Data Processing Agreement

Article 28 GDPR controller-to-processor agreement between Druma (processor) and the Customer (controller). Forms an annex to the Terms of Service.

Effective 10 June 2026 · Version 2026-06-10

This document is available in English only. The English version is the legally binding version.

1. Roles

For the personal data processed through the Druma TMS service on behalf of the Customer, the Customer is the data controller and Druma is the data processor as those terms are defined in Article 4 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

For data Druma collects in its own right (Customer account data, billing records, marketing prospects), Druma is an independent controller; that processing is governed by Druma's Privacy Notice, not by this DPA.

2. Subject matter and duration

Druma processes personal data on the Customer's behalf solely for the purpose of providing the Service. This DPA takes effect on the Customer's subscription start date and remains in force for the duration of the subscription, plus the post-termination data export and purge periods set out in section 11.

3. Categories of data and data subjects

Data subjects:

  • The Customer's employees, contractors, and drivers.
  • The Customer's clients and their contact persons.
  • The Customer's subcontracted carriers and their staff.
  • Other identifiable individuals whose data the Customer enters into the Service (consignees, dock contacts, etc.).

Categories of personal data:

  • Identification data (names, employee IDs, role).
  • Contact data (email, phone, language).
  • Location data (current GPS position per vehicle — single-row overwrite, no location history stored; ANAF e-Transport GPS buffer, retained 30 days).
  • Tachograph and driving-time data (remaining driving hours, working-state records sourced from telematics providers where connected; processed under EU Reg. 561/2006 and Reg. 165/2014 compliance obligations).
  • Operational data (orders, status taps, waiting times, delays).
  • Document content (CMR, POD, eCMR signatures, identity documents where required by compliance flows).
  • Communication content (messages between planner and driver, AI assistant transcripts).

Druma does not knowingly process special-category data (Article 9 GDPR). The Customer must not upload health, biometric, religious, or other special-category data to the Service except where strictly required by an incident or insurance flow, in which case the Customer accepts the additional Article 9 obligations.

4. Processing instructions

Druma processes Customer Data only on the Customer's documented instructions, including with respect to international transfers, unless required by EU or member-state law to do otherwise (in which case Druma will notify the Customer unless the law prohibits notification).

The Customer's documented instructions include: (a) these Terms and the DPA, (b) configuration choices made within the Service, and (c) any additional written instructions from the Customer that Druma confirms in writing.

Druma will inform the Customer if it considers that an instruction infringes GDPR or another data-protection law.

5. Sub-processors

The Customer authorises Druma to use the sub-processors listed in our Privacy Notice. The current list includes Supabase, Cloudflare, Stripe, Resend, HERE Technologies, Google Cloud (Vertex AI and Translation), Google LLC (Firebase Cloud Messaging), Sentry, e-invoice.be, Timocom, Trans.eu, and ANAF.

Druma will give the Customer at least 30 days' email notice of any new sub-processor before that sub-processor begins processing Customer Data. If the Customer reasonably objects to a new sub-processor on data-protection grounds, the Customer may terminate the affected portion of the Service on written notice.

Druma remains responsible for each sub-processor's compliance with this DPA and imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA.

6. Technical and organisational measures (Annex II)

  • Encryption — TLS 1.2+ in transit; encryption at rest (AES-256) by default through our infrastructure providers.
  • Access control — row-level security on every database table; tenant isolation by company; least-privilege role-based access for staff.
  • Authentication — JWT, HMAC, or service-role tokens on every server endpoint; optional two-factor authentication available to all users.
  • Secret management — credentials stored in a managed vault, never in source control.
  • Audit logging — automatic mutation log on sensitive tables, retained 12 months.
  • Backup and recovery — daily automated backups by our database provider; recovery objectives appropriate to a SaaS application.
  • Vulnerability management — dependency upgrades, security review on each PR, error monitoring and alerting via Sentry.
  • Personnel — Druma personnel are bound by confidentiality and processing-on-instruction obligations.
  • Sub-processor diligence — review of each sub-processor's security posture before onboarding, with reliance on their published certifications (SOC 2, ISO 27001, etc.) where available.

7. Assistance with data subject rights

The Service includes built-in tools (Settings → GDPR) that the Customer can use to fulfil access, rectification, erasure, and portability requests without contacting us. For requests that cannot be fulfilled through these tools, Druma will assist the Customer using appropriate technical and organisational measures, taking into account the nature of the processing and the information available to Druma.

8. Personal data breach notification

Druma will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notice will describe (so far as known): the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

The Customer is responsible for any onward notification to data subjects and supervisory authorities under Articles 33 and 34 GDPR.

9. Audit rights

On reasonable written request and no more than once per calendar year (except when triggered by a breach or supervisory-authority demand), Druma will provide:

  • A current copy of this DPA, the Privacy Notice, and the sub-processor list.
  • Summary information about Druma's security posture sufficient to demonstrate compliance with this DPA.
  • Available certifications and attestation reports of sub-processors (SOC 2, ISO 27001, etc.) where Druma is permitted to share them.

On-site audits of Druma's infrastructure are not available because Druma relies on managed cloud sub-processors and operates with minimal physical premises. The Customer may request additional written information at the Customer's expense.

10. International transfers

Customer Data is hosted in the European Union by default. Some sub-processors (Stripe, Resend, Cloudflare, Google LLC, Sentry) are headquartered in the United States. Where Customer Data is transferred outside the EU/EEA, Druma relies on the European Commission's 2021 Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable, or other lawful transfer mechanisms recognised under Chapter V GDPR. The Customer is deemed to have signed the SCCs through entering into this DPA where required.

11. Return or deletion at end of processing

On termination of the subscription, the Customer has 30 days to export Customer Data via the in-app GDPR export tool. After that window, Druma deletes Customer Data within 90 days, except records that Druma is legally required to retain (invoices and accounting records — 10 years from issue date; eCMR and eFTI consignment documents — 7 years; audit logs — 12 months), which remain isolated and access-controlled until the legal retention period expires.

12. eFTI authority access

Druma has implemented readiness for the EU eFTI Regulation (EU) 2020/1056. From 9 July 2027, competent transport-enforcement authorities may access transport consignment data linked to an eFTI unique link (UIL) during roadside inspections. Where a transport order managed through the Service is linked to a UIL, the corresponding consignment data — cargo description, route, and consignment parties — may be accessed by authorised authorities via the eFTI platform.

This access is mandated by law (Art. 6(1)(c) GDPR). Druma logs each authority-access event in the eFTI operation log as required by the Regulation and makes those logs available to the Customer on request. The Customer, as operator-controller, is responsible for informing affected data subjects of this possibility in their Article 13 notice.

13. Miscellaneous

  • Order of precedence — in case of conflict between this DPA and the Terms of Service, this DPA prevails for matters concerning personal data.
  • Liability — claims under this DPA are subject to the liability cap in section 11 of the Terms of Service.
  • Changes — Druma may update this DPA to reflect changes in law, sub-processors, or security measures, on 30 days' email notice.
  • Governing law — Romanian law; Bucharest courts.
  • Contactprivacy@druma.io.