Data Processing Agreement

BETWEEN: The Fleetworks Software Company Limited, a private limited company registered in England with number 12235444 (the “Data Processor”) AND Each individual Fleetworks Customer that Fleetworks processes data for and that has not otherwise entered into a valid data processor agreement with Fleetworks (the “Data Controller”) (hereinafter referred to individually as a “Party” or together as the “Parties”)
1. INTRODUCTION

     This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations, which arise from the Data Processor’s processing of personal data on behalf of the Data Controller under the quote, service agreement or other agreement between the Parties (“the Agreement”). The DPA is adopted as an appendix to the Agreement. In the event that any provision of this DPA is inconsistent with any term(s) of the Agreement, the DPA will prevail.

2. PURPOSE, SCOPE AND RESPONSIBILITIES

     2.1 The Data Processor shall only process personal data in accordance with the terms of this DPA.

     2.2 The Data Processor shall process personal data for the limited purpose of performing the obligations set out under the Agreement. Data may, for that purpose, be processed by any of the Data Processor’s entities.

     2.3 Data processing by the Data Processor shall include such actions as may be specified in the Agreement.

     2.4 The term of this DPA shall continue until the later of the following: the termination of the Agreement, or the date at which the Data Processor ceases to process personal data for the Data Controller.

     2.5 The personal data to be processed by the Supplier concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Exhibit 1.

     2.6 With the exception of the data described in Exhibit 1, in no event will the data processed by the Data Processor include (examples are not exhaustive): i) Personal data as set out in art. 9 or 10 in Regulation 2016/679 of 27 April 2016 of UK GDPR, ii) Financial data, iii) Personal data regarding criminal offenses, or iv) Data regarding persons’ economy, taxes, debt, sick days, family relations, residential circumstances, car, personality tests, exams or CVs.

3. FLEETWORKS WEBAPP

     3.1. The Agreement enables the Data Controller to access and use the “Fleetworks Webapp”, a software tool developed by the Data Processor. “Fleetworks” enables the Data Controller’s employees (with admin-access) to upload information without the Data Processor’s participation or knowledge.

     3.2. The Data Processor undertakes no responsibility for the quality or accuracy of the data uploaded by the Data Controller in the “Fleetworks Webapp”.

     3.3. To the extent that such upload of data constitutes processing of personal data, the Data Controller warrants: i) that the Data Controller has the relevant legal basis for having and processing the personal data, including, if applicable, the relevant permissions from the data subject.
     3.3. If the transfer involves sensitive categories of data, the data subject has been informed or will be informed before the transfer, or as soon as possible after, that its data could be transmitted to a third country not providing adequate protection within the meaning of the Data Protection Legislation.


4. OBLIGATIONS OF THE DATA PROCESSOR
The Data Processor warrants that the Data Processor will:

i) comply with the Data Protection Legislation from time to time applicable to the Data Processor’s obligations under the Agreement (“Data Protection Legislation”),

ii) process any personal data transferred to or collected by the Data Processor only as a ‘processor’, as such terms are defined in the Data Protection Legislation, on behalf of the Data Controller,

iii) implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the applicable Data Protection Legislation and ensure the protection of the rights of the data subjects,

iv) ensure that Sub-processors undertake to process personal data in accordance with the Data Protection Legislation,

v) taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures, in so far as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights according to the Data Protection Legislation,

vi) to a relevant extent assist the Data Controller in ensuring compliance with the requirements for security of personal data,

vii) make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections to facilities under the control of the Data Processor, conducted by the Controller or an auditor mandated by the Controller.

5. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

     5.1. The Data Processor will implement and maintain throughout the term of the DPA and will procure its Sub-processors to implement and maintain through the term of the DPA, the appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, damage or alteration and against unauthorized disclosure, abuse or other processing in violation of the requirements of Data Protection Legislation.

