Data Processing Agreement
Last updated: February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the instructor ("Controller") and Usman Ghani trading as DriveSync ("Processor"), as required by UK GDPR Article 28.
1. Parties
- Controller: The driving instructor who registers for and uses the DriveSync service.
- Processor: Usman Ghani trading as DriveSync.
2. Scope of processing
The Processor processes personal data on behalf of the Controller for the purpose of providing lesson scheduling, route optimisation, pupil management, and booking services as described in the DriveSync Terms of Service.
3. Categories of data processed
The following categories of personal data are processed:
- Pupil names, email addresses, and phone numbers
- Pupil addresses and postcodes
- GPS coordinates derived from postcodes
- Lesson schedules and booking history
- PIN authentication data (hashed; never stored in plaintext)
Data subjects
The data subjects are the Controller's pupils, including learner drivers who may be 17 years of age (minors under UK GDPR).
4. Processor obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by law.
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take all measures required pursuant to UK GDPR Article 32 (security of processing).
- Not engage another processor without prior written authorisation of the Controller. The current list of approved sub-processors is provided in Section 5 below.
- Assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to data subject rights requests.
- Assist the Controller in ensuring compliance with breach notification obligations under UK GDPR Articles 33 and 34.
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless storage is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in UK GDPR Article 28.
5. Approved sub-processors
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing | US / UK | UK Extension to EU-US Data Privacy Framework |
| Twilio, Inc. | SMS delivery | US | UK Extension to EU-US Data Privacy Framework |
| Mapbox, Inc. | Route calculation | US | UK Extension to EU-US Data Privacy Framework |
| SMTP2GO | Email delivery | New Zealand | Standard Contractual Clauses |
| DigitalOcean, LLC | Infrastructure hosting | UK (London) | Data remains in the UK |
The Controller is deemed to have authorised the sub-processors listed above by accepting this DPA. The Processor shall notify the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object.
6. Security measures (Article 32)
The Processor implements the following technical and organisational measures:
- Encryption in transit: All data transmitted over networks is encrypted using TLS 1.2 or higher.
- Password hashing: All passwords are hashed using bcrypt and never stored in plaintext.
- Multi-tenant data isolation: Each instructor's data is logically separated using tenant-scoped database queries. Instructors cannot access other instructors' data.
- Rate-limited authentication: PIN authentication is rate-limited with automatic account lockout after repeated failed attempts.
- Regular security updates: The platform is regularly updated with security patches.
- Access controls: Administrative access is restricted to authorised personnel with appropriate security clearance.
7. Breach notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the Processor's data protection contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach.
8. Data subject rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection). The Processor shall respond to Controller requests for assistance within 5 business days.
9. Duration
This DPA remains in effect for the duration of the service agreement between the Controller and the Processor. It automatically terminates when the service agreement ends.
10. Termination and data deletion
Upon termination of the service:
- The Processor shall delete all of the Controller's personal data within 30 days of the Controller's request.
- The Processor may retain billing and financial records for up to 6 years as required by HMRC.
- The Controller may request a data export before deletion.
11. Governing law
This DPA is governed by the laws of England and Wales and is subject to the jurisdiction of the courts of England and Wales.
12. Contact
For questions about this DPA, contact us at support@drivesync.live.