Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the agreement between Drivzu Ltd (registered in Dublin, Ireland) and the business customer (Controller) who subscribes to the Drivzu platform on behalf of a driving school, instructor group, or similar organisation.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (GDPR) and sets out the terms under which Drivzu, acting as a data processor, processes personal data on behalf of the Controller.

Where the Controller instructs Drivzu to process personal data in connection with the platform services, the terms of this DPA shall apply. In the event of any conflict between this DPA and the main service agreement, this DPA shall prevail with respect to data protection matters.

For the purposes of this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in the GDPR.

• Controller means the business customer (driving school, instructor group, or similar entity) that determines the purposes and means of processing personal data through the Drivzu platform.
• Processor means Drivzu Ltd, which processes personal data on behalf of the Controller in accordance with this DPA.
• Data Subject means an identified or identifiable natural person whose personal data is processed under this DPA, including students, instructors, and accompanying drivers.
• Personal Data means any information relating to a Data Subject that is processed through the Drivzu platform.
• Processing means any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.
• Sub-processor means any third party engaged by Drivzu to process personal data on behalf of the Controller in connection with the platform services.

The subject matter of this DPA is the processing of personal data by Drivzu in connection with the provision of the Drivzu platform services, including the driving lesson marketplace, booking management, payment processing, voice-based booking assistance, and related administrative tools.

This DPA shall remain in effect for the duration of the service agreement between the Controller and Drivzu. Upon termination or expiry of the service agreement, Drivzu shall continue to process personal data only to the extent required by applicable law or as set out in Section 9 of this DPA.

Drivzu processes personal data for the following purposes on behalf of the Controller:

• Facilitating the driving lesson marketplace, including matching students with instructors and accompanying drivers
• Managing bookings, scheduling, and calendar synchronisation for lessons and practice sessions
• Processing payments, issuing invoices, managing refunds, and handling payouts to instructors and accompanying drivers
• Providing voice-based booking assistance through AI-powered voice sessions
• Generating reviews, ratings, and feedback to support marketplace quality
• Communicating with Data Subjects via email, SMS, and in-app notifications regarding bookings and platform activity
• Providing reporting, analytics, and administrative tools to the Controller

The following categories of personal data may be processed under this DPA:

• Identity data: full name, date of birth, profile photograph
• Contact data: email address, phone number, postal address
• Booking records: lesson dates, times, locations, instructor assignments, lesson types, and session notes
• Payment data: transaction amounts, payment method references (processed via Stripe; Drivzu does not store full card numbers), payout records, and invoice data
• Location data: pickup and drop-off locations for lessons and practice sessions
• Voice session data: transcripts and metadata from AI-powered voice booking sessions (processed via LiveKit, Deepgram, and related services)
• Professional data: RSA ADI registration numbers, driving licence details, insurance information, and vehicle details
• Usage data: login activity, platform interactions, and device information

The personal data processed under this DPA relates to the following categories of Data Subjects:

• Students: learner drivers who use the Drivzu platform to book driving lessons or practice sessions
• Instructors: RSA-approved driving instructors (ADIs) who offer lessons through the Drivzu platform
• Accompanying drivers: individuals who provide supervised practice sessions to learner drivers through the platform

Drivzu, as Processor, shall comply with the following obligations:

7.1 Processing Instructions

Drivzu shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law. Drivzu shall inform the Controller if it believes an instruction infringes the GDPR.

7.2 Confidentiality

Drivzu shall ensure that all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.3 Security Measures

Drivzu shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls with least-privilege principles
• Multi-factor authentication for administrative access
• Regular security assessments and vulnerability scanning
• Secure coding practices and code review processes
• Automated backup and disaster recovery procedures
• Logging and monitoring of access to personal data

7.4 Sub-processors

The Controller provides general authorisation for Drivzu to engage sub-processors. Drivzu shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object. The following sub-processors are currently engaged:

Drivzu shall impose the same data protection obligations on each sub-processor as are set out in this DPA. Drivzu remains fully liable for the acts and omissions of its sub-processors.

7.5 Data Breach Notification

Drivzu shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

7.6 Data Subject Requests

Drivzu shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including access, rectification, erasure, restriction, portability, and objection. Drivzu shall promptly forward any such requests it receives directly to the Controller.

7.7 Audit Rights

Drivzu shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Controller shall provide reasonable notice and shall conduct audits in a manner that minimises disruption to Drivzu operations.

Drivzu primarily processes personal data within the European Economic Area (EEA), using AWS infrastructure located in Ireland (eu-west-1).

Where personal data is transferred to sub-processors located outside the EEA (as identified in Section 7.4), Drivzu ensures that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Assessment of the legal framework in the recipient country to ensure adequate protection
• Supplementary measures where required, such as encryption and access controls

Details of the specific transfer mechanisms in place for each sub-processor are available on request by contacting privacy@drivzu.ie.

Upon termination or expiry of the service agreement, the Controller may request that Drivzu:

• Return all personal data to the Controller in a commonly used, machine-readable format; or
• Delete all personal data and confirm deletion in writing.

The Controller shall make this election within 30 days of termination. If no election is made, Drivzu shall delete all personal data within 90 days of termination, unless retention is required by applicable law.

Drivzu shall ensure that all sub-processors also delete or return personal data in accordance with this section.

Drivzu shall, on request, demonstrate compliance with the obligations set out in this DPA, including by providing relevant documentation, certifications, or summary audit reports.

Drivzu shall cooperate with the Data Protection Commission (DPC) of Ireland and any other competent supervisory authority in the performance of their tasks, including responding to enquiries and facilitating investigations where required.

This DPA shall be governed by the laws of Ireland. Any dispute arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Ireland.

For questions about this DPA or data processing practices, please contact us:

• Email: legal@drivzu.ie or privacy@drivzu.ie
• Post: Drivzu Ltd, Dublin, Ireland

See also our Privacy Policy and Terms of Service for additional information about how we handle personal data.