     5.2. The Data Processor will ensure that it and its Sub-processors involved in the processing of personal data at all times comply with the minimum data security requirements set out in Exhibit 2.

6. PERSONNEL

     6.1. The Data Processor will procure that any personnel of the Data Processor required to access personal data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.

     6.2. The Data Processor will procure that all personnel of the Data Processor required to access personal data are informed of the confidential nature of the personal data and the security procedures applicable to the processing of or access to the personal data.

     6.3. The Data Processor’s personnel’s undertaking to abide by such confidentiality requirements will continue after the end term of this DPA.

7. ASSISTANCE TO THE DATA CONTROLLER

    7.1 The Data Processor shall provide reasonable and timely assistance to Data Controller to enable Data Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, inquiry or complaint is made directly to Data Processor, Data Processor shall inform Data Controller providing full details of the same within 72 hours or by the end of the third working day, whichever is longer.
    
     7.2 The Data Processor shall provide Data Controller with reasonable cooperation to enable Data Controller to conduct any data protection impact assessment that it is required to undertake under Applicable Data Protection Law.

8. SUB-PROCESSORS

     8.1. The Data Processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a Sub-processor).

     8.2. With this DPA, the Data Processor has the Data Controller’s general authorisation for the engagement of Sub-processors for the purpose of performing the obligations set out under the Agreement. The Sub-processors, approved by the Data Controller by the signing of this DPA, are listed in Exhibit 3. The Data Processor shall:

i) maintain an up-to-date list of its Sub-processors on the Data Processor’s website at https://www.fleetworks.co/ (or any future website used by the Data Processor);

ii) update with details of any change in Sub-processors at least 30 days prior to any such change (except to the extent a 30 days’ notice is not possible due to an emergency) and notify the Data Controller of such change via the Data Processor’s usual e-mail notification process;

iii) provide a copy upon request of the data processing agreement(s) between the Data Processor and the Sub-processors at any given time to the Data Controller.

     8.3. The Data Controller may object to such new Sub-processor for justified reasons relating to data protection. In the case of a justified objection, the Parties shall negotiate in good faith to find an alternative solution. If such alternative solution cannot be found and the Data Processor decides to proceed with such Sub-processor, the Data Controller can terminate the Agreement with a notice of 30 days. Neither of the Parties shall be considered in breach of contract in the event of such termination.

9. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

     9.1. Any transfer of personal data to third countries or international organizations by the Data Processor shall only occur on the basis of documented instructions from the Data Controller and shall always take place in compliance with Chapter V GDPR.

     9.2. If any Data Controller Data originates from any country (other than an EEA country) with one or more laws imposing data transfer restrictions or prohibitions and Data Controller has informed Data Processor of such data transfer restrictions or prohibitions, Data Controller and Data Processor shall ensure appropriate transfer mechanism (satisfying the country’s data transfer requirement(s)) is in place, as reasonably requested by Data Controller and mutually agreed upon by both Parties, before transferring or accessing Data Controller’s Data outside of such country. For the avoidance of doubt, this transfer restriction does not pertain to Data Controller or its Affiliates’ Authorized Users who have access to the Software and Data Controller Data, and Data Processor shall not be held responsible for actions of Data Controller or its Affiliates’ Authorized Users. Neither Data Controller nor its Authorized Users shall be entitled to use the Software or Subscription Services in any country with data localization laws that would require Data Controller’s environment to be hosted in said country.

10. OBLIGATIONS OF THE DATA CONTROLLER

     10.1. The Data Controller and the Data Processor will be separately responsible for conforming with the Data Protection Legislation as applicable to them.

     10.2. The Data Controller shall be responsible, among others, for ensuring that the processing of personal data, which the Data Processor is instructed to perform, has a legal basis.

     10.3. The Data Controller will inform the Data Processor in writing without undue delay following the Data Controller’s discovery of a failure to comply with Data Protection Legislation with respect to processing of personal data in accordance with this DPA.

