Legal

Data Processing Addendum

Last updated: 2026-05-11

This DPA is incorporated by reference into the Carrier Terms of Service. By using the Services, you agree to this DPA.

1. Definitions

GDPR — Regulation (EU) 2016/679 and, where applicable, the UK GDPR as retained under the UK European Union (Withdrawal) Act 2018.
Controller — you (the customer) who determines the purposes and means of processing personal data.
Processor — Carrier (Lifecycle Innovations Limited), processing personal data on your behalf.
Sub-processor — any third party engaged by Carrier to process personal data in the provision of the Services.
Personal Data — any information relating to an identified or identifiable natural person, as defined under GDPR.
SCCs — Standard Contractual Clauses approved by the European Commission for cross-border personal data transfers.

2. Roles and responsibilities

The parties acknowledge that, in relation to personal data processed through the Services:

You are the Controller. You determine the purposes for which personal data is processed (e.g., managing your eSIM subscriber base, billing your customers).
Carrier is the Processor. Carrier processes personal data only on your documented instructions and solely to provide the Services.

Carrier will not process personal data for its own purposes beyond what is necessary to operate, secure, and improve the Services.

3. Data categories and processing details

Category	Examples	Retention
API credentials	eSIMVault API token (AES-GCM encrypted)	Until account deletion
Tool invocation metadata	Tool name, timestamp, status, hashed user ID	31 days
Account data	Email address	Until account deletion

Carrier does not process special categories of personal data (GDPR Article 9) on your behalf.

4. Sub-processors

Carrier uses the following sub-processors to deliver the Services. Carrier has entered into data processing agreements with each sub-processor that impose obligations equivalent to those in this DPA.

Sub-processor	Purpose	Location
Cloudflare, Inc.	Hosting, KV storage, edge WAF, analytics	US/Global
Sentry	Error tracking	US
Resend	Transactional email delivery	US
Stripe (v1.1)	Payment processing	US

Carrier will notify you of any new sub-processors at least 14 days before they are engaged. You may object to any new sub-processor in writing; Carrier will work in good faith to address your objection.

5. Cross-border transfers

Personal data may transit through or be processed in the United States and other non-EEA countries via Cloudflare's global edge network. Carrier relies on:

Cloudflare's EU Standard Contractual Clauses (Module 2: Controller-to-Processor) for transfers to Cloudflare.
Equivalent SCCs or adequacy decisions for transfers to Sentry, Resend, and Stripe.

Copies of applicable SCCs are available on request at privacy@carrier.llc.

6. Security measures

—

Encryption at rest: API tokens stored in Cloudflare KV using AES-GCM 256-bit encryption. No plaintext credential storage.

—

Encryption in transit: All traffic over TLS 1.3. Cloudflare terminates TLS at the edge.

—

Access control: OAuth 2.1 + PKCE for user-facing authentication. No shared credentials between tenants.

—

SOC 2: In progress. Certification not yet achieved. Carrier will notify customers when Type II certification is obtained.

7. Audit rights

Carrier will provide an annual self-attestation report confirming compliance with this DPA. Enterprise customers may request a third-party audit summary at their expense, subject to reasonable advance notice (30 days) and a confidentiality agreement. Audit scope is limited to controls relevant to the Services.

8. Data subject rights

Carrier will, within a reasonable timeframe, assist you in fulfilling your obligations to respond to data subject requests (access, erasure, portability, rectification) under GDPR. You remain responsible for determining the legitimacy of data subject requests and communicating responses to data subjects.

9. Breach notification

In the event of a personal data breach affecting your data, Carrier will notify you without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

10. Termination

Upon termination of the Services, Carrier will delete or return your personal data within 30 days, unless retention is required by applicable law. Carrier will certify deletion in writing upon request.

11. Contact

DPA queries, SCC requests, or breach notifications: privacy@carrier.llc