← Back to Routella

Data Processing Agreement

Last updated: June 25, 2026 · Operated by Deco Garden (company no. 5583435), Jabotinsky 1, Herzliya, Israel

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Routella Terms of Service (the "Agreement") between Deco Garden (Israeli company number 5583435, registered office Jabotinsky 1, Herzliya, Israel) — the company that operates Routella (the "Processor," "Routella," "we," "us") — and the business customer that uses Routella (the "Controller," "merchant," "Customer," "you"). It applies whenever Routella processes personal data on behalf of the merchant — including personal data of the merchant's end customers, recipients, and drivers — in connection with the Routella delivery-dispatch and route-optimization service at routella.app. Where this DPA conflicts with the rest of the Agreement on a data-protection matter, this DPA controls; where the EU Standard Contractual Clauses or the UK transfer tools conflict with this DPA on an international-transfer matter, those clauses control. Capitalized terms not defined here have the meaning given in the Agreement or, where the term comes from data-protection law, in that law.

1. Definitions

The terms below carry their meaning under applicable data-protection law. Where a concept exists under more than one law, the broadest applicable meaning governs.

  • "Applicable Data Protection Law" means all privacy and data-protection laws that apply to the processing under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), Canada's PIPEDA, Brazil's LGPD, the Australian Privacy Act 1988 (the "APPs"), and Israel's Protection of Privacy Law, each as amended.
  • "Controller," "Processor," "Personal Data," "Processing," "Data Subject," "Personal Data Breach," and "Supervisory Authority" have the meanings given under GDPR (and, for US state law, "Business," "Service Provider," "Personal Information," "Sell," and "Share" carry their CCPA/CPRA meanings).
  • "Customer Personal Data" means Personal Data that Routella Processes on the merchant's behalf under the Agreement — including end-customer, recipient, and driver Personal Data the merchant enters into or connects to Routella.
  • "Sub-processor" means any third party engaged by Routella to Process Customer Personal Data on Routella's behalf.
  • "Standard Contractual Clauses" or "SCCs" means the clauses approved by EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Transfer Tool" means the UK International Data Transfer Agreement ("IDTA") or the UK Addendum to the EU SCCs issued by the UK Information Commissioner.

2. Roles of the Parties

For Customer Personal Data, the merchant is the Controller and Routella is the Processor: Routella Processes that data only on the merchant's documented instructions. The merchant alone determines the purposes and means of Processing its end-customer, recipient, and driver data, holds the lawful basis for it, and is responsible for responding (with Routella's assistance) to its Data Subjects.

Routella acts as a Controller only for data it decides the purpose and means of — namely merchant account-holder data, billing records, security and operational telemetry, support communications, and public-website visitor/analytics data. That Controller-side Processing is governed by the Routella Privacy Policy, not this DPA.

Under CCPA/CPRA and similar US state laws, Routella acts as a "Service Provider" / "Processor" with respect to Customer Personal Data and certifies that it understands and will comply with the restrictions in Section 12.

Nothing in this DPA makes Routella a joint controller with the merchant or the originator/"sender" of the merchant's customer messaging; the merchant is the sender of record for all SMS, WhatsApp, and email it sends through Routella to its own customers.

3. Subject Matter, Duration, Nature, Purpose, Data Categories, and Data Subjects (Processing Annex)

This Section is the Processing description required by GDPR Article 28(3) and serves as Annex I to the SCCs where the SCCs apply.

  • Subject matter: provision of the Routella delivery-dispatch and route-optimization service — order import, route optimization, dispatch, driver coordination, customer delivery notifications, tracking pages, and cash-on-delivery (COD) record-keeping.
  • Duration: for the lifetime of the merchant's Routella account, plus the retention and deletion windows in Section 10.
  • Nature of Processing: collection, storage, organization, structuring, retrieval, use, transmission to recipients (e.g. message delivery), geocoding/route computation, and deletion — all carried out by automated means.
  • Purpose: performing the Routella service on the merchant's documented instructions as described in the Agreement and configured by the merchant in the product.
  • Categories of Data Subjects: the merchant's end customers and delivery recipients; the merchant's drivers; the merchant's own staff users.
  • Categories of Personal Data: name; postal/delivery address (including building, floor, apartment); geocoordinates; email; phone number; order details and line items; delivery status, notes and tags; COD amounts recorded as ledger entries; driver contact details, vehicle details, driver licence image and contract file (where the merchant uploads them); driver GPS location during active delivery rounds; proof-of-delivery photos; customer rating/review name, phone and free-text; and the full upstream order payload retained for sync/debugging where an integration supplies it.
  • Special-category data: Routella does not require or solicit special-category data. The merchant must not enter special-category data into free-text fields unless it has a lawful basis under GDPR Article 9, and is the Controller for any it chooses to enter.
  • Frequency of transfer (for SCCs): continuous, for the duration of the account.

