S
SCM·Edge Suite

Data Processing Addendum

Last updated: 14 June 2026

1. Roles

For the purposes of applicable data-protection law (including the GDPR, UK GDPR and equivalent regimes), Customer is the controller of Customer Personal Data and SCM·Edge Suite is the processor.

2. Subject matter and duration

The subject matter of processing is the provision of the SCM·Edge Suite platform. Processing continues for the term of the Customer's subscription plus a 30-day export window.

3. Nature and purpose

Personal data is processed to deliver supply-chain orchestration, messaging, document generation, AI assistance, and analytics in accordance with Customer's documented instructions (typically given through workspace configuration and API use).

4. Categories of data subjects

Workspace users, supplier and customer contacts, drivers, factory operators, and end-buyers reached through tokenized portals.

5. Categories of personal data

Name, business email, business phone, role, message content routed through the platform, truck/driver identifiers, and any personal data Customer chooses to upload.

6. Subprocessors

Customer authorizes SCM·Edge Suite to engage subprocessors. A current list and notification mechanism for new subprocessors is provided on request. Customer may object to a new subprocessor for reasonable data-protection grounds.

7. International transfers

Where personal data is transferred outside the data subject's region, transfers are made under appropriate safeguards (e.g., Standard Contractual Clauses or equivalent).

8. Security measures

  • Encryption in transit and at rest.
  • Tenant isolation via row-level security on every public table.
  • Role-based access control with least-privilege defaults.
  • Signed and rotated API keys; HMAC-signed webhooks.
  • Audit logging for sensitive actions; per-tenant observability.
  • Background screening and least-privilege access for personnel.

9. Data subject requests

SCM·Edge Suite will provide reasonable assistance to Customer in responding to data subject requests, including via the in-app tenant export tool.

10. Breach notification

SCM·Edge Suite will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.

11. Return or deletion

On termination, Customer may export tenant data for 30 days. After that window, Customer Personal Data is deleted from active systems, subject to legal retention obligations.

12. Contact

DPA and privacy contact: privacy@scmedge.example.

Annex I — Description of processing

  • Controller: Customer (the workspace owner entity).
  • Processor: SCM·Edge Suite.
  • Categories of data subjects: as set out in §4 above.
  • Categories of personal data: as set out in §5 above.
  • Sensitive data: none required by the service. Customer must not upload special-category data without first signing a written addendum.
  • Frequency: continuous, for the duration of the subscription.
  • Nature of processing: storage, transmission, analytics, AI inference, document generation.
  • Purpose: delivery of the SCM·Edge Suite platform per Customer instructions.
  • Duration: term of the subscription plus the 30-day export window (§11).
  • Sub-processors: see /legal/sub-processors.

Annex II — Standard Contractual Clauses (EU 2021/914)

Where personal data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision, the parties incorporate the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as follows:

  • Module: Module Two (controller-to-processor) applies between Customer (data exporter) and SCM·Edge Suite (data importer).
  • Module Three applies on a back-to-back basis between SCM·Edge Suite and each sub-processor listed at /legal/sub-processors.
  • Clause 7 (Docking clause): not applicable.
  • Clause 9 (Sub-processors): Option 2 — general written authorisation; the importer shall inform the exporter of intended changes with at least 30 days' notice via the sub-processor page and changelog.
  • Clause 11(a) (Independent dispute resolution): optional language is not included.
  • Clause 17 (Governing law): the law of Ireland.
  • Clause 18 (Forum and jurisdiction): the courts of Ireland.
  • Annex I.A (Parties): the parties identified in the master subscription agreement.
  • Annex I.B (Description of transfer): as set out in Annex I above.
  • Annex I.C (Competent supervisory authority): the Irish Data Protection Commission, or the supervisory authority of the exporter's place of establishment.
  • Annex II (Technical and organisational measures): as set out in §8 of this DPA.

For UK transfers, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner under s.119A of the Data Protection Act 2018) with Tables 1, 2, 3 and 4 completed by reference to this Annex II.

For Swiss transfers, references to the GDPR in the SCCs are read as references to the Swiss Federal Act on Data Protection, the supervisory authority is the Swiss FDPIC, and the governing law is Swiss law in respect of data of Swiss data subjects.