     10.4. The Data Controller shall be responsible for providing accurate and relevant contact details after entering into the Agreement and thereafter to assist in Data Processor’s notification obligations.

11. NOTIFICATION OF DATA BREACH
     11.1. The Data Processor shall without undue delay, and no later than 36 hours, in writing, notify the Data Controller in case of any identified or potential breach of personal data processed under the DPA.

     11.2. The notification referred to in section 10.1. must, to the extent possible:

i) describe the nature of the personal data breach including where possible (e.g., loss, theft, copying), the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,

ii) communicate the name and contact details of the person with the Data Processor where more information can be obtained,

iii) describe the likely consequences of the personal data breach, and

iv) describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

12. ADDITIONAL ASSIGNMENTS

     12.1. The Data Processor shall carry all costs associated with compliance of this DPA in its capacity as Data Processor.

     12.2. The Data Controller shall carry all costs associated with compliance of this DPA in its capacity as Data Controller.

     12.3. In respect of tasks of the Data Processor, that are not an obligation under this DPA, cf. the sections above, the Data Processor shall be entitled to charge the Data Controller for the additional resources, time and material necessary to fulfil the required task(s), unless such services are already included in the services rendered under the Agreement.

     12.4. The Data Processor will notify the Data Controller in advance of such additional charges and, to the extent possible, provide the Data Controller with a quote of the expected costs.

     12.5. If the Data Controller cannot agree to the costs, the Data Processor shall be entitled not to perform the additional assignment and to terminate the Agreement with a notice of 30 days. The Data Processor shall not be considered in breach of contract in this event.

13. DELETION AND RETURN OF PERSONAL DATA

     13.1. Following the end term or termination of the Agreement, the Data Processor shall (at Data Controller’s election) destroy or return to Data Controller all Data in its possession or control. The Data Processor reserves the right after 90 days to delete personal data from all locations when the Data Controller has not elected either option. This requirement shall not apply to the extent that Data Processor is required by applicable law to retain some or all of the Data.

     13.2. Upon the Data Controller’s request, the Data Processor shall certify in writing the destruction of the personal data.

14. LIABILITY

     14.1. Each party’s liability for one or more breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. In no event shall either party’s liability for a breach of this DPA exceed the liability cap set out in the Agreement. Neither party limits nor excludes any liability that cannot be limited or excluded under applicable law (such as for fraud).

15. LEGAL VENUE AND APPLICABLE LAW

     15.1. This DPA shall be governed by the laws of England and Wales.

     15.2. Any claim or dispute arising from or in connection with the Data Processing Agreement must be settled by the courts of England as first instance.

16. SIGNATURES

     Signed for and on behalf of the Data Processor
     Date: 18th February 2021
     Name: Marc Lee
     Title: Managing Director

EXHIBIT 1: INFORMATION ABOUT THE PROCESSING

     1. The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is: The Data Processor is a software development company, assigned by the Data Controller to make available to the Data Controller software as a service for supporting the management of their vehicle fleet. The content of this DPA reflects the limited amount of personal data the Data Processor handles for the Data Controller.

     2. The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing): Processing of traffic violations/fines including reassignment, creating and processing chargeback defences, the notification of unpaid invoices and ad-hoc fleet management functions using the Data Processor’s software as a service delivery system.

     3. The processing includes the following types of personal data about data subjects: Name, e-mail address, address. Processing will usually include presenting the evidence of responsibility for the vehicle that committed the offence. This will usually take the form of a written contract such as a rental agreement, lease agreement, contract hire document or other recognisable supply agreement, as required by the supplier of the vehicle. This document could include personal data required to hire, lease or acquire authorised use of the vehicle. This might include the following details of the nominated driver or any additional named drivers: full name, permanent address, date of birth, driving licence number, country of issue of driving licence, expiry date of licence, passport or other identification document number, expiry date of passport or identification document, country of issue of passport or identification document.

