This Data Processing Agreement outlines our responsibilities as a data processor under GDPR and other Applicable Data Protection Law for each organization.
Introduction
This Data Processing Agreement ("DPA") forms part of—and is subject to—the FleetFlow Terms of Use (the "Main Agreement") between FleetFlow B.V. (i.o.) ("FleetFlow", "Processor") and the organization using our services ("Customer", "Controller"). It governs Processor's handling of Personal Data under the General Data Protection Regulation (EU) 2016/679 (GDPR) and any other Applicable Data Protection Law.
Effective Date: 14-06-2025
Last Updated: 01-07-2025
1. Definitions
"Applicable Data Protection Law" means the GDPR and any other data-protection or privacy law that applies to the Processing, including the UK GDPR, Swiss FADP and comparable US state privacy statutes.
"Controller" means the Customer organization that determines the purposes and means of Processing Personal Data.
"Processor" means FleetFlow, which Processes Personal Data on behalf of and according to the instructions of the Controller.
"Personal Data" has the meaning given in Article 4(1) GDPR and includes any data received via third-party integrations (e.g. Shopify, payment providers) as configured by Controller.
"Processing" has the meaning given in Article 4(2) GDPR.
"Data Subject" has the meaning given in Article 4(1) GDPR.
"Sub-processor" means any Processor engaged by FleetFlow to assist in fulfilling its obligations under this DPA.
"Services" means the FleetFlow platform, API, SDK and related services.
2. Scope and Purpose of Processing
2.1 Subject Matter & Nature of Processing
FleetFlow Processes Personal Data in order to provide the Services, which include vehicle and asset management functionality, telemetry ingestion and analytics, supply-chain and dealer tooling, commerce workflows, support tooling and related integrations chosen by Controller. Processor does not knowingly process special categories of Personal Data (Art. 9 GDPR) or Personal Data relating to children under 16; Controller shall not supply such data.
2.2 Purpose of Processing
Vehicle and asset management (GPS, speed, battery and other telemetry where available).
Spare-parts and dealer-order management, including component/serial-number tracking.
Test-ride scheduling and sales-cycle activities (quotations, orders, payments).
Order, payment and invoicing workflows, including transaction history.
Integrations with Controller-selected third-party systems (e-commerce, ERP, payment processors, authentication providers).
End-user profile management via the FleetFlow SDK embedded in Controller apps.
Customer support, AI-assisted FAQ and service-ticket/conversation management.
Analytics and reporting strictly on Controller-supplied data.
Service and maintenance record keeping.
Any other Processing reasonably necessary to provide, secure and improve the Services, as described in Annex A (Processing Activities).
2.3 Categories of Personal Data
Contact information (names, email addresses, phone numbers).
Authentication credentials and account identifiers.
Vehicle identifiers (VIN, licence plate, serial numbers, component serial numbers).
Usage data (ride history, performance metrics, application logs).
Billing and payment information (order references, invoice data, payment tokens - no full card PANs processed).
Test-ride booking details (preferred date/time, store location, vehicle model).
Push-notification tokens and related device identifiers.
Service records (maintenance history, support tickets).
Communication records (chat logs, customer-service threads).
2.4 Categories of Data Subjects
End customers of Controller (vehicle owners, lessees).
Prospective customers booking test rides, drivers, riders and testers.
Service technicians, dealer staff and support personnel.
Controller's employees and other authorized users.
3. Duration of Processing
FleetFlow will Process Personal Data for the term of the Main Agreement plus an additional thirty (30) days to allow for Data return or deletion unless a longer period is required by law or instructed by Controller.
Unless otherwise agreed, raw telemetry and application logs are retained for twelve (12) months from the date of collection and are then permanently deleted or irreversibly anonymised.
4. Processor Obligations
4.1 Processing Instructions
Processor will Process Personal Data only on documented instructions from Controller.
Controller's use of the Services constitutes such instructions.
Processor will promptly inform Controller if an instruction appears to violate Applicable Data Protection Law.
4.2 Confidentiality
All persons authorized to Process Personal Data are bound by confidentiality obligations.
Personnel receive regular privacy and security training.
Access is limited to individuals with a legitimate need to know.
4.3 Security Measures
Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Encryption of Personal Data in transit (e.g. TLS ≥ 1.3) and at rest (AES-equivalent strength) or superseding industry standards.
Regular vulnerability assessments and penetration testing.
Role-based access controls and multi-factor authentication.
Secure software-development lifecycle and peer code reviews.
Routine backups and disaster-recovery plans.
Physical security at data-center facilities.
Background checks for relevant personnel.
