
Data Processing Agreement (DPA) - Smartway AI Inc. (US)

Effective Date: March 24, 2025

Last Updated: February 24, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement ("Agreement") between SMARTWAY INC., a Delaware corporation doing business in California as SMARTWAY AI INC. ("Smartway," "Processor," or "Service Provider") and the customer identified in the Agreement ("Customer," "Controller," or "Business") for the provision of Smartway's Services, including Smartdetection and Smartdecision.

This DPA governs the processing of personal data submitted by Customer to Smartway's Services and reflects the parties' agreement to comply with applicable data protection laws, including:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) and California Privacy Rights Act ("CCPA/CPRA")
  • Other applicable federal, state, and international data protection laws

By entering into the Agreement, Customer enters into this DPA on behalf of itself and, where applicable, on behalf of its authorized affiliates.

1. Definitions

1.1 General Definitions

Unless otherwise defined in this DPA, capitalized terms used herein have the meanings set forth in the Agreement.

"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.

"Customer Data" means all personal data submitted, uploaded, or transmitted by Customer or its Authorized Users to the Services.

"Data Protection Laws" means all applicable laws and regulations relating to the processing of personal data, including GDPR, CCPA/CPRA, and other federal, state, or international data protection laws.

"Personal Data" means any information relating to an identified or identifiable natural person contained in Customer Data.

"Processing" (including "process" and "processed") means any operation or set of operations performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, deletion, or destruction.

"Subprocessor" means any third party engaged by Smartway to process Personal Data on behalf of Customer.

1.2 GDPR-Specific Definitions

For purposes of GDPR compliance:

  • "Controller" means the entity that determines the purposes and means of processing Personal Data (i.e., Customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (i.e., Smartway).
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Supervisory Authority" means an independent public authority established by an EU Member State to oversee compliance with GDPR.

1.3 CCPA/CPRA-Specific Definitions

For purposes of CCPA/CPRA compliance:

  • "Business" means the entity that determines the purposes and means of processing Personal Information (i.e., Customer).
  • "Service Provider" means the entity that processes Personal Information on behalf of the Business (i.e., Smartway).
  • "Personal Information" has the meaning set forth in Cal. Civ. Code § 1798.140.
  • "Consumer" means a California resident as defined under CCPA/CPRA.

2. Scope and Roles

2.1 Parties' Roles

The parties acknowledge and agree that:

  • Customer is the Controller/Business and determines the purposes and means of processing Personal Data contained in Customer Data.
  • Smartway is the Processor/Service Provider and processes Personal Data solely on behalf of Customer and in accordance with Customer's documented instructions.

2.2 Scope of Processing

Smartway will process Personal Data only:

  • To provide the Services as described in the Agreement;
  • As instructed by Customer through its use of the Services and any written instructions provided by Customer that are consistent with the Agreement;
  • As required by applicable law.

2.3 Customer Instructions

Customer instructs Smartway to process Personal Data in accordance with this DPA and the Agreement. Customer warrants that it has the legal authority to provide such instructions and that such instructions comply with Data Protection Laws.

If Smartway believes that Customer's instruction violates Data Protection Laws, Smartway will promptly inform Customer and may suspend performance of the instruction until Customer confirms or modifies it.

3. Processing Details

3.1 Nature and Purpose of Processing

Smartway processes Personal Data to provide the Services, including:

  • Food waste detection, prediction, and management analytics
  • Store operations optimization and decision support
  • Data storage, analysis, and visualization
  • Customer support and service delivery

3.2 Duration of Processing

Smartway will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by law.

3.3 Categories of Data Subjects

Personal Data may relate to the following categories of data subjects:

  • Customer's employees, contractors, and agents
  • Retail store personnel (managers, associates, staff)
  • End users of Customer's retail operations
  • Customer's customers or clients (if applicable)

3.4 Types of Personal Data

Personal Data processed may include:

  • Identification data: Name, employee ID, job title, department
  • Contact information: Email address, phone number, work location
  • Professional information: Employment details, role, responsibilities
  • Usage data: Login credentials, activity logs, usage patterns
  • Operational data: Store data, sales data, inventory data, waste tracking data
  • Other data: Any other Personal Data submitted by Customer to the Services

3.5 Sensitive Personal Data

Customer shall not submit "Special Categories of Personal Data" (as defined under GDPR, including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.) or "Sensitive Personal Information" (as defined under CCPA/CPRA) to the Services without Smartway's prior written consent.

If Customer submits such data without authorization, Smartway may suspend or terminate the Services and Customer shall indemnify Smartway for any resulting liability.

4. Processor/Service Provider Obligations

4.1 Compliance with Instructions

Smartway shall:

  • Process Personal Data only on documented instructions from Customer, unless required by applicable law to process otherwise (in which case Smartway will inform Customer before processing, unless prohibited by law);
  • Immediately inform Customer if, in Smartway's opinion, Customer's instruction violates Data Protection Laws.

