GlobalLine CDS
Legal

Data Processing Addendum

Last updated: 8 May 2026

This Data Processing Addendum ("DPA") forms part of the GlobalLine CDS Terms of Service between GlobalLine CDS Ltd ("Processor") and the Customer ("Controller"). It governs Processor's processing of Personal Data on behalf of Controller in connection with the Service.

1. Definitions

"UK GDPR", "Personal Data", "Processing", "Controller" and "Processor" have the meanings given in the UK GDPR.

2. Subject-matter and duration

Processing covers customs declaration data, party details, and supporting documents uploaded by Controller, for the duration of the Service agreement plus the legally-required HMRC retention period.

3. Nature and purpose

To prepare, validate, submit and reconcile customs declarations and related trade workflows on Controller's instructions.

4. Categories of data subjects

  • Controller's employees and authorised users
  • Suppliers, consignees, hauliers and other parties named on commercial documents

5. Processor obligations

  • Process Personal Data only on documented instructions.
  • Ensure persons authorised to process are bound by confidentiality.
  • Implement appropriate technical and organisational measures (Annex II).
  • Assist Controller with data subject requests and breach notifications without undue delay (within 48 hours).
  • Delete or return Personal Data at the end of the Service, subject to legal retention.

6. Sub-processors

Controller authorises the use of: Lovable Cloud / Supabase (UK/EU hosting), Cloudflare (edge / WAF), Stripe (billing), Resend (transactional email). Updated list available on request. Processor will give 30 days' notice of new sub-processors.

7. International transfers

Where transfers outside the UK occur, Processor relies on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

8. Audits

Processor will make available on request the most recent SOC 2 Type II report (when issued) and pen-test summary. On-site audits permitted once per year on 60 days' notice.

9. Annex II — Security measures

  • TLS 1.3 in transit; AES-256 at rest
  • Role-based access control with least privilege
  • Multi-factor authentication for all administrators
  • Immutable audit log of every state change
  • Daily encrypted backups with point-in-time recovery
  • Annual third-party penetration testing

10. Contact

To countersign this DPA, email legal@globalline.cds.