personal Data carried out in connection with the provision of the Service.

2.2 With respect to Customer Personal Data:

  • Customer is the Controller and Pircel is the Processor, except where Customer acts as a Processor on behalf of a third-party controller — in which case Pircel acts as a Sub-processor and Customer remains responsible for ensuring that the third-party controller has authorised the engagement of Pircel.
  • Each party is responsible for compliance with its respective obligations under Data Protection Law.

2.3 This DPA does not apply to Personal Data that Pircel Processes as a Controller in its own right (for example, Personal Data about Customer's authorised users for the purposes of account administration, billing, and security). Such Processing is governed by Pircel's Privacy Policy.

3. Subject Matter, Nature, Purpose, and Duration of Processing

3.1 The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects in respect of which Pircel Processes Customer Personal Data are set out in Annex 1 (Description of Processing).

3.2 Pircel will Process Customer Personal Data for the duration of the Agreement and for such additional period as Pircel is required to retain it under Section 13 (Return or Deletion of Customer Personal Data) or by applicable law.

4. Customer's Instructions

4.1 Pircel shall Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or an international organisation, unless required to do so by EU or Member State law to which Pircel is subject. Where Pircel relies on such a legal requirement, Pircel will inform Customer of that legal requirement before Processing (unless the law prohibits such information on important grounds of public interest).

4.2 The Agreement (including this DPA, Customer's use of the Service, and Customer's configuration of the Service) constitutes Customer's complete and final documented instructions to Pircel for the Processing of Customer Personal Data. Customer may issue additional instructions in writing, provided they are consistent with the Agreement.

4.3 If Pircel believes that an instruction from Customer infringes Data Protection Law, Pircel will inform Customer without undue delay. Pircel may, in such case, decline to follow the instruction until Customer confirms or modifies it.

5. Customer Obligations

5.1 Customer warrants and represents that:

  • (a) it has complied, and will continue to comply, with its obligations as a Controller under Data Protection Law, including providing all required notices to and obtaining all required consents and rights from Data Subjects;
  • (b) it has a valid legal basis under Data Protection Law for the Processing of Customer Personal Data (including for the disclosure to Pircel and any Sub-processor);
  • (c) its instructions to Pircel comply with Data Protection Law; and
  • (d) it has not submitted, and will not submit through the Service, any Special Categories of Personal Data, except where such data is incidentally included in fields whose primary purpose is operational (e.g., shipping addresses), or where Customer has notified Pircel in advance and the parties have agreed any additional safeguards.

5.2 Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and for the means by which Customer acquired it.

6. Pircel's Obligations

6.1 Confidentiality

Pircel shall ensure that persons authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Such persons shall Process Customer Personal Data only as necessary to perform the Service.

6.2 Security Measures

Pircel shall implement and maintain the technical and organisational measures set out in Annex 2 (Technical and Organisational Measures), designed to ensure a level of security appropriate to the risk in accordance with Article 32 GDPR. Customer acknowledges that these measures are subject to technical progress and development and that Pircel may update or modify them from time to time, provided that the updates do not materially diminish the overall level of protection.

6.3 Personnel

Pircel shall take reasonable steps to ensure that any of its personnel who have access to Customer Personal Data are subject to confidentiality obligations and have received appropriate training on the protection of Personal Data.

7. Data Subject Rights

7.1 Pircel shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, to enable Customer to fulfil its obligations to respond to requests by Data Subjects exercising their rights under Chapter III GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).

7.2 Where a Data Subject contacts Pircel directly with a request relating to Customer Personal Data, Pircel will, without undue delay, inform the Data Subject that the request should be directed to Customer and will forward the request to Customer where appropriate.

7.3 Customer is responsible for responding to Data Subject requests. Pircel will provide reasonable assistance, including by providing functionality within the Service or, where the functionality is unavailable, by providing reasonable support upon Customer's written request.

8. Sub-processors

8.1 General Authorisation

Customer provides Pircel with general written authorisation to engage Sub-processors to Process Customer Personal Data, subject to the requirements of this Section 8.

8.2 Current Sub-processors

The current list of authorised Sub-processors is maintained at /subprocessors (Sub-processor List), which is incorporated into this DPA by reference. The Sub-processor List sets out the identity, location, and purpose of each Sub-processor.