4.2 Confidentiality

Smartway shall ensure that all personnel authorized to process Personal Data:

  • Are subject to confidentiality obligations (whether contractual or statutory);
  • Have received appropriate training on data protection and security practices.

4.3 Security Measures

Smartway shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:

Technical Measures:

  • Encryption of Personal Data in transit (TLS/SSL) and at rest (AES-256 or equivalent)
  • Access controls and authentication (multi-factor authentication where appropriate)
  • Network security (firewalls, intrusion detection systems)
  • Regular security patching and vulnerability management
  • Secure development practices and code reviews

Organizational Measures:

  • Access restricted to personnel with a legitimate need to know
  • Background checks for personnel with access to Personal Data (where legally permitted)
  • Incident response and breach notification procedures
  • Regular security audits and penetration testing
  • Business continuity and disaster recovery planning

Smartway may update these measures from time to time, provided such updates do not degrade the overall level of protection.

4.4 Subprocessors

4.4.1 Authorization

Customer provides general authorization for Smartway to engage Subprocessors to process Personal Data, subject to the requirements of this Section 4.4.

4.4.2 Current Subprocessors

Smartway's current Subprocessors are:

Subprocessor | Service Provided | Location
Amazon Web Services (AWS) | Cloud hosting and infrastructure | United States

Smartway will update this list as Subprocessors are added or removed and will provide notice as described below.

4.4.3 Notification and Objection

Smartway will provide Customer with at least thirty (30) days' prior notice of the addition or replacement of any Subprocessor by email notification to Customer's account contact.

If Customer has reasonable grounds to object to a new Subprocessor based on data protection concerns, Customer may notify Smartway in writing within fourteen (14) days of notice. Smartway will use reasonable efforts to address Customer's concerns or provide an alternative solution. If Smartway cannot address Customer's objection, Customer may terminate the affected Services by providing written notice to Smartway within thirty (30) days of Smartway's response.

4.4.4 Subprocessor Agreements

Smartway shall:

  • Impose data protection obligations on Subprocessors that are substantially equivalent to those in this DPA;
  • Remain liable for the acts and omissions of Subprocessors to the same extent as if Smartway performed the Subprocessor's services directly.

4.5 Data Subject Rights

4.5.1 Assistance

Smartway shall, to the extent legally permitted and taking into account the nature of the processing, provide reasonable assistance to Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, including:

  • Right of access, rectification, erasure, restriction, portability
  • Right to object to processing
  • Rights related to automated decision-making

4.5.2 Direct Requests

If Smartway receives a request directly from a data subject, Smartway will promptly redirect the data subject to Customer and will not respond to the request without Customer's prior written authorization, unless legally required to do so.

4.5.3 Fees

Smartway may charge reasonable fees for assistance with data subject requests that require significant time or resources beyond Smartway's standard Service obligations.

4.6 Data Breach Notification

4.6.1 Notification Obligation

Smartway shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data breach affecting Customer Data.

4.6.2 Breach Notification Contents

Smartway's notification shall include, to the extent known:

  • Description of the nature of the breach, including the categories and approximate number of data subjects and Personal Data records affected;
  • Name and contact details of Smartway's point of contact for the breach;
  • Description of the likely consequences of the breach;
  • Description of measures taken or proposed to address the breach and mitigate its effects.

4.6.3 Assistance

Smartway shall provide reasonable cooperation and assistance to Customer in investigating, mitigating, and remediating the breach, and in fulfilling Customer's breach notification obligations under Data Protection Laws.

4.6.4 No Admission

Smartway's breach notification does not constitute an acknowledgment of fault or liability.

4.7 Deletion and Return of Data

4.7.1 Post-Termination

Upon termination or expiration of the Agreement, Smartway shall, at Customer's written election:

  • Delete all Personal Data in Smartway's possession or control; or
  • Return a copy of all Personal Data to Customer in a commonly used format.

4.7.2 Retention Period

Smartway will make Customer Data available for download for thirty (30) days following termination, after which Smartway will delete all Personal Data, except as required by applicable law.

4.7.3 Certification

Upon Customer's written request, Smartway will provide written certification of deletion.

4.7.4 Legal Retention

Notwithstanding the above, Smartway may retain Personal Data to the extent required by applicable law, provided such Personal Data remains subject to confidentiality obligations and is processed only for legal compliance purposes.

4.8 Audits and Compliance

4.8.1 Audit Rights

Smartway shall, upon reasonable written notice and no more than once per year (unless required by a Supervisory Authority or in response to a suspected breach), permit Customer or its authorized third-party auditor to conduct audits (including inspections) to verify Smartway's compliance with this DPA.

