Data Processing Agreement (DPA)

Last updated: 16 June 2026

1. Introduction and how to execute

This Data Processing Agreement (the “DPA”) forms part of the agreement between you (the “Customer”) and FORGEAI STUDIO LTD, a company registered in England and Wales and trading as “NovaStack” (“we”, “us”, “our” or the “Processor”), governing your use of the FleetFlow service (“FleetFlow” or the “Service”). It supplements and is incorporated into our Terms of Service (the “Terms”). Where there is any conflict between this DPA and the Terms in relation to the processing of personal data, this DPA prevails.

This DPA applies to the extent that we process personal data on your behalf in the course of providing the Service, and where such processing is subject to the UK GDPR and/or the EU GDPR.

How to execute and retain a copy. No physical signature is required: by accepting the Terms and using the Service, you agree to and accept this DPA. To retain an executed copy for your records, use your browser’s Print function to save this page as a PDF (typically File → Print → Save as PDF, or Ctrl/Cmd + P).

2. Definitions

Capitalised terms not defined here have the meaning given in the Terms or in applicable data protection law.

  • “UK GDPR” means the United Kingdom General Data Protection Regulation as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
  • “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.
  • “Controller” means the entity that determines the purposes and means of the processing of personal data.
  • “Processor” means the entity that processes personal data on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed under this DPA.
  • “Sub-processor” means any third party engaged by the Processor to process personal data on the Controller’s behalf.
  • “Data Subject” means the identified or identifiable natural person to whom the personal data relates.

3. Roles of the parties

For the purposes of this DPA, the Customer is the Controller and FORGEAI STUDIO LTD is the Processor in respect of the personal data processed through the Service. The Customer warrants that it has all necessary rights, consents and lawful bases to provide the personal data to us and to instruct us to process it as contemplated by this DPA.

4. Subject matter and duration

The subject matter of the processing is the provision of the FleetFlow fleet and operations management Service to the Customer. The processing continues for the duration of the Terms and for as long as we retain personal data on the Customer’s behalf, subject to the return and deletion provisions in section 11.

5. Nature and purpose of processing

We process personal data for the purpose of operating, maintaining, securing and supporting the Service, and otherwise in accordance with the Customer’s documented instructions. Processing operations include collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission, and erasure or destruction of personal data.

6. Types of personal data

The personal data processed may include, depending on the Customer’s configuration and use of the Service: names, contact details (email addresses, telephone numbers), job roles, account credentials and authentication data, driver and vehicle assignment details, scheduling and shift information, location and route data, and usage, log and metadata generated through use of the Service.

7. Categories of data subjects

The categories of data subjects include the Customer’s own customers, drivers, staff and other personnel whose personal data the Customer chooses to process through the Service.

8. Processor obligations

We shall:

  • process personal data only on the Customer’s documented instructions, including this DPA and the Customer’s use of the Service, unless required to do otherwise by applicable law (in which case we will, where legally permitted, inform the Customer of that legal requirement);
  • ensure that persons authorised to process the personal data are subject to an appropriate duty of confidentiality;
  • implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in our Security Policy;
  • taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects exercising their rights;
  • notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s personal data;
  • at the Customer’s choice, delete or return all personal data on termination of the Service, as set out in section 11;
  • make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice, confidentiality undertakings and not unreasonably disrupting our operations.

9. Sub-processors

The Customer provides general authorisation for us to engage sub-processors to assist in providing the Service. We currently engage the following sub-processors:

  • Supabase — database, authentication and storage services.
  • Stripe — payment processing.
  • Cloudflare — hosting and content delivery network (CDN).

We will impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA. We will give the Customer at least 30 days’ notice of any intended addition or replacement of a sub-processor, giving the Customer the opportunity to object on reasonable data protection grounds. We remain responsible for the acts and omissions of our sub-processors to the same extent as for our own.

10. International transfers

Where the provision of the Service involves the transfer of personal data outside the United Kingdom or the European Economic Area, we will ensure that an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum, and/or the EU Standard Contractual Clauses (SCCs), together with any supplementary measures required to ensure an adequate level of protection.

11. Security measures

We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures are described in our Security Policy and may include encryption in transit and at rest, access controls, network protection, logging and monitoring, and regular review of our security practices.

12. Data subject rights assistance

Taking into account the nature of the processing, we will provide reasonable assistance to the Customer, by appropriate technical and organisational measures and insofar as possible, to enable the Customer to fulfil its obligation to respond to requests from data subjects exercising their rights under the UK GDPR and EU GDPR. Further information on data subject rights is available on our GDPR & Data Rights page.

13. Personal data breach

We will notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on the Customer’s behalf. Our notification will, to the extent reasonably available, describe the nature of the breach, its likely consequences and the measures taken or proposed to address it, so as to assist the Customer in meeting its own notification obligations.

14. Return and deletion of data

On termination or expiry of the Service, we will, at the Customer’s choice, delete or return all personal data processed on the Customer’s behalf and delete existing copies, unless applicable law requires continued storage. Deletion will be carried out within a reasonable period, subject to routine technical backup cycles after which residual copies are overwritten or destroyed.

15. Liability and governing law

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms. This DPA is governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

16. Contact

For any questions about this DPA or to make a data protection enquiry, please contact us at support@fleetflowtech.com.

Annex — Processing details

Item | Details
Subject matter | Provision of the FleetFlow fleet and operations management Service to the Customer.
Duration | For the term of the Terms and for as long as personal data is retained on the Customer’s behalf, subject to return and deletion.
Nature and purpose | Operating, maintaining, securing and supporting the Service in accordance with the Customer’s documented instructions, including collection, storage, retrieval, use, transmission and erasure of personal data.
Types of personal data | Names, contact details, job roles, account credentials, driver and vehicle assignment details, scheduling and shift information, location and route data, and usage, log and metadata.
Categories of data subjects | The Customer’s customers, drivers, staff and other personnel whose personal data the Customer processes through the Service.