Corpus Logic← Back to home

Data Processing Agreement

Last updated: 15 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Corpus Logic (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) under which we provide the Corpus Logic platform (the “Services”). It governs our processing of personal data on your behalf and reflects the requirements of UK GDPR Article 28 and the Data Protection Act 2018.

This DPA is a published template. The signed customer agreement, once executed, is the binding version and prevails where it differs. Final company details and signature blocks will be added on execution. This page is not legal advice; seek qualified advice before relying on it.

1. Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, “data subject”, and “personal data breach” have the meanings given in UK GDPR. “Sub-processor” means any third party engaged by us to process personal data in providing the Services. “Applicable Data Protection Law” means UK GDPR, the Data Protection Act 2018, and PECR as amended.

2. Roles of the parties

You are the controller and we are the processor for personal data contained in your tenant account and processed under the Services. Where we determine the purposes and means of processing (for example, our website and demo enquiries), we act as a controller under our Privacy Policy, not under this DPA.

3. Scope and instructions

We process personal data only on your documented instructions, including as set out in this DPA and the agreement, and as necessary to provide and secure the Services, unless required by law (in which case we will inform you unless legally prohibited). Your use and configuration of the Services constitute instructions. We will tell you if, in our opinion, an instruction infringes Applicable Data Protection Law.

4. Details of processing (Annex 1)

Subject matterProvision of AI-assisted freight intelligence software to the Controller.
DurationFor the term of the agreement, plus the deletion/return period in section 11.
Nature & purposeHosting, storage, extraction, route planning, communications, analytics, and support relating to freight operations.
Types of personal dataNames, business contact details, job and account identifiers, driver and vehicle records, location/GPS data, and the contents of documents and communications the Controller ingests.
Data subjectsThe Controller's staff and authorised users, drivers, customer contacts, and counterparties whose data appears in the tenant.

The Controller must not upload special category data unless it has a valid Article 9 condition and has informed us where additional safeguards are needed.

5. Our obligations

  • Process personal data only on documented instructions, as described in section 3.
  • Ensure persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (Annex 2, section 6).
  • Respect the conditions for engaging sub-processors (section 7).
  • Assist you, taking account of the nature of processing, in responding to data subject requests (section 8).
  • Assist you with security, breach notification, data protection impact assessments, and prior consultation (sections 8–9).
  • Delete or return personal data at the end of the Services (section 11).
  • Make available information necessary to demonstrate compliance and allow for audits (section 12).

6. Security measures (Annex 2)

Taking account of the state of the art, costs, and the nature and risk of the processing, we maintain measures including:

  • Tenant isolation enforced at the database layer using row-level security, so no customer can access another customer’s data.
  • Encryption of personal data in transit using TLS, and encryption at rest provided by our hosting and database providers.
  • Role-based, least-privilege access controls and protected handling of secrets; service credentials are never exposed to browsers.
  • An append-only audit ledger recording material AI-worker actions.
  • Logging, monitoring, and error tracking to detect and investigate security events.
  • Secure development practices, dependency review, and change controls.

7. Sub-processors

You give general authorisation for us to engage sub-processors to provide the Services. Our current sub-processors are listed on our Sub-processors page. We impose data-protection obligations on each sub-processor that are no less protective than this DPA, and we remain responsible for their performance. We will give you a reasonable opportunity to be notified of intended changes (additions or replacements) so you can object on reasonable data-protection grounds; if we cannot resolve a reasonable objection, you may terminate the affected Services.

8. Assistance with data subject rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise data subject rights (access, rectification, erasure, restriction, portability, and objection). If a data subject contacts us directly about your data, we will direct them to you and not respond substantively except on your instruction or as required by law.

9. Personal data breach

We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and provide information reasonably available to help you meet your own notification obligations. Report security concerns to support@corpuslogic.com.

10. International transfers

Where providing the Services involves transferring personal data outside the UK, we use a valid transfer mechanism such as UK adequacy regulations, the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum, together with any supplementary measures required by a transfer risk assessment. Details of provider locations are on our Sub-processors page.

11. Return and deletion

On termination or expiry of the Services, and at your choice, we will delete or return personal data and delete existing copies, unless retention is required by law. We provide export tooling so you can retrieve your data before deletion. Routine backups are deleted on their normal cycle.

12. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA, and contribute to audits conducted by you or an auditor you mandate, on reasonable prior notice, subject to confidentiality and without compromising other customers' security. Where available, we may satisfy audit requests by providing existing reports, certifications, or documentation.

13. Liability and order of precedence

Liability under this DPA is subject to the limitations and exclusions in the agreement. In the event of conflict on data protection matters, this DPA prevails over the rest of the agreement; on all other matters the agreement prevails. Nothing limits liability that cannot be limited under Applicable Data Protection Law.

14. Governing law

This DPA is governed by the laws of England and Wales, consistent with the agreement and our Terms of Use.

15. Contact

Data protection enquiries: support@corpuslogic.com. Contractual notices: support@corpuslogic.com.