Data Processing Agreement
Version 1.0. Effective June 5, 2026
This DPA governs Westline's processing of Personal Information on behalf of business customers acting as data controllers under applicable U.S. and EU privacy law. It is self-executing on the Customer's first use of the platform. For a countersigned copy for procurement or vendor-management records, contact info@westlinetp.com.
01Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Westline Terms of Service between Westline Trade Partners LLC ("Westline", "we", "Service Provider", "Processor") and the customer ("Customer", "Business", "Controller") and governs Westline's processing of Personal Information on the Customer's behalf in connection with the Westline software platform. To the extent the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), or any other U.S. state privacy law applies to the Customer's data, Westline acts as a "Service Provider" or "Processor" as those terms are defined under that law. For Customers subject to the EU General Data Protection Regulation (GDPR), Westline acts as a "Processor" under Article 28 and this DPA is the data processing agreement required by that article.
02Categories of Personal Information
Westline processes the following categories of Personal Information on the Customer's behalf: business identifiers (business name, EIN, sales tax ID); contact data (name, email, phone); shipment data (origin and destination addresses, recipient name, recipient phone, package contents description, declared value); payment data (tokenized payment method only; full card data is handled by the payment processor and never accessible to Westline); integration data (order, customer, and product data pulled from the Customer's connected Shopify, eBay, QuickBooks, Fishbowl, Cin7, or similar systems); and platform usage data (login timestamps, action logs, IP addresses) for security and operational purposes.
03Purposes of Processing
Westline processes Personal Information solely for the following purposes: (a) providing the platform service (rate quoting, label generation, tracking, billing, fulfillment writeback to integrations); (b) account management, authentication, and identity verification; (c) processing payments and managing subscriptions; (d) complying with legal obligations (tax recordkeeping, sanctions screening, anti-fraud, regulatory reporting); (e) security monitoring, incident response, and audit logging; and (f) customer support. Westline will not process Personal Information for any purpose other than the foregoing without the Customer's prior written instruction.
04No Sale, No Sharing, No Cross-Context Advertising, No AI Training
Westline does not sell Personal Information as defined under any applicable privacy law. Westline does not share Personal Information for cross-context behavioral advertising. Westline does not use Customer Personal Information to train artificial intelligence or machine learning models. Westline does not combine Personal Information received from the Customer with Personal Information received from any other source for any purpose outside providing the platform service to the Customer.
05Subprocessors
Westline uses the following categories of subprocessors strictly as necessary to provide the platform service: shipping carriers (UPS, FedEx, USPS, FedEx Freight, and other authorized motor carriers); payment processing (Square); transactional email (Resend); identity verification (Persona); authentication (Clerk); database hosting (Neon); application hosting (Vercel); error monitoring (Sentry); rate limiting and caching (Upstash); and sanctioned-parties screening (using the U.S. Treasury OFAC SDN list, downloaded and cached by Westline). Each subprocessor is bound by data-handling obligations consistent with this DPA. Westline will provide the Customer with a current list of named subprocessors on request to info@westlinetp.com. For material changes to the subprocessor list affecting the Customer's Personal Information, Westline will provide at least thirty (30) days advance notice; the Customer may terminate the affected service if it reasonably objects to a new subprocessor.
06Security Measures
Westline maintains commercially reasonable technical and organizational security measures designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction. These measures include, at minimum: AES-256 encryption of data at rest, TLS 1.2 or higher for data in transit, AES-256-GCM encryption of sensitive integration credentials in the database, role-based access controls and multi-factor authentication for administrative access, private blob storage with admin-only signed-URL proxies for verification documents, append-only audit logging of sensitive actions, rate limiting on public endpoints, and a content security policy. Westline does not process credit card data. Payment card information is handled exclusively by our PCI-DSS-compliant payment processor.
07Data Subject Rights and Customer Assistance
Westline will, upon reasonable request and at no additional cost, assist the Customer in responding to requests from data subjects exercising rights under applicable law (right to know, right to access, right to delete, right to correct, right to data portability, right to opt out of sale or sharing). If Westline receives a data subject request directly, Westline will, unless legally prohibited, promptly notify the Customer and direct the data subject to contact the Customer. Westline will respond to verified Customer-forwarded data subject requests within the time frame required by applicable law (typically forty-five (45) days under CCPA/CPRA).
08Security Incident Notification
Westline will notify the Customer without undue delay, and in any event consistent with applicable law (typically within seventy-two (72) hours), upon becoming aware of a confirmed security incident involving the Customer's Personal Information. Notification will describe the nature of the incident, the categories and approximate volume of Personal Information involved, the steps Westline has taken or proposes to take in response, and recommendations for the Customer's own response. Westline will reasonably assist the Customer in fulfilling the Customer's own breach notification obligations to data subjects and regulators.
09Data Retention and Deletion
Westline retains Personal Information only as long as necessary to provide the platform service and to comply with legal, regulatory, audit, and dispute-resolution obligations. Specifically: shipment records (addresses, tracking, billing) are retained for seven (7) years; consent ledgers (Terms of Service, EULA, Subscription Agreement acceptances) and screening event records are retained as required by the underlying obligation, in some cases up to ten (10) years post-account-departure. Upon termination of the platform service, Westline will, upon Customer request, return or delete Personal Information except as retained for legal compliance.
10International Transfers
Westline is a United States entity and processes Personal Information in the United States. To the extent the Customer or its data subjects are located outside the United States and applicable law requires a specific transfer mechanism (such as the EU Standard Contractual Clauses or the EU-U.S. Data Privacy Framework), the Customer and Westline will execute the appropriate mechanism on request. Westline does not currently certify under the EU-U.S. Data Privacy Framework.
11Audit Rights
On reasonable advance notice and not more than once in any twelve (12) month period (except where required by applicable law or following a confirmed security incident), Westline will make available to the Customer documentation reasonably necessary to demonstrate compliance with this DPA, including the most recent reports from independent assessments of Westline's subprocessors where available.
12Term, Conflict, and Governing Law
This DPA is effective from the Customer's first use of the platform and continues for as long as Westline processes Personal Information on the Customer's behalf. In the event of any conflict between this DPA and the Westline Terms of Service with respect to the processing of Personal Information, this DPA controls. This DPA is governed by the same law and dispute resolution provisions as the Westline Terms of Service.
Contact
For DPA questions, subprocessor lists, or audit requests, contact info@westlinetp.com.
Westline Trade Partners LLC. 3104 North Armenia Avenue, Tampa FL 33607