Version 1.0
This Data Processing Agreement (“DPA”) forms part of and supplements the Terms of Service, Subscription Agreement, Order Form or other agreement governing the use of CodiCo Dispatch Software (the “Main Agreement”) entered into between:
BILTO GROUP LLC, a company incorporated in the United Arab Emirates, operating CodiCo Dispatch Software (“Processor”),
and
Customer, acting as a controller of personal data (“Controller”).
The Controller and the Processor are collectively referred to as the “Parties”.
This DPA governs the Processing of Personal Data by Processor on behalf of Controller in connection with the provision of CodiCo Dispatch Software and related services.
The Parties acknowledge that Controller determines the purposes and means of Processing Personal Data and acts as the Controller, while Processor acts solely as a Processor under Article 28 GDPR.
“Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, “Supervisory Authority” and other capitalized terms shall have the meanings assigned to them under the GDPR.
“Customer Data” means all Personal Data submitted, stored, transmitted or otherwise processed through CodiCo Dispatch Software by or on behalf of Controller.
Processor provides cloud-based dispatch, booking, fleet management, driver management, passenger management, scheduling, reporting, communication and related services.
Processing may include:
Processor shall Process Personal Data solely for the purpose of providing the Services and in accordance with documented instructions from Controller.
The categories of Data Subjects may include:
The categories of Personal Data may include:
Controller shall not upload or submit special categories of personal data under Article 9 GDPR unless expressly agreed in writing.
Processor does not require or request copies of passports, driver’s licenses, medical records or other special-category data.
Controller warrants that:
Controller remains solely responsible for compliance with GDPR and applicable privacy laws.
Processor shall:
Processor shall maintain reasonable and appropriate administrative, technical and organizational safeguards designed to protect Customer Data against unauthorized access, disclosure, alteration or destruction.
Security measures may include:
Processor does not guarantee that the Services will be free from all vulnerabilities or security incidents.
Controller grants Processor general authorization to engage Subprocessors.
Processor may add, replace or remove Subprocessors from time to time as reasonably necessary for providing the Services.
Processor shall maintain an up-to-date list of Subprocessors and make such information available upon request.
Processor shall remain responsible for the performance of its Subprocessors to the extent required by applicable law.
Third-party services independently selected, connected or configured by Controller shall not be considered Subprocessors of Processor.
Controller acknowledges that Customer Data may be accessed, processed or transferred internationally where necessary for the operation, maintenance, support and delivery of the Services.
Processor shall implement appropriate safeguards where required under applicable data protection laws.
Where Processor receives a request directly from a Data Subject relating to Customer Data, Processor may redirect the Data Subject to Controller.
Processor shall provide reasonable assistance to Controller in responding to such requests where required by law.
Controller may request information reasonably necessary to demonstrate compliance with this DPA.
Physical inspections, penetration testing, source code reviews, vulnerability scans, access to internal systems, access to confidential business information, or access to data relating to other customers shall not be required.
Any audit shall:
Upon termination of the Services, Customer Data shall remain available for export for ten (10) days.
Following such period, Customer Data shall be permanently deleted from production systems.
Residual copies contained in backups may remain until overwritten in accordance with Processor’s backup retention procedures.
To the maximum extent permitted by law, Processor’s aggregate liability arising out of or related to this DPA shall not exceed the total fees paid by Controller to Processor during the twelve (12) months immediately preceding the event giving rise to the claim.
Processor shall not be liable for indirect, incidental, consequential, special, punitive or exemplary damages, including loss of revenue, profits, goodwill, business opportunities or data.
Nothing in this DPA limits liability where such limitation is prohibited by applicable law.
The Controller shall indemnify and hold harmless the Processor against claims, fines, penalties, damages or expenses arising from:
This DPA shall be governed by the law specified in the Main Agreement.
In the absence of such provision, the laws of the United Arab Emirates shall apply.
In the event of any conflict between this DPA and the Main Agreement, this DPA shall prevail solely with respect to data protection matters.
