1 – Scope
1.1 This Data Processing Agreement (the “Agreement”) applies to TRAXXEO’s Processing of Personal Data in the context of providing TRAXXEO Cloud Services, including vehicle and object tracking data and mobile applications.
1.2 In case of conflict or inconsistency between this Agreement and any other agreement with You governing the TRAXXEO Cloud Services, the provisions of this Agreement shall prevail.
2 – Definitions
2.1 “Applicable Data Protection Law” means Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”), and any other applicable data privacy or data protection laws and regulations governing the Processing of Personal Data under this Agreement.
2.2 “You” means the customer entity that is a client of TRAXXEO and acts as Controller.
2.3 Terms such as “Controller”, “Processor”, “Data Subject”, “Processing”, “Supervisory Authority”, “Data Protection Officer” and “Binding Corporate Rules” have the meaning given in the GDPR.
2.4 “Standard Contractual Clauses” means the clauses adopted by the European Commission under Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced.
2.5 “Personal Data” means any information relating to a Data Subject that TRAXXEO may Process on Your behalf as part of the Cloud Services.
2.6 “Special Categories of Personal Data” means the data referred to in Article 9 GDPR. Processing of data relating to criminal convictions and offences is subject to Article 10 GDPR.
2.7 “Third Party Subprocessor” means a third-party subcontractor engaged by TRAXXEO that may Process Personal Data as set forth in Section 8.
3 – Controller and Processor of Personal Data and Purpose of Processing
3.1 You are and remain the Controller of the Personal Data Processed by TRAXXEO under this Agreement. You are responsible for compliance with Your Controller obligations, including providing required notices, obtaining necessary consents or authorizations, and ensuring a valid legal basis under Applicable Data Protection Law.
3.2 TRAXXEO acts as a Processor with regard to Personal Data provided by You. TRAXXEO is responsible for compliance with its Processor obligations under this Agreement and Applicable Data Protection Law.
For certain operations (e.g. billing, compliance, fraud prevention), TRAXXEO may act as an independent Controller.
3.3 TRAXXEO, and persons acting under its authority (including Third Party Subprocessors under Section 8), will Process Personal Data solely for:
- providing the Cloud Services in accordance with the Client Contract and this Agreement,
- following Your documented written instructions (Section 5), or
- complying with TRAXXEO’s legal obligations (Section 14).
4 – Categories of Personal Data and Data Subjects
4.1 Depending on the Cloud Services You order, TRAXXEO may Process categories of Personal Data including, but not limited to: contact information (name, email, phone), employment information (employer, job title, function), geolocation and performance data, and credentials required for access to the Cloud Services.
4.2 Data Subjects may include Your representatives and end users, such as employees, applicants, contractors, partners, suppliers, customers, and clients.
4.3 Unless explicitly agreed otherwise, You shall not provide TRAXXEO with Special Categories of Personal Data or criminal conviction data.
5 – Your Instructions
5.1 TRAXXEO will Process Personal Data on Your written instructions as specified in this Agreement.
5.2 Additional written instructions must comply with Applicable Data Protection Law. TRAXXEO will follow such instructions where required to:
- comply with its Processor obligations, and/or
- assist You with Controller obligations (e.g. breach notifications, Data Subject rights).
5.3 If TRAXXEO considers an instruction unlawful, it will promptly inform You. TRAXXEO is not responsible for providing legal advice.
5.4 Where instructions require resources beyond those normally required for the Cloud Services, the parties will negotiate in good faith regarding additional costs.
6 – Rights of Data Subjects
6.1 TRAXXEO will grant You access to Your Cloud Services environment to enable You to address Data Subject requests (e.g. access, erasure, restriction, portability, objection).
6.2 If such access is unavailable, You may submit a service request to TRAXXEO Support (support@traxxeo.com) with instructions. TRAXXEO will follow such instructions promptly. Costs may be agreed if special resources are needed.
6.3 If TRAXXEO receives a Data Subject request directly, it will forward it to You without responding, unless legally required.
7 – Personal Data Transfers
7.1 Personal Data will be hosted in data centers located within the European Union. TRAXXEO will not migrate data outside this region without Your prior written consent.
7.2 TRAXXEO may access and process Personal Data across the EU for purposes such as IT security, maintenance, and support.
7.3 Personal Data shall not be transferred to countries outside the EEA or Switzerland unless:
- the country benefits from an adequacy decision, or
- appropriate safeguards such as the Standard Contractual Clauses are in place.
8 – Third Party Subprocessors
8.1 You agree that TRAXXEO may engage Subprocessors to deliver the Cloud Services.
8.2 A list of Subprocessors will be provided as an Appendix. You will be informed of substantial changes. If You reasonably object and no solution is found, You may terminate the Services.
8.3 Subprocessors must provide at least the same level of protection as TRAXXEO.
8.4 TRAXXEO remains fully responsible for its Subprocessors.
9 – Technical and Organizational Measures, and Confidentiality
9.1 TRAXXEO implements appropriate technical and organizational measures considering the risks of Processing.
9.2 These measures include physical security, system access, data encryption, backups, segregation, monitoring, and enforcement. A detailed list is available on request (support@traxxeo.com).
9.3 TRAXXEO shall keep all Personal Data confidential and not disclose it to third parties without Controller approval, except where required for Processing or by law.
9.4 Access is strictly limited to personnel or Subprocessors who need it on a need-to-know basis, subject to confidentiality obligations.
10 – Audit Rights
10.1 You may audit TRAXXEO’s compliance once per year, or more frequently if required by law or a Supervisory Authority. TRAXXEO may alternatively provide third-party certifications (e.g. ISO 27001, SOC 2).
10.2 External auditors must be mutually agreed (except Supervisory Authorities).
10.3 A proposed audit plan must be submitted at least two weeks in advance.
10.4 Audits must be conducted during normal business hours, without undue interference.
10.5 Audit reports are shared with TRAXXEO and are Confidential Information.
10.6 Costs are borne by You, unless otherwise required by law.
11 – Incident Management and Breach Notification
11.1 TRAXXEO maintains incident response procedures and requires Subprocessors to do the same.
11.2 If TRAXXEO becomes aware of a Personal Data Breach, it will notify You without undue delay and, where feasible, not later than 72 hours, to the DPO or contact provided in the Client Contract.
11.3 TRAXXEO will take steps to identify root cause(s), mitigate effects, and prevent recurrence.
11.4 The parties will coordinate on any required notifications or public statements.
12 – Return and Deletion of Personal Data
12.1 Upon termination, TRAXXEO will make Your Personal Data available for retrieval.
12.2 After termination or expiry of the retrieval period, TRAXXEO will delete all Personal Data except where retention is required by law or necessary for legal claims.
13 – Legally Required Disclosures
13.1 If TRAXXEO receives a Disclosure Request (e.g. subpoena, order), it will promptly forward it to You unless legally prohibited.
13.2 TRAXXEO will assist You in responding, where possible.
14 – Data Protection Officer
14.1 TRAXXEO has appointed a Data Protection Officer, available at dpo@traxxeo.com.
14.2 If You have a DPO, You may provide contact details to TRAXXEO for coordination.