Data Processing Addendum

Effective Date: January 01, 2026

Version: 1.0


This Data Processing Addendum ("DPA") forms part of and is incorporated into the applicable Master Services Agreement, Subscription Agreement, or Terms of Service (the "Agreement") between Green Mountain Technology, LLC ("Green Mountain") and the customer entity identified in the Agreement ("Customer").

This DPA applies where Green Mountain processes Personal Data on behalf of Customer in its role as a service provider of parcel and less-than-truckload (LTL) audit, analytics, optimization, reporting, and related logistics services.

1. Definitions


"Applicable Privacy Laws" means all applicable data protection and privacy laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable U.S. state privacy laws.

"Controller", "Processor", “Sub-Processor”, "Personal Data", "Processing", "Personal Data Breach", and "Data Subject" shall have the meanings given under the GDPR.

"Business", "Consumer", "Personal Information", "Service Provider", "Sell", and "Share" shall have the meanings given under the CCPA.


2. Roles of the Parties


2.1 GDPR. For purposes of the GDPR, Customer acts as the Data Controller and Green Mountain acts as the Data Processor. The Controller is responsible for the lawfulness of data collection and instructions. The Processor processes data only on documented instructions from the Controller. 

2.2 CCPA / CPRA. For purposes of the CCPA, Customer is a Business and Green Mountain acts as a Service Provider.

2.3 Green Mountain shall process Personal Data and Personal Information solely on documented instructions from Customer and shall not Sell or Share Personal Information as defined under the CCPA.


3. Scope and Purpose of Processing


Green Mountain processes data solely for the purpose of providing Customer with logistics-related services, including:
  • Parcel and LTL freight audit and validation; 
  • Spend analytics, reporting, and benchmarking; 
  • Network and carrier optimization; 
  • Dispute management and resolution support; 
  • Platform support, monitoring, and service improvement.

4. Details of Processing


The subject matter, duration, nature, and purpose of Processing, as well as the categories of Data Subjects and types of Personal Data processed, are described in Schedule 1.


5. Processing Instructions


Green Mountain shall process Personal Data only in accordance with documented instructions from Customer, including the Agreement, this DPA, and Customer’s configuration and use of the services.


6. Confidentiality


Green Mountain shall ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations and receive training on privacy and data protection.


7. Security Measures


Green Mountain maintains a SOC 2 Type II control environment. Data is encrypted at rest and in transit using industry-standard protocols. Regular security training and background checks for staff. Continuous monitoring and regular security assessments. 


Green Mountain shall implement appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, loss, alteration, or disclosure. Such measures include access controls, encryption where appropriate, monitoring, and incident response procedures.


8. Sub-processors


Customer authorizes Green Mountain to engage Sub-processors to assist in providing the services. Green Mountain shall ensure that Sub-processors are bound by written agreements imposing data protection obligations no less protective than those set forth in this DPA and remain responsible for their acts and omissions. The Processor will notify the Controller of any intended changes concerning sub-processors.


9. Data Subject and Consumer Rights


Green Mountain shall reasonably assist Customer in responding to Data Subject requests such as access, rectification, erasure, etc. under GDPR and Consumer requests under CCPA, taking into account the nature of the processing and the information available to Green Mountain.


10. Personal Data Breach


Green Mountain shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Customer and shall cooperate in remediation efforts.


11. International Data Transfers


Where Personal Data is transferred outside the European Economic Area or the United Kingdom, Green Mountain shall ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.


12. Return or Deletion of Personal Data


Upon termination or expiration of the Agreement, Green Mountain shall, at Customer’s option, return or securely delete Personal Data, unless retention is required by applicable law.


13. Liability


Liability arising out of or in connection with this DPA shall be subject to the limitations of liability set forth in the Agreement, except where prohibited by Applicable Privacy Laws.


14. Governing Law


This DPA shall be governed by the governing law specified in the Agreement.


Schedule 1 – Details of Processing


Categories of Data Subjects: Customer employees, contractors, carrier personnel, and shipment recipients.
Types of Personal Data: Names, contact information, shipment identifiers, delivery addresses, tracking events, billing and audit-related metadata.
Nature of Processing: Collection, ingestion, validation, analysis, reporting, and optimization of logistics data.
Duration: For the term of the Agreement.

Success with a proven process

5860 Ridgeway Ctr Pkwy, Ste 401 Memphis, TN 38120

877.397.2834

About
Green Mountain CertifiedCareersContact Us
EventsPrivacy Policy
Resourcesresources
Benchmark Report
Case Studies
News
Reports
Webinars
Services
Parcel Spend Management
Audit and Process Automation
Advisory Services
work with us
Login

©️ 2026 Green Mountain Technology, LLC DBA Green Mountain