About this DPA
This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Customer”) and [legal entity name] (“Sustys”) for use of the Service, and governs Sustys’ processing of personal data on your behalf under Article 28 of the EU General Data Protection Regulation (GDPR). Where it conflicts with the Terms of Service on data protection, this DPA prevails.
Pending detail. This is a working summary. The executable DPA — including Annexes describing the processing, the technical and organisational measures, and the sub-processor list — is finalised with counsel before launch. Items in [brackets] are confirmed then.
Roles
For the customs and personal data you upload, you are the controller and Sustys is the processor. Where you act as a customs consultant or representative for your own clients, you may be a processor to them and Sustys a sub-processor; in all cases each party processes personal data only as set out here and in our Privacy Policy.
Scope of processing
- Subject matter: provision of the Sustys CBAM service.
- Duration: the term of your subscription, plus the return-and-deletion period below.
- Nature & purpose: reading customs declaration documents, resolving embedded emissions, and producing the declaration file and supporting pack.
- Data subjects: your authorised users, and individuals named in the documents you upload.
- Data categories: account and contact data; customs declaration data; supplier production data. We do not seek special-category data.
Processing on instructions
Sustys processes personal data only on your documented instructions — including the instructions inherent in using the Service — unless required otherwise by EU or member-state law, in which case we tell you first where permitted. Our personnel are bound by confidentiality.
Security measures
Sustys implements appropriate technical and organisational measures, including EU-resident hosting, encryption in transit, access controls, an append-only audit trail of changes, human approval before any declaration is final, and document OCR under a zero-retention agreement. The current measures are summarised on our Security page and set out in full in Annex II: [technical & organisational measures].
Sub-processors
You authorise Sustys to engage the sub-processors listed on our Subprocessors page, each bound by data-protection terms no less protective than this DPA. We give advance notice of any intended addition or replacement, and you may object on reasonable data-protection grounds.
International transfers
Our default and intent is to process your data within the EU/EEA, with no non-EU egress. Where any transfer outside the EU/EEA is unavoidable through a sub-processor, it is made under an adequacy decision or Standard Contractual Clauses with appropriate supplementary measures.
Assistance & breach notification
Taking account of the nature of processing, Sustys assists you with data-subject requests, data protection impact assessments, and prior consultations. We notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own obligations.
Return & deletion
On termination, Sustys makes your data available for export for a reasonable period, then deletes or anonymises it, except where EU or member-state law requires retention. Specific periods are set out in Annex I: [return & deletion schedule].
Audits
Sustys makes available the information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and scheduling.
Signing the DPA
Customers who need a counter-signed DPA can request one at legal@sustys.com. A downloadable copy will be available here at launch: [DPA PDF link]. For the list of sub-processors, see Subprocessors.