Data Processing Agreement
This Data Processing Agreement (“DPA”) is made by Driivz Inc. and its affiliates, for transactions based in the United States of America or North America, or Driivz Ltd. and its affiliates, for transactions elsewhere in the world (each, “Driivz”), and in either case is effective from the effective date of any terms of use between you (“Company”) and Driivz (the “Agreement”).
As you and Driivz have entered into the Agreement, which may require the Processing of Personal Information by Driivz acting as Service Provider (as defined under applicable Data Protection Laws) (“Processor”) for or on behalf of Company acting as the Business (as defined under applicable Data Protection Laws) and/or its customers (if applicable) (“Controller”), this DPA will set out the additional requirements, terms, and conditions on which the Processor will process Personal Information until such time the Processor ceases all Processing of Personal Information on behalf of the Controller.
1. Definitions and interpretation
Capitalized terms used but not defined in this DPA shall have the meaning set forth in the Agreement. Where different definitions for the same term have been used in the Agreement and this DPA, the definitions provided in this DPA shall prevail in relation to the terms of this DPA. For the purpose of this DPA, the following words and phrases shall have the following meaning unless the context otherwise requires:
“Controller Personal Information” means all Personal Information and Personal Data, in whatever form or medium, which is Processed by the Processor for and on behalf of the Controller and/or the Controller’s customers (if applicable), whether such Personal Information and Personal Data is supplied to the Processor (by transfer or access) and/or produced or generated by or on behalf of the Processor, in connection with the Agreement or this DPA, including as set out in Appendix 1.
“Data Subject”, “Personal Data”, “Business”, “Service Provider”, “Personal Information”, “Personal Data Breach”, “Processing” and “Sensitive Personal Information” (or “Special Categories of Personal Data”) all have the meanings given to those terms in applicable Data Protection Laws (and related terms, such as “Process”, have corresponding meanings). If any of these terms is not defined under applicable Data Protection Laws, the term shall have the meaning given to it under the GDPR.
“Data Exporter” has the meaning set out in the EU Standard Contractual Clauses.
“Data Importer” has the meaning set out in the EU Standard Contractual Clauses.
“Data Protection Laws” means all laws, regulations, legislative and regulatory requirements, and legally binding codes of practice applicable to the Processing, privacy, integrity, security, confidentiality and use of the Controller Personal Information, as applicable to the Controller, the Controller’s customers and/or the Processor, including, without limitation and where applicable: (i) the GDPR together with national implementing laws in any Member State of the EEA; (ii) the GDPR as it is incorporated into the laws of the United Kingdom; (iii) the Data Protection Act 2018 of the United Kingdom; (iv) the Swiss Federal Act on Data Protection; (v) the California Consumer Privacy Act; (vi) the California Privacy Rights Act; (vii) the Lei Geral de Proteção de Dados; (viii) the Protection of Personal Information Act 2013 of South Africa; and any legislation that amends or supersedes the foregoing.
“EU Standard Contractual Clauses” means the clauses approved by Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (a copy of which is available at: www.vontier.com/EU_Contractual_Clauses).
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Services” shall have the meaning given to it under the Agreement or where this term is not defined means the services described in the Agreement and agreed between Controller and the Processor from time to time.
“Supervisory Authority” means any competent data protection or privacy authority in any jurisdiction in which the Controller, the Controller’s customers (if applicable) or the Processor is established, the Processor provides the Services, or in which the Processor Processes Controller Personal Information.
“UK Addendum” means the Addendum in Schedule 5 available at: www.vontier.com/EU_Contractual_Clauses.
2. Appointment and role of the parties
2.1 The Controller appoints the Processor to Process Controller Personal Information on its behalf as is necessary for the provision of the Services and performance of the Agreement.
2.2 Where the Controller Personal Information consists of Personal Information for which the Controller’s customer is a ‘controller’ (as that term is understood under the GDPR), the Controller warrants that it has obtained prior authorization and all applicable consents and licenses from the Controller’s customers to appoint the Processor as a ‘processor’ (as that term is understood under the GDPR).
3. Details of the Processing
3.1 Processing of the Controller Personal Information by the Processor under this DPA shall be for the: (a) subject-matter; (b) duration; (c) nature and purpose; and (d) type of Personal Information and categories of Data Subjects, set out in this DPA.
3.2 The processing instructions and the nature and purpose of the Processing are described in Appendix 1.
3.3 The obligations and rights of the Controller are as set out in this DPA and Data Protection Laws.
4. Complying with Data Protection Law
4.1 Each party shall in all cases Process Controller Personal Information in compliance with the Data Protection Laws.
4.2 The Controller shall have the right to take reasonable and appropriate steps to help ensure that the Processor uses the Controller Personal Information in a manner consistent with the Controller’s obligations under the Data Protection Laws.
