Data Processing Addendum

1. Definitions

Capitalized terms used and not defined here have the meanings given in the Terms of Service. "Personal Information" means any information about an identified or identifiable natural person that the Carrier provides or causes to be provided to Howdy Dispatch in connection with the Service.

For the purposes of this DPA, the Carrier is the "Controller" (or "Business" under CCPA/CPRA), and Howdy Dispatchis the "Processor" (or "Service Provider" under CCPA/CPRA, or "Contractor" under TDPSA).

2. Scope & Duration

This DPA applies to Personal Information processed by Howdy Dispatchon the Carrier's behalf during the subscription term. Processing ends on termination of the subscription, except as required to provide the 30-day export window or to comply with law.

3. Processing Instructions

Howdy Dispatch will process Personal Information only:

• To provide and operate the Service as described in the Terms of Service;
• To support, secure, troubleshoot, and improve the Service;
• To comply with the Carrier's documented written instructions (which include the Terms and this DPA);
• To comply with applicable law.

Howdy Dispatch will not sell or share Personal Information, will not retain or use it for any commercial purpose outside the direct relationship with the Carrier, and will not combine it with personal information from other sources except to provide the Service to the Carrier.

4. Confidentiality

Howdy Dispatch ensures that personnel authorized to process Personal Information are bound by appropriate confidentiality obligations and receive security and privacy training appropriate to their role.

5. Security Measures

Howdy Dispatch maintains technical and organizational measures appropriate to the risks presented by processing, including the measures described at https://howdydispatch.com/security and summarized in Schedule 2.

6. Subprocessors

The Carrier authorizes Howdy Dispatch to engage subprocessors to provide the Service. Subprocessors are disclosed by category in Schedule 3. A current named list is available to the Carrier on request under reasonable confidentiality terms.

Howdy Dispatchwill give the Carrier at least 30 days' advance notice by email before engaging a new subprocessor category that materially expands the scope of processing. The Carrier may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection. If no resolution is possible, the Carrier may terminate the affected service for cause.

Howdy Dispatch remains liable for the acts and omissions of its subprocessors.

7. Data Subject Requests

The Carrier is responsible for responding to requests from data subjects (consumers, drivers, etc.) regarding their Personal Information. Howdy Dispatch will provide reasonable assistance, taking into account the nature of the processing and the information available to us, to help the Carrier respond within the timeframes required by applicable law.

8. Breach Notification

Howdy Dispatchwill notify the Carrier without undue delay, and in any event within 72 hours of confirmation, of any confirmed Personal Information breach affecting the Carrier's data. The notice will include the information reasonably available to us at the time, with additional information provided as it becomes available.

9. Deletion & Return

On termination of the subscription, Howdy Dispatchwill, at the Carrier's choice, delete or return all Personal Information processed on the Carrier's behalf within a reasonable time, except as required to be retained by law. The 30-day export window in the Terms applies.

10. Audits

Howdy Dispatch will provide the Carrier, on reasonable advance written request and no more often than once per 12 months, with a summary security report (e.g., a SOC 2 Type II report when available, or an internal security-posture summary) sufficient to demonstrate compliance with this DPA. On-site audits are not permitted. The Carrier is responsible for its own reasonable costs of review.

11. Conflict

In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to the subject matter of this DPA. All other terms in the Terms remain in full force.

Schedule 1 – Data Categories

• Data subjects: Carrier owners, administrators, dispatchers, drivers
• Categories of Personal Information: contact information (name, email, phone), authentication signals, usage data, billing identifiers (no card numbers), Driver GPS coordinates while on assignment, driver-uploaded photos, CDL number and expiry (voluntary), device and OS metadata, support communications
• Sensitive Personal Information: precise geolocation (driver GPS while on assignment) is processed in this category; no other categories of sensitive personal information are processed
• Processing purposes: as described in Section 3
• Retention: as described in the Privacy Policy

Schedule 2 – Security Measures

Technical and organizational measures include:

• Industry-standard AES-256 encryption of data at rest
• TLS 1.2+ encryption of data in transit, with HSTS enforced
• Multi-factor authentication required for owner and admin roles
• Role-based access control with least-privilege defaults
• Multi-tenant row-level isolation by Carrier
• Signed time-limited URLs for object-storage uploads
• Comprehensive audit logging with 13-month retention
• Daily managed-database backups with point-in-time recovery
• Documented incident-response procedure
• Annual security training for personnel with production access

Schedule 3 – Subprocessor Categories

Howdy Dispatch engages subprocessors in the following categories:

• Cloud infrastructure provider (compute, managed database, object storage, identity, push notification delivery)
• Payment processor (Stripe, named because users are redirected to its hosted checkout)
• Email delivery provider (transactional and marketing email)
• Web analytics provider (consent-gated aggregate analytics on the marketing site)
• Customer-support tool (ticketing and helpdesk)
• Mapping provider (geocoding and tile rendering inside the dispatcher application)

A current list of named subprocessors is available to the Carrier on written request under reasonable confidentiality terms. Howdy Dispatchwill provide at least 30 days' advance notice before engaging a new subprocessor category that materially expands processing scope.