Legal · Schedule 1 to Terms of Service · v1.0

Data Processing Agreement

The contract that governs how Traction Solutions Ltd processes personal data on behalf of CheckPod Fleet customers, in compliance with UK GDPR Article 28.

Last updated: 15 May 2026 · Effective: 15 May 2026 · Version: 1.0

1. Parties & framework

This Data Processing Agreement ("DPA") forms Schedule 1 to the CheckPod Fleet Terms of Service (the "Agreement") between:

  • Traction Solutions Ltd, a company registered in England & Wales (Company No. 17075841), with registered office at 3rd Floor, 86–90 Paul Street, London, EC2A 4NE ("the Processor" or "CheckPod"); and
  • The Fleet Customer identified in the corresponding CheckPod Fleet subscription ("the Controller").

This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018"). It sets out the terms on which the Processor processes Personal Data on behalf of the Controller.

In the event of any conflict between this DPA and the Agreement, this DPA prevails in respect of data protection matters.

2. Definitions

Terms in this DPA have the meanings given in UK GDPR and the DPA 2018, except as follows:

  • "Controller Personal Data" — any Personal Data processed by the Processor on behalf of the Controller pursuant to the Agreement.
  • "Data Subject" — an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data.
  • "Processing" — any operation performed on Personal Data (collection, recording, storage, use, disclosure, deletion, etc.).
  • "Sub-processor" — any third party engaged by the Processor to process Controller Personal Data.
  • "Standard Contractual Clauses" or "SCCs" — the UK International Data Transfer Agreement or UK Addendum to EU SCCs, as approved by the Information Commissioner.

3. Subject matter, duration & purpose

Subject matter: the Processor processes Controller Personal Data to provide the CheckPod Fleet service (the "Service") to the Controller — a software-as-a-service platform for HGV and commercial fleet compliance management, supporting vehicle walkaround checks, defect reporting, proof-of-delivery, driver licence verification, accident reporting, and related operational compliance.

Duration: processing continues for the duration of the Controller's active CheckPod Fleet subscription, plus any post-termination retention period set out in section 15 below.

Nature & purpose: the Processor processes Controller Personal Data solely to provide, maintain, secure, and support the Service. The Processor does not use Controller Personal Data for its own purposes, except as expressly permitted in this DPA (e.g. aggregated and anonymised statistical analysis to improve the Service).

4. Categories of data & data subjects

The Controller authorises the Processor to process the following categories of Personal Data on its behalf:

Category | Examples | Data subjects
Identification data | Name, employee/driver number, role, profile photo | Drivers, Transport Managers, garage staff
Contact data | Email address, mobile number, work address | All Fleet users
Licence & entitlement data | Driving licence number (where verified against DVLA ADD), photocard expiry, entitlement categories, endorsements, CPC status, ADR card details, D4 medical date | Drivers
Operational data | Walkaround check results, defect reports, PODs, vehicle assignments, tachograph weekly signoffs, infringement records | Drivers, vehicles assigned to drivers
Location data | Vehicle GPS coordinates where Fleet GPS tracking is enabled by the Controller; geotag on photo capture; depot location | Drivers (while operating Controller's vehicles)
Accident & incident data | Accident wizard responses, third-party details, witness information, photographs, FNOL data | Drivers, third parties involved in incidents
Technical & account data | Login timestamps, IP address, device identifier, audit log of user actions | All Fleet users

Special category data (UK GDPR Article 9) — such as driver medical conditions disclosed for DVLA fitness-to-drive purposes — is not a standard processing activity under this DPA. If the Controller requires special category processing, a separate written instruction and supplementary safeguards (including DPIA) are required.

5. Controller's obligations

The Controller warrants and undertakes that:

  • It has, and will maintain, a lawful basis under UK GDPR Article 6 for each category of Controller Personal Data processed under the Service;
  • Where the Controller relies on consent or legitimate interests, it has performed the necessary assessments (including a Legitimate Interest Assessment for activities such as Fleet GPS tracking) and made appropriate notices available to Data Subjects;
  • It has provided Data Subjects with privacy information that complies with UK GDPR Articles 13 and 14, including identifying the Processor's role and the sub-processors listed in section 9;
  • Its instructions to the Processor (whether documented in this DPA, the Agreement, or given through the configuration of the Service) comply with UK GDPR and all other applicable data protection law;
  • It will not transmit special category data (UK GDPR Article 9) or criminal offence data (UK GDPR Article 10) to the Service without first agreeing supplementary terms in writing with the Processor;
  • It is responsible for the accuracy and lawful collection of Controller Personal Data that it (or its users) input into the Service.

6. Processor's obligations

The Processor will:

  • Process only on documented instructions from the Controller, as set out in this DPA, the Agreement, and the configuration of the Service. If the Processor reasonably believes an instruction infringes UK GDPR or other applicable law, it will notify the Controller without delay;
  • Ensure persons authorised to process Controller Personal Data are bound by appropriate confidentiality obligations (section 7);
  • Implement technical and organisational measures appropriate to the risk (section 8);
  • Respect the conditions for engaging sub-processors set out in section 9;
  • Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling Data Subject rights requests (section 11);
  • Assist the Controller in ensuring compliance with the security, breach notification, DPIA, and prior consultation obligations under UK GDPR Articles 32–36 (sections 8, 12, 13);
  • Return or delete Controller Personal Data at the end of provision of services (section 15);
  • Make available all information necessary to demonstrate compliance with this DPA, and allow for audits (section 14).