8.3 Sub-processor Obligations

Where Pircel engages a Sub-processor for carrying out specific Processing activities on behalf of Customer, Pircel shall:

  • (a) enter into a written agreement with the Sub-processor that imposes data protection obligations no less protective than those set out in this DPA, including obligations to implement appropriate technical and organisational measures;
  • (b) remain fully liable to Customer for the performance of that Sub-processor's data protection obligations; and
  • (c) where the engagement involves a Restricted Transfer, put in place the relevant transfer mechanism described in Section 9.

8.4 Changes to Sub-processors

Pircel may add or replace Sub-processors. Pircel will notify Customer of any intended change at least thirty (30) days in advance — by updating the Sub-processor List and, where Customer has subscribed to such notifications, by email — so that Customer has the opportunity to object.

8.5 Right to Object

Customer may, on reasonable grounds related to data protection, object to a new Sub-processor by providing written notice to Pircel within thirty (30) days of the notification. The parties will work together in good faith to address the objection, including by Pircel ceasing to use the relevant Sub-processor for Customer Personal Data or by Pircel offering an alternative. If the parties cannot reach a resolution within thirty (30) days of Customer's objection, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service by written notice to Pircel; pre-paid fees for the terminated portion covering the remainder of the then-current term will be refunded on a pro-rata basis.

9. International Data Transfers

9.1 Order of Preference

Where the Processing of Customer Personal Data by Pircel or its Sub-processors involves a Restricted Transfer, the parties shall rely on the following mechanisms in the order of preference set out below:

  • (a) where the recipient is in a country benefiting from an adequacy decision under the relevant Data Protection Law, that adequacy decision (including, for transfers from the EEA to a recipient self-certified to the EU–US Data Privacy Framework, the framework decision);
  • (b) failing (a), the EU SCCs (and, where applicable, the UK Addendum and the FADP for Switzerland);
  • (c) failing (a) and (b), an applicable derogation under Article 49 GDPR.

9.2 EU SCCs Incorporated by Reference

Where the EU SCCs apply:

  • (a) Module Two (Controller to Processor) applies where Customer is a Controller and Pircel is a Processor;
  • (b) Module Three (Processor to Sub-processor) applies where Customer is a Processor acting on behalf of a third-party controller;
  • (c) the optional clauses in the EU SCCs are deemed selected as follows: Option 1 (general written authorisation) is selected in Clause 9(a); the optional governing law in Clause 17 is Greek law; the supervisory authority in Clause 13 is the Hellenic Data Protection Authority; the optional language in Clause 11(a) is deleted; and the optional redress in Clause 11(a) is deleted; and
  • (d) Annex I.A (List of Parties), Annex I.B (Description of Transfer), Annex I.C (Competent Supervisory Authority), Annex II (Technical and Organisational Measures), and Annex III (List of Sub-processors) of the EU SCCs are populated by reference to Annex 1 and Annex 2 of this DPA and to the Sub-processor List.

9.3 UK Addendum and Swiss FADP

Where Customer Personal Data originates from the United Kingdom, the parties incorporate the UK Addendum into this DPA, with the EU SCCs as the "Approved EU SCCs". Where Customer Personal Data originates from Switzerland, the EU SCCs apply with the following adjustments: references to the GDPR are deemed to include the FADP where applicable; the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and references to EU Member States do not prevent Swiss data subjects from exercising rights in Switzerland.

10. Personal Data Breach Notification

10.1 Pircel shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will be made to the contact provided by Customer for security and data protection matters (or, in the absence of such contact, to the primary account email on file).

10.2 The notification will include, to the extent then known and as the investigation progresses:

  • (a) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
  • (b) the likely consequences of the Personal Data Breach;
  • (c) the measures taken or proposed to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
  • (d) a contact point for further information.

10.3 Pircel's notification is not, and shall not be construed as, an acknowledgement by Pircel of any fault or liability with respect to the Personal Data Breach.

10.4 Customer is solely responsible for fulfilling its own notification obligations to Supervisory Authorities and Data Subjects under Articles 33 and 34 GDPR.

11. Data Protection Impact Assessments and Prior Consultation

Pircel shall provide reasonable assistance to Customer in carrying out data protection impact assessments and any prior consultations with Supervisory Authorities under Articles 35 and 36 GDPR, taking into account the nature of the Processing and the information available to Pircel.

12. Audits

12.1 Pircel shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and with Article 28 GDPR. On reasonable written request from Customer (not more than once per calendar year, unless required by a Supervisory Authority or following a confirmed Personal Data Breach), Pircel will provide:

  • (a) the most recent applicable third-party security assessments, certifications, or audit reports relating to the Service (such as ISO 27001 certificates, SOC 2 reports, or equivalents); and
  • (b) responses to a reasonable security questionnaire relating to the Service.

