تخطي إلى المحتوى
Jistix
← Back to Jistix

Data Processing Agreement

Effective: April 7, 2026

This Data Processing Agreement ("DPA") forms part of the agreement for the Jistix platform services ("Service Agreement") between Borderless Distribution Network, LLC, a Delaware limited liability company with offices at 131 Continental Dr, Suite 305, Newark, DE 19713, United States ("Processor", "Jistix", "we", "us"), and the entity agreeing to these terms ("Controller", "Customer", "you").

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Saudi Personal Data Protection Law ("PDPL"), and any other applicable data protection legislation. In the event of a conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to the processing of Personal Data.

This DPA is incorporated into and subject to the Terms of Service and Privacy Policy.

1. Definitions

For the purposes of this DPA, the following definitions apply in addition to those set out in the GDPR and applicable data protection laws:

  • "Controller" means the Customer, being the entity that determines the purposes and means of the processing of Personal Data through its use of the Service.
  • "Processor" means Borderless Distribution Network, LLC (operating as Jistix), which processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Processor on behalf of the Controller in connection with the Service.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
  • "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.

2. Scope and Purpose of Processing

The Processor shall process Personal Data solely for the purpose of providing the Jistix platform services as described in the Service Agreement, including:

  • Account creation, authentication, and user management
  • Freight rate quoting, shipment booking, and logistics management
  • Document upload, classification, storage, and management
  • Invoice generation, e-invoicing compliance (including ZATCA Phase 2), and financial record-keeping
  • Shipment tracking and notification delivery
  • AI-powered document extraction and classification to support Controller's freight operations
  • Payment processing facilitation through third-party payment providers
  • Customer support and platform communications
  • Regulatory compliance assistance for customs and trade operations

The Processor shall not process Personal Data for any purpose other than those specified in this DPA or as otherwise documented in writing by the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law from doing so).

3. Duration of Processing

The Processor shall process Personal Data for the duration of the Service Agreement between the Controller and the Processor. Upon termination or expiry of the Service Agreement, the Processor shall continue to process Personal Data only to the extent necessary to:

  • Complete the deletion or return of Personal Data as described in Section 12 of this DPA
  • Comply with applicable legal obligations, including tax and accounting retention requirements (minimum 7 years for financial records, minimum 6 years for ZATCA e-invoice data)
  • Establish, exercise, or defend legal claims

Any Personal Data retained after termination shall continue to be subject to the protections set out in this DPA.

4. Types of Personal Data Processed

The Processor may process the following categories of Personal Data on behalf of the Controller:

  • Contact information: names, email addresses, phone numbers, job titles, business addresses
  • Business data: company names, commercial registration numbers, tax identification numbers (including VAT/ZATCA IDs), operating country
  • Shipment details: origin and destination addresses, cargo descriptions, HS codes, weights, dimensions, shipping references, booking numbers
  • Documents: bills of lading, commercial invoices, packing lists, certificates of origin, customs declarations, and other freight documents uploaded by the Controller
  • Payment metadata: transaction identifiers, subscription status, billing history (note: payment card numbers are processed directly by Stripe and are never stored by Jistix)
  • Usage data: IP addresses, browser type, pages visited, features used, session timestamps
  • Authentication data: hashed credentials, session tokens, multi-factor authentication records

The Processor does not intentionally collect or process special categories of Personal Data (e.g., racial or ethnic origin, political opinions, health data, biometric data) in the course of providing the Service. The Controller shall not submit special category data to the Service unless separately agreed in writing.

5. Categories of Data Subjects

Personal Data processed under this DPA may relate to the following categories of Data Subjects:

  • Customer employees and authorized users: individuals within the Controller's organization who access and use the Jistix platform
  • Customer's clients: shippers, consignees, importers, exporters, and other parties whose data appears in shipment records, freight documents, or invoices managed through the platform
  • End users: any natural person whose Personal Data is included in documents, communications, or records processed through the Service
  • Contact persons: individuals at carrier, customs broker, or other third-party organizations referenced in shipment or booking records

6. Processor Obligations

The Processor shall:

6.1 Documented Instructions

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. The Service Agreement and this DPA constitute the Controller's initial documented instructions. Any additional or alternative instructions must be agreed in writing.

6.2 Confidentiality

Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform their obligations under the Service Agreement.

6.3 Security Measures

Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 1 of this DPA. Such measures shall include, as appropriate:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
  • The ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of security measures

6.4 Data Subject Requests

Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law (including access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such request except on the Controller's documented instructions or as required by applicable law.

6.5 Breach Notification

Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. The notification requirements and procedures are set out in Section 10 of this DPA.