4. Processor Obligations and Documented Instructions

Routella's obligations under GDPR Article 28(3) are set out below. "Documented instructions" means this DPA together with the merchant's configuration and use of the Routella product; normal use of an enabled feature is an instruction to Process accordingly.

  • Process Customer Personal Data only on the merchant's documented instructions, including for any transfer to a third country, unless required to do otherwise by EU/Member-State or other applicable law — in which case Routella will inform the merchant of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.
  • Promptly inform the merchant if, in Routella's reasonable opinion, an instruction infringes Applicable Data Protection Law. Routella is not obliged to actively monitor or verify the merchant's own compliance.
  • Not Sell or Share Customer Personal Data, and not retain, use, or disclose it for any purpose other than performing the service or as permitted by Applicable Data Protection Law (see Section 12).
  • Assist the merchant in keeping Customer Personal Data accurate and up to date through the editing and correction tools in the product.

5. Confidentiality

Routella ensures that any person authorized to Process Customer Personal Data (staff and contractors) is bound by a contractual or statutory duty of confidentiality, and limits access to those who need it to provide or support the service. These confidentiality obligations survive the end of the engagement.

Administrative operations are gated by a server-side allowlist enforced in application code, independent of database-level access.

6. Security Measures (Technical and Organizational Measures)

Routella implements and maintains technical and organizational measures appropriate to the risk, as required by GDPR Article 32. The current measures are listed below and serve as Annex II to the SCCs where the SCCs apply. Routella may update these measures from time to time but will not materially weaken the overall level of protection during the term. The measures below are code-verified facts about the platform.

  • Encryption in transit: HTTPS / TLS 1.2 or later on every endpoint — merchant API, customer tracking pages, and all sub-processor calls. Vercel terminates TLS and enforces HSTS.
  • Encryption at rest: AES-256 on the primary MongoDB Atlas database and on backups, plus an additional AES-256-GCM field-level encryption layer on connected-integration credentials (access tokens, API keys, OAuth/refresh tokens) using a separately-managed key. The application refuses to start in production if that key is missing.
  • Authentication: bcrypt password hashing (cost 12); minimum 10-character passwords requiring a letter and a digit, with a common-password denylist and a block on passwords containing the user's email; SHA-256-hashed, time-limited reset tokens; rate-limited sign-in and registration; signed JWT sessions; and a one-time email-code (OTP) sign-in option.
  • Tenant isolation: every database query is scoped by the tenant's userId so one merchant's data is not exposed to another.
  • Audit logging: sign-in events (retained 180 days), personal-data record reads (retained 365 days), admin actions, and public tracking-page views with the viewer's IP hashed (retained 90 days) are logged with timestamp, IP hash, and user agent.
  • Data minimization by design: tracking-page and access logs store a hashed IP, not the raw IP; driver GPS auto-expires after 24 hours; orders use soft-delete to preserve an audit trail.
  • Backups: MongoDB Atlas continuous backups with point-in-time restore, encrypted to the same AES-256 standard.
  • Environment separation: production and non-production are isolated — separate Vercel projects, separate MongoDB clusters, separate secrets, no shared credentials; production personal data is never copied into staging.
  • Vulnerability management: dependency scanning, automatic platform security patching, and security review of code changes before production.
  • Staff access: limited to authorized personnel with a documented need; each authenticates with SSO and mandatory multi-factor authentication, with no shared accounts; access is reviewed at least every six months.
  • Routella holds no audited security certifications (no SOC 2, ISO 27001, PCI-DSS, or HIPAA) and makes no such claim. It does not store or process full payment-card numbers; subscription card payments are handled by the billing providers named in Section 7.

7. Sub-processors and Change Notice

The merchant gives Routella general written authorization to engage the Sub-processors in the list below to Process Customer Personal Data. Routella imposes data-protection obligations on each Sub-processor that are materially equivalent to those in this DPA, and remains fully liable to the merchant for any Sub-processor's failure to meet those obligations (GDPR Article 28(4)).

The connected platforms a merchant chooses to link (such as Shopify, WooCommerce, Wix, Salesforce, or Monday) are the merchant's own data sources and independent controllers selected by the merchant; Routella reads from and writes to them on the merchant's instruction. They are listed separately below for transparency rather than as Sub-processors Routella unilaterally appointed.

Change notice: Routella will give the merchant at least 14 days' advance notice (by email and in-app) before adding or replacing a Sub-processor that Processes Customer Personal Data. The merchant may, within that period, object on reasonable, good-faith, data-protection grounds. If the parties cannot resolve the objection, the merchant's remedy is to terminate the affected service.

