Data Processing Agreement (DPA)

§1. Parties

This Data Processing Agreement (hereinafter: "Agreement" or "DPA") is entered into between:

and

§2. Agreement Execution

1. This Agreement is automatically concluded upon acceptance of the Aroute Platform Terms of Service during the registration process.
2. Acceptance of the Terms of Service (checking the required checkbox "I accept the Terms of Service") constitutes simultaneous acceptance of this Data Processing Agreement.
3. The Organisation represents that the person accepting the Terms of Service and this Agreement is authorised to represent the Organisation and enter into obligations on its behalf.

§3. Subject Matter

1. The Controller entrusts the Processor with the processing of personal data of Drivers (employees and contractors of the Controller) to the extent necessary to provide the Aroute Platform services.
2. The Processor undertakes to process the entrusted personal data only for the purpose and scope specified in this Agreement and in accordance with the Controller's instructions.
3. The Processor processes data on behalf of the Controller pursuant to Article 28 of the UK GDPR and in compliance with the Data Protection Act 2018.

§4. Scope of Entrusted Data

4.1. Categories of Data Subjects

• Drivers (employees and contractors of the Organisation)
• Users invited by the Administrator

4.2. Categories of Processed Data

Identification data:

• First and last name
• Work email address
• Profile photo (optional)

Trip data:

• GPS coordinates (route start/end)
• GPS checkpoints containing: latitude and longitude, altitude, instantaneous speed, heading, GPS accuracy, timestamp
• Addresses (start/end)
• Timestamps (start/end)
• Trip distance
• Speed (maximum, average)
• Vehicle odometer reading
• Trip purpose
• Trip type (business/private)

Private vehicle data:

• Registration number
• Make and model
• Engine capacity
• Vehicle type

Reimbursement data:

• Reimbursement claim amounts
• Billing periods
• Approval status

Technical data:

• Working hours and days (for auto-trip feature)
• Language preferences
• Consent settings (location, marketing)

4.3. Special Categories of Data

The Processor does not process special categories of personal data within the meaning of Article 9 of UK GDPR.

§5. Purpose of Processing

The Processor processes entrusted data only for the purpose of:

1. Recording and documenting business and private trips
2. Generating Vehicle Mileage Log reports (for company vehicles) and Reimbursement Summary reports (for private vehicles)
3. Processing reimbursement claims for private vehicles
4. Visualising data on the fleet map (paid feature)
5. Detecting mileage gaps and discrepancies
6. Automatic trip detection (auto-trip)
7. Exporting data to Excel and PDF formats
8. Providing iOS mobile application functionality
9. Sending invitations to Drivers
10. Technical support and user assistance

§6. Processor Obligations

The Processor undertakes to:

6.1. Compliance with Regulations

• Process data in accordance with UK GDPR, Data Protection Act 2018, and other applicable UK regulations
• Process data only on documented instructions from the Controller
• Immediately inform the Controller if an instruction violates applicable law

6.2. Confidentiality

• Ensure that persons authorised to process data have committed to confidentiality
• Process data only through trained personnel

6.3. Security

Implement appropriate technical and organisational measures ensuring data security, including:

• Data encryption in transit (TLS/HTTPS)
• Data encryption at rest
• Password hashing (bcrypt)
• Row-Level Security (RLS) at database level
• Role-based access control (RBAC)
• Webhook signature verification
• Regular security updates

6.4. Sub-processing

• Use sub-processors only under conditions specified in §7
• Ensure that sub-processors meet UK GDPR requirements

6.5. Assistance to Controller

• Assist in fulfilling data subject rights
• Assist in ensuring compliance with Articles 32-36 UK GDPR (security, DPIA, consultations)
• Provide information necessary to demonstrate compliance

6.6. Data Breaches

• Promptly (no later than 24 hours) notify the Controller of any data breach
• Document breaches and remedial actions taken

§7. Sub-processors (Further Entrustment)

7.1. Consent to Sub-processing

The Controller grants general consent for the Processor to use sub-processors listed in §7.3.

