This Data Processing Addendum ("DPA") forms part of the Terms of Service between Simple Works Ltd ("Processor") and the customer ("Controller") and applies where we process personal data on the Controller's behalf in the course of providing SimpleGPS.
1. Roles
For Customer Data, the Controller determines the purposes and means of processing; Simple Works Ltd acts as Processor and processes personal data only on documented instructions from the Controller (including via the Terms and use of the Service).
2. Subject matter & duration
Subject matter: provision of the SimpleGPS GPS vehicle tracking service. Duration: for the term of the subscription plus any retention period.
3. Nature & purpose
Hosting, storage and processing of Customer Data to operate the Service (vehicle positions, trip history, geofences, alerts, reports and integrations the Controller enables).
4. Types of data & data subjects
Data subjects: the Controller's drivers, staff and people referenced in vehicle records. Data types: names, work contact details, vehicle assignments, positions, trip data and related records the Controller chooses to store.
5. Processor obligations
We will: (a) process only on instructions; (b) ensure persons authorised to process are bound by confidentiality; (c) implement appropriate technical and organisational security measures; (d) respect the conditions for engaging sub-processors below; (e) assist the Controller with data-subject requests and with security, breach and DPIA obligations; and (f) delete or return Customer Data at the end of the service.
6. Sub-processors
The Controller authorises Simple Works Ltd to engage sub-processors (e.g. hosting and email providers) under written terms no less protective than this DPA. We will inform the Controller of changes and remain responsible for our sub-processors.
7. International transfers
Any transfer of Customer Data outside the European Economic Area (EEA) will be covered by an appropriate transfer mechanism, primarily the European Commission's Standard Contractual Clauses (SCCs), together with any supplementary measures required.
8. Personal data breach
We will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Data and provide reasonable information to help the Controller meet its obligations.
9. Audit
We will make available information reasonably necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality and security limits.
10. Return & deletion
On termination we will, at the Controller's choice, delete or return Customer Data within a reasonable period, except where retention is required by law.
11. Contact
Data protection contact: support@simplegps.bg.
Annex A - Sub-processors
We use the following categories of sub-processors to deliver the Service:
- Hosting / infrastructure - hosts the application and per-tenant databases (EU/EEA region).
- Email delivery - sends transactional and account emails.
- Connectivity (SIM) - 1NCE for global IoT connectivity on tracker SIMs.
- Optional integrations - only those the Controller explicitly connects.
A current, detailed list is available on request at support@simplegps.bg.
Annex B - Technical & organisational measures
- Encryption in transit (TLS) for all web traffic; sensitive secrets encrypted at rest.
- Strict tenant isolation: each customer's data lives in a separate database.
- Role-based access control and granular permissions inside each workspace; optional two-factor authentication.
- Hashed passwords (bcrypt), CSRF protection and rate-limited authentication.
- Least-privilege access for our staff, logging of administrative actions, and regular backups.