MXD Data Processing Addendum

Version: 1.0
Effective Date: March 6, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between M.X. Data, Inc. (“MXD”) and the customer identified in the applicable Master Agreement, Terms and Conditions, Order Form, or other written or electronic agreement (“Client”).

This DPA applies automatically, without further signature or opt-in, to all subscriptions for PortalMX and ShipMX, and to any other MXD subscription services expressly identified by MXD as subject to this DPA, to the extent MXD processes personal data on Client’s behalf.

1. Incorporation and Scope

This DPA is incorporated into and forms part of the applicable agreement between MXD and Client for covered subscription services.

This DPA applies only to the processing of personal data by MXD on Client’s behalf in connection with covered subscription services.

This DPA does not apply to:

  • processing for which MXD acts as an independent controller

  • products or services for which MXD does not process personal data on Client’s behalf

  • information disclosed outside the covered services, except to the extent otherwise governed by the parties’ agreement

If there is a conflict between this DPA and the main agreement, this DPA controls solely for data protection, privacy, security incident, personal data processing, and cross-border transfer matters. The main agreement and applicable order documents control for pricing, commercial scope, product entitlements, fees, support, and other non-privacy terms.

2. Covered Services

This DPA applies by default to:

  • PortalMX

  • ShipMX

It also applies to any other hosted or SaaS offering that MXD expressly designates as subject to this DPA.

3. Roles of the Parties

As between the parties, Client determines the purposes and means of processing personal data in connection with its use of the covered services.

MXD processes personal data on Client’s behalf as:

  • a processor under the GDPR and UK GDPR

  • a service provider and, where applicable, contractor under the CCPA

  • an encargado or similar processor role under other applicable law, where relevant

4. Client Instructions

This DPA and the applicable agreement constitute Client’s complete and documented instructions to MXD for the processing of personal data in connection with the covered services, including hosting, storage, use, disclosure, transfer, deletion, and other processing necessary to provide, secure, maintain, support, and administer the covered services.

Client may provide additional reasonable written instructions consistent with the agreement and the nature of the services. MXD may charge for implementing additional instructions that materially increase cost or burden, to the extent permitted by the agreement.

If MXD believes an instruction violates applicable data protection law, MXD may notify Client and decline to carry out the unlawful instruction.

5. Details of Processing

Subject Matter

Provision of the covered subscription services and related support, security, maintenance, and administration.

Duration

For the term of the applicable subscription service and any authorized transition or wind-down period.

Nature and Purpose of Processing

MXD may collect, store, organize, retrieve, use, transmit, make available, secure, back up, troubleshoot, and otherwise process personal data as necessary to provide the covered subscription services.

Categories of Personal Data

Depending on Client’s configuration and use, personal data may include:

  • name

  • phone number

  • email address

  • postal or delivery address

  • transaction and sales history

  • shipment and fulfillment information

  • support communications

  • user account information

  • device and usage logs

  • other personal data submitted to or generated through the covered services

Categories of Data Subjects

Personal data may relate to:

  • Client customers

  • Client personnel

  • Client users

  • shipment recipients

  • store personnel

  • support requestors

  • other individuals whose personal data is submitted to the covered services

Sensitive Data

Unless expressly agreed in writing, the covered services are not intended for storage or processing of sensitive or special-category data requiring heightened protections under applicable law.

6. MXD Obligations

MXD will:

  • process personal data only on documented instructions from Client, as necessary to perform the agreement, or as otherwise required by law

  • ensure that authorized personnel are subject to appropriate confidentiality obligations

  • implement and maintain reasonable and appropriate technical and organizational safeguards

  • provide reasonable assistance to Client with data subject requests, security incident response, and certain compliance-related activities, taking into account the nature of the processing and information available to MXD

7. Security Measures

MXD maintains a security program designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

Security measures may include:

  • access controls and role-based permissions

  • authentication and account management controls

  • encryption in transit and, where appropriate, at rest

  • logging and monitoring

  • backup and recovery procedures

  • vulnerability management and patching

  • personnel confidentiality and training

  • incident response procedures

  • vendor and subprocessor diligence

MXD may update its security measures from time to time, provided the overall level of protection is not materially reduced.

8. Security Incidents

MXD will notify Client without undue delay after becoming aware of a confirmed security incident involving Client personal data.

To the extent known and reasonably available, the notice may include:

  • the nature of the incident

  • the categories of data involved

  • likely consequences, if known

  • measures taken or proposed

  • a contact point for follow-up

MXD may provide information in phases as it becomes available.

Notification of a security incident is not an admission of fault or liability.

Client remains responsible for determining whether notice to regulators, individuals, or others is required, unless applicable law requires MXD to do so directly.

9. Subprocessors

Client grants MXD general authorization to engage subprocessors in connection with the covered services.

