DATA PROCESSING AGREEMENT (DPA)


Version 1.0

 

This Data Processing Agreement (“DPA”) forms part of and supplements the Terms of Service, Subscription Agreement, Order Form or other agreement governing the use of CodiCo Dispatch Software (the “Main Agreement”) entered into between:

 

BILTO GROUP LLC, a company incorporated in the United Arab Emirates, operating CodiCo Dispatch Software (“Processor”),

 

and

 

Customer, acting as a controller of personal data (“Controller”).

 

The Controller and the Processor are collectively referred to as the “Parties”.

 

1. PURPOSE

This DPA governs the Processing of Personal Data by Processor on behalf of Controller in connection with the provision of CodiCo Dispatch Software and related services.

 

The Parties acknowledge that Controller determines the purposes and means of Processing Personal Data and acts as the Controller, while Processor acts solely as a Processor under Article 28 GDPR.

 

2. DEFINITIONS

“Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, “Supervisory Authority” and other capitalized terms shall have the meanings assigned to them under the GDPR.

 

“Customer Data” means all Personal Data submitted, stored, transmitted or otherwise processed through CodiCo Dispatch Software by or on behalf of Controller.

 

3. NATURE OF PROCESSING

Processor provides cloud-based dispatch, booking, fleet management, driver management, passenger management, scheduling, reporting, communication and related services.

 

Processing may include:

 

  • collection;
  • storage;
  • organization;
  • retrieval;
  • consultation;
  • transmission;
  • synchronization;
  • deletion;
  • analysis necessary for operation of the service.

 

Processor shall Process Personal Data solely for the purpose of providing the Services and in accordance with documented instructions from Controller.

 

4. CATEGORIES OF DATA SUBJECTS

The categories of Data Subjects may include:

 

  • passengers;
  • customers;
  • drivers;
  • dispatchers;
  • operators;
  • administrators;
  • employees of Controller;
  • business contacts.
 

5. CATEGORIES OF PERSONAL DATA

The categories of Personal Data may include:

 

  • names;
  • email addresses;
  • telephone numbers;
  • booking information;
  • trip information;
  • pickup and drop-off locations;
  • driver information;
  • vehicle information;
  • account credentials;
  • GPS and location data;
  • communication logs;
  • service usage information.

 

Controller shall not upload or submit special categories of personal data under Article 9 GDPR unless expressly agreed in writing.

 

Processor does not require or request copies of passports, driver’s licenses, medical records or other special-category data.

 

6. CUSTOMER RESPONSIBILITIES

Controller warrants that:

 

  a) it has a lawful basis for Processing Personal Data;
  b) it has provided all required notices to Data Subjects;
  c) it is solely responsible for the accuracy, quality and legality of Customer Data;
  d) it has obtained all necessary consents where required.

 

Controller remains solely responsible for compliance with GDPR and applicable privacy laws.

 

7. PROCESSOR OBLIGATIONS

Processor shall:

 

  a) Process Personal Data only on documented instructions from Controller;
  b) ensure confidentiality of personnel with access to Personal Data;
  c) implement appropriate technical and organizational measures;
  d) assist Controller in responding to Data Subject requests where reasonably possible;
  e) notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Data;
  f) provide reasonable assistance regarding GDPR compliance obligations.

 

8. SECURITY MEASURES

Processor shall maintain reasonable and appropriate administrative, technical and organizational safeguards designed to protect Customer Data against unauthorized access, disclosure, alteration or destruction.

 

Security measures may include:

 

  • HTTPS encryption;
  • access controls;
  • authentication procedures;
  • role-based permissions;
  • backups;
  • firewall protection;
  • monitoring and logging;
  • software security updates.

 

Processor does not guarantee that the Services will be free from all vulnerabilities or security incidents.

 

9. SUBPROCESSORS

Controller grants Processor general authorization to engage Subprocessors.

 

Processor may add, replace or remove Subprocessors from time to time as reasonably necessary for providing the Services.

 

Processor shall maintain an up-to-date list of Subprocessors and make such information available upon request.

 

Processor shall remain responsible for the performance of its Subprocessors to the extent required by applicable law.

 

Third-party services independently selected, connected or configured by Controller shall not be considered Subprocessors of Processor.

 

10. INTERNATIONAL DATA TRANSFERS

Controller acknowledges that Customer Data may be accessed, processed or transferred internationally where necessary for the operation, maintenance, support and delivery of the Services.

