Data Processing Agreement

Last updated: 12 June 2026

This Data Processing Agreement (“DPA”) is by and between:

  • The entity or person defined as “Customer” under the LoadingCalendar Terms and Conditions (“Customer” or “Controller”); and
  • Cargoson OÜ, a private limited company incorporated under the laws of the Republic of Estonia (registry code 14545832; address Pärnu mnt 141, 11314 Tallinn, Estonia) (“Cargoson” or “Processor”).

Customer and Cargoson are referred to each as a “Party” and together as the “Parties”.

This DPA forms part of and is subject to the LoadingCalendar Terms and Conditions, available at https://www.loadingcalendar.com (“Terms”). This DPA takes effect upon the Customer’s acceptance of the Terms and shall remain in force for the duration of the Terms.

In the event of any conflict between the Terms and this DPA, the provisions of this DPA shall prevail with respect to data protection matters.

1. Background

  1. The Customer has agreed to the Terms, pursuant to which Cargoson provides the LoadingCalendar dock appointment scheduling platform and related services (“Service”).
  2. In providing the Service, Cargoson may collect, access, or otherwise process personal data of individuals on behalf of the Customer. Unless otherwise agreed between the Parties, the Customer is the data controller and Cargoson is the data processor of such personal data within the meaning of the GDPR.
  3. This DPA specifies the data protection obligations of the Parties pursuant to Article 28 of the GDPR. It applies to all activities carried out by Cargoson in connection with the Terms in which Cargoson, its staff, or a sub-processor acting on Cargoson’s behalf comes into contact with personal data as a processor on behalf of the Customer.
  4. The details of the processing activities — including the subject matter, nature, purpose, duration, categories of personal data, and categories of data subjects — are set out in Annex 1 to this DPA.

2. Definitions

  1. Capitalised terms not defined in this DPA have the meaning given to them in the GDPR or in the Terms. In this DPA:
    • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
    • “Personal Data” means any information that is directly or indirectly related to a natural person (Data Subject) who is or can be identified, in particular by reference to a personal identification number, or on the basis of one or more physical, physiological, mental, economic, cultural or social characteristics of that person, and the processing of which the Parties have agreed upon in this DPA.
    • “Processing” (and “Process”) means any operation performed on Personal Data, such as collection, storage, accumulation, classification, grouping, combination, modification, transfer, publication, use, retrieval, distribution, destruction or any other operation or set of operations.
    • “Data Subject” means a natural person whose Personal Data is processed on the basis of this DPA.
    • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
    • “Sub-processor” means any processor engaged by Cargoson to carry out processing activities on behalf of the Customer in the context of providing the Service.
    • “Supervisory Authority” means the competent data protection supervisory authority in the EU member state in which the Customer is established or, where the Customer is not established in the EU, in which the Customer’s data subjects are predominantly located. Where Cargoson is subject to oversight as a processor established in Estonia, the competent authority is the Data Protection Inspectorate (Andmekaitse Inspektsioon).

3. Customer’s Obligations

  1. The Customer shall:
    1. process personal data in compliance with the GDPR and all other applicable data protection legislation;
    2. ensure the existence of a valid legal basis for all personal data submitted to the Service;
    3. ensure that data subjects are duly informed about the processing of their personal data in accordance with Articles 13 and 14 of the GDPR, including personal data submitted by Third Parties via the Booking Portal;
    4. provide Cargoson with documented and lawful instructions for the processing of personal data. The Customer’s use of the Service under the Terms and this DPA constitutes the Customer’s complete processing instructions at the time of accepting the Terms; any additional or alternative instructions must be consistent with the Terms and this DPA and submitted in a form reproducible in writing;
    5. ensure that the Customer’s use of the Service and the personal data submitted to the Service does not violate any applicable laws or the rights of any data subject;
    6. handle all requests and complaints from data subjects exercising their rights under Chapter III of the GDPR; and
    7. reimburse Cargoson for reasonable costs incurred in providing assistance beyond Cargoson’s standard obligations under this DPA, including in connection with data subject requests, data protection impact assessments, or audits requested by the Customer.

4. Cargoson’s Obligations

  1. Cargoson shall:
    1. process personal data only on the documented instructions of the Customer, unless required to do so by applicable EU or national law. Where such a legal requirement exists, Cargoson shall inform the Customer thereof before processing, unless the law prohibits such notification on grounds of public interest;
    2. immediately notify the Customer if, in Cargoson’s opinion, an instruction from the Customer infringes the GDPR or other applicable data protection provisions;
    3. ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations, whether contractual or statutory, which survive the end of their engagement;
    4. implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access, as further described in clause 8;
    5. assist the Customer, taking into account the nature of the processing and the information available to Cargoson, in responding to requests from data subjects exercising their rights under Chapter III of the GDPR, to the extent technically and legally feasible;
    6. assist the Customer in ensuring compliance with the obligations set out in Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation with a supervisory authority), taking into account the nature of the processing and the information available to Cargoson;
    7. not process personal data for any purpose other than the performance of the Service and the fulfilment of its obligations under the Terms and this DPA; and
    8. make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and the obligations set out in Article 28 of the GDPR.

