Last Updated: May 4, 2026
This Data Processing Agreement (“DPA”) forms part of the Tigris Terms of Service (“Agreement”) between Tigris Systems Ltd (“Tigris”, “Processor”) and the Customer (“Controller”) and applies to the extent that Tigris processes Personal Data on behalf of the Customer in the course of providing the Services.
“Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, and “Supervisory Authority” have the meanings given in the UK GDPR and EU GDPR. “UK GDPR” means the General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018. “EU GDPR” means Regulation (EU) 2016/679.
2.1. The Customer is the Controller of Personal Data submitted to the Services. Tigris is the Processor acting on the Customer’s instructions.
2.2. This DPA applies to all Personal Data processed by Tigris on behalf of the Customer through the Services.
3.1. Subject matter: Processing of Personal Data as necessary to provide the Tigris platform and related services.
3.2. Duration: The duration of the Agreement between Tigris and the Customer.
3.3. Nature and purpose: Collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, and erasure of Personal Data as required to deliver logistics infrastructure services including data ingestion, application building, and operational platform hosting.
3.4. Categories of Data Subjects: Customer’s employees, contractors, end-users, and Customer’s own clients (to the extent their data is submitted to the Services).
3.5. Types of Personal Data: Names, email addresses, business contact details, account credentials, IP addresses, device identifiers, access timestamps, and any Personal Data contained in operational data submitted by the Customer (such as contact details within shipping documentation).
4.1. Tigris will process Personal Data only on the documented instructions of the Customer, unless required to do so by applicable law, in which case Tigris will inform the Customer of that legal requirement before processing (unless prohibited by law from doing so).
4.2. Tigris will ensure that persons authorised to process Personal Data are bound by obligations of confidentiality.
4.3. Tigris will implement appropriate technical and organisational measures as described in the Tigris Information Security Policy to ensure a level of security appropriate to the risk.
4.4. Tigris will not engage another processor (sub-processor) without prior written authorisation from the Customer. The Customer provides general authorisation for Tigris to engage sub-processors, subject to Tigris maintaining a current list of sub-processors and notifying the Customer of any intended changes. The Customer may object to a new sub-processor within 14 days of notification. If the Customer objects and the parties cannot resolve the matter, the Customer may terminate the Agreement.
4.5. Tigris will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection).
4.6. Tigris will assist the Customer in ensuring compliance with the obligations under UK GDPR Articles 32 to 36 (security, breach notification, impact assessments, and prior consultation), taking into account the nature of processing and information available to Tigris.
4.7. Upon termination of the Agreement, Tigris will delete all Personal Data processed on behalf of the Customer within 60 days of the Customer’s request, unless applicable law requires continued storage. Tigris will confirm deletion in writing upon request.
4.8. Tigris will make available to the Customer all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and scope.
5.1. Tigris will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer Personal Data.
5.2. The notification will include, to the extent available: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.
6.1. Tigris will not transfer Personal Data outside the United Kingdom or European Economic Area unless appropriate safeguards are in place, such as UK International Data Transfer Agreements (UK IDTA), EU Standard Contractual Clauses (SCCs), or transfers to countries with an adequacy decision.
6.2. Where transfers rely on the UK IDTA or EU SCCs, those instruments are incorporated into this DPA by reference.
7.1. A current list of sub-processors engaged by Tigris is available on request by contacting info@tigris.systems.
7.2. Tigris will impose data protection obligations on any sub-processor that are no less protective than those set out in this DPA.
The liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.
This DPA is governed by the laws of England and Wales.
