Data Processing Agreement

Effective Date: 01/01/2026

This Data Processing Agreement (“Agreement”) forms part of the Terms & Conditions between:

  • The Customer (Data Controller)
    and
  • MXTrak (Data Processor)

1. Purpose

This Agreement governs the processing of personal data by MXTrak on behalf of the Customer in connection with the provision of vehicle tracking, fleet management, and related services.

2. Definitions

  • Controller: The entity that determines the purposes and means of processing personal data
  • Processor: The entity that processes personal data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable individual
  • UK GDPR: The UK General Data Protection Regulation

3. Scope of Processing

3.1 Nature and Purpose

MXTrak processes personal data to provide:

  • GPS vehicle tracking
  • Fleet management analytics
  • Driver behaviour monitoring
  • Alerts and reporting services

3.2 Categories of Data

  • Driver identifiers (name, ID where applicable)
  • Vehicle identifiers
  • Location and journey data
  • Behavioural data (e.g. speeding, braking)

3.3 Data Subjects

  • Employees (drivers)
  • Contractors
  • End users authorised by the Customer

4. Customer Obligations

The Customer agrees to:

  • Ensure lawful basis for processing (e.g. consent or legitimate interest)
  • Inform individuals that tracking is in place
  • Comply with UK GDPR and other applicable laws
  • Provide clear instructions to MXTrak regarding data processing

5. MXTrak Obligations

MXTrak shall:

  • Process personal data only on documented instructions
  • Ensure confidentiality of authorised personnel
  • Implement appropriate technical and organisational measures
  • Assist the Customer with data subject rights requests
  • Notify the Customer of any data breaches without undue delay

6. Security Measures

MXTrak implements appropriate safeguards, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Secure cloud infrastructure (e.g. AWS)
  • Monitoring and logging of system access

7. Sub-Processors

MXTrak may engage sub-processors, including:

  • Cloud hosting providers
  • Connectivity/SIM providers
  • Communication services

All sub-processors are bound by equivalent data protection obligations.

8. International Transfers

Where data is transferred outside the UK:

  • Appropriate safeguards are applied
  • Standard contractual clauses or equivalent protections are used

9. Data Retention

  • Data is retained only as long as necessary for service delivery
  • Retention periods may depend on subscription plans
  • Data may be deleted upon request or contract termination

10. Data Subject Rights

MXTrak will assist the Customer in responding to:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Data portability requests

11. Data Breach Notification

In the event of a personal data breach, MXTrak will:

  • Notify the Customer without undue delay
  • Provide relevant details of the breach
  • Assist with regulatory compliance

12. Audit Rights

The Customer may request reasonable information to verify compliance with this Agreement.

13. Termination

Upon termination of services:

  • Personal data will be deleted or returned as instructed
  • Legal retention obligations may apply

14. Liability

Each party’s liability is subject to the limitations set out in the main Terms & Conditions.

15. Governing Law

This Agreement is governed by the laws of England and Wales.

16. Contact

For data protection enquiries, please contact MXTrak via the website.

📦 17. Data Retention Configuration (Per Company)

17.1 Configurable Retention

MXTrak allows Customers to configure data retention settings on a per-company basis, subject to system capabilities.

Retention may apply to:

  • GPS location data
  • Journey history
  • Driver behaviour data
  • Alerts and event logs

17.2 Default Retention

Where no custom configuration is set, MXTrak will apply a default retention period appropriate to the subscription plan.

17.3 Customer Responsibility

The Customer is responsible for:

  • Selecting appropriate retention periods
  • Ensuring compliance with applicable data protection laws
  • Managing retention settings within the platform (where available)

17.4 Deletion of Data

Data exceeding the configured retention period may be:

  • Automatically deleted, or
  • Archived where applicable

📊 18. Audit Logging

18.1 Audit Logs

MXTrak maintains audit logs of key system activities, which may include:

  • User logins and authentication events
  • Changes to account or company settings
  • Access to tracking data
  • Administrative actions

18.2 Purpose

Audit logs are maintained for:

  • Security monitoring
  • Compliance and accountability
  • Investigation of incidents

18.3 Access to Logs

  • Customers may request access to relevant audit logs where reasonably required
  • Access may be subject to security and operational constraints

18.4 Retention of Logs

Audit logs are retained for a limited period based on:

  • System configuration
  • Security requirements
  • Subscription level

🔄 19. Data Export & Portability

19.1 Data Access

Customers may request access to their data at any time during the contract term.

19.2 Export Formats

MXTrak will provide data exports in commonly used formats such as:

  • CSV
  • JSON
  • API access (where available)

19.3 Scope of Export

Exported data may include:

  • Vehicle data
  • Journey history
  • Event and alert data
  • Driver-related data (where applicable)

19.4 Assistance

MXTrak may provide reasonable assistance with data export requests, which may be:

  • Included in the service, or
  • Subject to additional charges depending on complexity

19.5 Post-Termination Access

  • Customers may request data export within a defined period after termination (e.g. 30 days)
  • After this period, data may be permanently deleted