6.6 Assistance with Obligations

Taking into account the nature of processing and the information available to the Processor, assist the Controller in ensuring compliance with:

  • The obligation to implement appropriate security measures (GDPR Article 32)
  • The obligation to notify Data Breaches to supervisory authorities and Data Subjects (GDPR Articles 33 and 34)
  • The obligation to conduct data protection impact assessments (GDPR Article 35)
  • The obligation to consult with supervisory authorities (GDPR Article 36)

6.7 Data Deletion or Return

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data. The procedures for data deletion and return are set out in Section 12 of this DPA.

6.8 Audit Rights

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or a qualified auditor mandated by the Controller. The audit procedures are set out in Section 11 of this DPA.

6.9 Notification of Conflicting Instructions

Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes applicable data protection law. The Processor shall not be required to carry out the instruction until the Controller has confirmed or modified it.

7. Controller Obligations

The Controller shall:

  • Lawful basis: ensure that it has a valid legal basis under applicable data protection law for the processing of Personal Data by the Processor, including, where necessary, obtaining appropriate consents from Data Subjects
  • Instructions: provide documented, lawful instructions to the Processor regarding the processing of Personal Data, and ensure that any instructions comply with applicable data protection law
  • Data accuracy: ensure the accuracy and quality of Personal Data provided to the Processor
  • Data minimization: ensure that Personal Data provided to the Processor is limited to what is necessary for the provision of the Service
  • Notification of regulations: inform the Processor of any applicable data protection laws, regulations, or requirements specific to the Controller's industry or jurisdiction that may affect the Processor's performance of its obligations under this DPA
  • Transparency: provide appropriate privacy notices to Data Subjects regarding the processing of their Personal Data, including the involvement of the Processor
  • Data Subject rights: handle all Data Subject requests and complaints, with assistance from the Processor as set out in Section 6.4

8. Sub-Processor Management

8.1 General Authorization

The Controller provides a general written authorization for the Processor to engage Sub-Processors for the processing of Personal Data. The current list of Sub-Processors is set out in Annex 2 of this DPA.

8.2 Notification of Changes

The Processor shall notify the Controller at least 30 days in advance of any intended changes to the list of Sub-Processors, including the addition or replacement of Sub-Processors. Such notification shall include the name of the Sub-Processor, the nature of processing, and the location of processing.

8.3 Objection Mechanism

The Controller may object to the appointment or replacement of a Sub-Processor within 14 days of receiving notification. The objection must be made in writing to privacy@jistix.io and must include reasonable grounds for the objection. If the Controller objects and the Processor cannot reasonably accommodate the objection, the Controller may terminate the affected portion of the Service without penalty.

8.4 Sub-Processor Agreements

The Processor shall impose on each Sub-Processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures. The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

8.5 Current Sub-Processor List

The current list of Sub-Processors is maintained in Annex 2 of this DPA and is available upon request at privacy@jistix.io.

9. International Data Transfers

9.1 Transfer Mechanisms

The Processor is established in the United States and processes Personal Data primarily within the United States. Where Personal Data originating from the European Economic Area ("EEA"), the United Kingdom ("UK"), Switzerland, or the Kingdom of Saudi Arabia is transferred to the United States or other third countries, the Processor shall ensure that appropriate safeguards are in place, including:

  • EU-US Data Privacy Framework: where the Processor or its Sub-Processors are certified under the EU-US Data Privacy Framework, the UK Extension, or the Swiss-US Data Privacy Framework, such certification shall serve as the transfer mechanism
  • Standard Contractual Clauses: where the Data Privacy Framework does not apply, the parties agree that the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) are hereby incorporated by reference and shall apply to any transfer of Personal Data from the EEA to the United States or other third countries not recognized as providing an adequate level of data protection
  • UK International Data Transfer Agreement: for transfers subject to the UK GDPR, the parties agree to the International Data Transfer Agreement or the UK Addendum to the EU SCCs, as applicable

9.2 Supplementary Measures

The Processor shall implement supplementary technical and organizational measures as necessary to ensure that the level of protection of Personal Data is not undermined by the transfer, including encryption in transit and at rest, access controls, and pseudonymization where feasible.

9.3 Sub-Processor Transfers

The Processor shall ensure that any Sub-Processor to which it transfers Personal Data has appropriate transfer mechanisms in place as required by applicable data protection law.

10. Data Breach Notification

10.1 Notification Timeline

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. Where the notification cannot be provided within 72 hours, it shall be accompanied by reasons for the delay.

10.2 Content of Notification

The breach notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
  • The name and contact details of the Processor's data protection contact point
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
  • A timeline of events related to the Data Breach

10.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. The Processor shall not inform any third party of the Data Breach without first obtaining the Controller's written consent, unless notification is required by applicable law.