7.2. Obligations Towards Sub-processors

The Processor undertakes to:

• Enter into a data processing agreement with each sub-processor
• Ensure that sub-processors meet requirements no less than those specified in this Agreement
• Bear full responsibility for sub-processor actions

7.3. List of Sub-processors

7.4. Changes to Sub-processor List

1. The Processor will notify the Controller of the intention to add or change a sub-processor with 30 days' advance notice by email to the Organisation's billing address.
2. The Controller may object to a new sub-processor within 14 days of notification. Lack of objection means acceptance.
3. In case of justified objection, the parties will negotiate to find a solution. If no solution is reached, the Controller may terminate the agreement effective at the end of the current billing period.

§8. International Data Transfers

8.1. Transfers to EU/EEA

Transfers to EU/EEA countries are permitted as the EU/EEA is recognised as providing adequate protection under UK adequacy regulations.

8.2. Transfers to USA

Some sub-processors process data in the USA. Transfers are secured through:

• UK International Data Transfer Agreement (IDTA)
• UK Addendum to EU Standard Contractual Clauses (SCC)
• UK Extension to EU-US Data Privacy Framework (where applicable)

8.3. Sub-processors in Third Countries

§9. Data Subject Rights

9.1. Assistance in Fulfilling Rights

The Processor undertakes to assist the Controller in fulfilling data subject rights under Art. 15-21 UK GDPR:

9.2. Response Time

The Processor will respond to Controller requests regarding data subject rights within 10 business days.

§10. Audit and Verification

10.1. Right to Audit

The Controller has the right to verify Processor compliance with this Agreement through:

• Requesting written information and documentation
• Conducting an audit (with 30 days' advance notice, during business hours)

10.2. Audit Costs

Audit costs are borne by the Controller, unless the audit reveals significant violations – in which case costs are borne by the Processor.

10.3. Audit Confidentiality

Audit results are confidential and may not be disclosed to third parties without Processor consent.

§11. Term and Termination

11.1. Term

This Agreement remains in effect for the entire period of the Controller's use of the Aroute Platform.

11.2. Termination

The Agreement terminates:

• Upon subscription end and expiration of the grace period (90 days for voluntary cancellation or 30 days for non-payment)
• Upon termination of the Terms of Service
• By mutual agreement of the parties

11.3. Data Handling After Termination

1. After Agreement termination, the Processor will:
   • Enable data export in CSV and PDF formats during the grace period
   • Delete personal data after the grace period expires
   • Retain data required by law (e.g., invoice data – 5 years from end of tax year per Polish tax law). UK customers should retain their copies for 6 years per HMRC requirements.
2. Upon Controller request, the Processor will provide a data deletion certificate.

11.4. Platform Discontinuation

1. In case of Platform discontinuation by the Processor, the Controller will be notified with at least 90 days' advance notice.
2. During the notice period, the Controller will be able to export all data.
3. After the notice period expires, data will be permanently deleted, except for data subject to mandatory legal retention.

§12. Liability

12.1. Processor Liability

The Processor is liable for damages resulting from data processing in violation of this Agreement or UK GDPR provisions.

12.2. Limitation of Liability

The total liability of the Processor is limited to the sum of subscription fees paid by the Controller in the 12 months preceding the event, unless the damage results from gross negligence or intentional misconduct.

12.3. Liability for Sub-processors

The Processor is liable for acts and omissions of sub-processors as for its own acts.

12.4. Exclusions

Nothing in this Agreement shall limit or exclude liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) any other liability that cannot be limited or excluded by applicable law.

§13. Agreement Amendments

1. The Processor may introduce changes to this Agreement with 30 days' advance notice.
2. The Controller will be notified of changes by email.
3. Continued use of the Platform after changes take effect constitutes acceptance of the amended Agreement.
4. If the Controller does not accept the changes, they may terminate the agreement before the changes take effect.

§14. Final Provisions

14.1. Governing Law

This Agreement is governed by and construed in accordance with the laws of England and Wales.

14.2. Dispute Resolution

Any disputes arising from this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.

14.3. Document Hierarchy

In case of conflict between this Agreement and the Terms of Service, the provisions of this Agreement shall prevail regarding personal data protection.

14.4. Severability

If any provision of this Agreement is found to be invalid, the remaining provisions shall remain in effect.