     4. The processing includes the following type of special categories of data about data subjects: None.

     5. Processing includes the following categories of data subject: Data Controller’s customers.

     6. The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when instructed in accordance with the Agreement. Processing has the following duration: Fleetworks will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

EXHIBIT 2: DESCRIPTION OF MINIMUM DATA SECURITY

     Technical and organizational measures baseline

     1. Physical Access Controls: Data Processor shall take reasonable measures to prevent physical access, such as secured buildings, to prevent unauthorized persons from gaining access to personal data.

     2. System Access Controls: Data Processor shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.

     3. Data Access Controls: Data Processor shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access; and, that personal data cannot be read, copied, modified or removed without authorization in the course of processing. The Data Processor shall take reasonable measures to implement an access policy under which access to its system environment, to personal data and other data is by authorized personnel only.

     4. Transmission Controls: Data Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

     5. Input Controls: Data Processor shall take reasonable measures to provide that it is possible to check and establish whether and by whom personal data has been entered into data processing systems, modified or removed. Data Processor shall take reasonable measures to ensure that

(i) the personal data source is under the control of data exporter; and

(ii) personal data integrated into Data Processor’s systems is managed by secured file transfer from the Data Processor and data subject.

EXHIBIT 3: AUTHORISED SUB-PROCESSORS

Microsoft Azure, Inc., Cloud Service Provider, Ireland
SendGrid, Inc., Email service provider for email authentication, The Netherlands


Updated 15th May 2024. Grammar change. No technical adjustment.

, the data subject has been informed or will be informed before the transfer, or as soon as possible after, that its data could be transmitted to a third country not providing adequate protection within the meaning of the Data Protection Legislation.


4. OBLIGATIONS OF THE DATA PROCESSOR
The Data Processor warrants that the Data Processor will:

i) comply with the Data Protection Legislation from time to time applicable to the Data Processor’s obligations under the Agreement (“Data Protection Legislation”),

ii) process any personal data transferred to or collected by the Data Processor only as a ‘processor’, as such terms are defined in the Data Protection Legislation, on behalf of the Data Controller,

iii) implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the applicable Data Protection Legislation and ensure the protection of the rights of the data subjects,

iv) ensure that Sub-processors undertake to process personal data in accordance with the Data Protection Legislation,

v) taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures, in so far as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights according to the Data Protection Legislation,

vi) to a relevant extent assist the Data Controller in ensuring compliance with the requirements for security of personal data,

vii) make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections to facilities under the control of the Data Processor, conducted by the Controller or an auditor mandated by the Controller.

5. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

     5.1. The Data Processor will implement and maintain throughout the term of the DPA and will procure its Sub-processors to implement and maintain through the term of the DPA, the appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, damage or alteration and against unauthorized disclosure, abuse or other processing in violation of the requirements of Data Protection Legislation.

     5.2. The Data Processor will ensure that it and its Sub-processors involved in the processing of personal data at all times comply with the minimum data security requirements set out in Exhibit 2.

6. PERSONNEL

     6.1. The Data Processor will procure that any personnel of the Data Processor required to access personal data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.

     6.2. The Data Processor will procure that all personnel of the Data Processor required to access personal data are informed of the confidential nature of the personal data and the security procedures applicable to the processing of or access to the personal data.

     6.3. The Data Processor’s personnel’s undertaking to abide by such confidentiality requirements will continue after the end term of this DPA.

7. ASSISTANCE TO THE DATA CONTROLLER

    7.1 The Data Processor shall provide reasonable and timely assistance to Data Controller to enable Data Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, inquiry or complaint is made directly to Data Processor, Data Processor shall promptly inform Data Controller providing full details of the same.

     7.2 The Data Processor shall provide Data Controller with reasonable cooperation to enable Data Controller to conduct any data protection impact assessment that it is required to undertake under Applicable Data Protection Law.

