
Data Processing Addendum (DPA)

Last Revised: August 14th, 2025


This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Terms of Service (the “Agreement”) between Customer and Plutou, Inc. (“Company”) (collectively, “the parties”) applicable to the Customer’s use of the Plutou Platform. This DPA shall be effective for the term of the Agreement.

  1. Definitions
    1. In this DPA:
      1. “Customer Personal Data” means Personal Data provided to Company in connection with the Plutou Platform by (i) Customer or (ii) Authorized Users.
      2. “Data Protection Law” means all laws that apply to the Processing of Customer Personal Data under the Agreement, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder and other laws and regulations of the United States and its states, as amended from time to time.
      3. “Data Subject” means the individual to whom Customer Personal Data relates.
      4. “Personal Data” has the meaning given to it in the Data Protection Law, and includes “Personal Data,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Law. 
      5. “Processing” (including its cognate "Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      6. “Security Incident” means a breach of Company’s security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Customer Personal Data in Company’s possession, custody or control. “Security Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
    2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
  2. Customer’s Instructions
    1. Company will Process Customer Personal Data only in accordance with Customer’s instructions. By entering into this DPA, Customer instructs Company to Process Customer Personal Data to provide the Plutou Platform and to perform its other obligations and exercise its rights under the Agreement, including without limitation to (a) carry out the Plutou Platform or the business of which the Plutou Platform is a part, (b) carry out any benefits, rights, and obligations relating to the Plutou Platform, (c) maintain records relating to the Plutou Platform, and (d) comply with any legal or self-regulatory obligations relating to the Plutou Platform.
  3. Processing of Customer Personal Data
    1. Company serves as a service provider or processor, meaning that Company Processes Customer Personal Data at the direction of and on behalf of Customer. A description of Company’s Processing of Customer Personal Data is provided in Schedule 1 to this DPA.
    2. The extent of Customer Personal Data Processed by Company is determined and controlled by Customer in its sole discretion and may include names, email addresses, and other Personal Data that Customer may elect to upload to the Plutou Platform.
    3. Each party will comply with the obligations applicable to it under the Data Protection Law with respect to the Processing of Customer Personal Data. Customer represents and warrants that it has the necessary rights, consents and permissions to use Customer Personal Data and to enable Company to Process Customer Personal Data as intended by the parties under the Agreement.
    4. When Company Processes Customer Personal Data, it will:
      1. Except as permitted by applicable law, the Agreement or this DPA, not (a) “sell” or “share” (each as defined in the Data Protection Law) Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of providing the Plutou Platform, (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Company, and (d) combine Customer Personal Data with any Personal Data other than Customer Personal Data;
      2. Require Company’s personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data; 
      3. Provide reasonable assistance necessary for Customer to comply with its obligations under the Data Protection Law;
      4. Promptly notify the Customer of any request made by a Data Subject in relation to Customer Personal Data. Company will, at the Customer’s written request, provide the Customer with reasonable assistance necessary for the fulfilment of the Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights under the Data Protection Law. Company shall not respond to such requests other than confirming with the Data Subject that the request relates to the Customer and Customer Personal Data. Customer shall be solely responsible for responding to such requests;
      5. Unless prohibited by law, inform Customer if Company receives a request, complaint or other inquiry regarding the Processing of Customer Personal Data;
      6. Inform Customer if it can no longer comply with its obligations under this DPA. Upon notice to Company, Customer may take reasonable and appropriate steps to remediate Company’s use of Customer Personal Data in violation of this DPA; and
      7. Upon termination of the Agreement, as instructed by Customer, delete or return Customer Personal Data, except where continued retention of Customer Personal Data is in accordance with applicable law or the Company’s policies, in which case Company shall retain such Customer Personal Data in accordance with this DPA.
  4. Subprocessing
    1. Customer agrees that Company may use third-party suppliers to Process Customer Personal Data on its behalf for the provision of the Plutou Platform (each a “Subprocessor”).
    2. When engaging any Subprocessor, Company will enter into a written contract with such Subprocessor containing data protection obligations consistent with those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Plutou Platform provided by such Subprocessor.
  5. Data Security
    1. Company will implement and maintain technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data. A description of Company’s security measures is provided in Schedule 2. Company may update the security measures from time to time, provided the updated measures do not decrease the overall protection of Customer Personal Data.
    2. Customer agrees that, without limitation of Company’s obligations under Section 5.1 of this DPA, Customer is solely responsible for its use of the Plutou Platform, including (a) making appropriate use of the Plutou Platform to ensure a level of security appropriate to the risk in respect of Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Plutou Platform; (c) securing Customer’s systems and devices that Company uses to provide the Plutou Platform; and (d) backing up Customer Personal Data. Customer agrees that the Plutou Platform and Company’s security commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Law, and provide a level of security appropriate to the risk in respect of Customer Personal Data.
