Data Processing Agreement

"Controller", "Processor", "Data Subject", "Personal Data", "Processing" and "Sub-processor" have the meanings given in the UK GDPR and the EU GDPR. "Services" means the Arrive & Drive booking platform provided to the Controller.

The Controller appoints the Processor to process Personal Data on its behalf solely to provide the Services. The Processor acts only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the UK/EEA.

• Subject matter: processing required to operate the booking platform.
• Duration: term of the underlying service agreement plus retention periods set out in Annex 1.
• Nature and purpose: hosting, storage, transmission, access management, communications, analytics.
• Types of Personal Data: identity, contact, driving licence, booking, technical and marketing data.
• Categories of Data Subjects: attendees, prospective customers, dealership staff and admins.

• Process Personal Data only on the Controller's documented instructions.
• Ensure persons authorised to process Personal Data are under appropriate confidentiality obligations.
• Implement the technical and organisational measures set out in Annex 2 (Art. 32 GDPR).
• Assist the Controller with Data Subject rights requests, DPIAs and prior consultations.
• Notify the Controller without undue delay (and in any event within 48 hours) of any Personal Data Breach.
• At the Controller's choice, delete or return all Personal Data at the end of the Services.
• Make available all information necessary to demonstrate compliance and allow audits, including inspections, conducted by the Controller or a mandated auditor on reasonable notice.

The Controller provides general authorisation for the Processor to engage Sub-processors, currently including the providers listed in Annex 3 (hosting, email delivery, analytics, identity verification). The Processor will notify the Controller of any intended changes, giving the Controller the opportunity to object on reasonable grounds within 14 days.

Where transfers are made outside the UK/EEA, the parties incorporate by reference the UK International Data Transfer Addendum and the EU Standard Contractual Clauses (Module 2 or 3 as applicable), with the Processor providing supplementary measures as required by the Schrems II ruling.

Each party's liability under this DPA is subject to the limitations of liability in the underlying service agreement, save that nothing limits liability for fines imposed by a supervisory authority directly attributable to a party's breach.

• Retention: booking records 24 months; licence verification logs 7 years; marketing data until withdrawal or 24 months inactivity.
• Frequency: continuous for the duration of the Services.

• TLS 1.2+ in transit; AES-256 at rest.
• Role-based access control with MFA for administrative accounts.
• Row-level security and tenant isolation at the database layer.
• Daily encrypted backups with 30-day retention.
• Audit logging of administrative and data-export actions.
• Annual penetration testing and continuous vulnerability scanning.
• Documented incident response plan with 48-hour breach notification.
• Staff confidentiality agreements and annual data protection training.

• Supabase / AWS — application hosting and database (EU regions).
• Resend — transactional email delivery.
• Cloudflare — CDN, DNS and WAF.