Data Processing Agreement v1.0

Pharaday's Data Processing Agreement

Effective date: January 1, 2026

This Data Processing Agreement (the "DPA") forms an integral part of the agreement entered into between Pharaday's client identified in the applicable Order Form or Dedicated Agreement (the "Client" or the "Controller") and PHARADAY SAS (the "Service Provider" or the "Processor") — individually a "Party" and together the "Parties" — and governs the processing of personal data carried out by the Service Provider on behalf of the Client in the course of providing the Services.

This DPA is incorporated by reference into the General Terms of Service (Section 12) and into any Dedicated Agreement referring to it.

Unless otherwise expressly stated in this DPA, capitalized terms shall have the meaning given to them under Article 4 of the GDPR or, failing that, in the General Terms of Service.

1. Purpose and Scope

1.1 This DPA defines the terms and conditions under which the Service Provider processes Personal Data on behalf of the Client, in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR") and any applicable national data protection laws. The Client, as Data Controller, determines the purposes and means of processing. The Service Provider shall process Personal Data only on documented instructions from the Client, provided that such instructions are lawful and do not place the Service Provider in breach of applicable data protection laws, unless otherwise required by applicable law.

1.2 The processing is limited to the purposes and scope described below and to what is strictly necessary for the performance of the Agreement.

Description of the processing:

  • Purpose of the processing: provision, operation, support and maintenance of the Pharaday Services subscribed to by the Client (including the preparation, collection and submission of ship pre-arrival formalities, vessel line-up management, and port call collaboration), including user account management and communications related to the Services.
  • Categories of Personal Data: identification and contact data of the Client's Users (name, business email, phone number, role); connection and usage data; and, where applicable to the Services used, personal data contained in port call documentation, such as crew and passenger list data (identity, nationality, travel document details).
  • Data subjects: the Client's personnel and authorized Users; and, where applicable, crew members and passengers of the vessels concerned by the port calls processed through the Services.
  • Retention period: for the duration of the Agreement. Sensitive personal data contained in crew and passenger lists may be anonymised earlier through the Platform's anonymisation module, either automatically upon closure of the relevant port call or after a retention period configured by the Client.

2. Obligations of the Service Provider

2.1 The Service Provider undertakes to:

a) process Personal Data only on the Client's documented instructions that are lawful and compliant with applicable data protection laws;

b) ensure that persons authorized to process the data are bound by confidentiality or are subject to an appropriate statutory obligation of confidentiality;

c) take appropriate technical and organizational security measures in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing;

d) assist the Client, to a reasonable extent and taking into account the nature of the processing, in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, under the conditions described in Section 7 of this DPA;

e) following the Client's choice, delete or return Personal Data at the end of the Agreement, except where retention is required by law or for the establishment, exercise or defence of legal claims;

f) throughout the contractual relationship, provide the guarantees required under applicable data protection regulations, as required under Article 28 GDPR.

2.2 The Service Provider may engage sub-processors providing sufficient guarantees, for specific processing activities, under the Client's general written authorization, provided that:

a) the Client is informed of any intended change concerning the addition or replacement of a key sub-processor and may object on reasonable data protection grounds within fifteen (15) days of such notification;

b) each sub-processor is bound by a written agreement imposing obligations at least as protective as those set out in this DPA, as required under Article 28(4) GDPR;

c) the current sub-processor list is set out in Exhibit A of this DPA.

2.3 The Service Provider shall not be liable for any processing carried out by the Client or by third parties acting under the Client's control, including where such processing results from the Client's documented instructions.

3. Obligations of the Client

3.1 The Client guarantees that it has obtained all necessary consents and legal bases to process Personal Data and to transfer such data to the Service Provider, and that its instructions comply at all times with applicable data protection laws.

3.2 The Client remains solely responsible for: its compliance with the GDPR; determining the lawfulness of the processing; the accuracy, quality and legality of the Personal Data provided; and compliance with any obligations to inform data subjects.

3.3 The Client, as Data Controller, remains solely responsible for providing information to data subjects in accordance with Articles 12 to 14 of the GDPR, and for handling and responding to requests from data subjects exercising their rights under Articles 15 to 22 of the GDPR (including rights of access, rectification, erasure, restriction, portability and objection). The Service Provider shall not respond directly to any request made by a data subject concerning Personal Data processed on behalf of the Client, unless specifically authorized in writing by the Client. The Service Provider shall not be held liable for the Client's failure to comply with its obligations under this Section.

3.4 The Client acknowledges that the Service Provider acts exclusively as a Processor and that any instruction contrary to data protection law shall release the Service Provider from any resulting liability. If, for any reason, the Processor is unable to comply with the documented instructions, it shall inform the Data Controller without undue delay, in which case the latter shall have the right to suspend access to the Personal Data. If the Processor considers that an instruction constitutes a breach of applicable data protection regulations, it shall immediately inform the Data Controller and shall be entitled to suspend the execution of such instruction until it is modified or confirmed as lawful.

4. Security Measures

The Service Provider implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Such measures may include encryption, pseudonymization, access control, regular audits and data backup procedures.

A description of these measures may be provided upon written request of the Client, subject to appropriate confidentiality undertakings and to the protection of the Service Provider's security policies and trade secrets.