  6. Security Incidents
    1. If Company becomes aware of a Security Incident, Company will: (a) notify Customer of the Security Incident without undue delay after becoming aware of it; and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm and prevent a recurrence.
    2. Customer is solely responsible for complying with incident notification requirements applicable to Customer. Company’s notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Company of any fault or liability with respect to the Security Incident.
  7. Audit
    1. Company will make available to Customer, at Customer’s request, reasonable information as necessary to demonstrate compliance with this DPA. 
    2. To the extent Company makes available to Customer confidential summary reports ("Audit Report") prepared by third-party security professionals, upon request from Customer, Company may provide such Audit Report in satisfaction of any audit rights accorded to Customer pursuant to the Data Protection Law. The Audit Report shall be considered Company’s confidential information. 
    3. If Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, Company to provide for an audit subject to reasonable confidentiality procedures. Such audit shall: (i) not include access to any information that could compromise confidential information relating to other Company’s customers or suppliers, Company's technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours, and in such a manner as not to unreasonably interfere with Company’s normal business activities.
  8. General
    1. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.
    2. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
    3. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement. Customer acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in the provision of the Plutou Platform. Consequently, Company will not be liable under the Agreement for any claim brought by individuals to whom Customer Personal Data relates arising from (a) any action or omission by Company in compliance with Customer’s instructions, or (b) from Customer’s failure to comply with its obligations under the Data Protection Law.
    4. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement. 
SCHEDULE 1
  1. Categories of Data Subjects. This DPA applies to Company’s Processing of Customer Personal Data relating to Customer’s employees, contractors or representatives.
  2. Types of Personal Data. The extent of Customer Personal Data Processed by Customer is determined and controlled by Customer in its sole discretion and includes driver and vehicle information, such as driver’s license information and vehicle information, location data, such as drop off and pick up location, container metadata and content types.
  3. Subject-Matter and Nature of the Processing. Customer Personal Data will be subject to the Processing activities that Company needs to perform in order to provide the Plutou Platform pursuant to the Agreement.
  4. Purpose of the Processing. Company will Process Customer Personal Data for purposes of providing the Plutou Platform and performing other business or operational functions in support of the Platform provision.
  5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 3.4(g) of the DPA.
  6. Rights and Obligations of the parties. The rights and obligations of the parties relating to the Processing of Customer Personal Data are set forth in the DPA.
SCHEDULE 2
  1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of the Company’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Company’s organization, monitoring and maintaining compliance with the Company’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  3. Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).
  4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
  5. Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that the Company’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length; (ii) not be stored in readable format on the Company’s computer systems; (iii) have defined complexity; (iv) have a history threshold to prevent reuse of recent passwords; and (v) when newly issued, be changed after first use.
  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
  7. Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the Company’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
  8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Company’s possession.
  9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Company’s technology and information assets.
  10. Incident management procedures designed to allow Company to investigate, respond to, mitigate and notify of events related to the Company’s technology and information assets.
  11. Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  12. Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
  13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.


SCHEDULE 3 - List of Subprocessors
Name                                               Description
Nextbillion.ai Pte. Ltd.                           Route optimization
Supabase, Inc.                                     Data storage
WorkOS, Inc.                                       Authentication & SSO
Google LLC                                         Workspace & Maps (address autofill)
Mapbox, Inc.                                       Map rendering
OpenAI, LLC                                        AI features
Linear Orbit, Inc.                                 Product planning
PostHog, Inc.                                      Product analytics
Functional Software, Inc. (also known as Sentry)   Error tracking
Stripe, Inc.                                       Billing & payments
HubSpot, Inc.                                      Sales CRM
Astrodon Corporation (also known as Loops)         Email marketing
Granola, Inc.                                      Meeting notes (AI notetaking)