4.3 The Controller shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Controller Personal Information.
4.4 The Processor hereby agrees to notify the Controller immediately, but in any event no later than forty-eight (48) hours from the time it makes such a determination, if it determines that it can no longer meet its obligations under the Data Protection Laws.
4.5 The Controller hereby warrants that the provision by it of any Controller Personal Information complies with Data Protection Laws.
4.6 Neither party shall cause the other party, by act or omission, to be in breach of Data Protection Laws.
5. Acting on controller’s documented instructions
5.1 The Processor shall Process Controller Personal Information only on the documented instructions of the Controller, including as set out in this DPA and the Agreement. The Processor also has the right to Process the Controller Personal Information to the extent required by law, following the Processor’s prior notification to the Controller, except where mandatory applicable law prohibits such notification. The Processor shall promptly notify the Controller if in the Processor’s reasonable opinion any instruction from the Controller infringes Data Protection Laws, with such notification to include an explanation of why the Processor has formed such an opinion, and the Processor shall be entitled to suspend its Processing of the affected Controller Personal Information until the Controller amends its instructions to comply with Data Protection Laws.
5.2 The Processor acknowledges that it is prohibited from:
(a) selling or sharing Controller Personal Information unless otherwise permitted under the Data Protection Laws or this DPA;
(b) retaining, using, or disclosing Controller Personal Information for any purpose other than the purpose(s) specified in Appendix 1 or as otherwise permitted under Data Protection Laws; or
(c) combining Controller Personal Information with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, unless otherwise allowed under the Data Protection Laws or this DPA.
5.3 The Controller authorizes the Processor to create an aggregated or fully anonymised data set based on Controller Personal Information. The Controller and the Processor agree that the aggregated or fully anonymised data set is not Personal Data and will be owned and retained by the Processor.
6. Ensuring employee confidentiality
The Processor shall ensure that any person acting under its authority who may have access to, or who otherwise Processes, Controller Personal Information is subject to legally binding obligations of confidentiality.
7. Taking appropriate technical and organizational measures, including for security
7.1 The Processor shall implement appropriate technical and organizational measures:
(a) designed to assist the Controller in responding to requests from Data Subjects to exercise their rights under Data Protection Laws; and
(b) designed to ensure a level of security for the Controller Personal Information appropriate to the risk posed by the Processor’s Processing of such Controller Personal Information, to protect it from unauthorized, accidental or unlawful disclosure, access, loss or alteration, which measures shall include those set out in Appendix 2 at a minimum.
8. Data breach notification and assistance
8.1 The Processor shall notify the Controller in writing without undue delay if it becomes aware of a Personal Data Breach affecting the Controller Personal Information (a “Data Breach”), and shall provide the Controller, as soon as reasonably practicable, with the following information relating to the Data Breach:
(a) the nature of the Personal Information affected;
(b) the categories and number of Data Subjects concerned;
(c) the number of Personal Information records concerned;
(d) the measures taken to address the Data Breach; and
(e) the possible consequences and adverse effects of the Data Breach.
8.2 The Processor, at the Controller’s cost, shall provide the Controller with all reasonable assistance in relation to the Controller’s compliance with Articles 32-34 of the GDPR or equivalent requirements of other Data Protection Laws. The Processor shall provide such assistance in a timely manner and in accordance with any time frames set out in the Data Protection Laws.
9. Subcontracting
9.1 The Controller hereby authorizes the Processor to engage third parties to perform Processing activities in respect of Controller Personal Information on behalf of the Controller (“Subprocessors”). The Processor shall notify the Controller in writing in advance if it intends to replace or add to the Subprocessors, and the Controller shall have the right, acting reasonably, to object to such replacement or additional Subprocessor. If the Controller does not notify the Processor in writing of its objection to the additional or replacement Subprocessor within 20 days of being notified of such addition or replacement, the Processor may proceed with engaging the additional or replacement Subprocessor to Process the Controller Personal Information. If the Controller notifies the Processor of its objection in accordance with this Clause, the parties shall work in good faith to find a resolution to the issue. If a resolution cannot be reached within 30 days of the Controller’s objection, either party has the right to terminate this DPA and the Agreement on 30 days’ written notice to the other.
9.2 The Processor shall enter into a written agreement with each Subprocessor that contains obligations that are consistent with and, at a minimum, no less protective than the responsibilities and requirements set out in this DPA.
10. Cross Border Transfers of Personal Information
10.1 The Processor shall not, and shall procure that any Subprocessor shall not, transfer any Controller Personal Information to any country or territory outside the Controller Personal Information’s country or territory of origin without ensuring that appropriate safeguards are in place to protect the Controller Personal Information, in accordance with the requirements of Data Protection Laws.