7. Confidentiality & staff

The Processor will ensure that all personnel authorised to access Controller Personal Data:

  • Are subject to a written duty of confidentiality (either by contract or by professional obligation);
  • Receive appropriate training on data protection responsibilities;
  • Access Controller Personal Data only on a least-privilege, need-to-know basis;
  • Use multi-factor authentication for any administrative access to Service infrastructure.

The Processor maintains separation of duty between operational staff and Data Subjects: where a member of staff is also a Data Subject (e.g. uses CheckPod as a driver), they cannot self-administer their own records, and any access to their own record by staff members is logged and reviewable.

8. Security measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, the nature, scope, context and purposes of processing, and the risk to Data Subjects.

8.1 Technical measures

  • Encryption in transit — TLS 1.2 or higher for all data transmission;
  • Encryption at rest — production data is encrypted at rest at the storage layer by the Processor's hosting sub-processors;
  • Role-based access control (RBAC) — granular role separation (Driver, Transport Manager, Admin, Garage) with least-privilege defaults;
  • Audit logging — all administrative actions and access to sensitive data are logged with timestamp, actor identity, and action detail (the adminActions audit trail);
  • Soft-delete by design — the Service is built so that user-initiated deletions set a deletedAt marker rather than destroying records, supporting accidental-deletion recovery and audit trail preservation;
  • Vulnerability management — the Processor monitors for and applies security patches to its codebase and dependencies on a regular cadence;
  • Backup & recovery — operational data is backed up by hosting sub-processors with tested recovery procedures;
  • Anomaly detection — automated detection of unusual access or export patterns, with alerts to the Processor's responsible person for human review.

8.2 Organisational measures

  • Written Personal Data Breach Procedure with 72-hour notification commitment;
  • Documented Legitimate Interest Assessment for processing relying on Article 6(1)(f);
  • Documented Data Subject Request handling procedure;
  • Annual review of this DPA, sub-processor list, and security measures;
  • Cyber and data insurance held with Hiscox Insurance Company Limited (£250,000 indemnity per the Processor's current policy) covering breach response, data recovery, and notification costs;
  • ICO registration as a Data Controller (registration ZC133272).

9. Sub-processors

The Controller provides general authorisation for the Processor to engage the sub-processors listed below to process Controller Personal Data, subject to the conditions in this section.

Sub-processor | Purpose | Region | Safeguards
Convex (Convex, Inc.) | Backend platform; database; serverless functions; file storage; user authentication, session management, MFA | EEA (Ireland) | Data Processing Addendum, EEA-resident data processing
Stripe (Stripe Payments UK Ltd) | Payment processing for subscription billing | UK / EEA | Stripe is the controller for payment data; processor for subscription metadata
Vercel (Vercel, Inc.) | Frontend hosting, edge delivery | EEA / Global edge | UK Addendum to EU SCCs; no application data stored on Vercel
Fly.io (Fly.io, Inc.) | Tachograph parser microservice (DDD file parsing) | EEA (Frankfurt) | EEA-resident processing; UK Addendum to EU SCCs
Resend (Resend, Inc.) | Transactional email delivery | EEA / USA | UK Addendum to EU SCCs; data minimisation in email payloads

The Processor will:

  • Maintain a current list of sub-processors and make it available to the Controller on request;
  • Impose written contractual obligations on each sub-processor that are no less protective than those in this DPA;
  • Notify the Controller in advance of any intended addition or replacement of a sub-processor (at least 30 days), giving the Controller the opportunity to object on reasonable data protection grounds. If the Controller objects, the parties will discuss in good faith. If no resolution is reached, the Controller may terminate the affected Service component without penalty;
  • Remain fully liable to the Controller for each sub-processor's performance of its data protection obligations.

10. International transfers

The Processor's primary application infrastructure (Convex backend, database, authentication, file storage, Fly.io tachograph microservice) is hosted within the European Economic Area (Ireland and Frankfurt). Authentication and session data are EEA-resident and are not routinely transferred outside the EEA.

Where Controller Personal Data is transferred outside the UK or EEA (notably the Vercel edge delivery network), the Processor relies on:

  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as appropriate, in place with each receiving sub-processor;
  • Supplementary technical measures (encryption in transit, encryption at rest, access controls, minimum-necessary data transfer);
  • Transfer impact assessments where required.

The Controller hereby authorises the Processor to enter into the relevant transfer mechanism on its behalf with each sub-processor that processes Controller Personal Data outside the UK.

