DispatchDeck
Data Processing Addendum
Version 1 · Effective: April 22, 2026
This Data Processing Addendum ("DPA") is incorporated into and forms part of the DispatchDeck Partner Agreement between Blue Collar Coding LLC (operating as DispatchDeck) and Partner. It governs how Partner handles personal data that belongs to Clients (the motor carriers Partner administers inside the Platform) when Partner accesses that data through the Partner portal.
1. Roles of the Parties
Under this DPA and for the purposes of applicable data protection laws (including the CCPA/CPRA and comparable state privacy laws):
- The Client (the motor carrier) is the controller/business with respect to its own driver and operational data.
- DispatchDeck is a service provider/processor that hosts the Platform on the Client's behalf.
- Partner is an independent contractor engaged by the Client (directly or through the Client's assignment of Partner as compliance manager within the Platform) to provide DOT compliance services. When Partner accesses Client personal data through the Platform, Partner does so as an authorized agent of the Client. Partner is not a sub-processor of DispatchDeck, and DispatchDeck does not direct Partner's professional work or compliance judgments. As between DispatchDeck and Partner, Partner is solely responsible for Partner's own acts and omissions when processing Client personal data, whether inside or outside the Platform.
To the extent Partner uses personal data obtained through the Platform to maintain its own professional records, work-product files, or consulting deliverables outside the Platform, Partner acts as a separate controller/business with respect to that data, and Partner is independently responsible for complying with applicable data protection laws.
Partner is not authorized to process Client personal data for any purpose other than providing DOT compliance services to that specific Client. Partner may not sell or share (as those terms are defined under the CCPA/CPRA) Client personal data, and may not retain it outside the Platform for marketing, advertising, product-development, or model-training purposes.
1A. Order of Precedence Between This DPA and Client-Partner Agreements
Partner may have a separate direct engagement agreement with a Client covering compliance services. Nothing in this DPA overrides the Client-Partner agreement as between those two parties. However, as between Partner and DispatchDeck, this DPA governs Partner's access to Client personal data through the Platform. If a Client-Partner agreement purports to grant Partner broader rights to Client personal data accessed via the Platform than this DPA allows, the narrower of the two controls with respect to data accessed through the Platform.
2. Types of Personal Data Partner May Access
Through the Partner portal, Partner may have access to the following categories of personal data about drivers, applicants, and other Client personnel:
| Category | Examples |
|---|---|
| Identifiers | Full name, phone number, email address, home address, driver license number, date of birth |
| Sensitive identifiers | Social Security Number (on driver qualification file pages only), government-issued ID images |
| Employment and qualification data | CDL class, endorsements, restrictions, medical examiner's certificate, employment history, accident history, prior employer responses |
| Regulatory records | Motor vehicle records (MVRs), drug and alcohol testing results, Clearinghouse query responses, safety performance history |
| Operational data | Hours-of-service logs, DVIRs, incident reports, training records |
3. Purpose Limitation
Partner may process personal data only to:
- Review and maintain driver qualification files.
- Track and respond to compliance deadlines (medical card, CDL, MVR, drug test, Clearinghouse).
- Prepare the Client for audits and roadside-inspection events.
- Communicate with the Client's drivers about compliance items, through the Platform, when the Client authorizes.
- Provide ancillary compliance services that the Client separately engages Partner to perform.
Partner will not use personal data to train any machine learning model, build any profile for resale, or develop any product outside the Platform.
4. Security Obligations
Partner will implement and maintain reasonable administrative, technical, and physical safeguards to protect Client personal data, including:
- Account security. Unique strong password for the Partner portal. Multi-factor authentication as soon as DispatchDeck makes it available. No sharing of Partner-portal credentials.
- Device security. Accessing the Partner portal only from devices that are password- or biometrically locked, run supported operating system versions, and have disk encryption enabled where available.
- Network. No access over unsecured public Wi-Fi for sessions that expose Social Security Numbers or other sensitive identifiers.
- Personnel. Limiting access to personnel who need it to perform compliance services for the applicable Client, and imposing on such personnel confidentiality obligations at least as protective as this DPA.
- Export. Not exporting Client data out of the Platform (downloads, copies, screenshots, screen recordings) except where specifically needed to deliver a compliance service to that Client, and deleting any such exports as soon as the service is complete.
- No reuse. Not transferring Client data into any other system, CRM, or spreadsheet except systems that Partner itself operates and secures, and that Partner uses solely to service that Client.
5. Confidentiality
Partner will treat Client personal data as strictly confidential. Partner's personnel, contractors, and agents who access Client personal data are bound by written confidentiality obligations at least as protective as this DPA.
6. Data Subject Requests
If Partner receives a request from a driver, applicant, or other individual about personal data stored in the Platform (a request to access, correct, delete, or restrict processing), Partner will:
- Not respond to the request substantively on DispatchDeck's or the Client's behalf.
