Modalius ← Back to home

Data Processing Agreement

Effective date: June 1, 2026

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service or other written agreement (the "Agreement") between Modalius, LLC ("Modalius", "we", "us", or "Processor") and the customer that has entered into the Agreement ("Customer", "you", or "Controller") for the use of Modalius Partner Connect (the "Service"). This DPA governs the Processing of Personal Data that Modalius performs on behalf of Customer in connection with the Service. If there is a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls.

1. Definitions

Applicable Data Protection Laws
All laws and regulations applicable to the Processing of Personal Data under the Agreement.
Personal Data
Information relating to an identified or identifiable individual that is contained in Customer Data and Processed by Modalius on Customer's behalf under the Agreement.
Customer Data
Data that Customer (or its users or trading partners) submits to, or that is generated by Customer's use of, the Service.
Processing
Any operation performed on Personal Data, such as collection, storage, use, transmission, or deletion.
Controller / Processor
The party that determines the purposes and means of Processing (Customer), and the party that Processes Personal Data on the Controller's behalf (Modalius), respectively.
Data Subject
The individual to whom Personal Data relates.
Subprocessor
A third party engaged by Modalius to Process Personal Data in connection with the Service.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Roles and Scope

As between the parties, Customer is the Controller of Personal Data and Modalius is the Processor. Modalius will Process Personal Data only to provide and support the Service and only in accordance with this DPA and Customer's documented instructions. The Agreement, this DPA, and Customer's configuration and use of the Service constitute Customer's documented instructions. The subject matter, duration, nature, and purpose of the Processing, and the types of Personal Data and categories of Data Subjects, are described in Appendix A.

3. Processing Instructions

Modalius will Process Personal Data only on Customer's documented instructions, including with regard to transfers, unless required to do otherwise by applicable law (in which case Modalius will, where permitted, inform Customer of that requirement before Processing). Modalius will not Process Personal Data for its own purposes and will not sell Personal Data. Modalius will promptly inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.

4. Confidentiality

Modalius will ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and access Personal Data only on a need-to-know basis to perform their duties.

5. Security

Modalius will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against a Personal Data Breach, taking into account the nature of the Processing and the risks involved. A description of these measures is set out in Appendix B. Customer is responsible for securing its own credentials and for configuring the Service appropriately for its data.

6. Subprocessors

Customer provides general authorization for Modalius to engage Subprocessors to support the Service. A current list of Subprocessors is set out in Appendix C. Modalius will impose data-protection obligations on each Subprocessor that are substantially the same as those in this DPA and remains responsible for each Subprocessor's performance. Modalius will give Customer reasonable notice of any intended addition or replacement of a Subprocessor, and Customer may object on reasonable data-protection grounds.

7. Data Subject Requests

Taking into account the nature of the Processing, Modalius will provide reasonable assistance to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws. If Modalius receives such a request directly, it will, where lawful, advise the Data Subject to submit the request to Customer and will not respond on Customer's behalf except on Customer's instructions.

8. Assistance

Taking into account the nature of the Processing and the information available to it, Modalius will provide reasonable assistance to Customer with respect to security, Personal Data Breach notifications, data protection impact assessments, and consultations with supervisory authorities, to the extent these obligations apply to Customer.

9. Personal Data Breach Notification

Modalius will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data and will provide Customer with information reasonably available to it to assist Customer in meeting any obligations to notify supervisory authorities or affected Data Subjects.

10. Return and Deletion of Personal Data

Upon termination or expiry of the Agreement, Modalius will, at Customer's choice, delete or return Personal Data, and delete existing copies, unless retention is required by law. Data is retained for limited periods during normal operation of the Service: soft-deleted records can be restored for 7 days; EDI files are retained for a default of 730 days (configurable per partner); connection activity logs are retained for at least 45 days; processing logs are retained for approximately 90 days; and generated report files are retained for 7 days. Backups are overwritten on a rolling basis in the ordinary course.

11. Audits

Modalius will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. Audits are subject to reasonable prior notice, confidentiality obligations, and reasonable limits on scope and frequency, and must not interfere with Modalius's operations or the security of other customers' data. Modalius may satisfy this obligation by providing relevant third-party reports or summaries where available.

12. International Transfers

The Service is hosted on secure cloud infrastructure located in the United States. Where Personal Data is transferred across borders, Modalius will carry out such transfers in compliance with Applicable Data Protection Laws, including by putting in place appropriate safeguards where required.

13. Liability and Governing Law

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the laws of the State of Georgia, without regard to its conflict-of-law rules, consistent with the Agreement.

14. Term

This DPA takes effect on the effective date above and remains in effect for as long as Modalius Processes Personal Data on Customer's behalf under the Agreement. Provisions that by their nature should survive termination will survive.

Appendix A: Details of Processing

Subject matter and duration

The provision of the Modalius Partner Connect Service to Customer for the duration of the Agreement.

Nature and purpose of Processing

Hosting, receiving, processing, mapping, transmitting, and delivering electronic data interchange (EDI) and related documents; managing Customer accounts and partner relationships; and providing reporting and analytics, all for the purpose of providing and supporting the Service.

Types of Personal Data

  • Account and user information, such as names, business email addresses, login and activity timestamps, and notification preferences;
  • Any Personal Data contained in Customer Data or transaction documents, such as contact names and addresses associated with orders or shipments.

Categories of Data Subjects

  • Customer's authorized users and administrators;
  • Individuals identified within Customer's transaction data (for example, shipping or receiving contacts).

Appendix B: Technical and Organizational Measures

Modalius maintains measures that include, as applicable:

  • Encryption of Personal Data in transit and at rest;
  • Managed secrets storage for connection credentials;
  • Role-based access controls and least-privilege access, with multi-factor authentication for sensitive operations;
  • Network isolation and segmentation between environments;
  • Logging, monitoring, and activity auditing;
  • Regular backups and tested restoration procedures;
  • Data retention and deletion controls, including configurable file lifetimes and a soft-delete reversal window;
  • Confidentiality obligations and security awareness for personnel.

Appendix C: Subprocessors

Modalius engages the following categories of Subprocessors to support the Service. A current, detailed list is available to Customer on request.

Subprocessor Purpose Location
Cloud infrastructure and hosting provider Hosting, storage, and Processing of Customer Data United States

Contact

Questions about this DPA may be sent to contact@modalius.com.