5. International Transfers

The Service Provider hosts the Personal Data processed on behalf of the Client within the European Union. The Service Provider may transfer Personal Data outside the European Economic Area (EEA) only where it ensures adequate protection under applicable law (e.g. an adequacy decision, Standard Contractual Clauses or an equivalent mechanism), including by relying on onward transfer mechanisms implemented by its sub-processors.

6. Personal Data Breaches

6.1 In the event of a personal data breach affecting the Personal Data processed on behalf of the Client, the Service Provider shall notify the Client without undue delay after becoming aware of the breach, and in any event within a reasonable timeframe taking into account the information available at the time of notification.

6.2 This notification shall, to the extent reasonably possible, include: a description of the nature of the breach, including, where feasible, the categories and approximate number of data subjects concerned; the likely consequences of the breach; and the measures taken or proposed by the Service Provider to address the breach and mitigate its possible adverse effects.

6.3 The Service Provider's obligation to notify is limited to breaches within its reasonable knowledge and control. The Service Provider shall not be responsible for any delay or failure to notify caused by the Client, its affiliates or third parties under its control, and this obligation does not apply to incidents attributable to the Client, its systems or third parties under its responsibility.

6.4 The Client remains solely responsible for making any notifications required to data protection authorities or data subjects under Articles 33 and 34 of the GDPR.

7. Assistance Obligations

7.1 The Service Provider shall, upon written request from the Client and to the extent reasonably necessary, assist the Client in fulfilling its obligations regarding: security of processing; data protection impact assessments (DPIA); and prior consultations with supervisory authorities, as required by Articles 32 to 36 of the GDPR.

7.2 Such assistance shall be provided on a reasonable-efforts basis, taking into account the nature of the processing and the information available to the Service Provider, and shall not require the Service Provider to disclose confidential information relating to other clients or its internal security architecture.

7.3 Any assistance requiring more than standard effort or customization shall be subject to a separate written agreement and additional fees based on the Service Provider's applicable rates.

8. Liability

8.1 Each Party shall be liable for the damages it causes in connection with the processing of Personal Data, in accordance with Article 82 GDPR.

8.2 The Service Provider's liability under this DPA is subject to the liability cap defined in the main Agreement, unless otherwise required by law, and shall in any event exclude indirect, consequential or punitive damages to the extent permitted by applicable law.

8.3 The Client shall indemnify and hold the Service Provider harmless from any claim, loss or sanction resulting from the Client's breach of its obligations as Data Controller.

9. Audit and Inspection

9.1 The Client, or an independent auditor mandated by the Client — provided that such auditor is not a competitor of the Service Provider, is bound by prior confidentiality obligations, and is approved by the Service Provider (such approval not to be unreasonably withheld) — may audit the Service Provider's compliance with this DPA no more than once per contractual year, upon at least thirty (30) days' prior written notice.

9.2 Any audit shall be limited in scope, duration and subject matter to what is strictly necessary to verify compliance with this DPA, shall be conducted during normal business hours, in accordance with the Service Provider's security policies, without disrupting its business operations, and shall not grant access to information relating to other clients, trade secrets or sensitive infrastructure.

9.3 The Service Provider may, at its sole discretion, satisfy audit obligations by providing relevant third-party certifications or audit reports in lieu of an on-site audit.

9.4 All audits shall be conducted at the Client's sole expense, including any reasonable costs and internal resources incurred by the Service Provider in facilitating such audit.

9.5 The Service Provider may suspend any audit request for as long as the Client remains in material breach of the Agreement, including in the event of overdue payment.

9.6 A minimum period of twelve (12) months shall elapse between two audits, except where a Personal Data Breach or a decision of a competent supervisory authority justifies an earlier audit.

10. Duration and Termination

10.1 This DPA remains in force for the duration of the Agreement.

10.2 Upon expiry or termination of the Agreement, the Service Provider shall, at the Client's written request and within a reasonable period not exceeding sixty (60) days, subject to full payment of all outstanding amounts due under the Agreement, either delete all Personal Data processed on behalf of the Client, or return such data to the Client in a commonly used electronic format.

10.3 The Service Provider may retain copies of Personal Data strictly to the extent required for compliance with applicable law, for the establishment, exercise or defence of legal claims, or for legitimate audit and record-keeping purposes. Once deletion or return has been completed, the Service Provider shall, upon written request, provide a deletion certificate confirming that all remaining data has been securely erased from its active systems. The Service Provider shall not be responsible for retaining any Client data beyond the contractual term, except as expressly required by law or by the Client's written instructions.

11. Governing Law and Jurisdiction

This DPA is governed by the same law and subject to the same jurisdiction as the main Agreement.

Exhibit A — Pharaday's Sub-Processors

To carry out its activities, Pharaday relies on service providers acting as sub-processors within the meaning of the GDPR (Regulation (EU) 2016/679). These providers process Personal Data on Pharaday's behalf and in accordance with its instructions.

Pharaday only engages sub-processors offering sufficient guarantees as required by the GDPR and enters into contractual arrangements with them under the conditions set out in Article 28 of the GDPR.

Current sub-processors:

  1. AWS — hosting of data and servers — France
  2. WorkOS — authentication platform — US
  3. Resend — emailing platform — US

This list may be updated in accordance with Section 2.2 of this DPA.

For any question regarding this DPA, please contact us at contact@pharaday.net.