10.4 Contact for Breach Notification

All breach notifications shall be sent to the Controller's designated contact. Notifications to the Processor should be directed to: privacy@jistix.io (marked "URGENT: Data Breach Notification").

11. Audit Rights

11.1 Right to Audit

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. Audits may be carried out by the Controller or a qualified, independent third-party auditor appointed by the Controller, provided that such auditor is bound by appropriate confidentiality obligations and is not a competitor of the Processor.

11.2 Audit Frequency

The Controller may conduct one audit per calendar year under this DPA. Additional audits may be conducted where the Controller has reasonable grounds to believe that the Processor is not in compliance with this DPA, or following a Data Breach.

11.3 Notice and Scheduling

The Controller shall provide the Processor with at least 30 days' prior written notice of an intended audit, unless the audit is being conducted in connection with a Data Breach, in which case reasonable notice shall be provided. The audit shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations.

11.4 Confidentiality

All information obtained during an audit shall be treated as confidential and shall be used solely for the purpose of verifying compliance with this DPA. The Controller shall not disclose audit findings to third parties except to the extent required by applicable law or to a supervisory authority.

11.5 Certifications and Reports

The Processor may satisfy the audit obligation by providing the Controller with relevant certifications, audit reports (such as SOC 2 Type II), or other evidence of compliance, provided that such documentation is current and addresses the scope of the Controller's audit request.

12. Data Deletion and Return

12.1 Controller's Choice

Upon termination or expiry of the Service Agreement, the Controller may request in writing that the Processor either:

  • Return all Personal Data to the Controller in a commonly used, machine-readable format (JSON or CSV); or
  • Delete all Personal Data and all existing copies

If the Controller does not provide written instructions within 30 days of termination, the Processor shall delete all Personal Data.

12.2 Timeline

The Processor shall complete the return or deletion of Personal Data within 30 days of receiving the Controller's written request or, if no request is received, within 30 days following the end of the 30-day instruction period (60 days total from termination).

12.3 Certification of Deletion

Upon completion of deletion, the Processor shall provide the Controller with written certification confirming that all Personal Data has been deleted from the Processor's systems and the systems of any Sub-Processors, including backup systems, to the extent technically feasible.

12.4 Exceptions for Legal Retention

The Processor may retain Personal Data to the extent and for the duration required by applicable law, including:

  • Financial and invoice records: minimum 7 years as required by applicable accounting and tax law
  • ZATCA e-invoice data: minimum 6 years as required by Saudi tax regulations
  • Data necessary to establish, exercise, or defend legal claims

Any Personal Data retained under these exceptions shall continue to be protected in accordance with this DPA and shall be processed only for the purpose for which it is retained.

Annex 1: Technical and Organizational Measures

The Processor implements the following technical and organizational measures to protect Personal Data processed on behalf of the Controller:

A. Encryption

  • In transit: all data transmitted between the Controller and the Service is encrypted using TLS 1.2 or higher. HTTPS is enforced on all endpoints with HSTS headers.
  • At rest: all data stored in the Processor's database (Google Cloud Firestore) is encrypted at rest using AES-256 encryption managed by Google Cloud Platform.
  • Cryptographic operations: ZATCA e-invoicing uses ECDSA with secp256k1 curve and SHA-256 hashing for digital signatures.

B. Access Controls

  • Authentication: Firebase Authentication with secure session management, CSRF protection (double-submit cookies with timing-safe comparison), and session token rotation.
  • Authorization: role-based access control (RBAC) enforced through Firestore Security Rules with deny-all default. Each collection has explicit, per-path read/write rules. Multi-tenant isolation ensures that users can only access data within their own organization.
  • API security: all third-party API traffic is routed through a Backend-for-Frontend (BFF) proxy with HMAC-SHA256 request signing. No client-side API keys are exposed to end users.
  • Personnel access: access to production systems is limited to authorized engineering personnel and requires multi-factor authentication.

C. Network Security

  • Hosting: the Service is hosted on Vercel's globally distributed edge network with built-in DDoS protection and Web Application Firewall (WAF) capabilities.
  • CORS: cross-origin resource sharing is restricted to allowed origins specified in the server configuration.
  • Rate limiting: API endpoints are protected by rate limiting with configurable presets (API: 100 requests/minute, authentication: 10 requests/minute, payment: 20 requests/minute, webhook: 50 requests/minute).
  • Security headers: Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Strict-Transport-Security headers are applied to all responses.
  • Input validation: all user input is validated using Zod schemas. HTML content is sanitized to prevent injection attacks.