8. SUB-PROCESSORS

     8.1. The Data Processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a Sub-processor).

     8.2. With this DPA, the Data Processor has the Data Controller’s general authorisation for the engagement of Sub-processors for the purpose of performing the obligations set out under the Agreement. The Sub-processors, approved by the Data Controller by the signing of this DPA, are listed in Exhibit 3. The Data Processor shall:

i) maintain an up-to-date list of its Sub-processors on the Data Processor’s website at https://www.fleetworks.co/ (or any future website used by the Data Processor);

ii) update with details of any change in Sub-processors at least 30 days prior to any such change (except to the extent a 30 days’ notice is not possible due to an emergency) and notify the Data Controller of such change via the Data Processor’s usual e-mail notification process;

iii) provide a copy upon request of the data processing agreement(s) between the Data Processor and the Sub-processors at any given time to the Data Controller.

     8.3. The Data Controller may object to such new Sub-processor for justified reasons relating to data protection. In the case of a justified objection, the Parties shall negotiate in good faith to find an alternative solution. If such alternative solution cannot be found and the Data Processor decides to proceed with such Sub-processor, the Data Controller can terminate the Agreement with a notice of 30 days. Neither of the Parties shall be considered in breach of contract in the event of such termination.

9. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

     9.1. Any transfer of personal data to third countries or international organizations by the Data Processor shall only occur on the basis of documented instructions from the Data Controller and shall always take place in compliance with Chapter V GDPR.

     9.2. If any Data Controller Data originates from any country (other than an EEA country) with one or more laws imposing data transfer restrictions or prohibitions and Data Controller has informed Data Processor of such data transfer restrictions or prohibitions, Data Controller and Data Processor shall ensure appropriate transfer mechanism (satisfying the country’s data transfer requirement(s)) is in place, as reasonably requested by Data Controller and mutually agreed upon by both Parties, before transferring or accessing Data Controller’s Data outside of such country. For the avoidance of doubt, this transfer restriction does not pertain to Data Controller or its Affiliates’ Authorized Users who have access to the Software and Data Controller Data, and Data Processor shall not be held responsible for actions of Data Controller or its Affiliates’ Authorized Users. Neither Data Controller nor its Authorized Users shall be entitled to use the Software or Subscription Services in any country with data localization laws that would require Data Controller’s environment to be hosted in said country.

10. OBLIGATIONS OF THE DATA CONTROLLER

     10.1. The Data Controller and the Data Processor will be separately responsible for conforming with the Data Protection Legislation as applicable to them.

     10.2. The Data Controller shall be responsible, among others, for ensuring that the processing of personal data, which the Data Processor is instructed to perform, has a legal basis.

     10.3. The Data Controller will inform the Data Processor in writing without undue delay following the Data Controller’s discovery of a failure to comply with Data Protection Legislation with respect to processing of personal data in accordance with this DPA.

     10.4. The Data Controller shall be responsible for providing accurate and relevant contact details after entering into the Agreement and thereafter to assist in Data Processor’s notification obligations.

11. NOTIFICATION OF DATA BREACH
     11.1. The Data Processor shall without undue delay, and no later than 36 hours, in writing, notify the Data Controller in case of any identified or potential breach of personal data processed under the DPA.

     11.2. The notification referred to in section 10.1. must, to the extent possible:

i) describe the nature of the personal data breach including where possible (e.g., loss, theft, copying), the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,

ii) communicate the name and contact details of the person with the Data Processor where more information can be obtained,

iii) describe the likely consequences of the personal data breach, and

iv) describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

12. ADDITIONAL ASSIGNMENTS

     12.1. The Data Processor shall carry all costs associated with compliance of this DPA in its capacity as Data Processor.

     12.2. The Data Controller shall carry all costs associated with compliance of this DPA in its capacity as Data Controller.