5. Sub-processors

  1. The Customer grants Cargoson a general written authorisation to engage the sub-processors listed in Annex 2 to this DPA. Cargoson shall impose data protection obligations on each sub-processor that are at least equivalent to those set out in this DPA, by way of a written agreement concluded with each sub-processor in accordance with Article 28(4) of the GDPR. Cargoson remains fully liable to the Customer for the acts and omissions of its sub-processors as if they were Cargoson’s own.
  2. Cargoson shall inform the Customer of any intended changes to the sub-processor list — whether additions or replacements — at least 30 days before the change takes effect. Notification shall be sent by email to the contact address designated by the Customer in its account. Cargoson shall also update Annex 2 and publish the revised DPA on its website with an updated “Last updated” date.
  3. The Customer may object to a new or replacement sub-processor within 30 days of receipt of the notification under clause 5.2 by notifying Cargoson in writing. If the Customer raises a reasonable objection and Cargoson is unable to accommodate it, the Customer may terminate the Terms by giving written notice, with termination taking effect at the end of the ongoing billing period. The Customer shall not be charged a penalty for such termination.

6. Data Subject Rights

  1. Cargoson shall promptly notify the Customer if Cargoson receives any request, complaint, or inquiry from a data subject or a supervisory authority relating to personal data processed under this DPA. Cargoson shall not respond to such requests or inquiries on its own behalf without the Customer’s prior approval, unless required by applicable law.
  2. Cargoson shall, taking into account the nature of the processing, provide the Customer with such technical assistance as is reasonably necessary to enable the Customer to respond to data subject requests within the timeframes prescribed by the GDPR.

7. Personal Data Breach Notification

  1. In the event of a Personal Data Breach affecting personal data processed under this DPA, Cargoson shall notify the Customer without undue delay and in any event no later than 24 hours after becoming aware of the breach.
  2. The notification shall include, to the extent information is available at the time of notification: (a) a description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected; (b) the name and contact details of Cargoson’s data protection contact point; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and to mitigate its possible adverse effects.
  3. The Customer is solely responsible for assessing whether the breach must be reported to the Supervisory Authority and for notifying affected data subjects in accordance with Articles 33 and 34 of the GDPR. Cargoson shall provide the Customer with reasonable assistance for this purpose.

8. Security

  1. Cargoson shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by the processing, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing. These measures include, at a minimum:
    • (a) encryption of personal data in transit using TLS;
    • (b) role-based access controls limiting access to personal data to authorised personnel only;
    • (c) access logs recording date, time, user identity, and operations performed;
    • (d) secure, one-way hashed storage of user passwords;
    • (e) near real-time data replication and automated backup procedures;
    • (f) regular security assessments and vulnerability testing by Cargoson and its infrastructure provider; and
    • (g) encryption of Customer Data at rest in the database, available on selected hosting plan tiers offered by Cargoson’s infrastructure provider.
  2. Cargoson shall regularly test, assess, and evaluate the effectiveness of the technical and organisational measures in place.

9. International Data Transfers

  1. Cargoson shall not transfer personal data to a third country outside the European Economic Area (“EEA”) unless an appropriate transfer mechanism under Chapter V of the GDPR applies.
  2. Where Cargoson or its sub-processors process personal data outside the EEA, the applicable transfer mechanism for each sub-processor is specified in Annex 2. Cargoson shall ensure that sub-processors receiving personal data from the EEA provide an adequate level of protection for such data.

10. Audit Rights

  1. The Customer may request information from Cargoson necessary to verify compliance with this DPA. Where Cargoson or its infrastructure sub-processors hold relevant third-party certifications or audit reports applicable to the processing of Customer Data (such as the ISO 27001, SOC 2 or SOC 3 reports held by Cargoson’s hosting provider, Salesforce/Heroku), Cargoson shall make these available or facilitate the Customer’s access to them upon written request, and they shall be deemed sufficient evidence of compliance unless the Customer demonstrates a specific need for further verification.
  2. The Customer may conduct an on-site audit of Cargoson’s processing activities, either itself or through an independent third-party auditor who is not a competitor of Cargoson and who has executed an appropriate non-disclosure agreement, subject to the following conditions: (a) the Customer gives Cargoson at least 30 calendar days’ prior written notice; (b) audits are conducted during Cargoson’s normal business hours and must not unreasonably interfere with Cargoson’s operations; (c) audits are limited to once per calendar year, unless a Personal Data Breach justifies an additional audit; and (d) the Customer bears the full costs of the audit.

