Data Processing Agreement

This Data Processing Agreement outlines our responsibilities as a data processor under GDPR for each organization.

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Use between FleetFlow B.V. (i.o.) ("FleetFlow", "Processor") and the organization using our services ("Customer", "Controller") and governs the processing of personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Effective Date: 14-06-2025
Last Updated: 14-06-2025

1. Definitions

  • "Controller" means the Customer organization that determines the purposes and means of processing personal data
  • "Processor" means FleetFlow, which processes personal data on behalf of and according to the instructions of the Controller
  • "Personal Data" has the meaning given in Article 4(1) of the GDPR
  • "Processing" has the meaning given in Article 4(2) of the GDPR
  • "Data Subject" has the meaning given in Article 4(1) of the GDPR
  • "Subprocessor" means any processor engaged by FleetFlow to assist in fulfilling its obligations under this DPA
  • "Services" means the FleetFlow platform, API, SDK, and related services

2. Scope and Purpose of Processing

2.1 Subject Matter and Nature of Processing

FleetFlow processes personal data to provide vehicle fleet management, customer support, and related services through our platform.

2.2 Purpose of Processing

  • Vehicle fleet management and tracking
  • Customer support and service ticket management
  • End-user account management
  • Service and maintenance record keeping
  • Analytics and reporting (as instructed by Controller)
  • White-label application functionality

2.3 Categories of Personal Data

  • Contact information (names, email addresses, phone numbers)
  • Account credentials and authentication data
  • Vehicle identification data (VIN numbers, serial numbers)
  • Location data (GPS coordinates, ride routes)
  • Usage data (ride history, performance metrics)
  • Service records (maintenance history, support tickets)
  • Communication records (chat logs, support interactions)

2.4 Categories of Data Subjects

  • End customers of Controller (vehicle owners, lessees)
  • Test riders and potential customers
  • Service technicians and support staff
  • Controller's employees and authorized users

3. Duration of Processing

FleetFlow will process personal data for the duration of the service agreement between the parties, plus an additional period of thirty (30) days for data deletion or return, unless otherwise required by law or instructed by the Controller.

4. Processor Obligations

4.1 Processing Instructions

  • FleetFlow will process personal data only according to documented instructions from the Controller
  • The Controller's use of the Services constitutes documented instructions
  • FleetFlow will immediately inform the Controller if instructions appear to violate applicable data protection laws

4.2 Confidentiality

  • FleetFlow ensures that persons authorized to process personal data have committed themselves to confidentiality
  • All staff undergo regular data protection training
  • Access to personal data is limited to authorized personnel on a need-to-know basis

4.3 Security Measures

FleetFlow implements appropriate technical and organizational measures to ensure security of processing, including:

  • Encryption of personal data in transit and at rest using industry-standard protocols
  • Regular security assessments and penetration testing
  • Access controls and multi-factor authentication
  • Secure development practices and code reviews
  • Regular backup procedures and disaster recovery plans
  • Physical security measures for data centers and facilities
  • Employee background checks and security training

5. Subprocessors

5.1 General Authorization

The Controller provides general authorization for FleetFlow to engage subprocessors, subject to the conditions in this section.

5.2 Current Subprocessors

| Subprocessor | Service | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | Europe (Frankfurt, Ireland) |
| OpenAI | AI-powered FAQ assistant | United States |
| Cloudflare | CDN and security services | Global network |

5.3 Subprocessor Changes

  • FleetFlow will provide at least 30 days' notice before adding or changing subprocessors
  • If Controller objects to a new subprocessor, parties will work together to find an alternative solution
  • If no alternative can be found, Controller may terminate the affected services

6. Data Subject Rights

  • FleetFlow will assist the Controller in responding to data subject requests within 30 days
  • FleetFlow provides technical and organizational measures to facilitate data subject rights
  • The Controller is responsible for handling data subject requests and determining their validity
  • FleetFlow will not respond directly to data subjects unless authorized by the Controller
  • Additional charges may apply for extensive assistance with data subject requests

7. Personal Data Breach Notification

7.1 Notification Timeline

  • FleetFlow will notify the Controller of any personal data breach within 48 hours of becoming aware
  • Initial notification may be provided by phone or email, followed by written documentation
  • FleetFlow will provide all information reasonably necessary for Controller's own notification obligations

7.2 Breach Information

Breach notifications will include, where possible:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. International Data Transfers

8.1 Transfer Mechanisms

When personal data is transferred outside the European Economic Area (EEA), FleetFlow ensures appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for certain countries
  • Additional technical and organizational measures as required
  • Binding Corporate Rules (where applicable)

8.2 Transfer Impact Assessment

FleetFlow conducts Transfer Impact Assessments (TIAs) for transfers to countries without adequacy decisions, implementing supplementary measures where necessary to ensure an essentially equivalent level of protection.

9. Data Protection Impact Assessment

  • FleetFlow will assist the Controller with Data Protection Impact Assessments when requested
  • FleetFlow will provide information about security measures and processing activities
  • Assistance with DPIAs may be subject to additional fees for extensive work

10. Audits and Inspections

  • FleetFlow will make available to the Controller all information necessary to demonstrate compliance
  • FleetFlow submits to audits by the Controller or an authorized third-party auditor
  • Audit requests must be reasonable and provided with reasonable notice
  • FleetFlow may charge reasonable fees for extensive audit assistance
  • Security certifications and compliance reports may be provided in lieu of on-site audits

11. Data Return and Deletion

11.1 End of Processing

  • Upon termination of services, FleetFlow will return or delete all personal data within 30 days
  • Controller may choose to receive data in a structured, commonly used format
  • FleetFlow will provide certification of deletion upon request

11.2 Legal Requirements

Data may be retained longer if required by applicable law. FleetFlow will inform the Controller of any such requirements and will continue to protect the data according to this DPA.

12. Liability and Indemnification

  • Each party is liable for damages caused by its processing in violation of GDPR obligations
  • FleetFlow is liable only for damages caused by its failure to comply with GDPR obligations specific to processors
  • Liability is subject to the limitations set forth in the main service agreement
  • FleetFlow will assist Controller in responding to regulatory investigations

13. Governing Law and Jurisdiction

This DPA is governed by the laws of the Netherlands and any disputes shall be resolved in the courts of Amsterdam, the Netherlands. This DPA does not affect the rights of data subjects under applicable data protection laws.

14. Contact Information

FleetFlow Data Protection Contact:
FleetFlow B.V. (i.o.)
Hazelaarlaan 13, 2267BH Leidschendam
Email: privacy@fleetflow.io
DPO: To be appointed as needed

Controller Contact Information:
Controller contact details are maintained separately as part of the Controller's FleetFlow service agreement.

15. Updates to this DPA

FleetFlow may update this DPA to reflect changes in law or business practices. Material changes will be communicated to Controllers with at least 30 days' notice. Continued use of the Services after such notice constitutes acceptance of the updated DPA.