Data Processing Agreement
1. Parties and roles
This Data Processing Agreement ("DPA") applies between the Customer using the Diflo Service and Chillzone Kft., trading under the Diflo brand ("Diflo", "we"). For personal data that the Customer enters into, imports into, or generates through the Service for its transport operations, the Customer is the controller and Diflo is the processor. Diflo acts as controller only for its own account, billing, security, website, and business-administration data as described in the Privacy Policy.
2. Processing details
| Item | Description |
|---|---|
| Subject matter | Cloud dispatch, fleet, driver, subcontracting, marketplace, and settlement tools. |
| Duration | For the term of the Customer account, plus backup, audit, security, and legal-retention periods described in the Privacy Policy and Terms. |
| Nature and purpose | Hosting, storing, displaying, synchronising, securing, supporting, and transmitting Customer operational data so the Customer can manage transport work. |
| Data subjects | Customer users, dispatchers, drivers, subcontractor contacts, passengers / guests, and other persons whose data appears in Customer job records. |
| Data categories | Names, emails, phone numbers, company details, user roles, job routes, passenger notes, driver assignment data, vehicle data, location samples during active assignments, settlement and invoice metadata, audit logs, and support/security logs. |
| Special-category data | The Service is not designed for special-category data. Customer must not intentionally enter health, biometric, political, religious, union, sexual-orientation, or similar sensitive data unless separately agreed in writing. |
3. Customer instructions
Diflo processes Customer operational data only on documented instructions from the Customer. The Customer gives those instructions through account configuration, user actions, uploaded or imported data, API/integration settings, support requests, and this DPA. Diflo will inform the Customer if, in our opinion, an instruction infringes applicable data-protection law.
4. Confidentiality and security
Diflo ensures that persons authorised to process Customer operational data are bound by confidentiality duties. Diflo maintains technical and organisational measures appropriate to the risk, including tenant-scoped access controls, encrypted transport, hashed passwords, role-based permissions, audit logging, backup controls, and operational monitoring.
5. Subprocessors
The Customer gives general authorisation for Diflo to use subprocessors needed to operate the Service. Current subprocessors are listed at /legal/subprocessors. Diflo will impose data protection obligations on subprocessors that are materially equivalent to this DPA. Diflo remains responsible for subprocessor performance as required by GDPR Article 28. Customers may object to a new subprocessor on reasonable data-protection grounds within 30 days after the change is published or notified. If the objection cannot be resolved, the Customer may terminate the affected part of the Service.
6. International transfers
Diflo aims to store production application and database data in the EU. Some subprocessors may involve access from, or transfer to, countries outside the EEA. Where required, Diflo relies on appropriate safeguards such as European Commission Standard Contractual Clauses or another lawful transfer mechanism.
7. Assistance
Taking into account the nature of the processing and the information available to Diflo, Diflo will reasonably assist the Customer with data subject requests, security obligations, personal-data breach assessment, data protection impact assessments, and regulator consultations where required by applicable law.
8. Personal-data breaches
Diflo will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer operational data. The notice will include information reasonably available to Diflo about the nature of the breach, affected data, likely consequences, and measures taken or proposed to address it.
9. Deletion and return
On termination of the Service, the Customer may request export or deletion of Customer operational data, subject to technical feasibility, backup retention, legal retention duties, fraud prevention, billing records, and legitimate security needs. Diflo will delete or anonymise Customer operational data according to the retention periods in the Privacy Policy unless applicable law requires continued storage.
10. Audits
Diflo will make available information reasonably necessary to demonstrate compliance with this DPA. Audits must be reasonable, proportionate, remote-first, limited to information relevant to the Customer's data, and scheduled in advance. The Customer may not access data or systems belonging to other customers.
11. Customer responsibilities
The Customer is responsible for having a lawful basis for the personal data it processes in Diflo, giving required notices to drivers, passengers, and other data subjects, configuring user access appropriately, using the Service lawfully, and not entering data that is unnecessary or unlawful for its transport operations.
12. Conflict and law
If this DPA conflicts with the Terms, this DPA controls only for personal-data processing obligations. Hungarian law governs this DPA, subject to mandatory data-protection law.
13. Contact
Data protection contact: info@diflo.eu.