4.8.2 Audit Conditions

Audits shall be subject to the following conditions:

  • Customer must provide at least thirty (30) days' prior written notice;
  • Audits shall be conducted during Smartway's normal business hours and shall not unreasonably interfere with Smartway's operations;
  • Customer and its auditors must execute Smartway's standard confidentiality agreement before accessing Smartway's facilities or systems;
  • Customer shall be responsible for all costs and expenses of the audit.

4.8.3 Security and Compliance Reports

In lieu of an on-site audit, Smartway may provide Customer with:

  • SOC 2 Type II report (or equivalent third-party security certification);
  • Completed security questionnaires;
  • Other documentation evidencing Smartway's compliance with this DPA.

If Smartway provides such documentation and Customer reasonably determines it satisfies Customer's audit requirements, an on-site audit shall not be required.

5. International Data Transfers

5.1 Data Transfer Mechanisms

Customer acknowledges that Smartway processes Personal Data in the United States and may transfer Personal Data to other countries where Smartway's Subprocessors are located.

If Customer is established in the European Economic Area (EEA), United Kingdom, or Switzerland, and Personal Data is transferred outside those jurisdictions, the parties shall execute Standard Contractual Clauses (SCCs) or rely on other lawful data transfer mechanisms as required by applicable Data Protection Laws.

5.2 Data Localization

To the extent Customer requires that Personal Data be stored or processed in a specific geographic region, Customer must notify Smartway in writing, and the parties will negotiate any necessary amendments to the Agreement.

6. CCPA/CPRA-Specific Provisions

6.1 Service Provider Certification

Smartway certifies that it understands the restrictions of this Section 6 and will comply with them.

6.2 Prohibited Uses

Smartway shall not:

  • Sell or share Personal Information (as defined under CCPA/CPRA);
  • Retain, use, or disclose Personal Information for any purpose other than performing the Services or as otherwise permitted by CCPA/CPRA and this DPA;
  • Retain, use, or disclose Personal Information outside the direct business relationship between Smartway and Customer;
  • Combine Personal Information received from Customer with personal information received from other sources, except as permitted by CCPA/CPRA.

6.3 Consumer Rights Assistance

Smartway shall provide reasonable assistance to Customer in responding to consumer requests to exercise rights under CCPA/CPRA, including access, deletion, correction, and opt-out requests.

6.4 Subprocessors and Third Parties

Smartway shall ensure that any Subprocessor or third party to whom Smartway discloses Personal Information is bound by contractual obligations that are consistent with this Section 6.

6.5 Certification of Compliance

Upon Customer's reasonable written request, Smartway shall provide written certification of compliance with this Section 6.

7. Liability and Indemnification

7.1 Liability Cap

Each party's liability arising out of or related to this DPA shall be subject to the limitation of liability provisions set forth in the Agreement.

7.2 Indemnification

Smartway shall indemnify, defend, and hold harmless Customer from and against any claims, liabilities, damages, or expenses (including reasonable attorneys' fees) arising from Smartway's breach of this DPA, except to the extent such breach results from Customer's instructions or actions.

7.3 Data Protection Authority Orders

If a Supervisory Authority or other regulatory body orders Customer to take action due to Smartway's non-compliance with Data Protection Laws, Smartway shall reimburse Customer for reasonable costs incurred in complying with such order.

8. Term and Termination

8.1 Term

This DPA shall commence on the Effective Date and remain in effect for the duration of the Agreement, unless earlier terminated as set forth below.

8.2 Termination

Either party may terminate this DPA if the other party materially breaches this DPA and fails to cure such breach within thirty (30) days of written notice.

Termination of this DPA shall result in termination of the Agreement.

8.3 Effect of Termination

Upon termination of this DPA, Smartway shall comply with the data deletion or return obligations set forth in Section 4.7.

8.4 Survival

The following provisions shall survive termination of this DPA: Sections 4.2 (Confidentiality), 4.7 (Deletion and Return of Data), 7 (Liability and Indemnification), and any other provisions that by their nature should survive.

9. General Provisions

9.1 Amendments

Smartway may amend this DPA from time to time to reflect changes in Data Protection Laws or Smartway's processing practices. Smartway will notify Customer of material amendments by email or in-product notification at least thirty (30) days before the effective date. Customer's continued use of the Services after the effective date constitutes acceptance of the amended DPA.

9.2 Conflict

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict with respect to the processing of Personal Data.

9.3 Severability

If any provision of this DPA is held invalid or unenforceable, such provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.

9.4 Governing Law

This DPA shall be governed by the same governing law provisions set forth in the Agreement, except to the extent superseded by applicable Data Protection Laws.

10. Contact Information

For questions, notices, or requests related to this DPA, please contact:

SMARTWAY INC.

d/b/a SMARTWAY AI INC.

Data Protection Officer / Privacy Contact:

Email: contact@smartway.ai

Address: 8 THE GREEN, STE B, DOVER 19901, KENT, DE

By entering into the Agreement, Customer agrees to the terms of this Data Processing Agreement.