- Forward the request to both DispatchDeck (chris@dispatchdeck.app) and the applicable Client within 5 business days.
- Reasonably assist DispatchDeck and the Client in responding, to the extent the Platform data is under Partner's control.
7. Security Incident Notification
If Partner knows of or reasonably suspects any unauthorized access, disclosure, loss, or alteration of Client personal data accessed through the Partner portal (a "Security Incident"), Partner will:
- Notify DispatchDeck at chris@dispatchdeck.app without undue delay, and in any event within 72 hours of becoming aware of the Security Incident.
- Include, to the extent known: the nature of the incident, the categories and approximate number of individuals affected, the categories and approximate volume of records affected, the likely consequences, and the measures taken or proposed to address the incident.
- Cooperate with DispatchDeck and the Client in investigating, remediating, and—where required—notifying affected individuals and regulators. Cost of remediation and notification is allocated according to fault.
8. Sub-Processors of DispatchDeck
Partner acknowledges that DispatchDeck relies on the following sub-processors to operate the Platform. Client personal data may be transmitted to these providers in the ordinary course of Platform operation:
| Sub-processor | Purpose |
|---|---|
| Google Cloud / Firebase | Hosting, authentication, database, file storage |
| Google Gemini API | Optional Smart Tools features (document Q&A, receipt scanning). See the DispatchDeck Privacy Policy. |
| SendGrid (Twilio Inc.) | Transactional email delivery |
| Twilio | SMS notifications and dispatch messaging |
| Stripe / Stripe Connect | Subscription billing, payment processing, partner payouts, tax reporting |
| Checkr | Motor vehicle records, background checks, Clearinghouse queries (when the Client uses these Pass-Through Services) |
| HERE Technologies | Truck routing and map services |
DispatchDeck will provide at least 30 days notice (by posting an updated DPA at a new version URL) before engaging any new sub-processor that will routinely process Client personal data. Partner's sole remedy for objecting to a new sub-processor is to terminate the Partner Agreement under Section 11 of that Agreement.
9. Partner Sub-Processors
Partner may not engage any sub-processor to process Client personal data from the Platform without the prior written consent of DispatchDeck and the affected Client. If Partner does engage a sub-processor with that consent, Partner will impose on the sub-processor contractual data-protection obligations at least as protective as this DPA, and Partner remains fully liable for the sub-processor's acts and omissions.
10. International Transfers
DispatchDeck processes Client personal data in the United States. Partner represents that it will access the Partner portal only from jurisdictions where such access does not violate any applicable cross-border data transfer restriction. If Partner intends to access Client personal data from outside the United States, Partner must notify DispatchDeck in advance so that appropriate transfer mechanisms can be evaluated.
11. Data Retention; Return or Deletion on Termination
Personal data Partner accesses through the Platform remains in the Platform; Partner is not authorized to retain copies outside the Platform except as needed to deliver compliance services and for the minimum duration required for that purpose.
On termination of the Partner Agreement, on Partner's loss of access to a particular Client, or upon DispatchDeck's or the Client's written request, Partner will within 30 days delete (and certify the deletion of, in writing on request) any Client personal data that Partner holds in its own systems, unless applicable law, a regulator, or a documented FMCSA record-retention requirement (e.g., retention of driver qualification file records under 49 CFR Part 391) requires longer retention. For personal data retained under such a legal requirement, Partner will continue to apply the security and confidentiality obligations of this DPA for as long as the data is retained, and will delete the data when the legal retention period ends. Partner's duty to delete, and the surviving security obligations, continue indefinitely, without regard to termination of the Partner Agreement.
12. Audit
On DispatchDeck's written request (no more than once per year, absent a Security Incident or regulator request), Partner will provide written responses to a reasonable data-protection questionnaire covering Partner's compliance with this DPA. Partner is not required to provide direct access to its systems or to disclose information that would breach confidentiality obligations to third parties.
13. Liability and Indemnification
Liability and indemnification under this DPA are governed by Sections 13 (Limitation of Liability) and 13A (Indemnification) of the Partner Agreement. The data-and-confidentiality super-cap in Section 13 of the Partner Agreement applies to breaches of this DPA, except that no cap limits Partner's liability for (a) unauthorized sale, sharing, or misappropriation of Client personal data, (b) a Security Incident caused by Partner's gross negligence, willful misconduct, or fraud, or (c) regulatory fines or statutory damages assessed directly against a party because of the other party's unlawful act.
14. Precedence
In the event of any conflict between this DPA and the Partner Agreement, this DPA controls solely with respect to the processing of personal data.
15. Changes to This DPA
DispatchDeck may revise this DPA from time to time. When we do, we will post the revised version at a new version URL (e.g., /legal/dpa-v2.html) and require Partner to accept it on next login to the Partner portal. If Partner does not accept the revised DPA, Partner's sole remedy is to terminate the Partner Agreement.