12.2 Where the information referred to in Section 12.1 is not sufficient to demonstrate compliance, Customer may, on at least thirty (30) days' prior written notice, request an audit. Audits shall:

  • (a) be carried out by Customer or by an independent third-party auditor mutually agreed in writing by the parties and bound by appropriate confidentiality obligations;
  • (b) take place during normal business hours and not interfere unreasonably with Pircel's operations;
  • (c) be limited to information and systems relevant to the Processing of Customer Personal Data;
  • (d) not require Pircel to disclose any information that would compromise its security, the confidentiality of other customers' data, or its legal obligations;
  • (e) be conducted at Customer's cost, unless the audit identifies a material non-compliance by Pircel, in which case the reasonable cost of the audit shall be borne by Pircel.

12.3 Customer and its auditor shall comply with Pircel's reasonable on-site security and confidentiality requirements.

13. Return or Deletion of Customer Personal Data

13.1 Upon termination or expiration of the Agreement, Pircel will, at Customer's choice, delete or return all Customer Personal Data to Customer.

13.2 Unless Customer requests deletion or return within thirty (30) days after termination, Pircel will, within ninety (90) days after termination, delete Customer Personal Data from Pircel's production systems. Encrypted backups containing Customer Personal Data will be deleted in the ordinary course of Pircel's backup cycle, typically within a further thirty (30) days, after which Customer Personal Data will only be accessible (if at all) in encrypted backup form and will not be Processed except as necessary to comply with legal obligations.

13.3 Notwithstanding Sections 13.1 and 13.2, Pircel may retain Customer Personal Data to the extent and for the duration required by applicable law, in which case Pircel will continue to protect it in accordance with this DPA and will Process it only for the purpose required by that law.

13.4 On Customer's written request, Pircel will provide written confirmation that it has complied with this Section 13.

14. Liability

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, which shall apply to the parties' obligations under this DPA as if they were obligations under the Agreement.

15. Order of Precedence

In the event of any conflict or inconsistency between the documents that govern the parties' relationship in respect of Customer Personal Data, the following order of precedence applies (with the higher document prevailing):

  1. The EU SCCs (where applicable), only as regards the obligations they impose;
  2. This DPA;
  3. The Agreement;
  4. Pircel's Privacy Policy and other public documentation.

16. Term and Termination

16.1 This DPA shall commence on the Effective Date and shall continue in force for the duration of the Agreement and thereafter for so long as Pircel Processes Customer Personal Data.

16.2 Sections that by their nature should survive termination — including Sections 13, 14, 15, 16, and 17 — shall survive any termination or expiry of this DPA.

17. General Provisions

17.1 Governing law and jurisdiction

This DPA is governed by the laws of the Hellenic Republic, without regard to its conflict-of-laws principles. The courts of Athens, Greece shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, except where mandatory applicable law (including the EU SCCs themselves) provides otherwise.

17.2 Notices

Notices under this DPA shall be given as set out in the Agreement. Notices to Pircel concerning data protection matters may also be sent to legal@pircel.com or privacy@pircel.com.

17.3 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be interpreted to give effect to its purpose to the maximum extent permitted by law.

17.4 Entire agreement

This DPA, together with the Agreement and any documents expressly incorporated by reference (including the Sub-processor List and the EU SCCs where applicable), constitutes the entire agreement between the parties relating to the Processing of Customer Personal Data and supersedes any prior agreements between the parties on this subject matter.

17.5 Counterparts and execution

Where a signed copy of this DPA is requested by Customer, it may be executed in counterparts and signed by electronic means, each of which shall be deemed an original.

