Data Processing Addendum (DPA)

Last updated: February 26, 2026

This Data Processing Addendum ("DPA") clarifies the data controller and data processor relationship between you and Auto Fleet Checker under UK GDPR and applicable data protection laws.

1. Definitions

• Data Controller: You (the customer/DSP using the Service)
• Data Processor: Auto Fleet Checker ("we", "us", "our")
• Personal Data: Any data relating to identified or identifiable individuals processed through the Service

2. Roles and Responsibilities

You are the Data Controller

As the Data Controller, you:

• Determine the purposes and means of processing personal data
• Have the right to upload and process data through the Service
• Are responsible for ensuring you have lawful basis for processing
• Are responsible for informing drivers, staff, and other data subjects about data processing
• Must obtain necessary consents and permissions
• Are responsible for data subject rights requests

We are the Data Processor

As the Data Processor, we agree to:

• Process data only on your instructions and for the purposes of providing the Service
• Use data only to provide, maintain, and improve the Service
• Not use data for any other purpose without your consent
• Not sell, rent, or otherwise monetize your data
• Not misuse or access data except as necessary to provide the Service
• Implement reasonable technical and organizational security measures
• Assist you in responding to data subject rights requests where reasonably possible
• Notify you of any data breaches affecting your data (where required by law)

3. Processing Instructions

We will process your data only:

• As necessary to provide the Service (photo storage, analysis, comparison)
• As instructed by you through your use of the Service
• As required by applicable law

4. Security Measures

We implement reasonable security measures including:

• Encryption of data in transit (HTTPS)
• Access controls and authentication
• Secure password storage (hashing)
• Regular security updates
• Secure database and file storage

However, no system is 100% secure. You acknowledge that you use the Service at your own risk.

5. Sub-Processors

We may use third-party sub-processors to provide the Service, including:

• Hosting providers: For server infrastructure and data storage
• Database providers: Supabase (PostgreSQL) for data storage
• AI service providers: OpenAI (for optional AI-assisted photo validation)

We ensure sub-processors are bound by similar data protection obligations. See our Privacy Policy for details on third-party services.

6. Data Subject Rights

As the Data Controller, you are responsible for:

• Responding to data subject rights requests (access, rectification, erasure, etc.)
• Obtaining necessary consents from data subjects
• Providing privacy notices to data subjects

We will assist you in responding to such requests where reasonably possible and where required by law.

7. Data Retention

Data is retained while your account is active. You may request deletion of your data at any time. Upon account closure or deletion request, we will delete your data within a reasonable timeframe, subject to legal retention requirements.

8. Data Breaches

In the event of a data breach affecting your data, we will:

• Notify you as soon as reasonably possible
• Provide details of the breach and affected data
• Take reasonable steps to mitigate the breach
• Comply with applicable breach notification requirements

9. International Transfers

Your data may be processed and stored in locations outside the UK/EEA, including by sub-processors. We ensure appropriate safeguards are in place for such transfers, including:

• Standard contractual clauses where applicable
• Compliance with applicable data protection laws

10. Termination

Upon termination of the Service:

• You may export your data
• We will delete your data within a reasonable timeframe (subject to legal retention requirements)
• This DPA will continue to apply to data processed prior to termination

11. Incorporation into Terms

This DPA forms part of the Terms of Service. By using the Service, you agree to this DPA.

12. Contact

For questions about data processing:

[YOUR COMPANY NAME]
[YOUR CONTACT EMAIL]