11. Data Return and Deletion

  1. Upon termination of the Terms for any reason, Cargoson shall, at the Customer’s election, delete or return all personal data processed on behalf of the Customer in accordance with clause 9.3 of the Terms (retention for up to 90 calendar days following termination, after which all data is permanently deleted). Cargoson shall also delete all existing copies from its systems, unless continued storage is required by applicable EU or national law.
  2. During the term of the Terms, the Customer may export its data at any time in accordance with the functionality provided within the Service. Cargoson shall provide reasonable assistance if the Customer requests support with data export.

12. Liability

  1. Each Party’s liability under this DPA is subject to the limitations of liability set out in the Terms. Nothing in this DPA limits either Party’s liability to the extent that it cannot be limited under applicable law, including liability for breaches of the GDPR.

13. Term and Termination

  1. This DPA takes effect upon the Customer’s acceptance of the Terms and remains in force for the duration of the Terms.
  2. Termination of the Terms automatically terminates this DPA, subject to Cargoson’s obligations relating to the return or deletion of personal data under clause 11.
  3. This DPA shall also terminate:
    1. if the Controller and the Processor agree to terminate the DPA; and
    2. if the Processor or the Controller loses its right to process Personal Data (e.g. if a supervisory authority orders a Party to stop the Processing of Personal Data).
  4. Any provision of this DPA that is expressed or by its nature required to survive termination (including clauses 11, 12, and 16) shall do so.

14. Amendments

  1. Cargoson may update this DPA from time to time to reflect changes in applicable law or in Cargoson’s processing activities. Cargoson shall publish the revised DPA on its website and update the “Last updated” date. Material changes — including changes to the sub-processor list, data transfer mechanisms, or the security measures set out in clause 8 — shall take effect no earlier than 30 days after Cargoson notifies the Customer of updating this DPA by email to the contact address designated by the Customer in its account. Non-material changes, such as corrections of typographical errors or administrative clarifications that do not affect the substance of the Parties’ obligations, shall take effect upon publication of the revised DPA on Cargoson’s website. The Customer’s continued use of the Service after the applicable effective date constitutes acceptance of the revised DPA. If the Customer does not accept a material change, the Customer may terminate the Terms in accordance with the Terms.

15. Severability

  1. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The Parties shall endeavour to replace any invalid or unenforceable provision with a valid and enforceable provision that reflects the original intent and economic purpose of the replaced provision.

16. Governing Law and Jurisdiction

  1. This DPA is governed by the laws of the Republic of Estonia.
  2. Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution clause of the Terms.

Annex 1 — Description of Processing

1. Identity of the Parties

Data Controller (Customer) Data Processor (Cargoson)
Identity The entity or person defined as “Customer” under the Terms. Cargoson OÜ, registry code 14545832, Pärnu mnt 141, 11314 Tallinn, Estonia.
Contact for data protection matters As provided by the Customer upon registration or in the Terms of the Subscription. privacy@loadingcalendar.com
Role Controller Processor

2. Nature and Purpose of Processing

Cargoson processes personal data on behalf of the Customer for the following purposes in the context of providing the Service:

  • (a) enabling the Customer’s Users to create accounts and manage dock appointments through the Platform;
  • (b) enabling Third Parties (carriers, suppliers, clients) to access the Booking Portal, authenticate via email magic link, and submit or manage booking information;
  • (c) sending automated email notifications to Users and Third Parties regarding bookings and changes to bookings;
  • (d) storing and transmitting documents and files attached to bookings;
  • (e) maintaining access and audit logs for platform security and operational purposes; and
  • (f) providing customer support to the Customer in connection with the Service.

3. Categories of Data Subjects

Category of Data Subject Description
Users Employees, agents, and representatives of the Customer who use the Platform on behalf of the Customer.
Third Parties Carriers, suppliers, clients, and other external parties who interact with the Booking Portal at the Customer’s invitation.

4. Categories of Personal Data

Category Data elements Applies to
Identification data First name, last name, email address, phone number Users and Third Parties
Professional data Company name, address (city, postal code, country), role or title Users and Third Parties
Booking and operational data Dock appointment details (date, time, dock, loading type, status), cargo description, reference numbers Third Parties (submitted via Booking Portal)
Transport data Vehicle registration number (truck plate), driver name and contact details Third Parties (submitted via Booking Portal)
Technical and log data IP address, browser type and version, device identifiers, date and time of access, operations performed within the Platform Users
Uploaded documents Content of files and documents attached to bookings by the Customer or Third Parties (nature and content determined solely by the Customer) Users and Third Parties

5. Special Categories of Personal Data

The Customer shall not submit special categories of personal data within the meaning of Article 9 of the GDPR to the Service without prior written agreement with Cargoson. Cargoson does not knowingly process special categories of personal data on behalf of the Customer under this DPA.

