GoMoveGoMove
Try free
Legal

Data Processing Agreement

This Data Processing Agreement (the “DPA”) forms part of the Terms of Service between GoMove and the Customer and governs the processing of personal data by GoMove acting as a processor on behalf of the Customer (acting as controller).

Last updated · June 8, 2026

1. Scope & roles

This DPA applies where GoMove processes personal data on behalf of the Customer through the SaaS Services. To the extent applicable, terms such as "controller", "processor", "data subject", "personal data", "processing", "sub-processor", and "personal data breach" have the meanings given to them under Québec Law 25, PIPEDA, the EU/UK GDPR, or other applicable privacy laws.

For Marketplace transactions, GoMove and the Customer may each act as an independent controller of certain data; in that case this DPA applies only to the data that GoMove processes on behalf of the Customer.

2. Subject matter & duration

The subject matter of the processing is the provision of the Services. The duration equals the term of the underlying agreement plus any additional period during which GoMove retains data as required by law.

3. Nature & purpose of processing

GoMove processes personal data to host, operate, secure and support the Services, including planning jobs, routing, dispatch, proof capture, customer notifications, analytics, billing, and customer support.

4. Categories of data & data subjects

  • Data subjects: Customer's personnel, drivers, helpers, end customers, recipients, suppliers, and third parties whose data the Customer chooses to upload.
  • Personal data: identifiers, contact data, address, geolocation, vehicle and asset data, job and route data, proof-of-delivery captures (photos, signatures, notes), communications, usage and device data.

5. GoMove obligations

  • Process personal data only on documented instructions from the Customer, including with regard to transfers, unless required by law.
  • Ensure that personnel authorized to process personal data are subject to confidentiality obligations.
  • Implement appropriate technical and organizational security measures (see §9).
  • Assist the Customer, taking into account the nature of processing, to comply with its obligations regarding data-subject rights, security, breach notification, and impact assessments.

6. Customer obligations

  • The Customer has the sole responsibility for the lawfulness of the personal data it uploads and the instructions it gives.
  • The Customer must obtain all necessary consents, provide all required notices to data subjects, and have a valid legal basis for processing.
  • The Customer must not upload sensitive personal information beyond what is necessary for the Services and must not upload special-category data unless expressly authorized in writing by GoMove.

7. Sub-processors

The Customer provides general authorization for GoMove to engage sub-processors to support the Services (cloud hosting, monitoring, analytics, communications, payments, mapping, support, error reporting). GoMove imposes data-protection obligations on its sub-processors that are substantially similar to those in this DPA. A current list is available on request at gomove@gomove.ai. GoMove will notify the Customer of changes; the Customer may object on reasonable data-protection grounds, in which case GoMove may propose an alternative or, failing that, the Customer's sole remedy is to terminate the affected portion of the Services.

8. International transfers

Where personal data is transferred outside the originating jurisdiction, GoMove relies on legally recognized transfer mechanisms, including standard contractual clauses where applicable. The Customer authorizes such transfers.

9. Security measures

GoMove implements measures appropriate to the risk, including:

  • Encryption in transit (TLS) and at rest where applicable.
  • Identity and access management, least-privilege access, MFA for privileged accounts.
  • Network segmentation, monitoring, logging, and intrusion detection.
  • Backups, disaster recovery, and business-continuity planning.
  • Secure software development lifecycle, vulnerability management, and patching.
  • Vendor risk management.

10. Incident notification

GoMove will notify the Customer without undue delay after becoming aware of a confirmed personal data breach affecting the Customer's data, and will provide information reasonably available to the Customer to comply with its own breach notification obligations. Notification is not an acknowledgment of fault or liability.

11. Data subject requests

Taking into account the nature of the processing, GoMove will assist the Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests from data subjects to exercise their rights. Where GoMove receives a request directly from a data subject, it will forward it to the Customer.

12. Audits

GoMove will make available information necessary to demonstrate compliance with this DPA. Where audits are required by applicable law, the parties will agree on reasonable timing, scope, frequency, and confidentiality protections, and the Customer will bear the reasonable costs incurred.

13. Return or deletion of data

On expiry or termination of the Services, GoMove will, at the Customer's choice, return or delete personal data within a reasonable period, except where retention is required by law or necessary to defend legal claims.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the underlying agreement, including the Terms of Service. To the maximum extent permitted by law, the Customer is solely responsible for its own compliance obligations as controller.

GoMove · Montréal, Québec, Canada · gomove@gomove.ai