Data Processing Agreement
Last updated: June 2026 · Standard DPA between MATIC AUTOMOTIVE LIMITED (the processor) and the tenant (the controller).
1. Parties
Processor: MATIC AUTOMOTIVE LIMITED, registered in England & Wales, trading as vehReports. Registered office: London, UK.
Controller: The tenant identified by the company name and primary administrator email on file with their vehReports account.
2. Subject matter and duration
The processor processes personal data on behalf of the controller solely to deliver the vehReports SaaS: vehicle inspection records, rental agreements, driver-licence checks, billing and ancillary services. Processing continues for the term of the subscription plus the documented retention windows (see Schedule A: Retention).
3. Nature and purpose of processing
Storage, organisation, structuring, retrieval, transmission, erasure of personal data submitted to the platform by the controller, its team and its end-customers. The processor does not use the data for any other purpose.
4. Categories of personal data
- Controller staff: name, email, phone, role, login activity.
- End-customers (hirers): name, contact details, address, ID document references, signatures, driving-licence details.
- Vehicles: registration, make, model, condition records, photographs (which may incidentally contain personal data e.g. licence plates).
5. Categories of data subjects
- The controller's own staff and contractors with platform accounts.
- End-customers, hirers, drivers, vehicle keepers.
6. Obligations of the processor
The processor will:
- Process personal data only on documented instructions from the controller, including with regard to transfers to a third country (unless legally required otherwise).
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take appropriate technical and organisational measures (Article 32), including encryption at rest of driver-licence data, pseudonymisation where practicable, least-privilege access controls, regular backups, vulnerability testing, and a tested incident-response runbook.
- Engage sub-processors only with the controller's general written authorisation (Article 28(2)). The current list is published at vehreports.com/legal/sub-processors, and the controller will be notified at least 30 days before any addition.
- Assist the controller, taking into account the nature of processing, to respond to data-subject requests under Articles 12–22.
- Assist the controller in ensuring compliance with Articles 32–36 (security, breach notification, DPIAs).
- At the choice of the controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless legally required to retain (e.g. HMRC).
- Make available to the controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits.
7. Sub-processors
The current sub-processor list and its DPA references are at vehreports.com/legal/sub-processors. The processor remains liable for the acts and omissions of its sub-processors as if they were its own.
8. Personal data breach notification
The processor will notify the controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach, providing all information reasonably required for the controller to meet its own Article 33 obligations.
9. International transfers
Where transfers of personal data outside the UK are required, the processor will rely on (a) a UK Adequacy decision, (b) the UK International Data Transfer Agreement, or (c) Standard Contractual Clauses with supplementary measures appropriate to the destination country.
10. Termination
This DPA terminates automatically on termination of the underlying subscription. The processor will delete or return personal data in line with the controller's written instruction within 30 days, save where retention is required by law.
Schedule A: Retention
Default retention windows (configurable per tenant in the app):
- Signed inspection reports: 7 years (HMRC + statute of limitations).
- Signed rental agreements: 7 years.
- DVSA daily walkaround records: 15 months (DVSA minimum).
- Driver-licence checks: 2 years, then PII stripped.
- Marketing lead captures: 2 years.
- Support tickets: 3 years.
Schedule B: Technical and organisational measures
- Encryption at rest (AES-256) for backups, photos and sensitive fields (driver-licence number, share-code, response payloads).
- Encryption in transit (TLS 1.2+).
- Role-based access control; staff access is recorded in the audit trail.
- Annual penetration test.
- Documented 72-hour breach-notification runbook.
- Off-site, encrypted, region-locked backups (AWS S3, UK region).
Need a counter-signed copy?
Paying tenants can request one in-app under Billing > Request DPA, or email [email protected].