     12.3. In respect of tasks of the Data Processor, that are not an obligation under this DPA, cf. the sections above, the Data Processor shall be entitled to charge the Data Controller for the additional resources, time and material necessary to fulfil the required task(s), unless such services are already included in the services rendered under the Agreement.

     12.4. The Data Processor will notify the Data Controller in advance of such additional charges and, to the extent possible, provide the Data Controller with a quote of the expected costs.

     12.5. If the Data Controller cannot agree to the costs, the Data Processor shall be entitled not to perform the additional assignment and to terminate the Agreement with a notice of 30 days. The Data Processor shall not be considered in breach of contract in this event.

13. DELETION AND RETURN OF PERSONAL DATA

     13.1. Following the end term or termination of the Agreement, the Data Processor shall (at Data Controller’s election) destroy or return to Data Controller all Data in its possession or control. The Data Processor reserves the right after 90 days to delete personal data from all locations when the Data Controller has not elected either option. This requirement shall not apply to the extent that Data Processor is required by applicable law to retain some or all of the Data.

     13.2. Upon the Data Controller’s request, the Data Processor shall certify in writing the destruction of the personal data.

14. LIABILITY

     14.1. Each party’s liability for one or more breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. In no event shall either party’s liability for a breach of this DPA exceed the liability cap set out in the Agreement. Neither party limits nor excludes any liability that cannot be limited or excluded under applicable law (such as for fraud).

15. LEGAL VENUE AND APPLICABLE LAW

     15.1. This DPA shall be governed by the laws of England and Wales.

     15.2. Any claim or dispute arising from or in connection with the Data Processing Agreement must be settled by the courts of England as first instance.

16. SIGNATURES

     Signed for and on behalf of the Data Processor
     Date: 18th February 2021
     Name: Marc Lee
     Title: Managing Director

EXHIBIT 1: INFORMATION ABOUT THE PROCESSING

     1. The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is: The Data Processor is a software development company, assigned by the Data Controller to make available to the Data Controller software as a service for supporting the management of their vehicle fleet. The content of this DPA reflects the limited amount of personal data the Data Processor handles for the Data Controller.

     2. The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing): Processing of traffic violations/fines including reassignment, creating and processing chargeback defences, the notification of unpaid invoices and ad-hoc fleet management functions using the Data Processor’s software as a service delivery system.

     3. The processing includes the following types of personal data about data subjects: Name, e-mail address, address.

     4. The processing includes the following type of special categories of data about data subjects: None.

     5. Processing includes the following categories of data subject: Data Controller’s customers.

     6. The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when instructed in accordance with the Agreement. Processing has the following duration: Fleetworks will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

EXHIBIT 2: DESCRIPTION OF MINIMUM DATA SECURITY

     Technical and organizational measures baseline

     1. Physical Access Controls: Data Processor shall take reasonable measures to prevent physical access, such as secured buildings, to prevent unauthorized persons from gaining access to personal data.

     2. System Access Controls: Data Processor shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.

     3. Data Access Controls: Data Processor shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access; and, that personal data cannot be read, copied, modified or removed without authorization in the course of processing. The Data Processor shall take reasonable measures to implement an access policy under which access to its system environment, to personal data and other data is by authorized personnel only.

     4. Transmission Controls: Data Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

     5. Input Controls: Data Processor shall take reasonable measures to provide that it is possible to check and establish whether and by whom personal data has been entered into data processing systems, modified or removed. Data Processor shall take reasonable measures to ensure that

(i) the personal data source is under the control of data exporter; and

(ii) personal data integrated into Data Processor’s systems is managed by secured file transfer from the Data Processor and data subject.

EXHIBIT 3: AUTHORISED SUB-PROCESSORS

Microsoft Azure, Inc., Cloud Service Provider, Ireland
SendGrid, Inc., Email service provider for email authentication, The Netherlands
Stripe, Inc., Payment Processor, Ireland

Updated 12th September 2024. Update Sub-Processor list