Annex 1 — Description of Processing

  • Subject matter: The provision of the Pircel hosted shipping management platform to Customer pursuant to the Agreement.
  • Nature of the Processing: Receiving, storing, transmitting, transforming, analysing, and otherwise Processing Customer Personal Data as necessary to provide the Service, including: receiving shipment data from Customer; canonicalising postal addresses; generating shipping vouchers and labels; transmitting shipment data to the Carrier chosen by Customer or its End Recipient; tracking shipment status; sending shipment notifications; reconciling carrier invoices; and providing dashboard, analytics, and audit functionality.
  • Purpose of the Processing: To enable Customer to operate its delivery and fulfilment workflow through the Service.
  • Categories of Data Subjects: (a) Customer's authorised users (employees, contractors, or other personnel of Customer who use the Service); (b) End Recipients (natural persons to whom Customer ships parcels); (c) senders (where the sender is a natural person, e.g., for return shipments).
  • Categories of Personal Data: (a) Identification data: first name, last name, company name where applicable. (b) Contact data: postal address (street, city, postcode, country), telephone number, email address. (c) Shipment data: order reference, parcel dimensions and weight, COD amount, payment method, delivery notes, sender details, recipient details, voucher (tracking) code, shipment status events. (d) Document data: customs documents, carrier invoices, and other shipping documents containing Personal Data, where uploaded by Customer. (e) Account data: name, email, role, and authentication metadata of Customer's authorised users (Processed by Pircel as Processor to the extent it relates to Customer's account administration; otherwise Processed by Pircel as Controller under the Privacy Policy).
  • Special Categories of Personal Data: None intentionally. Customer undertakes not to submit Special Categories of Personal Data through the Service except as permitted by Section 5.1(d) of this DPA.
  • Frequency of the Processing: Continuous, for the duration of the Agreement.
  • Duration of the Processing: The duration of the Agreement plus the retention period set out in Section 13 of this DPA.
  • Permitted Sub-processors: As set out in the Sub-processor List at /subprocessors.
  • Competent Supervisory Authority (for EU SCCs purposes): The Hellenic Data Protection Authority (HDPA) — Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα — 1–3 Kifisias Avenue, 115 23 Athens, Greece.

Annex 2 — Technical and Organisational Measures

Pircel implements and maintains the following technical and organisational measures to ensure a level of security appropriate to the risk of the Processing.

A. Encryption

  • In transit: all Customer Personal Data transmitted to or from the Service is encrypted using TLS 1.2 or higher.
  • At rest: Customer Personal Data stored at rest is encrypted using AES-256 or equivalent.

B. Access Controls

  • Authentication: access to the Service requires individual user accounts authenticated via one-time passcodes and signed session tokens (ES256). Service-to-service authentication uses scoped API credentials.
  • Authorisation: access to Customer Personal Data within Pircel is role-based and granted on a least-privilege basis. Production access is limited to a small number of authorised personnel and is logged.
  • Multi-factor authentication is enforced for Pircel personnel accessing critical systems.

C. Personnel

  • All Pircel personnel are bound by written confidentiality obligations.
  • Pircel personnel receive periodic training on data protection and information security.
  • Access to Customer Personal Data is removed promptly upon termination of an individual's role.

D. Network and Application Security

  • Pircel maintains a layered set of network controls, including firewalls and segmentation.
  • Application code is reviewed prior to deployment.
  • Pircel monitors for vulnerabilities in its dependencies and applies critical patches in a timely manner.
  • Production secrets are stored in dedicated secret-management systems and are not stored in source code.

E. Audit Logging and Monitoring

  • Administrative actions and access events affecting Customer Personal Data are logged.
  • Logs are protected against unauthorised modification and retained for a period appropriate to the purposes of detection and investigation.

F. Sub-processor Management

  • Pircel maintains a current list of Sub-processors and assesses each Sub-processor's security posture prior to engagement.
  • Pircel imposes contractual obligations on Sub-processors that are no less protective than those set out in this DPA.

G. Data Residency

  • Pircel's principal infrastructure Sub-processors are configured such that Customer Personal Data is Processed within the European Economic Area, as set out in the Sub-processor List. Where Restricted Transfers occur, the safeguards described in Section 9 of this DPA apply.

H. Incident Response

  • Pircel maintains an incident response plan covering detection, escalation, investigation, mitigation, and notification.
  • Pircel will notify Customer of Personal Data Breaches affecting Customer Personal Data in accordance with Section 10 of this DPA.

I. Backup and Recovery

  • Customer Personal Data is backed up regularly. Backups are encrypted and access-controlled.
  • Restoration procedures are tested periodically.

J. Physical Security

  • Pircel does not operate its own data centres. Physical security of the underlying infrastructure is provided by the Sub-processors identified in the Sub-processor List, each of which maintains certifications (such as ISO 27001 or equivalent) covering physical and environmental controls.

K. Continuous Improvement

  • Pircel reviews and updates its technical and organisational measures on an ongoing basis, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the Processing, and the risks to Data Subjects.

Annex 3 — Authorised Sub-processors

The list of authorised Sub-processors, together with their location, role, and the data they process, is published and maintained at:

This list is incorporated by reference into this DPA. Pircel will update the list and notify Customer of any addition, replacement, or removal of a Sub-processor in accordance with Section 8.4.