This DPA shall become effective on the date the Controller first accepts the Main Agreement, creates an account, accesses the Services, or otherwise uses the Services, whichever occurs first.
This DPA shall remain in effect for as long as the Processor Processes Personal Data on behalf of the Controller.
Termination or expiration of the Main Agreement shall automatically terminate this DPA, except to the extent that the Processor continues to Process Personal Data after such termination for the purposes of data retention, legal compliance, backup retention, dispute resolution, enforcement of contractual rights, or other legitimate business purposes permitted by applicable law.
The provisions relating to confidentiality, liability, audits, international transfers, data deletion, dispute resolution and any other provisions which by their nature are intended to survive termination shall remain in effect following termination of this DPA.
Upon termination of the Services, Customer Data shall be handled in accordance with Section 13 (Return and Deletion of Data).
Termination of this DPA shall not relieve either Party of any obligations accrued prior to the effective date of termination.
The Processor provides cloud-based transportation dispatch, booking management, driver management, passenger management, fleet management, communication, scheduling, reporting and related software services through the CodiCo Dispatch Software platform.
Personal Data is processed solely for the purpose of:
Processing shall continue for the duration of the Customer’s active subscription.
Upon termination of the Services, Customer Data shall remain available for export for ten (10) days.
Following such period, Customer Data shall be deleted in accordance with the DPA.
The categories of Data Subjects may include:
The Services are not intended for the processing of Special Categories of Personal Data as defined by Article 9 GDPR.
The Controller shall not upload or otherwise provide such data unless expressly agreed in writing by the Processor.
The Processor reserves the right to remove such data where reasonably necessary to protect the integrity and compliance of the Services.
The Processor maintains reasonable and appropriate technical and organizational measures designed to protect Customer Data.
The following measures may be implemented and updated from time to time:
Authorized personnel are subject to confidentiality obligations.
Access to Customer Data is granted only where reasonably necessary for:
The Processor operates a distributed workforce.
Authorized personnel may access Customer Data remotely from various jurisdictions solely for legitimate business purposes related to the Services.
Such access is limited to authorized personnel and subject to security controls.
The Processor maintains procedures designed to identify, investigate and respond to security incidents.
Where required by applicable law, the Controller shall be notified without undue delay after the Processor becomes aware of a Personal Data Breach affecting Customer Data.
The Processor performs ongoing maintenance, monitoring and security updates appropriate to the nature of the Services.
The Processor does not warrant or guarantee absolute security or uninterrupted operation of the Services.
The Processor may modify, enhance or replace security measures from time to time provided that the overall level of security is not materially reduced.
The Controller acknowledges and agrees that the Processor may engage the following Subprocessors:
|
Subprocessor |
Purpose |
|
DigitalOcean |
Cloud infrastructure and hosting |
|
Stripe |
Payment processing |
|
Google Workspace |
Email and calendar services |
|
Google Maps Platform |
Mapping, geolocation and routing services |
|
Firebase Cloud Messaging |
Mobile push notifications |
|
Usertour |
Product onboarding and user guidance |
Third-party services independently selected, connected, configured or authorized by the Controller are not considered Subprocessors of the Processor.
Examples may include:
The Controller remains solely responsible for assessing and approving such services.
The Processor may add, replace or remove Subprocessors where reasonably necessary for providing, maintaining, improving or securing the Services.
An updated list of Subprocessors shall be made available upon request.
The Controller agrees that such changes shall not require execution of a new Data Processing Agreement.
CodiCo - experts in web development, WordPress customization, mobile apps, Google Ads, and AI integration, which has offices in the following countries:
Waversebaan 65a, 3050 Oud-Heverlee, Belgium
ALL COMMERCE & BUSINESS SUPPLIES LTD
Landscape House, Baldonnell Business Park
Co. Dublin, D22 P3K7, Ireland
Company Nº: 600891
Tax Nº: 3466325KH
Copyright © 2025 CodiCo. All rights reserved.



Sangina
Customer manager
Hi dear 👋🏻
Any questions related to CodiCo Taxi Dispatch Software?
Start Chat