 

Processor shall implement appropriate safeguards where required under applicable data protection laws.

 

11. DATA SUBJECT REQUESTS

Where Processor receives a request directly from a Data Subject relating to Customer Data, Processor may redirect the Data Subject to Controller.

 

Processor shall provide reasonable assistance to Controller in responding to such requests where required by law.

 

12. AUDIT RIGHTS

Controller may request information reasonably necessary to demonstrate compliance with this DPA.

 

Physical inspections, penetration testing, source code reviews, vulnerability scans, access to internal systems, access to confidential business information, or access to data relating to other customers shall not be required.

 

Any audit shall:

 

  • occur no more than once per calendar year;
  • be conducted during normal business hours;
  • be subject to at least 30 days prior written notice;
  • not interfere with Processor’s operations;
  • be at Controller’s expense.

 

13. RETURN AND DELETION OF DATA

Upon termination of the Services, Customer Data shall remain available for export for ten (10) days.

 

Following such period, Customer Data shall be permanently deleted from production systems.

 

Residual copies contained in backups may remain until overwritten in accordance with Processor’s backup retention procedures.

 

14. LIMITATION OF LIABILITY

To the maximum extent permitted by law, Processor’s aggregate liability arising out of or related to this DPA shall not exceed the total fees paid by Controller to Processor during the twelve (12) months immediately preceding the event giving rise to the claim.

 

Processor shall not be liable for indirect, incidental, consequential, special, punitive or exemplary damages, including loss of revenue, profits, goodwill, business opportunities or data.

 

Nothing in this DPA limits liability where such limitation is prohibited by applicable law.

 

14.1 INDEMNIFICATION BY CONTROLLER

The Controller shall indemnify and hold harmless the Processor against claims, fines, penalties, damages or expenses arising from:

 

  • unlawful collection of Personal Data by the Controller;
  • absence of a lawful basis for Processing;
  • failure to provide required notices to Data Subjects;
  • instructions provided by the Controller that violate applicable law.

 

15. GOVERNING LAW

This DPA shall be governed by the law specified in the Main Agreement.

 

In the absence of such provision, the laws of the United Arab Emirates shall apply.

 

16. ORDER OF PRECEDENCE

In the event of any conflict between this DPA and the Main Agreement, this DPA shall prevail solely with respect to data protection matters.

 

17. TERM AND TERMINATION

This DPA shall become effective on the date the Controller first accepts the Main Agreement, creates an account, accesses the Services, or otherwise uses the Services, whichever occurs first.

 

This DPA shall remain in effect for as long as the Processor Processes Personal Data on behalf of the Controller.

 

Termination or expiration of the Main Agreement shall automatically terminate this DPA, except to the extent that the Processor continues to Process Personal Data after such termination for the purposes of data retention, legal compliance, backup retention, dispute resolution, enforcement of contractual rights, or other legitimate business purposes permitted by applicable law.

 

The provisions relating to confidentiality, liability, audits, international transfers, data deletion, dispute resolution and any other provisions which by their nature are intended to survive termination shall remain in effect following termination of this DPA.

 

Upon termination of the Services, Customer Data shall be handled in accordance with Section 13 (Return and Deletion of Data).

 

Termination of this DPA shall not relieve either Party of any obligations accrued prior to the effective date of termination.

 

ANNEX A
DETAILS OF PROCESSING

 

A. SUBJECT MATTER OF PROCESSING

The Processor provides cloud-based transportation dispatch, booking management, driver management, passenger management, fleet management, communication, scheduling, reporting and related software services through the CodiCo Dispatch Software platform.

 

B. PURPOSE OF PROCESSING

Personal Data is processed solely for the purpose of:

 

  • providing the Services;
  • managing transportation bookings;
  • dispatching and assigning trips;
  • managing drivers and vehicles;
  • facilitating communication between passengers, drivers and dispatchers;
  • generating reports and analytics;
  • customer support;
  • maintaining security, availability and performance of the Services.

 

C. DURATION OF PROCESSING

Processing shall continue for the duration of the Customer’s active subscription.

 

Upon termination of the Services, Customer Data shall remain available for export for ten (10) days.

 

Following such period, Customer Data shall be deleted in accordance with the DPA.

