Data Processing Addendum
Template version: May 17, 2026
Do you need a DPA?
If you're a business customer using Fleetiqo to process data about your own employees, drivers, or end customers — and your customers are EU/UK/Swiss residents, or you're based in those regions — then yes, you almost certainly need a signed Data Processing Addendum (DPA). It's required by Article 28 of the GDPR and equivalent provisions in the UK GDPR, Swiss FADP, California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Brazil LGPD.
If you're a sole operator using Fleetiqo only for your own personal data, you don't formally need a DPA — you're the data subject, not a controller — but you're still welcome to request one for your files.
How to request a signed DPA
- Email legal@fleetiqo.com with the subject line "DPA request" from the email associated with your Fleetiqo account.
- Include the legal name and registered address of your organisation, and the role of the signatory.
- We send back a pre-filled DPA in PDF + Word format, signed by Fleetiqo, ready for your countersignature on DocuSign or equivalent.
- Standard turnaround is 2–3 business days. Annex II (sub-processors) references the current sub-processor list by URL, so it stays current as our infrastructure evolves.
Standard terms — what's in the DPA
Our DPA template is modeled on the European Commission's 2021 Standard Contractual Clauses and follows the CIPL-recommended structure. The core commitments:
- Processing only on your instructions. We process personal data only for the purposes described in the master agreement and this DPA.
- Confidentiality. Everyone with access to your personal data is under a written confidentiality obligation.
- Security measures (Art. 32). Encryption at rest for OAuth tokens (AES-256-CBC, per-user keys), TLS 1.2+ in transit, bcrypt password hashing, two-factor authentication available for admin accounts, daily DB backups, scheduled automatic purges of driver-license images, internal code-level audits at least annually.
- Sub-processor consent. The DPA approves the sub-processors listed at /sub-processors at the time of signing. New or replacement sub-processors are notified at least 30 days in advance with a right of objection.
- Breach notification. Without undue delay and in any event within 48 hours of becoming aware of a personal-data breach.
- Data subject rights assistance. We help you respond to requests under Chapter III of the GDPR — the Fleetiqo dashboard already exposes export, delete, rectify, and restriction primitives directly to your end users.
- International transfers. Personal data is hosted in the EEA by default. Where a sub-processor is non-EEA (Stripe US, Google US, Microsoft US, Resend US, Cloudflare US/EU, Apple US), transfers happen under the EU Standard Contractual Clauses (Module 3) and/or an active Adequacy Decision.
- Return / deletion of data. On termination, we return or delete all personal data within 30 days at your option.
- Audits. One written audit per twelve-month period at your cost; we respond within 30 days with our most recent internal audit summary plus supporting evidence as needed.
Negotiated changes
Enterprise customers occasionally need negotiated changes — different governing law, audit clauses, or additional security commitments. Send us a redline or a list of required changes with your DPA request and our legal team will review and respond within a few business days. We try to say yes when we reasonably can; we'll explain when we can't.
Source-controlled template
The DPA template we sign from is maintained in the Fleetiqo source tree at docs/dpa-template.md on github.com/Fleetiqo/Fleetiqo-V2. Every change to the template is captured in the git history so you have a full provenance trail of what you signed and when.
Contact
Send DPA requests, redlines, or questions to legal@fleetiqo.com. For day-to-day privacy questions (subject access requests, etc.) use privacy@fleetiqo.com instead.