Data Processing Agreement (DPA)
Last updated: October 2025
This Data Processing Agreement (“DPA”) is an addendum to the Terms and Conditions between
CMR Management (“Processor”) and the customer (“Controller”) using the CMR Management
software and related services (collectively, the “Services”).
This DPA reflects the parties’ agreement regarding the processing of personal data in compliance
with the EU General Data Protection Regulation (GDPR).
1. Scope and Application
This DPA applies when the Controller provides personal data to the Processor in connection with
the Services. It governs how that data is collected, stored, processed, and protected.
In case of conflict between this DPA and the main Terms and Conditions, the DPA shall prevail with
respect to data protection obligations.
2. Roles and Responsibilities
- The Controller determines the purpose and means of processing personal data.
- The Processor (CMR Management) processes data only on the Controller’s instructions and for the purposes defined in the agreement.
- Both parties agree to comply with applicable data protection laws, including GDPR (EU 2016/679).
3. Nature and Purpose of Processing
CMR Management processes personal data to provide digital CMR document management, billing, reporting, and related logistics functions.
The types of personal data may include:
- Company details (name, address, tax ID)
- Contact information (email, phone)
- Employee or driver names
- Transport and logistics data
Processing activities include storage, organization, transmission, and secure deletion.
4. Security Measures
The Processor implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, or loss. These include:
- Encrypted data transfer (TLS 1.3)
- Secure hosting in EU data centers (Contabo, Germany)
- Access controls and audit logs
- Regular security monitoring and vulnerability testing
- Data backups and recovery systems
5. Sub-Processors
The Processor uses vetted sub-processors to provide infrastructure, payments, and communication services.
A current list of sub-processors is available on our
Sub-Processors page.
All sub-processors are contractually bound by equivalent GDPR data protection obligations.
6. International Data Transfers
If personal data is transferred outside the European Economic Area (EEA), the Processor ensures compliance via:
- EU Standard Contractual Clauses (SCCs)
- Transfers only to countries with adequate data protection levels
- Additional security and encryption measures for all transfers
7. Data Subject Rights
The Processor assists the Controller in fulfilling data subject requests under GDPR, including:
- Access, rectification, and deletion of personal data
- Restriction or objection to processing
- Data portability requests
Requests can be submitted by contacting [email protected].
8. Data Retention and Deletion
Upon termination of the Services, or at the Controller’s written request, the Processor will:
- Delete all personal data within 30 days, or
- Return it securely to the Controller upon request.
Backups are retained for disaster recovery purposes for up to 90 days before automatic deletion.
9. Incident Notification
In case of a personal data breach, the Processor will:
- Notify the Controller without undue delay (within 72 hours)
- Provide relevant information regarding the nature and scope of the breach
- Assist with mitigation and notification to authorities as required by GDPR
10. Audits and Compliance
The Processor shall make available all information necessary to demonstrate GDPR compliance and allow for audits or inspections conducted by the Controller or an appointed auditor, provided such audits:
- Are limited to once per year
- Do not interfere with the Processor’s normal operations
- Maintain confidentiality and data security during the audit
11. Contact Information
For any questions or data protection requests, please contact:
📧 [email protected]
📧 [email protected]
Postal address:
CMR Management
Tagu Mures, Romania
www.cmr-management.eu