Data Processing Agreement (DPA)

Version: 1.0 | Effective date: February 19, 2026 | Market: EU (aroute.eu)

§1. Parties

This Data Processing Agreement (hereinafter: "Agreement" or "DPA") is entered into between:

Data Processor:

Emversa Maciej Łukowski

ul. Sielska 17a

60-129 Poznań, Poland

VAT ID: PL9720811257

Email: office@emversa.com

(hereinafter: "Processor" or "Emversa")

and

Data Controller:

The Organization using the Aroute Platform

(hereinafter: "Controller" or "Organization")

§2. Agreement Execution

  1. This Agreement is automatically concluded upon acceptance of the Aroute Platform Terms of Service during the registration process.
  2. Acceptance of the Terms of Service (checking the required checkbox "I accept the Terms of Service") constitutes simultaneous acceptance of this Data Processing Agreement.
  3. The Organization represents that the person accepting the Terms of Service and this Agreement is authorized to represent the Organization and enter into obligations on its behalf.

§3. Subject Matter

  1. The Controller entrusts the Processor with the processing of personal data of Drivers (employees and contractors of the Controller) to the extent necessary to provide the Aroute Platform services.
  2. The Processor undertakes to process the entrusted personal data only for the purpose and scope specified in this Agreement and in accordance with the Controller's instructions.
  3. The Processor processes data on behalf of the Controller pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR).

§4. Scope of Entrusted Data

4.1. Categories of Data Subjects

  • Drivers (employees and contractors of the Organization)
  • Users invited by the Administrator

4.2. Categories of Processed Data

Identification data:

  • First and last name
  • Work email address
  • Profile photo (optional)

Trip data:

  • GPS coordinates (route start/end)
  • GPS checkpoints containing: latitude and longitude, altitude, instantaneous speed, heading, GPS accuracy, timestamp
  • Addresses (start/end)
  • Timestamps (start/end)
  • Trip distance
  • Speed (maximum, average)
  • Vehicle odometer reading
  • Trip purpose
  • Trip type (business/private)

Private vehicle data:

  • Registration number
  • Make and model
  • Engine capacity
  • Vehicle type

Reimbursement data:

  • Reimbursement claim amounts
  • Billing periods
  • Approval status

Technical data:

  • Working hours and days (for auto-trip feature)
  • Language preferences
  • Consent settings (location, marketing)

4.3. Special Categories of Data

The Processor does not process special categories of personal data within the meaning of Art. 9 of GDPR.

§5. Purpose of Processing

The Processor processes entrusted data only for the purpose of:

  1. Recording and documenting business and private trips
  2. Generating Vehicle Mileage Log reports (for company vehicles) and Reimbursement Summary reports (for private vehicles)
  3. Processing reimbursement claims for private vehicles
  4. Visualizing data on the fleet map (paid feature)
  5. Detecting mileage gaps and discrepancies
  6. Automatic trip detection (auto-trip)
  7. Exporting data to Excel and PDF formats
  8. Providing iOS mobile application functionality
  9. Sending invitations to Drivers
  10. Technical support and user assistance

§6. Processor Obligations

The Processor undertakes to:

6.1. Compliance with Regulations

  • Process data in accordance with GDPR and other applicable EU regulations
  • Process data only on documented instructions from the Controller
  • Immediately inform the Controller if an instruction violates applicable law

6.2. Confidentiality

  • Ensure that persons authorized to process data have committed to confidentiality
  • Process data only through trained personnel

6.3. Security

Implement appropriate technical and organizational measures ensuring data security, including:

  • Data encryption in transit (TLS/HTTPS)
  • Data encryption at rest
  • Password hashing (bcrypt)
  • Row-Level Security (RLS) at database level
  • Role-based access control (RBAC)
  • Webhook signature verification
  • Regular security updates

6.4. Sub-processing

  • Use sub-processors only under conditions specified in §7
  • Ensure that sub-processors meet GDPR requirements

6.5. Assistance to Controller

  • Assist in fulfilling data subject rights
  • Assist in ensuring compliance with Art. 32-36 GDPR (security, DPIA, consultations)
  • Provide information necessary to demonstrate compliance

6.6. Data Breaches

  • Promptly (no later than 24 hours) notify the Controller of any data breach
  • Document breaches and remedial actions taken

§7. Sub-processors (Further Entrustment)

7.1. Consent to Sub-processing

The Controller grants general consent for the Processor to use sub-processors listed in §7.3.

7.2. Obligations Towards Sub-processors

The Processor undertakes to:

  • Enter into a data processing agreement with each sub-processor
  • Ensure that sub-processors meet requirements no less than those specified in this Agreement
  • Bear full responsibility for sub-processor actions

7.3. List of Sub-processors

Sub-processor | Purpose | Location | Data Processed
Supabase Inc. | Database hosting, authentication, Edge Functions | EU | All user, trip, checkpoint data
Stripe Payments Europe, Ltd. | Payments, invoices | Ireland (EU) | Organization billing data
Vercel Inc. | Application hosting, CDN | Global | Request logs, IP addresses
Resend, Inc. | Transactional email delivery | USA | Email addresses, names, invitation tokens
Google LLC | Google Analytics (with consent) | USA | Anonymized analytics data
OpenStreetMap Foundation | Geocoding (reverse geocoding) | Global | GPS coordinates (no personal data)
Project OSRM | Distance calculation | Global | GPS coordinates (no personal data)
WeatherAPI | Weather conditions | - | GPS coordinates (no personal data)
ipapi.co | Country detection | - | IP addresses
ip-api.com | Country detection (backup) | - | IP addresses

7.4. Changes to Sub-processor List

  1. The Processor will notify the Controller of the intention to add or change a sub-processor with 30 days' advance notice by email to the Organization's billing address.
  2. The Controller may object to a new sub-processor within 14 days of notification. Lack of objection means acceptance.
  3. In case of justified objection, the parties will negotiate to find a solution. If no solution is reached, the Controller may terminate the agreement effective at the end of the current billing period.