11. Data subject rights assistance

The Processor will provide the Controller with the technical and organisational measures necessary to enable the Controller to respond to Data Subject requests under UK GDPR Articles 15–22, including:

  • Right of access — the Controller can export Data Subject records via the admin console;
  • Right to rectification — the Controller can correct records via the admin console;
  • Right to erasure — the Controller can initiate soft-delete via the admin console; if a Data Subject specifically requests destruction, the Processor will assist on written request, subject to overriding legal obligations (e.g. statutory retention for compliance records);
  • Right to data portability — the Processor will provide structured export on request;
  • Right to object & restriction — the Controller can suspend processing of individual records via the admin console;
  • Right not to be subject to automated decision-making — the Service does not make legal or similarly significant decisions about Data Subjects through solely automated processing.

If a Data Subject contacts the Processor directly with a request, the Processor will not act on the request, will forward it to the Controller without undue delay, and will reply to the Data Subject only to confirm the forwarding.

12. Breach notification

The Processor will notify the Controller of any Personal Data Breach affecting Controller Personal Data without undue delay, and in any case within 24 hours of becoming aware of the Breach.

The notification will include, to the extent known at the time:

  • A description of the nature of the Breach including, where possible, the categories and approximate number of Data Subjects and records concerned;
  • The name and contact details of the Processor's responsible person;
  • A description of the likely consequences of the Breach;
  • A description of the measures taken or proposed to address the Breach and mitigate its possible adverse effects.

If full information is not available within 24 hours, the Processor will provide it in phases without further undue delay.

The Processor will cooperate with the Controller and provide reasonable assistance to enable the Controller to comply with its own notification obligations to the ICO (within 72 hours of awareness) and to affected Data Subjects (where required by UK GDPR Article 34).

Note: the Processor maintains a written Personal Data Breach Procedure and dedicated cyber-incident response cover through Hiscox CyberClear. The 24-hour Hiscox breach response line and the Processor's responsible person are both engaged immediately on detection.

13. DPIA & consultation

The Processor will provide the Controller, on reasonable written request, with information and assistance necessary to support the Controller in:

  • Carrying out Data Protection Impact Assessments under UK GDPR Article 35;
  • Conducting prior consultation with the ICO under UK GDPR Article 36 where required;
  • Maintaining its records of processing activities under UK GDPR Article 30.

14. Audit rights

The Processor will make available to the Controller, on reasonable written request and at intervals no more frequent than once every twelve months (unless required by a regulator or following a Personal Data Breach affecting the Controller):

  • This DPA and the current sub-processor list;
  • The Processor's current Privacy Policy, Personal Data Breach Procedure, and Legitimate Interest Assessment summary;
  • Evidence of relevant insurance cover;
  • Summary of security measures and any independent assessments held (e.g. Cyber Essentials, if obtained).

Where the Controller reasonably requires further audit information that is not available from this documentation, the parties will agree in good faith the scope, timing, conduct, and cost of an audit. Audits must be conducted in a manner that does not unreasonably interfere with the Processor's business operations or compromise the security or confidentiality of other customers' data.

15. Return & deletion

On termination or expiry of the Agreement, the Processor will, at the Controller's written election:

  • Return all Controller Personal Data to the Controller in a structured, commonly-used, machine-readable format (typically JSON or CSV); or
  • Delete all Controller Personal Data from active systems and operational backups within 90 days of termination, subject to overriding statutory retention obligations (e.g. DVSA-mandated 15-month retention of walkaround and PMI records under DVSA Guide to Maintaining Roadworthiness).

Where statutory retention overrides erasure, the Processor will isolate the retained data, restrict access to it, and delete it as soon as the retention period ends.

The Processor will provide written confirmation of deletion on request.

16. Liability & indemnity

Each party's liability under this DPA is governed by the limitation and exclusion of liability provisions of the Agreement, except that nothing in the Agreement limits either party's liability:

  • For administrative fines imposed directly on that party by a supervisory authority;
  • For its own wilful misconduct or fraud;
  • For death or personal injury caused by negligence; or
  • To the extent such limitation is prohibited by UK GDPR or the DPA 2018.

The Processor maintains cyber and data liability insurance with Hiscox Insurance Company Limited (currently £250,000 indemnity in the aggregate, covering own losses, claims, investigations, and business interruption arising from a cyber or data incident).

17. General terms

  • Variation — the Processor may update this DPA to reflect changes in applicable law, sub-processor arrangements, or operational practice. Material changes will be notified to the Controller at least 30 days in advance.
  • Severability — if any provision is held unenforceable, the remainder continues in effect.
  • Governing law — this DPA is governed by the laws of England and Wales. The English courts have exclusive jurisdiction.
  • Entire agreement on data protection — this DPA, together with the Agreement and the Processor's Privacy Policy, constitutes the entire agreement between the parties on data protection matters.

18. Contact & signature

Processor: Traction Solutions Ltd
Company No.: 17075841
Registered office: 3rd Floor, 86–90 Paul Street, London, EC2A 4NE
ICO registration: ZC133272
Data protection contact
Breach reporting

This DPA is incorporated by reference into the Controller's CheckPod Fleet subscription. By subscribing to the Service and clicking to accept the Terms of Service, the Controller agrees to be bound by this DPA. No physical signature is required.

A counter-signed copy is available on written request to the data protection contact above.