10.2 Subject to Clauses 10.4 and 10.5 (as applicable), if Controller Personal Information originating from the EEA, UK or Switzerland is transferred from the Controller to the Processor as part of this DPA and/or the Agreement, module two of the EU Standard Contractual Clauses is hereby incorporated into this DPA by reference and shall apply to the Controller as the Data Exporter and to the Processor as the Data Importer.
10.3 Subject to Clauses 10.4 and 10.5 (as applicable), if Controller Personal Information originating from the EEA, UK or Switzerland is transferred from the Processor to the Controller as part of this DPA and/or the Agreement, module four of the EU Standard Contractual Clauses is hereby incorporated into this DPA by reference and shall apply to the Processor as the Data Exporter and to the Controller as the Data Importer.
10.4 With respect to Controller Personal Information originating from Switzerland, the EU Standard Contractual Clauses shall be amended as follows: (i) the term ‘Member State’ will not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses; (ii) references to “Regulation (EU) 2016/679” or “that Regulation” will be understood as references to the Swiss Federal Act on Data Protection; (iii) all references to the “Commission” shall be deemed to refer to the Federal Data Protection and Information Commissioner; (iv) all references to the “European Union”, “EU”, “Member State” and “Union” shall be deemed to refer to Switzerland; and (v) the footnotes are removed.
10.5 With respect to Controller Personal Information originating from the UK, the EU Standard Contractual Clauses shall be amended in accordance with the UK Addendum.
11. Deleting or returning of Controller Personal Information
11.1 The Processor shall promptly, and in any event within thirty (30) days: (a) of termination or expiry of the Agreement, for whatever reason; (b) after the end of the provision of the relevant Services related to the Processing; or (c) if earlier, as soon as Processing by the Processor of any Controller Personal Information is no longer required for the Processor’s performance of its obligations under this Agreement, cease all use of such Controller Personal Information and shall either securely destroy or return to the Controller (at the Controller’s direction) all such Controller Personal Information.
11.2 Notwithstanding Clause 11.1, if the Processor is required by applicable law to store any Controller Personal Information, the Processor shall notify the Controller of the requirement, ensure the continued confidentiality of all such Controller Personal Information and ensure that such Controller Personal Information is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
12. Records and audit
12.1 The Processor shall maintain complete, accurate and up-to-date written records of all Processing activities carried out on behalf of the Controller and shall make available to the Controller, on written request, such records and any other information as is reasonably required by the Controller to demonstrate compliance by the Processor with its obligations under this DPA.
12.2 If the Controller is not satisfied (acting reasonably) that the information provided by the Processor pursuant to Clause 12.1 demonstrates the Processor’s compliance with this DPA, the Controller has the right to conduct, by itself or by an independent third party acting under the Controller’s direction that is not a competitor of the Processor, at the Controller’s cost, an inspection, including an audit, of the Processor’s data security and privacy procedures relating to the Processing of Controller Personal Information and compliance with this DPA. Such inspection or audit may only occur once per calendar year, during the Processor’s normal business hours, following receipt by the Processor of 30 days’ prior written notice of such inspection or audit and agreement between the parties as to its scope. For the avoidance of doubt, such inspection or audit shall not cause unreasonable disruption to the Processor’s business and shall not include an inspection or audit which compromises Personal Information or confidential information Processed by the Processor on behalf of third parties.
13. General Terms
13.1 This DPA constitutes the entire agreement between the parties and supersedes, terminates and extinguishes all previous and contemporaneous agreements, promises, assurances and understandings between them, whether written or oral, relating to its subject matter.
13.2 Both parties acknowledge and understand that the Controller Personal Information may be subject to Data Protection Laws that require certain undertakings and/or the entering into of agreements, including in relation to the cross-border transfer of the Controller Personal Information. Both parties agree that they shall enter into any alternative or additional agreements or arrangements, or implement any additional measures, as may be required under Data Protection Laws in relation to the Processing and/or cross-border transfer of the Controller Personal Information.
13.3 In the event of any conflict between the provisions of this DPA, the Agreement and the EU Standard Contractual Clauses, the following order of precedence shall apply: first the EU Standard Contractual Clauses; then the provisions of this DPA; and then the Agreement.
13.4 Variation or amendment of this Agreement is only valid upon the signed written agreement of both parties.
13.5 Should any provision of this DPA be invalid or unenforceable, the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible, or, if this is not possible, (ii) construed as if the invalid or unenforceable part had never been contained therein.
13.6 Except where the parties cannot limit or exclude their liability under applicable law, each party’s liability in the aggregate arising out of or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty or otherwise, is subject to the limitations and exclusions of liability in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and the DPA together.