§8. Data Transfers to Third Countries

8.1. Transfers to USA

Some sub-processors process data in the USA. Transfers are secured through:

  • Standard Contractual Clauses (SCC) approved by the European Commission
  • EU-US Data Privacy Framework (where applicable)

8.2. Sub-processors in Third Countries

Sub-processor | Location | Transfer Mechanism
Vercel Inc. | USA/Global | SCC
Resend, Inc. | USA | SCC
Google LLC | USA | SCC + EU-US Data Privacy Framework

§9. Data Subject Rights

9.1. Assistance in Fulfilling Rights

The Processor undertakes to assist the Controller in fulfilling data subject rights under Art. 15-21 GDPR:

Right | Platform Implementation
Right of access (Art. 15 GDPR) | Data export to Excel/PDF available for Drivers
Right to rectification (Art. 16 GDPR) | Profile editing, trip edit requests
Right to erasure (Art. 17 GDPR) | Administrator can deactivate Drivers; contact Processor
Right to portability (Art. 20 GDPR) | Data export to standard formats
Right to restriction (Art. 18 GDPR) | Contact Processor
Right to object (Art. 21 GDPR) | Contact Processor

9.2. Response Time

The Processor will respond to Controller requests regarding data subject rights within 10 business days.

§10. Audit and Verification

10.1. Right to Audit

The Controller has the right to verify Processor compliance with this Agreement through:

  • Requesting written information and documentation
  • Conducting an audit (with 30 days' advance notice, during business hours)

10.2. Audit Costs

Audit costs are borne by the Controller, unless the audit reveals significant violations – in which case costs are borne by the Processor.

10.3. Audit Confidentiality

Audit results are confidential and may not be disclosed to third parties without Processor consent.

§11. Term and Termination

11.1. Term

This Agreement remains in effect for the entire period of the Controller's use of the Aroute Platform.

11.2. Termination

The Agreement terminates:

  • Upon subscription end and expiration of the grace period (90 days for voluntary cancellation or 30 days for non-payment)
  • Upon termination of the Terms of Service
  • By mutual agreement of the parties

11.3. Data Handling After Termination

  1. After Agreement termination, the Processor will:
    • Enable data export in CSV and PDF formats during the grace period
    • Delete personal data after the grace period expires
    • Retain data required by law (e.g., invoice data – 5 years from end of tax year per Polish tax law). Customers are responsible for retaining invoices according to their local tax requirements.
  2. Upon Controller request, the Processor will provide a data deletion certificate.

11.4. Platform Discontinuation

  1. In case of Platform discontinuation by the Processor, the Controller will be notified with at least 90 days' advance notice.
  2. During the notice period, the Controller will be able to export all data.
  3. After the notice period expires, data will be permanently deleted, except for data subject to mandatory legal retention.

§12. Liability

12.1. Processor Liability

The Processor is liable for damages resulting from data processing in violation of this Agreement or GDPR provisions.

12.2. Limitation of Liability

The total liability of the Processor is limited to the sum of subscription fees paid by the Controller in the 12 months preceding the event, unless the damage results from gross negligence or intentional misconduct.

12.3. Liability for Sub-processors

The Processor is liable for acts and omissions of sub-processors as for its own acts.

§13. Agreement Amendments

  1. The Processor may introduce changes to this Agreement with 30 days' advance notice.
  2. The Controller will be notified of changes by email.
  3. Continued use of the Platform after changes take effect constitutes acceptance of the amended Agreement.
  4. If the Controller does not accept the changes, they may terminate the agreement before the changes take effect.

§14. Final Provisions

14.1. Governing Law

This Agreement is governed by GDPR and applicable EU law. For matters not regulated by EU law, Polish law shall apply as subsidiary law.

14.2. Dispute Resolution

Any disputes arising from this Agreement shall be resolved by the court having jurisdiction over the Processor's registered office, unless mandatory provisions of the Controller's country of establishment require otherwise.

14.3. Document Hierarchy

In case of conflict between this Agreement and the Terms of Service, the provisions of this Agreement shall prevail regarding personal data protection.

14.4. Severability

If any provision of this Agreement is found to be invalid, the remaining provisions shall remain in effect.

§15. Contact

Processor (data processor):

Emversa Maciej Łukowski

ul. Sielska 17a

60-129 Poznań, Poland

Email: office@emversa.com

Supervisory Authorities:

For a list of EU Data Protection Authorities, visit the European Data Protection Board (EDPB):

https://edpb.europa.eu/about-edpb/about-edpb/members_en

Document generated: February 19, 2026