Data Processing Agreement
Last updated: 5 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and Dimva LTD ("Processor") and governs the Processor's processing of personal data on the Controller's behalf under UK GDPR and the Data Protection Act 2018.
1. Subject matter & duration
The Processor processes personal data to provide the ShiftsPod platform for the duration of the Controller's subscription and until data is deleted or returned per clause 9.
2. Nature & purpose
Managing drivers, shifts, live location tracking, proof of delivery, and vehicle/trailer checks, as instructed by the Controller through its use of the platform.
3. Types of personal data
- Driver identifiers: name, username, role;
- Location data: GPS coordinates and timestamps during active shifts;
- Proof of delivery: photographs, signatures, delivery references, times;
- Operational records: vehicle/trailer checks, reported defects, notes.
4. Categories of data subjects
The Controller's drivers and operational staff.
5. Controller & Processor obligations
The Controller warrants it has a lawful basis and has given any required notices to its drivers (including about location tracking). The Processor shall:
- process personal data only on documented instructions from the Controller;
- ensure persons authorised to process are bound by confidentiality;
- implement the security measures in clause 7;
- assist the Controller with data-subject requests and with its obligations under Arts. 32–36;
- make available information needed to demonstrate compliance and allow reasonable audits.
6. Sub-processors
The Controller authorises the use of the following sub-processors. The Processor will give notice of intended changes so the Controller may object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payments & subscriptions | EU / US (SCCs) |
| Brevo | Transactional & alert email | EU |
| Cloudflare | CDN / network protection | Global edge |
| Contabo GmbH | Application & database hosting | EU (Germany) |
7. Security measures
- Encryption in transit (TLS) and password hashing (bcrypt);
- Multi-tenant isolation with tenant-scoped access tokens;
- Role-based access control and least-privilege access;
- Audit logging of administrative actions;
- Rate limiting and security headers;
- Regular backups and access restrictions to production systems.
8. International transfers
Any transfer outside the UK is made under UK adequacy regulations or the IDTA / EU SCCs with appropriate safeguards.
9. Return & deletion
On termination, the Processor will, at the Controller's choice, return or delete personal data within 30 days, save where retention is required by law (e.g. billing records).
10. Personal data breach
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and will assist with the Controller's notification obligations.
11. Liability
Liability under this DPA is subject to the limitations in the Terms of Service.