Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Use between InstaDispatch ("Processor") and the Customer ("Controller") and sets out the terms on which InstaDispatch processes personal data on behalf of the Customer.
Definitions
- "Controller" means the Customer who determines the purposes and means of processing personal data.
- "Processor" means InstaDispatch, which processes personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Personal Data" has the meaning given under UK GDPR.
- "Processing" has the meaning given under UK GDPR.
- "Sub-Processor" means any third party engaged by InstaDispatch to process personal data.
- "Security Incident" means any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- "UK GDPR" means the UK General Data Protection Regulation as retained in UK law under the European Union (Withdrawal) Act 2018, as amended.
Nature and Purpose of Processing
Subject Matter
InstaDispatch processes personal data on behalf of the Customer for the purpose of providing the InstaDispatch logistics software platform.
Duration
Processing shall continue for the duration of the Terms of Use and until all Customer data is deleted in accordance with this DPA.
Nature of Processing
The processing includes: collection, storage, retrieval, transmission, and deletion of shipment data and delivery information.
Categories of Personal Data
The categories of personal data processed include:
- Names and contact details of senders and recipients
- Delivery addresses
- Tracking and delivery status information
- Proof of delivery data (signatures, photographs, GPS location)
- Account and login information of Authorised Users
Categories of Data Subjects
The categories of data subjects include:
- Authorised Users of the Customer's account
- Senders and recipients of shipments
- Customer End Users
Controller Obligations
The Controller warrants and undertakes that it:
- Has a lawful basis for processing personal data submitted to the Service
- Has provided data subjects with appropriate privacy notices
- Is authorised to appoint InstaDispatch as a Processor
- Will comply with all applicable data protection legislation
- Will notify InstaDispatch promptly of any changes that may affect processing
Processor Obligations
InstaDispatch agrees to:
- Process personal data only on documented instructions from the Customer, unless required to do so by applicable law
- Ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational measures as set out in Schedule 1
- Assist the Customer in responding to requests from data subjects exercising their rights
- Assist the Customer in ensuring compliance with data security, breach notification, and impact assessment obligations
- Delete or return all personal data to the Customer on termination of the Terms, and delete existing copies unless retention is required by law
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections
- Notify the Customer without undue delay upon becoming aware of a Security Incident
Sub-Processors
The Customer provides general written authorisation for InstaDispatch to engage sub-processors. InstaDispatch's current list of sub-processors is:
- Amazon Web Services (AWS) — cloud infrastructure (EU region)
- Freshworks (Freshdesk) — customer support
- GoCardless — payment processing
InstaDispatch will inform the Customer of any intended changes to sub-processors by providing at least 30 days' prior written notice. The Customer may reasonably object to the engagement of a new sub-processor within 14 days of such notice.
InstaDispatch ensures that all sub-processors are bound by contractual obligations equivalent to those in this DPA.
International Transfers
InstaDispatch shall not transfer personal data outside the UK or EEA without ensuring appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreements (IDTAs)
- Adequacy decisions
Security Measures
InstaDispatch implements the technical and organisational security measures set out in Schedule 1 to this DPA.
Security Incidents
In the event of a Security Incident, InstaDispatch will:
- Notify the Customer without undue delay and within 72 hours of becoming aware
- Provide sufficient information to allow the Customer to fulfil its own reporting obligations to the ICO
- Cooperate with the Customer and take reasonable steps to mitigate the effects
Data Subject Rights
InstaDispatch will provide reasonable assistance to enable the Customer to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection to processing.
Data Retention and Deletion
On termination of the Terms of Use:
- InstaDispatch will irretrievably delete all Customer personal data within 30 days of termination
- InstaDispatch will provide written confirmation of deletion upon request
- InstaDispatch may retain data where required by applicable law, and will notify the Customer accordingly
Audit Rights
The Customer may, on reasonable prior written notice (minimum 30 days), request an audit of InstaDispatch's data processing activities to verify compliance with this DPA. Audits shall be conducted no more than once per year, at the Customer's expense, unless a Security Incident has occurred.
Liability
The parties' liability under this DPA is governed by the Limitation of Liability provisions in the Terms of Use. Nothing in this DPA shall limit either party's liability for breach of obligations under UK GDPR.
Data Location Transparency
InstaDispatch primarily stores and processes Customer data within infrastructure located in the United Kingdom and the European Economic Area. Where processing occurs outside these regions, appropriate safeguards such as Standard Contractual Clauses or UK International Data Transfer Agreements will be implemented. InstaDispatch will notify Customers of any material change to the primary location of data processing that may affect their compliance obligations.
Governing Law
This DPA is governed by the laws of England and Wales. Disputes shall be subject to the jurisdiction of the courts of England and Wales.
Schedule 1 — Technical and Organisational Security Measures
Encryption
- All data in transit encrypted using TLS 1.2 or higher
- All data at rest encrypted using AES-256 or equivalent
Access Controls
- Role-based access controls limiting data access to authorised personnel only
- Multi-factor authentication required for administrative access
- Regular access reviews and removal of unnecessary privileges
System Security
- Regular vulnerability scanning and penetration testing
- Patch management and system update processes
- Firewall and intrusion detection systems
Monitoring and Logging
- Comprehensive audit logging of access to personal data
- Real-time security monitoring and alerting
- Regular review of security logs
Business Continuity
- Regular automated data backups
- Tested disaster recovery procedures
- Business continuity plan covering data processing activities
Staff and Training
- Data protection training for all staff with access to personal data
- Staff bound by contractual confidentiality obligations
- Background checks for staff in data-sensitive roles
Physical Security
- Data centres with appropriate physical access controls
- CCTV and access logging at all data processing facilities