Data Processing Agreement

Standard terms · Version 1.0 · 6 June 2026

⚠ Draft for legal review. These standard DPA terms are provided as a template. They should be reviewed by qualified legal counsel and signed (or accepted by reference in the service contract) before relying on them.

This Data Processing Agreement ("DPA") forms part of the agreement between CodifyAI S.R.L., CUI 51174729, Romania ("Processor", "we") and the customer that uses the Codify Fleet service ("Controller", "Customer", "you"). It governs the processing of personal data by the Processor on behalf of the Controller and is concluded pursuant to Article 28 of the GDPR.

1. Roles and scope

For personal data the Customer submits to or generates within Codify Fleet (including vehicle locations, trips, driver records and uploaded documents), the Customer is the Controller and CodifyAI is the Processor. CodifyAI processes such data only to provide the service and only on the Controller's documented instructions, including this DPA and the configuration of the service.

2. Subject-matter and duration

Subject-matter: provision of the Codify Fleet GPS fleet-management platform. Duration: for as long as CodifyAI provides the service to the Customer, plus any post-termination period required for return/deletion of data.

3. Nature and purpose of processing

Collection, recording, storage, organisation, retrieval, transmission and erasure of personal data for the purpose of vehicle tracking, trip and route history, geofencing, driver and vehicle management, reporting, maintenance scheduling and related fleet-management features.

4. Categories of data subjects

The Customer's drivers and employees
The Customer's authorised platform users / administrators
Other individuals whose data the Customer chooses to enter (e.g. contacts in documents)

5. Types of personal data

Identification & contact: names, emails, phone numbers, user/driver identifiers (incl. iButton/NFC IDs)
Location & telemetry: GPS coordinates, speed, heading, ignition status, geofence events, route/trip history, timestamps
Driving behaviour: harsh braking/acceleration/cornering events, scoring, mileage logs
Vehicle & document data that may contain personal data (e.g. registration documents)

The Customer must not enter special categories of data (Art. 9 GDPR) into the service unless agreed separately in writing.

6. Processor obligations

CodifyAI shall:

process personal data only on the Controller's documented instructions, including for transfers, unless required by EU/Member State law (in which case it will inform the Controller unless legally prohibited);
ensure persons authorised to process the data are bound by confidentiality;
implement the technical and organisational measures in Annex II;
respect the conditions for engaging sub-processors (Section 7);
assist the Controller, insofar as possible, in responding to data-subject requests (Art. 12–23);
assist the Controller with security, breach notification, DPIAs and prior consultation (Art. 32–36);
at the Controller's choice, delete or return all personal data after the end of services and delete existing copies, unless storage is required by law;
make available information necessary to demonstrate compliance and allow for and contribute to audits as set out in Section 8.

7. Sub-processors

The Controller provides general authorisation for CodifyAI to engage the sub-processors listed below to provide the service. CodifyAI imposes data-protection obligations on each sub-processor equivalent to those in this DPA and remains liable for their performance. CodifyAI will inform the Controller of intended changes (additions/replacements) and give the Controller the opportunity to object.

Sub-processor	Service	Location
Hetzner Online GmbH	Server hosting & backups	EU (Germany/Finland)
Cloudflare, Inc.	DNS, CDN, security/proxy	USA (SCCs)
Synsbasen ApS / TjekBil	Vehicle registration lookup (on request)	Denmark (EU)
HeiGIT (OpenRouteService)	Routing / isochrone (optional)	EU (Germany)

8. Audits

CodifyAI shall make available to the Controller, on reasonable request and subject to confidentiality, information necessary to demonstrate compliance with Art. 28, and allow for audits (including inspections) conducted by the Controller or an auditor mandated by it, at reasonable intervals and with reasonable prior notice.

9. International transfers

Personal data is hosted in the EU. Where a sub-processor processes data outside the EEA (e.g. Cloudflare), transfers are made under the European Commission's Standard Contractual Clauses and appropriate supplementary measures.

10. Personal data breach

CodifyAI shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and provide information reasonably available to assist the Controller in meeting its obligations under Art. 33–34.

11. Return and deletion

Upon termination of the service, and at the Controller's choice, CodifyAI shall return or delete the personal data and delete existing copies within a reasonable period, unless EU/Member State law requires continued storage.

12. Liability and governing law

Liability is governed by the main service agreement. This DPA is governed by the law applicable to that agreement (Romanian law), without prejudice to the GDPR.

Annex I — Processing details

As described in Sections 2–5 above. Controller: the Customer. Processor: CodifyAI S.R.L.

Annex II — Technical and organisational measures (Art. 32)

Encryption of data in transit (HTTPS/TLS)
Access control: authenticated accounts, role-based permissions, hashed passwords
Network protection and reverse-proxy filtering
Regular, access-controlled backups with rotation
Logical separation of customer data
Logging and monitoring of access and security events
Confidentiality undertakings for personnel
Procedures for breach detection, response and notification

To execute this DPA for your organisation, contact [email protected]. CodifyAI S.R.L., CUI 51174729, Romania.