  • MongoDB Atlas — managed database / primary storage of all Customer Personal Data. Encrypted at rest and in transit.
  • Vercel — application hosting and TLS termination; processes data in transit and ephemeral request data.
  • Infobip — SMS delivery worldwide, and WhatsApp delivery via Routella's shared/managed number; receives recipient phone number and message content. SMS routes through carrier infrastructure in the recipient's own country to deliver the message.
  • WAHA Plus — WhatsApp transport for merchants who connect their own WhatsApp number (the primary self-connected transport on paid tiers); receives recipient phone number and message content.
  • Resend — transactional email delivery; receives recipient email address and message content.
  • Shopify (Shopify Billing) — subscription billing for Shopify-installed merchants; receives merchant billing identifiers. Does not receive Customer Personal Data for billing purposes.
  • LemonSqueezy — Merchant-of-Record for subscription billing and prepaid pack purchases for merchants not billed through Shopify; receives merchant billing contact and processes the card payment. Routella never stores card numbers.
  • Google LLC (Google Maps Platform — Routes API) — traffic-aware Smart Routing; receives delivery geocoordinates (origin, destination, intermediate stops) when the merchant uses Smart Routing. No customer name, phone, email, or order contents are sent. (This is distinct from Google's analytics/ads products, which are used on the marketing site only and receive no order data.)
  • Google LLC (Google Maps Platform — Places API) — address autocomplete in the address box; receives the address text a user types, plus an optional location bias, to return address suggestions. It does not receive customer names, phone numbers, emails, or order contents.
  • Photon / Nominatim (OpenStreetMap) — address geocoding; receives the address query text only.
  • OpenFreeMap and Esri — map tile imagery for the dashboard and tracking pages; receive map viewport coordinates, not customer identifiers.
  • Anthropic — translation of UI strings and message templates only; receives static text segments, never order, customer, or address data (placeholders such as {firstName} are kept verbatim and not sent).
  • Merchant-connected platforms (Shopify, WooCommerce, Wix, Salesforce, Monday and others) — the merchant's own connected data sources, accessed only where the merchant has connected the integration.

8. Assistance with Data Subject Requests

Routella will assist the merchant, by appropriate technical and organizational measures and taking into account the nature of the Processing and the information available to Routella, in responding to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection, and withdrawal of consent).

Many requests can be fulfilled by the merchant directly: the Routella dashboard and API let merchants find, edit, export (in JSON), and delete records, and for Shopify-installed merchants the mandatory Shopify privacy webhooks (customers/data_request, customers/redact, shop/redact) are implemented and audit-logged. Drivers and end customers should be directed to the merchant (as Controller) first; Routella will route any request it receives directly to the responsible merchant.

Routella provides reasonable assistance at no charge where the merchant can self-serve or where the request requires minimal effort; only disproportionate, manual, or repeated assistance beyond the statutory minimum may be charged at reasonable cost, with the basis disclosed in advance.

9. Personal Data Breach Notification (72 Hours) and Cooperation

If Routella becomes aware of a Personal Data Breach affecting Customer Personal Data, it will notify the merchant without undue delay and in any case within 72 hours of becoming aware. Notice is sent to the merchant's account email and via an in-app notice.

The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it; further information will follow as facts develop.

Routella will also assist the merchant, taking into account the nature of Processing and information available to Routella, with its obligations under GDPR Articles 32–36 — including the merchant's own breach notifications to its Supervisory Authority (within the controller's 72-hour window) and to affected Data Subjects, data protection impact assessments, and prior consultation with a regulator.

10. Return or Deletion on Termination

At the merchant's choice, on termination or expiry of the Agreement Routella will either return the Customer Personal Data to the merchant — via the in-dashboard / API export, which produces a JSON export — or delete it. Routella will delete remaining copies within 30 days, except where retention is required by law (for example, billing and tax records for up to 7 years).

Residual copies that exist only in routine encrypted backups are deleted on the normal backup-rotation cycle rather than by immediate surgical removal, and remain protected by the security measures in Section 6 until they age out.

During the engagement, Customer Personal Data is retained according to the windows in the Routella Privacy Policy, which are enforced automatically by database TTL indexes and a daily retention-cleanup job. The DPA, Privacy Policy, and the underlying TTL indexes must state the same retention windows.

11. Audit and Information Rights

Routella will make available to the merchant all information reasonably necessary to demonstrate compliance with GDPR Article 28, and will allow for and contribute to audits, including inspections, conducted by the merchant or a third-party auditor it mandates. This right cannot be excluded.

In the first instance, Routella satisfies audit requests through its Security and Compliance documentation and by answering reasonable written security questionnaires. Routella holds no SOC 2 or ISO 27001 report and will not represent that it does.

