Data Processing Agreement
Last updated
This Data Processing Agreement ("DPA") supplements the Terms of Service between you ("Customer") and RoamGo LLC ("ShipRadar", "we", "us") and applies when ShipRadar processes personal data on Customer's behalf in connection with the Service.
For most consumer users of ShipRadar, this DPA isn't relevant — we are the controller of the data we collect about you, and the Privacy Policy applies instead. This DPA is here for B2B Customers who need contractual terms reflecting that we act as their processor for certain integrations (e.g. webhook alerts that include vessel data about a Customer's fleet).
01 Definitions
Capitalised terms not defined here have the meanings given to them in applicable data-protection laws (the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and equivalents).
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on Personal Data (collection, storage, use, transmission, etc.).
- Customer Personal Data — Personal Data that Customer provides to us, or that we receive from Customer's integrations (e.g. webhook URLs that include user identifiers), in connection with the Service.
- Subprocessor — a third party engaged by us to process Customer Personal Data on Customer's behalf.
02 Roles and scope
For Customer Personal Data covered by this DPA, Customer is the Controller and ShipRadar is the Processor. We process Customer Personal Data only on Customer's documented instructions — which are generally embodied in Customer's use of the Service and the configuration choices Customer makes (watchlist definitions, webhook URLs, API key scopes, etc.).
Note: this DPA does not change our role as Controller for the data we collect directly about Customer's individual users (account email, billing info, etc.) — that's covered by the Privacy Policy.
03 Categories of data and data subjects
Categories of Personal Data:
- Identifiers Customer chooses to associate with watchlist or webhook configurations (labels, URLs)
- API key prefixes and last-used timestamps
- Container reference numbers Customer looks up
- Customer's account email and authentication metadata where Customer is itself a data subject (sole proprietor, etc.)
Categories of data subjects: Customer's authorised users; individuals identifiable from configurations Customer chooses to provide.
Excluded: AIS broadcasts themselves are public radio signals identifying vessels (not natural persons); they are not Personal Data under most regimes. Where a vessel's position could indirectly identify a known individual (e.g. a private yacht owner), that processing is governed by the public-data exemption applicable to AIS broadcasts.
04 Security measures
We maintain technical and organisational measures appropriate to the risk of processing, including:
- Encryption in transit (TLS 1.3, HSTS) and at rest for sensitive datastores
- Argon2id password hashing
- AES-256-GCM encryption for admin-managed secrets in the platform settings table
- Network segmentation: databases unreachable from the public internet; application traffic only via reverse proxy
- Role-based access (the admin role is gated by an explicit DB column; revocable via the admin UI)
- Audit logging of admin actions, retained indefinitely
- Daily backups with encryption at rest
- Production deployment via Docker images built from version-controlled source
05 Subprocessors
We engage the following Subprocessors to deliver the Service. Customer authorises these on signing up for the Service. We'll give 30 days' notice (via the email on file) before adding new Subprocessors that handle Customer Personal Data, and Customer may object in writing.
| Subprocessor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Hosting (compute, storage, network) | Germany (Falkenstein / Frankfurt) |
| Stripe, Inc. | Payment processing, subscription management | United States |
| Resend, Inc. | Transactional email delivery | United States |
| AISStream.io | Live AIS data feed (terrestrial) | Lithuania / EU |
| MyShipTracking Ltd. | Augmented AIS data (regional gaps) | United Kingdom |
| JSONCargo | Container-shipment tracking aggregator | Bulgaria / EU |
Subprocessors are bound by data-protection terms at least as restrictive as this DPA.
06 Data subject rights
To the extent Customer is unable to address a data subject request through Customer's own use of the Service (e.g. via the account-deletion flow), we'll provide reasonable assistance — including by retrieving, rectifying, or deleting Customer Personal Data on request. Customer is responsible for responding to data subjects directly.
07 Personal data breach notification
We will notify Customer without undue delay (and, where feasible, within 72 hours of becoming aware) of a Personal Data breach affecting Customer Personal Data. The notification will describe (a) the nature of the breach, (b) categories and approximate numbers of data subjects affected, (c) likely consequences, and (d) measures taken to address it.
Notification will be sent to the email address Customer has on file. Keep that address current.
08 International data transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (Module 2: controller-to-processor) or the UK International Data Transfer Addendum, as applicable. We supplement these with appropriate technical measures (encryption in transit and at rest).
09 Audit rights
On reasonable request and no more than once per calendar year, we'll make available information necessary to demonstrate compliance with this DPA. Where Customer requires an on-site audit, the parties will agree on scope, timing, and reasonable confidentiality terms in advance, and Customer will bear the out-of-pocket costs.
10 Term, deletion, and return
This DPA is in effect for as long as Customer uses the Service. On termination, Customer Personal Data will be deleted within 90 days unless retention is required by law (e.g. tax records). Customer may export their data via API or by request to support before termination.
11 Contact
For DPA-related questions or to exercise rights under this agreement:
RoamGo LLC
Data protection · support@shipradar.io
1111B S Governors Ave, Ste 98660
Dover, DE 19904
United States
See also: Terms of Service · Privacy policy