Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between the customer identified in the applicable order or signup flow (“Customer”) and Incogito LLC, a Delaware limited liability company, doing business as Dromium (“Dromium”, “We” or “Processor”).

This DPA applies to the extent Dromium processes Personal Data on behalf of Customer in connection with Customer’s use of the Dromium service (the “Service”) and, where applicable, is intended to satisfy the requirements of Article 28 of the GDPR and similar data protection laws.

1. Definitions

Capitalized terms not defined in this DPA have the meaning given in the main Terms of Service. In addition:

  • “Data Protection Laws” means applicable data protection and privacy laws, including where applicable the EU General Data Protection Regulation (“GDPR”), the UK GDPR and any similar laws that apply to Customer’s use of the Service.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Dromium on behalf of Customer as part of the Service.
  • “Processing”, “Controller”, “Processor”, “Data Subject” and “Supervisory Authority” have the meanings given in the GDPR.
  • “Customer Data” means Personal Data that Customer or its users submit to the Service or that Dromium collects or generates on Customer’s documented instructions in order to provide the Service.
  • “Subprocessor” means any third party engaged by Dromium to process Customer Data on Dromium’s behalf in connection with the Service.

2. Roles and scope of processing

2.1 Roles. For the purposes of Data Protection Laws, Customer is the Controller of Customer Data and Dromium is the Processor, except where Dromium acts as an independent controller as described in our Privacy Policy (for example, for our own account, billing, security and product analytics data).

2.2 Subject matter. The subject matter of the processing is the provision of the Service, including booking management, client management, vehicle management and related workflows configured by Customer.

2.3 Duration. Dromium will process Customer Data for the duration of the agreement between Customer and Dromium, and thereafter as required to comply with legal obligations or to resolve disputes, unless Customer requests earlier deletion in accordance with this DPA.

2.4 Nature and purpose. Dromium processes Customer Data only to provide, maintain, secure and improve the Service, to prevent or address technical or security issues, to provide support to Customer, and as otherwise documented in the Terms of Service and this DPA.

2.5 Types of data and data subjects. Customer Data may include contact, identification and booking-related information about:

  • Renters, drivers and other individuals who make or are associated with bookings;
  • Customer’s staff and users (for example, team members using the dashboard); and
  • Other individuals whose data Customer chooses to store in the Service.

Financial card data is handled directly by Stripe as described in Section 6 of the Terms of Service and our Privacy Policy. Dromium does not store full card numbers or card security codes and does not act as Processor for such card data.

3. Customer instructions

3.1 Dromium will process Customer Data only on documented instructions from Customer, including as set out in this DPA, the Terms of Service, and Customer’s configuration and use of the Service.

3.2 Customer is responsible for ensuring that its instructions comply with Data Protection Laws. Customer will not instruct Dromium to process Customer Data in a way that would violate Data Protection Laws.

3.3 If Dromium becomes aware that an instruction from Customer infringes Data Protection Laws, Dromium will promptly inform Customer (unless prohibited by law).

4. Security

4.1 Dromium will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, having regard to the nature of the data and the risks involved.

4.2 These measures include, as appropriate:

  • Encryption in transit and at rest where appropriate;
  • Access controls and authentication for staff and systems;
  • Logical separation between Customer environments;
  • Regular backups and disaster recovery procedures; and
  • Policies and training for staff handling Customer Data.

4.3 Customer is responsible for maintaining the security of its own systems and credentials, including account passwords and access to the Service.

5. Confidentiality

Dromium will ensure that persons authorized to process Customer Data are bound by appropriate confidentiality obligations, whether through employment agreements or contractual obligations, and will only access Customer Data as necessary to provide the Service.

6. Subprocessors

6.1 Customer authorizes Dromium to engage Subprocessors to process Customer Data in connection with the Service. Typical categories of Subprocessors include cloud hosting providers, email and messaging tools, logging and monitoring tools and support tools.

6.2 Dromium will impose data protection obligations on Subprocessors that are materially no less protective than those in this DPA. Dromium remains responsible for the performance of its Subprocessors.

6.3 Where required by law, Dromium will make available a list of current Subprocessors and provide notice of material changes, giving Customer an opportunity to object where the change would materially increase the risk to Customer Data.

7. International data transfers

7.1 Customer Data may be processed in the United States and in other countries where Dromium or its Subprocessors maintain operations.

7.2 Where Customer Data is transferred from the European Economic Area, the United Kingdom or Switzerland to a country that does not provide an adequate level of data protection, Dromium will ensure that appropriate safeguards are in place, such as the execution of Standard Contractual Clauses or other lawful transfer mechanisms.

8. Data subject requests

8.1 If Dromium receives a request from a Data Subject directly (for example, a renter asking to access, correct or delete their booking information), Dromium will, where reasonably practicable, notify Customer and direct the Data Subject to contact Customer, unless Dromium is legally required to respond directly.

8.2 Taking into account the nature of the processing, Dromium will provide reasonable assistance to Customer, at Customer’s expense where appropriate, in responding to Data Subject requests under Data Protection Laws.

9. Personal data breaches

In the event of a Personal Data breach involving Customer Data, Dromium will notify Customer without undue delay after becoming aware of the breach and will provide information reasonably required for Customer to meet its obligations under Data Protection Laws. Dromium will take appropriate steps to investigate and mitigate the breach and will cooperate with Customer as reasonably necessary.

10. Deletion and return of data

Upon termination of the Service or at Customer’s written request, Dromium will delete or return Customer Data in accordance with the Terms of Service and Dromium’s standard data retention practices, unless Dromium is required by law to retain certain data. Aggregated or anonymized data that no longer constitutes Personal Data may be retained.

11. Audit and information

On Customer’s reasonable request, Dromium will make available information necessary to demonstrate compliance with this DPA and, where required by Data Protection Laws, allow for and contribute to audits conducted by Customer or an auditor mandated by Customer, provided that such audits are subject to reasonable confidentiality, security and scheduling restrictions and do not unreasonably interfere with Dromium’s business operations.

12. Precedence

In the event of any conflict between this DPA and the main Terms of Service with respect to the processing of Customer Data, this DPA will prevail to the extent of the conflict.

13. Governing law

This DPA is governed by the same law and jurisdiction that apply to the underlying agreement between Customer and Dromium, unless Data Protection Laws require otherwise.