On-site or independent third-party audits are limited to once per 12-month period, on at least 30 days' prior written notice, during business hours, under confidentiality, at the merchant's cost, and scoped to Routella's Processing of that merchant's Customer Personal Data — except where a Supervisory Authority requires otherwise or a confirmed Personal Data Breach gives reasonable cause, in which case a for-cause audit may proceed without those limits. Audit costs will not be set so high as to deter audits.

12. US State Privacy (CCPA/CPRA and Similar)

With respect to Personal Information governed by CCPA/CPRA (and, at a high level, by LGPD, PIPEDA, and the Australian Privacy Act), Routella acts as a Service Provider / Processor and certifies that it understands and will comply with the following restrictions.

  • Routella will Process Personal Information only for the specific business purpose of providing the Routella service under the Agreement and on the merchant's documented instructions.
  • Routella will not Sell or Share Personal Information.
  • Routella will not retain, use, or disclose Personal Information for any purpose other than the business purposes specified, or outside the direct business relationship with the merchant, and will not combine it with Personal Information from other sources except as permitted by law.
  • Routella will notify the merchant if it determines it can no longer meet these obligations, and the merchant may take reasonable steps to stop and remediate unauthorized use.

13. International Data Transfers

Routella is operated by Deco Garden from Israel, which benefits from an EU adequacy decision (and is recognized as adequate by the UK). However, Routella's core infrastructure runs on global cloud providers: application hosting (Vercel) and the primary database (MongoDB Atlas) process and store Customer Personal Data on infrastructure that may be located in the United States and other regions. Customer Personal Data is therefore transferred to, and stored in, those regions, and the safeguards below — not Israel's adequacy status alone — are what make those transfers lawful.

For transfers of Customer Personal Data from the EEA to a country without an EU adequacy decision (including United-States-hosted infrastructure and any Sub-processor outside Israel and the EEA), Routella relies on the EU Standard Contractual Clauses (2021) — Module Two (controller-to-processor) where the merchant is the Controller and Routella is the data importer, and Module Three (processor-to-processor) for the onward Sub-processor leg — together with a Transfer Impact Assessment. For UK-origin data transferred to a non-adequate country, the UK Transfer Tool (the IDTA or the UK Addendum to the EU SCCs) applies, with a UK Transfer Risk Assessment; a Swiss addendum applies to Swiss-origin data. Israel's own rules on transferring data outside Israel also apply.

Where these SCCs apply, they are incorporated into this DPA by reference and deemed executed on acceptance of the Agreement; the merchant is the data exporter and Deco Garden (operating Routella) is the data importer; Annex I is Section 3 of this DPA, Annex II is Section 6, and the list of Sub-processors is in Section 7. In any conflict between the SCCs and this DPA on a transfer matter, the SCCs prevail.

Self-healing safeguard. The parties intend that a valid transfer mechanism covers every leg at all times. If the European Commission's adequacy decision for Israel (or the UK's recognition of Israel as adequate) is suspended, repealed, or materially narrowed, the EU Standard Contractual Clauses (Module Two) and, for UK data, the UK Transfer Tool incorporated under this Section apply automatically to transfers of Customer Personal Data to Routella in Israel from that date, without further action by either party.

Where no adequacy decision or standard safeguard applies, Routella relies on an applicable derogation only where genuinely available (for example, transfer necessary for performance of the contract).

14. Liability, Order of Precedence, and Acceptance

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. Nothing in this DPA or the Agreement limits any liability that cannot be limited under Applicable Data Protection Law, nor any Data Subject's statutory rights, nor Routella's full liability for its Sub-processors as against a Supervisory Authority under GDPR Article 28(4).

Order of precedence: on data-protection matters, this DPA prevails over the rest of the Agreement; on international-transfer matters, the SCCs and the UK Transfer Tool prevail over this DPA. If any provision of this DPA is held invalid or unenforceable, it is limited or severed to the minimum extent necessary and the remainder stays in full force.

Governing law and forum follow the Agreement: the State of Israel, with exclusive jurisdiction in the courts of Tel Aviv — without prejudice to any non-waivable Data Subject or consumer rights under the laws of the Data Subject's own country.

Acceptance: by accepting the Agreement and using Routella, the merchant accepts this DPA. To make acceptance provable, Routella records the accepting user, the timestamp, and the DPA/Terms version at account creation. A countersigned copy is available on request from support@routella.app.


These documents are governed by the laws of the State of Israel. The English version of this document is authoritative; any translation is provided for convenience only. Related documents: Terms · Privacy · DPA · Acceptable Use · Security. Questions: support@routella.app

Privacy controls: Cookie settings · Do Not Sell or Share My Personal Information