D. Incident Response

  • Documented incident response procedures with defined roles and responsibilities
  • 72-hour breach notification process as set out in Section 10 of this DPA
  • Security event logging and monitoring for anomalous activity
  • Post-incident review and remediation procedures

E. Business Continuity and Availability

  • Google Cloud Firestore provides automatic data replication across multiple availability zones
  • Vercel edge deployment provides global availability with automatic failover
  • Application-level error handling and graceful degradation for service disruptions
  • Regular backups through Google Cloud Platform's managed backup infrastructure

F. Data Minimization and Pseudonymization

  • Personal Data collected is limited to what is necessary for the provision of the Service
  • Personally identifiable information is removed from server logs (no PII in log output)
  • AI processing (document classification and extraction) does not retain Personal Data beyond the processing session
  • Payment card data is not processed or stored by Jistix; all card processing is handled directly by Stripe

Annex 2: List of Sub-Processors

The following Sub-Processors are authorized by the Controller as of the effective date of this DPA:

Sub-ProcessorPurposeLocationData Processed
Google LLC (Firebase)Authentication, database (Firestore), cloud storage, cloud functionsUSA / Belgium (EU)Account data, authentication credentials, documents, shipment data, invoice data
Anthropic PBCAI processing: document classification, data extraction, invoice generation assistanceUSADocument content, shipment data (no PII retained after processing; data is not used for model training)
Stripe, Inc.Payment processing, subscription management, billing portalUSAPayment metadata, transaction identifiers, subscription status (card numbers processed directly by Stripe, never stored by Jistix)
Vercel, Inc.Application hosting, edge computing, content delivery network (CDN)USA / Global (edge network)Request logs, IP addresses, HTTP headers, performance metrics
Resend, Inc.Transactional email delivery (account verification, booking confirmations, notifications)USAEmail addresses, notification content, delivery metadata
Google WorkspaceSMTP email sending (Nodemailer integration for booking and operational notifications)USAEmail addresses, notification content, email metadata

The Controller acknowledges that the above Sub-Processors are authorized at the date of this DPA. The Processor shall update this list and notify the Controller in accordance with Section 8.2 of this DPA.

Annex 3: Data Processing Details

The following table sets out the specific processing activities performed by the Processor on behalf of the Controller:

Processing ActivityPurposeCategories of DataRetention Period
Account managementUser registration, authentication, profile management, session managementContact info, authentication data, operating countryDuration of account + 90 days
Freight quotingMulti-carrier rate comparison, chargeable weight calculation, landed cost estimationShipment details, HS codes, origin/destination addressesDuration of account + 90 days
Shipment bookingBooking creation, carrier coordination, internal operations notificationsShipper/consignee details, cargo info, booking references7 years (financial record retention)
Document managementUpload, AI classification, storage, compliance verificationFreight documents (bills of lading, invoices, packing lists, certificates)Until deleted by Controller or 90 days post-termination
AI data extractionAutomated extraction of structured data from documents and RFQ emailsDocument content, extracted shipment fieldsNot retained beyond processing session
Invoicing and e-invoicingInvoice generation, ZATCA Phase 2 compliance, payment trackingBusiness data, tax IDs, invoice line items, payment records7 years (accounting) / 6 years (ZATCA)
Payment processingSubscription billing, payment method management via StripePayment metadata, transaction IDs, subscription status7 years (financial records)
Shipment trackingReal-time tracking updates, timeline events, status notificationsShipment references, tracking events, location dataDuration of account + 90 days
Compliance assistanceSABER/FASAH preparation, customs documentation, regulatory checksHS codes, product classifications, certificate dataDuration of account + 90 days
CommunicationsTransactional emails, platform notifications, support correspondenceEmail addresses, notification preferences, message content12 months (logs) / duration of account (preferences)
Usage analyticsPlatform improvement, feature usage analysis, performance monitoringIP addresses, browser data, session data, page views12 months rolling

General Provisions

Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, without regard to its conflict of law principles. Where the GDPR or UK GDPR applies to the processing of Personal Data, the provisions of those regulations shall take precedence over conflicting provisions in this DPA.

Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Entire Agreement

This DPA, together with the Service Agreement (including the Terms of Service and Privacy Policy), constitutes the entire agreement between the parties with respect to the processing of Personal Data.

Amendments

The Processor may update this DPA from time to time to reflect changes in data protection law, processing activities, or Sub-Processors. Material changes will be notified to the Controller at least 30 days in advance. Continued use of the Service after changes constitutes acceptance of the updated DPA.

Contact

Borderless Distribution Network, LLC

131 Continental Dr, Suite 305

Newark, DE 19713

United States

Privacy inquiries: privacy@jistix.io

Data Protection Officer: Hussein Daffa — hussein@jistix.io