 

D. CATEGORIES OF DATA SUBJECTS

The categories of Data Subjects may include:

 

Passengers

  • customers
  • passengers
  • travellers

Drivers

  • employed drivers
  • contracted drivers
  • owner-operators

Customer Personnel

  • dispatchers
  • operators
  • administrators
  • managers
  • employees
  • contractors

Business Contacts

  • suppliers
  • partners
  • agents
  • affiliates

 

E. CATEGORIES OF PERSONAL DATA

Passenger Data

  • first name
  • last name
  • email address
  • telephone number
  • pickup address
  • destination address
  • booking information
  • trip history

Driver Data

  • first name
  • last name
  • email address
  • telephone number
  • vehicle information
  • availability status
  • GPS location data
  • trip assignments

Operational Data

  • account information
  • login records
  • activity logs
  • communication logs
  • service usage information

Location Data

  • vehicle locations
  • driver locations
  • trip routes
  • dispatch information
 

F. SPECIAL CATEGORIES OF DATA

The Services are not intended for the processing of Special Categories of Personal Data as defined by Article 9 GDPR.

 

The Controller shall not upload or otherwise provide such data unless expressly agreed in writing by the Processor.

 

The Processor reserves the right to remove such data where reasonably necessary to protect the integrity and compliance of the Services.

 

ANNEX B
TECHNICAL AND ORGANIZATIONAL MEASURES

The Processor maintains reasonable and appropriate technical and organizational measures designed to protect Customer Data.

 

The following measures may be implemented and updated from time to time:

 

1. ACCESS CONTROL

  • password-protected systems;
  • role-based permissions;
  • restricted employee access;
  • least-privilege principles;
  • user authentication mechanisms.

 

2. NETWORK SECURITY

  • HTTPS/TLS encrypted communications;
  • firewall protection;
  • infrastructure security controls;
  • monitoring and logging.

 

3. DATA SECURITY

  • logical separation of customer environments;
  • controlled access to Customer Data;
  • backup procedures;
  • secure deletion procedures.

 

4. PERSONNEL SECURITY

Authorized personnel are subject to confidentiality obligations.

 

Access to Customer Data is granted only where reasonably necessary for:

 

  • customer support;
  • maintenance;
  • troubleshooting;
  • service delivery.

 

5. REMOTE ACCESS

The Processor operates a distributed workforce.

 

Authorized personnel may access Customer Data remotely from various jurisdictions solely for legitimate business purposes related to the Services.

 

Such access is limited to authorized personnel and subject to security controls.

 

6. INCIDENT MANAGEMENT

The Processor maintains procedures designed to identify, investigate and respond to security incidents.

 

Where required by applicable law, the Controller shall be notified without undue delay after the Processor becomes aware of a Personal Data Breach affecting Customer Data.

 

7. TESTING AND MAINTENANCE

The Processor performs ongoing maintenance, monitoring and security updates appropriate to the nature of the Services.

 

The Processor does not warrant or guarantee absolute security or uninterrupted operation of the Services.

 

8. MODIFICATIONS

The Processor may modify, enhance or replace security measures from time to time provided that the overall level of security is not materially reduced.



ANNEX C
SUBPROCESSORS

The Controller acknowledges and agrees that the Processor may engage the following Subprocessors:

 

| Subprocessor             | Purpose                                   |
|--------------------------|-------------------------------------------|
| DigitalOcean             | Cloud infrastructure and hosting          |
| Stripe                   | Payment processing                        |
| Google Workspace         | Email and calendar services               |
| Google Maps Platform     | Mapping, geolocation and routing services |
| Firebase Cloud Messaging | Mobile push notifications                 |
| Usertour                 | Product onboarding and user guidance      |

 

CUSTOMER-CONNECTED SERVICES

Third-party services independently selected, connected, configured or authorized by the Controller are not considered Subprocessors of the Processor.

 

Examples may include:

 

  • customer email providers;
  • customer SMTP services;
  • customer payment providers;
  • customer communication providers;
  • customer CRM systems;
  • customer integrations.

 

The Controller remains solely responsible for assessing and approving such services.

 

FUTURE SUBPROCESSORS

The Processor may add, replace or remove Subprocessors where reasonably necessary for providing, maintaining, improving or securing the Services.

 

An updated list of Subprocessors shall be made available upon request.

 

The Controller agrees that such changes shall not require execution of a new Data Processing Agreement.

 