6. Frequency and Duration of Processing

Processing is carried out on a continuous basis for the duration of the Terms. Upon termination of the Terms, personal data is retained for up to 90 calendar days in accordance with clause 9.3 of the Terms, after which all data relating to the Customer’s account is permanently deleted.

Annex 2 — Sub-processors and Data Transfer Mechanisms

The following sub-processors are engaged by Cargoson in the context of providing the Service.

Sub-processor Purpose Transfer mechanism (if outside EEA)
Salesforce, Inc. (operating as Heroku) Platform hosting — application servers, databases, and related infrastructure EU-US Data Privacy Framework (Salesforce certified; verifiable at www.dataprivacyframework.gov). Supplementary safeguards: Salesforce Processor Binding Corporate Rules (approved by EU data protection authorities) and Standard Contractual Clauses (EU Commission Implementing Decision 2021/914).
Amazon Web Services, Inc. (AWS S3) Storage of files and documents uploaded to bookings by the Customer and Third Parties EU-US Data Privacy Framework (Amazon.com, Inc. certification; verifiable at www.dataprivacyframework.gov).
Stripe Payments Europe, Ltd. (Ireland) Processing of subscription payments and Service Fee billing N/A (EU)
Twilio Inc. (SendGrid) Transactional and notification email delivery EU-US Data Privacy Framework (Twilio Inc. certified; verifiable at www.dataprivacyframework.gov). Supplementary safeguard: Standard Contractual Clauses (EU Commission Implementing Decision 2021/914).
Cloudflare, Inc. Content delivery network and web security services EU-US Data Privacy Framework (Cloudflare, Inc. certified; verifiable at www.dataprivacyframework.gov). Supplementary safeguard: Standard Contractual Clauses (EU Commission Implementing Decision 2021/914).
Honeybadger Industries, LLC Application error and exception monitoring Standard Contractual Clauses (EU Commission Implementing Decision 2021/914). Production data may be processed in Honeybadger’s EU region (AWS eu-central-1).
Scout APM (Scout Monitoring) Application performance monitoring Standard Contractual Clauses (EU Commission Implementing Decision 2021/914).
Better Stack, Inc. Aggregation and storage of application logs Customer Data is stored in EU regions by default. Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) apply to any processing outside the EEA.
Pipedrive OÜ CRM for Cargoson’s sales and account management activities N/A (EU)
PostHog Inc. Product analytics and feature-usage telemetry Standard Contractual Clauses (EU Commission Implementing Decision 2021/914). Where the EU Cloud option is used, data is hosted in the EU (Frankfurt).
Freshworks Inc. (Freshdesk) Customer support ticketing and communications EU-US Data Privacy Framework (Freshworks Inc. certified; verifiable at www.dataprivacyframework.gov). Supplementary safeguard: Standard Contractual Clauses (EU Commission Implementing Decision 2021/914).

Cargoson may update this list from time to time in accordance with clause 5.2 of this DPA. Customers may subscribe to notifications of sub-processor changes by contacting Cargoson at privacy@loadingcalendar.com.

Produktas
Laiko intervalų valdymas
TMS integracija
API integracija
Kainos
Nemokamas bandomasis laikotarpis
Pramonės šakos
Gamyba
Didmeninė prekyba ir platinimas
Logistika ir 3PL
Maistas ir gėrimai
Palyginimai
LoadingCalendar vs GoRamp
LoadingCalendar vs Opendock
LoadingCalendar vs DataDocks
LoadingCalendar vs Arrivy
LoadingCalendar vs C3 Reservations
Ištekliai
Sandėlio planavimo vadovas
Sąrankos vadovas
Atvejo studija
Tinklaraštis
Ar sandėlio pakrovimo planavimo sistema skirta man?
TMS integracijos vadovas
Geriausia pakrovimo zonų rezervavimo programinė įranga
Pakrovimo zonų rezervavimas vs kiemo valdymas
Įmonė
Susisiekite su mumis
Cargoson TMS
LoadingCalendar logotipas
© 2026 Loadingcalendar.com. Visos teisės saugomos.
Capterra - LoadingCalendar
GetApp - LoadingCalendar
Software Advice - LoadingCalendar
Naudojimo sąlygos Privatumo politika Duomenų tvarkymo sutartis