5. Sub-processors
5.1 General Authorization
Controller grants Processor a general authorization to engage Sub-processors provided that Processor: (i) imposes data-protection terms that are no less protective than those set out in this DPA, and (ii) remains liable for each Sub-processor's performance.
5.2 Current Sub-processors
Sub-processor | Service | Location
Amazon Web Services (AWS) | Cloud hosting & infrastructure | EU (Frankfurt, Ireland)
OpenAI | AI-powered FAQ assistant (no-training API) | United States
Cloudflare | CDN & security services | Global network
5.3 Sub-processor Changes
Processor will post notice of any intended new Sub-processor on its Trust-Center web page and notify Controller via email at least thirty (30) days in advance.
If Controller objects on reasonable grounds, the parties will discuss an alternative; if no solution is found, Controller may terminate the affected Services.
6. Data-Subject Rights
Processor will assist Controller to respond to Data-Subject requests within thirty (30) days.
Controller may submit requests via its admin portal or by email to privacy@fleetflow.io.
Routine assistance is free of charge; extensive or repetitive requests may incur reasonable administrative fees.
Processor will not respond directly to Data Subjects unless authorized by Controller or required by law.
7. Personal Data Breach Notification
7.1 Notification Timeline
Processor will notify Controller without undue delay, and in any event within forty-eight (48) hours after becoming aware of a Personal Data Breach.
Initial notice may be made by phone or email, followed by written documentation.
Processor will provide all information reasonably necessary for Controller's own notification obligations.
7.2 Breach Information
Breach notifications will include, where feasible:
Description of the nature of the breach.
Categories and approximate number of affected Data Subjects and records.
Likely consequences of the breach.
Measures taken or proposed to address the breach.
8. International Data Transfers
8.1 Transfer Mechanisms
When Personal Data is transferred outside the European Economic Area, Processor ensures appropriate safeguards, including:
Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions for certain destinations.
EU-US Data Privacy Framework for transfers to certified US entities, or SCCs with supplementary measures if the framework becomes invalid.
Additional technical and organizational measures where required.
Binding Corporate Rules, where applicable.
8.2 Transfer Impact Assessment
Processor conducts Transfer Impact Assessments (TIAs) for transfers to countries without adequacy decisions and will provide a summary TIA to Controller upon request.
9. Data-Protection Impact Assessment
Processor will assist Controller with Data-Protection Impact Assessments when reasonably requested.
Processor will provide information on security measures and Processing activities.
Extensive assistance may be subject to reasonable fees.
10. Audits and Inspections
Processor will make documentation necessary to demonstrate compliance available to Controller.
Processor maintains ISO 27001 (target 2025) and, upon request, will provide certificates, SOC 2 Type II reports or a completed CAIQ questionnaire.
On-site audits are permitted only if documentation proves insufficient and must be scheduled with reasonable notice.
Processor may charge reasonable fees for extensive audit assistance.
11. Data Return and Deletion
11.1 End of Processing
Upon termination of the Services, Processor will return or delete all Personal Data within thirty (30) days, at Controller's choice.
Controller may receive the data in a structured, commonly used, machine-readable format.
Back-up copies stored in immutable archives will be overwritten in the ordinary course of Processor's backup cycle (currently ≤ 35 days).
Processor will provide a PDF certificate of deletion upon written request.
11.2 Legal Requirements
Data may be retained for a longer period if required by Applicable Data Protection Law. Processor will inform Controller of any such requirement and will continue to protect the data in accordance with this DPA.
12. Liability and Indemnification
Each party is liable for damages caused by Processing that infringes Applicable Data Protection Law.
Processor is liable only for damage caused by Processing where it has not complied with its obligations as a Processor.
Any limits of liability set out in the Main Agreement apply equally to this DPA.
Processor will support Controller in responding to regulatory investigations related to the Services.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of the Netherlands, and any disputes shall be submitted to the courts of Amsterdam, the Netherlands. Nothing in this clause affects the rights of Data Subjects under Applicable Data Protection Law.
14. Contact Information
FleetFlow Data-Protection Contact:
FleetFlow B.V. (i.o.)
Hazelaarlaan 13, 2267BH Leidschendam
Email: privacy@fleetflow.io
DPO: To be appointed as needed
Controller Contact Information: Controller contact details are maintained separately as part of the Controller's FleetFlow service agreement.
15. Updates to this DPA
Processor may update this DPA to reflect changes in law or business practice. Material changes will be communicated to Controllers at least thirty (30) days in advance. Continued use of the Services after such notice constitutes acceptance of the updated DPA.