FleetLinq Data Processing Agreement
Last Updated: February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between FleetLinq ("Processor", "we", "us") and the Customer ("Controller", "you") regarding the processing of personal data.
1. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on Personal Data |
| Data Subject | The individual whose Personal Data is processed |
| Sub-processor | Third party engaged by Processor to process Personal Data |
| Applicable Data Protection Law | GDPR, UK GDPR, and other relevant data protection laws |
2. Roles and Responsibilities
2.1 Controller Obligations
As the Controller, you:
- Determine the purposes and means of processing
- Ensure lawful basis for processing (consent, contract, etc.)
- Provide appropriate privacy notices to Data Subjects
- Respond to Data Subject requests with our assistance
- Ensure accuracy and relevancy of data provided
2.2 Processor Obligations
As the Processor, we:
- Process Personal Data only on your documented instructions
- Ensure that personnel who process Personal Data keep it confidential
- Implement appropriate technical and organizational security measures
- Assist with Data Subject requests and compliance obligations
- Delete or return data upon termination (per Section 8)
- Make available information necessary to demonstrate compliance
3. Scope of Processing
3.1 Subject Matter and Duration
We process Personal Data for the duration of your subscription to provide fleet management services.
3.2 Nature and Purpose
| Purpose | Description |
|---|---|
| Account Management | User authentication, profile storage |
| Booking Services | Processing rental reservations |
| Customer Management | Storing customer records you upload |
| Communications | Sending transactional notifications |
| Analytics | Generating reports and dashboards |
3.3 Types of Personal Data
- Contact information (name, email, phone)
- Booking history and preferences
- Payment information (tokenized, not stored directly)
- Vehicle usage data
3.4 Categories of Data Subjects
- Your employees and staff
- Your customers and renters
- Your business contacts
4. Security Measures
We implement appropriate security measures including:
Technical Measures
- Encryption of data in transit (TLS 1.3)
- Encryption of data at rest
- Access controls and authentication
- Regular security testing and audits
- Intrusion detection and monitoring
- Backup and disaster recovery procedures
Organizational Measures
- Staff confidentiality agreements
- Security awareness training
- Access on a need-to-know basis
- Incident response procedures
- Regular policy reviews
5. Sub-processors
5.1 Authorization
You provide general authorization for us to engage sub-processors listed in our Sub-processor List.
5.2 Current Sub-processors
| Sub-processor | Location | Purpose |
|---|---|---|
| Neon | AWS (EU/US) | Database hosting |
| Vercel | Global (Edge) | Frontend hosting |
| Railway | US/EU | Backend hosting |
| Paystack | Africa | Payment processing |
5.3 Changes to Sub-processors
We will:
- Notify you of new sub-processors with 30 days' notice
- Provide opportunity to object with reasonable grounds
- Ensure equivalent data protection obligations in sub-processor contracts
5.4 Objection Rights
If you reasonably object to a new sub-processor:
- We will attempt to provide an alternative
- If no alternative is available, you may terminate affected services
6. Data Subject Rights
6.1 Assistance
We will assist you in responding to Data Subject requests for:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
6.2 Response Time
We will respond to your assistance requests within 10 business days.
6.3 Direct Requests
If we receive requests directly from Data Subjects, we will:
- Promptly notify you
- Not respond without your authorization (unless legally required)
7. Data Breach Notification
7.1 Notification
In case of a Personal Data breach, we will:
- Notify you without undue delay (within 72 hours of awareness)
- Provide details of the breach (nature, categories affected, likely consequences)
- Describe measures taken or proposed to address the breach
7.2 Cooperation
We will cooperate with your investigations and regulatory notifications as required.
7.3 Documentation
We maintain records of all breaches including facts, effects, and remedial actions.
8. Data Return and Deletion
8.1 Upon Termination
At the end of the service agreement:
- You may request export of your data within 30 days
- We will delete all Personal Data within 90 days of termination
- Deletion will be certified upon request
8.2 Exceptions
We may retain data as required by law, subject to:
- Continued security obligations
- Processing only as required by law
- Deletion once legal requirement ends
9. International Transfers
9.1 Transfer Mechanisms
For transfers outside the EEA/UK, we rely on:
- Standard Contractual Clauses (Module 2: Controller to Processor)
- Adequacy decisions where applicable
9.2 Supplementary Measures
We implement supplementary measures where necessary:
- Strong encryption
- Data minimization
- Access controls
10. Audits and Inspections
10.1 Audit Rights
You may audit our compliance with this DPA:
- With 30 days' written notice
- During normal business hours
- At your expense
- No more than once per year (unless required by regulators)
10.2 Audit Reports
We will provide copies of relevant third-party audit reports (SOC 2, ISO 27001) upon request.
11. Liability
11.1 Limitation
Liability under this DPA is subject to the limitations in our Terms of Service.
11.2 Allocation
Each party is liable for damages caused by its breach of this DPA or Applicable Data Protection Law.
12. Term and Termination
12.1 Term
This DPA is effective for the duration of your subscription.
12.2 Survival
Provisions relating to data deletion, liability, and audits survive termination.
13. Governing Law
This DPA is governed by the same law as the Terms of Service.
For EEA Data Subjects: EU GDPR applies to processing of their data.
For UK Data Subjects: UK GDPR applies to processing of their data.
14. Contact
Data Protection Inquiries:
Email: fleetlinq.on@gmail.com
General Legal:
Email: fleetlinq.on@gmail.com
This DPA is incorporated into and made part of the FleetLinq Terms of Service.