Data Processing Addendum (DPA)

1. Roles

• Customer: usually the controller for delivery, driver, and recipient data.
• Trackely: usually the processor for that operational data.

2. Scope of processing

The DPA should describe at least:

• the subject matter and duration of the processing;
• the nature and purpose of the processing;
• the types of personal data involved; and
• the categories of data subjects and the controller's rights and obligations.

In Trackely, that may include account records, route and stop data, driver activity, location data, recipient details, proof-of-delivery records, support interactions, and integration data as configured by the customer.

3. Core processor commitments

A signed Trackely DPA is intended to cover commitments such as:

• processing only on documented instructions from the customer, unless required by law;
• ensuring persons authorised to process personal data are under duties of confidentiality;
• implementing appropriate technical and organisational security measures;
• assisting the customer with data subject requests where required;
• assisting with security incidents, breach reporting, DPIAs, and regulator consultation where applicable;
• supporting audits or information requests to the extent required under the agreement and law;
• obtaining appropriate authorisation for sub-processors and flowing down equivalent protection terms.

4. Security measures

The exact security schedule should reflect the deployed service and customer risk profile, but may include access control, encryption in transit, infrastructure protections, audit logging, backup controls, environment separation, and incident response processes.

5. Sub-processors

Trackely uses infrastructure and service providers for hosting, databases, storage, communications, mapping, billing, and related platform operations. Customers should carry out their own supplier due diligence and ensure the DPA or sub-processor notice process fits their compliance programme.

6. International transfers

If personal data is transferred outside the UK or EEA, the parties should ensure that a lawful transfer mechanism applies, such as adequacy regulations, the UK IDTA, the UK Addendum, or another valid safeguard.

7. End of contract

At the end of the contract, the DPA should state that Trackely will, at the controller's choice and subject to law, delete or return personal data and delete remaining copies unless storage is legally required. Backup and archive handling may be subject to delayed deletion on the next secure deletion cycle where data is put beyond use in the meantime.