1. Parties & Roles
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and QuickFleet Limited ("Processor"). It applies whenever QuickFleet Limited processes personal data on the Controller's behalf in the course of providing Quick Wing.
2. Subject Matter & Duration
The Processor processes personal data for the duration of the subscription, plus any reasonable wind-down period required to return or delete the data. Processing concerns the operation of a fleet management platform, including booking, compliance, document storage, and reporting.
3. Categories of Data Subjects & Data
Data subjects: the Controller's employees, contractors, drivers, fleet managers, and authorised third parties.
Categories of personal data: name, email, role, contact details, login credentials, photographs (where uploaded), booking records, vehicle assignments, mileage logs, incident reports, and uploaded documents.
4. Processor Obligations
- Process personal data only on documented instructions from the Controller.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Article 32 GDPR).
- Assist the Controller with data subject requests and DPIAs where applicable.
- Notify the Controller of any personal data breach without undue delay.
- At the end of the contract, return or delete personal data at the Controller's choice.
5. Sub-processors
The Controller authorises QuickFleet Limited to engage sub-processors to deliver the Service. The current list includes:
- Render (application hosting) — EU/US
- MongoDB Atlas (database hosting) — EU
- Email delivery providers (transactional email) — EU/US
- AI providers — only when AI features are enabled by the Controller
QuickFleet Limited will give the Controller reasonable notice of any intended changes to sub-processors so the Controller can object on reasonable grounds.
6. International Transfers
Where personal data is transferred outside the EEA, the parties rely on Standard Contractual Clauses adopted by the European Commission, adequacy decisions, or another lawful transfer mechanism.
7. Security Measures
The Processor implements: encryption in transit (TLS 1.2+), hashed passwords (bcrypt), tenant-level data isolation, role-based access controls, audit logging, regular backups, and least-privilege administrative access. See the Security & Compliance page for full details.
8. Audits
The Controller may, no more than once per year and on reasonable notice, request information necessary to demonstrate compliance with this DPA. The Processor will respond to reasonable requests in a confidential manner.
9. Liability
Liability under this DPA is subject to the limitation of liability set out in the Terms of Service.
10. Governing Law
This DPA is governed by the laws of Ireland and disputes are subject to the exclusive jurisdiction of the courts of Ireland.
11. Contact
DPA queries: Lee.quickwing@gmail.com.