MXD will maintain a current list of subprocessors at:
[INSERT SUBPROCESSOR URL]

Where required by law or where MXD has committed to do so, MXD will provide reasonable notice before authorizing a new subprocessor to process Client personal data.

If Client has a reasonable data protection objection to a new subprocessor, Client must notify MXD in writing within [10/15/30] days after notice. The parties will work in good faith to address the objection. If MXD cannot reasonably accommodate the objection, Client may stop using the affected service or terminate the affected portion in accordance with the agreement.

MXD will impose data protection obligations on subprocessors that are no less protective than those set out in this DPA, to the extent applicable to the services performed.

10. Data Subject Requests

Client is responsible for responding to data subject requests, except where applicable law requires MXD to respond directly.

If MXD receives a request relating to Client personal data, MXD may:

  • direct the requester to Client, or

  • notify Client and provide reasonable assistance, to the extent legally permitted

Where available, Client may use service functionality to access, correct, delete, export, or restrict personal data.

11. Return and Deletion

Upon expiration or termination of the applicable covered subscription service, MXD will, at Client’s election and subject to the agreement:

  • return personal data in a commonly used format if such return is available or reasonably feasible, and/or

  • delete personal data from MXD systems within a reasonable period after any applicable transition or retrieval period

MXD may retain data where required by law or reasonably necessary for security, fraud prevention, dispute resolution, or backup cycling.

Residual backup copies may remain until overwritten in the ordinary course, provided they remain protected under this DPA.

Upon written request, MXD will confirm deletion when reasonably practicable.

12. Audits and Compliance Information

MXD will make available information reasonably necessary to demonstrate compliance with this DPA. This may include security summaries, certifications, third-party audit reports, or completed questionnaires, where available and appropriate.

Where required by applicable law and where the information provided is insufficient, Client may request a reasonable audit of relevant processing activities, subject to reasonable notice, confidentiality protections, frequency limits, and other reasonable safeguards.

13. Cross-Border Transfers

Client authorizes MXD and its subprocessors to process personal data in the United States and other jurisdictions where MXD or its subprocessors operate, subject to this DPA and applicable law.

To the extent required for restricted transfers under the GDPR or UK GDPR, the parties agree that the applicable standard contractual clauses and, where required, the UK addendum or another lawful transfer mechanism are incorporated by reference into this DPA.

If a transfer mechanism becomes invalid or commercially impractical, the parties will cooperate in good faith to implement another lawful mechanism.

14. Regional Terms

European Economic Area and United Kingdom

To the extent GDPR or UK GDPR applies, MXD will process personal data only on documented instructions, maintain confidentiality, implement appropriate security measures, assist with data subject rights and related compliance obligations, and support return or deletion at the end of services, subject to lawful retention.

California

To the extent the CCPA applies and MXD acts as a service provider or contractor, MXD:

  • will not retain, use, or disclose personal information except for the business purposes and services specified in the agreement and this DPA, or as otherwise permitted by law

  • will not sell or share personal information

  • will not use personal information outside the direct business relationship between Client and MXD except as permitted by law

  • will provide the same level of privacy protection required by law

  • will notify Client if MXD determines it can no longer meet its obligations

  • will support reasonable steps by Client to monitor compliance and stop unauthorized use, as required by law

Canada

To the extent Canadian privacy law applies, MXD will protect personal data using safeguards appropriate to the sensitivity of the information and will support Client’s efforts to ensure a comparable level of protection when data is processed by MXD or its subprocessors.

Mexico

To the extent Mexico’s private-sector personal data law applies, MXD will process personal data in accordance with Client’s instructions and the agreed purposes, maintain confidentiality, implement appropriate security measures, and support Client as reasonably requested in connection with rights requests, incident response, and applicable compliance duties.

15. Client Obligations

Client is responsible for:

  • having the legal basis, notices, and rights necessary to disclose personal data to MXD

  • using the covered services in compliance with applicable law

  • configuring the services consistent with its compliance obligations

  • managing user access controls under its control

  • determining whether the covered services are appropriate for particular categories of data

  • responding to data subject requests except where law requires otherwise

16. Government Requests

If MXD receives a legally binding request from a public authority for Client personal data, MXD will, unless prohibited by law:

  • notify Client promptly

  • use commercially reasonable efforts to limit disclosure and preserve available objections or protections

17. Liability

This DPA is subject to the liability limitations, exclusions, disclaimers, and indemnity provisions of the applicable agreement, except to the extent prohibited by applicable law.

18. Updates to This DPA

MXD may update this DPA from time to time to reflect changes in law, regulation, guidance, the covered services, or MXD’s processing practices.

The version of this DPA in effect at the DPA URL on the applicable order date will govern that order, unless a later version is required by law or implemented as permitted by the agreement.

Contact

For privacy or data processing inquiries relating to this DPA, please contact: info@mxdata.com