13.7 Any disputes or claims (including non-contractual disputes or claims) arising out of or in connection with this DPA shall be governed by the laws set out in the Agreement, and the courts in the territory set out in the Agreement shall have jurisdiction to resolve such disputes or claims.
Appendix 1:
Details of Processing of Controller Personal Information
This Appendix 1 includes certain details of the Processing of Controller Personal Information as required by Article 28(3) GDPR or equivalent requirements of other Data Protection Laws.
1. Subject matter and duration of the Processing of Controller Personal Information
The subject matter of the Processing of the Controller Personal Information is the provision of the Services to the Controller. Controller Personal Information will be Processed for the duration of the Agreement between the parties, subject to Section 11 of this DPA.
2. Nature and purpose of the Processing of Controller Personal Information
Processor shall host, maintain and otherwise process Controller Personal Information only in connection with the provision of Services pursuant to the terms of the Agreement and this DPA.
3. Types of Controller Personal Information Processed
Personal Information input by (or at the direction of) the Controller or by Data Subjects into Processor’s system or that Processor otherwise Processes on Controller’s behalf in connection with providing the Services pursuant to the terms of the Agreement and this DPA, including users’ name, contact information (including, but not limited to: phone, email address, billing address), payment information and history, vehicle information, and authorized platform user interactions.
4. Categories of Data Subject to whom the Controller Personal Information Relates
Company’s/Controller’s authorized employees, contractors, and end users.
5. Countries in which the Processor will Process the Controller Personal Information
United States, Israel, India
Appendix 2:
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Technical Measures
| Technical Measure | Description |
|---|---|
| 1. Inventory and Control of Hardware Assets | Actively manage all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. |
| 2. Inventory and Control of Software Assets | Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. |
| 3. Continuous Vulnerability Management | Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. |
| 4. Controlled Use of Administrative Privileges | Maintain processes and tools to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, applications, and data. |
| 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | Implement and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
| 6. Maintenance, Monitoring, and Analysis of Audit Logs | Collect, manage, and analyze audit and security logs of events that could help detect, understand, or recover from a possible attack. |
| 7. Email and Web Browser Protections | Deploy automated controls to minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems or content. |
| 8. Malware Defenses | Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. |
| 9. Limitation and Control of Network Ports, Protocols, and Services | Manage (track, control, correct) the ongoing operational use of ports, protocols, services, and applications on networked devices in order to minimize windows of vulnerability and exposure available to attackers. |
| 10. Data Recovery Capabilities | Maintain processes and tools to properly back up personal data with a proven methodology to ensure the confidentiality, integrity, availability, and recoverability of that data. |
| 11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches | Implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
| 12. Boundary Defenses | Detect, prevent, and correct the flow of information transferring across networks of different trust levels, with a focus on personal data. |
| 13. Data Protection | Maintain processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the confidentiality and integrity of personal data. |
| 14. Controlled Access Based on the Need to Know | Maintain processes and tools to track, control, prevent, and correct secure access to critical or controlled assets (e.g. information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical or controlled assets based on an approved classification. |
| 15. Wireless Access Control | Maintain processes and tools to track, control, prevent, and correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems. |
| 16. Account Monitoring and Control | Actively manage the life cycle of system and application accounts, their creation, use, dormancy, and deletion in order to minimize opportunities for unauthorized, inappropriate, or nefarious use. |
Organizational Measure
| Organizational Measure | Description |
|---|---|
| 1. Implement a Comprehensive Information Security Program | Through the implementation of a Comprehensive Information Security Program (CISP), maintain various administrative safeguards to protect personal data. These measures are designed to ensure: |
| 2. Implement a Security Awareness and Training Program | For all functional roles (prioritizing those mission critical to the business, its security, and the protection of personal data), identify the specific knowledge, skills and abilities needed to support the protection and defense of personal data; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs. |
| 3. Application Software Security | Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses. |
| 4. Incident Response and Management | Protect the organization’s information, including personal data, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight, retainers, and insurance) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the organization’s network and systems. |
| 5. Security and Privacy Assessments, Penetration Tests, and Red Team Exercises | Test the overall strength of the organization’s defense (the technology, processes, and people) by simulating the objectives and actions of an attacker; as well as, assess and validate the controls, policies, and procedures of the organization’s privacy and personal data protections. |
| 6. Physical Security and Entry Control | Require that all facilities meet the highest level of data protection standards possible, and reasonable, under the circumstances relevant to the facility and the data it contains, processes, or transmits. |
Appendix 3
EU STANDARD CONTRACTUAL CLAUSES
The Standard Contractual Clauses and related Annexes as well as the UK Addendum are available at: www.vontier.com/EU_Contractual_Clauses and are incorporated and integrated into this Agreement.