About this document. This Data Processing Agreement (the "DPA") is a reference template provided by Drivant to its B2B customers in fulfillment of GDPR Article 28(3). It is aligned with the EU Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Decision 2021/914), Module Two: Controller to Processor, and incorporates the UK International Data Transfer Addendum (UK IDTA) for transfers from the United Kingdom. For execution, the customer ("Controller") and Drivant ("Processor") sign a wet or electronic counterpart — request a counter-signed copy via the form linked at the bottom of this page.
1. Parties and Scope
This DPA forms part of the agreement under which Drivant provides the Drivant route-planning, dispatch, and receive-scan services (the "Service") to the customer. The customer acts as Controller of Personal Data submitted to the Service. Drivant acts as Processor, processing Personal Data on the Controller's documented instructions.
Drivant's contracting entity, registered address, and signatory will be set out in the executed counterpart.
2. Definitions
Capitalized terms used in this DPA have the meanings given in GDPR Article 4 unless defined otherwise below. The following terms apply throughout this document:
| Term | Meaning |
|---|---|
| Controller | The natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data — here, the Drivant customer. |
| Processor | The natural or legal person which Processes Personal Data on behalf of the Controller — here, Drivant. |
| Personal Data | Any information relating to an identified or identifiable natural person ("Data Subject") submitted to or generated by the Service on behalf of the Controller. |
| Processing | Any operation performed on Personal Data — collection, storage, organization, retrieval, transmission, deletion, or destruction. |
| Sub-processor | A third party engaged by the Processor to Process Personal Data on the Controller's behalf — listed in §5. |
| Data Subject | The identified or identifiable natural person to whom Personal Data relates. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. |
| Standard Contractual Clauses (SCCs) | The EU-Commission-approved clauses adopted under Decision 2021/914, used here in their Module Two (Controller-to-Processor) form. |
| UK IDTA | The UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner's Office. |
| Applicable Data Protection Law | The EU GDPR (Regulation 2016/679), the UK GDPR + Data Protection Act 2018, the Swiss FADP, and any equivalent national implementing law applicable to the Controller. |
3. Subject-Matter, Nature and Duration of Processing
Subject-matter. Drivant Processes Personal Data submitted by the Controller solely to provide the Service — namely route planning, dispatch, driver tracking, proof-of-delivery capture, receive-scan OCR / line-item extraction, telemetry, and billing.
Categories of Data Subjects. The Controller's employees, contractors, drivers, dispatchers, recipients of deliveries (where their address or signature is captured), and the Controller's authenticated end users.
Categories of Personal Data.
| Category | Examples |
|---|---|
| Account & identity | Email address, name, password hash, optional phone, optional company name. |
| Driver & dispatch | Driver name, email, phone, vehicle assignment, driver photos, current GPS location during an active dispatch session. |
| Route & stop | Recipient names, addresses, geocoded coordinates, scheduled time windows, delivery instructions. |
| Proof of delivery | Recipient name, signature image, photo evidence, capture timestamp. |
| Manifest images | Photographed shipping documents uploaded for receive-scan OCR. |
| Receive-scan items | Extracted line items, barcodes, quantities, match states, dispatcher overrides (with the actor user_id retained for transportation audit). |
| Telemetry & logs | Feature usage events, error reports, login IP addresses (last two), request IDs. |
| Authentication artifacts | JWT access/refresh tokens (Processor-side hashes only), passkey public keys + counters, transient WebAuthn challenges. |
| Billing | Email and name shared with Stripe; full payment instrument data is held by Stripe, not by the Processor. |
Duration. Drivant Processes Personal Data for the term of the Controller's subscription to the Service plus any documented retention windows set out in the Drivant Privacy Policy (e.g. 30-day archive for deleted projects, 180 days for manifest image bytes, 2 years for receive-scan items). On termination, §11 governs.
4. Instructions and Lawfulness
- Drivant Processes Personal Data only on the Controller's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law to which Drivant is subject. In such cases Drivant will inform the Controller of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.
- The Controller's instructions are documented in (i) this DPA, (ii) the Drivant subscription agreement and Acceptable Use Policy, (iii) the Service's configuration as set by the Controller, and (iv) any further written instructions the Controller provides to Drivant in the course of using the Service.
- Drivant will inform the Controller without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Law.
- Drivant ensures persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The Controller warrants that it has a lawful basis under GDPR Art. 6 (and, where applicable, Art. 9) for the Processing it instructs Drivant to perform, and that it has provided the notices and obtained the consents required of a Controller.
5. Sub-processors
The Controller authorizes Drivant to engage the sub-processors listed below for the Processing activities described. Drivant imposes data-protection obligations on each sub-processor that are no less protective than those set out in this DPA, and remains liable to the Controller for the performance of the sub-processor's obligations.
| Sub-processor | Purpose | Data accessed | Location |
|---|---|---|---|
| Stripe, Inc. | Subscription billing, payment processing | Email, name, payment instrument tokens (we never see card numbers) | United States |
| Mailgun Technologies, Inc. | Transactional email (verification, password reset, billing alerts, OS&D reports) | Email address, recipient first name, OS&D event content where applicable | United States |
| Wasabi Technologies, Inc. | Object storage for project data, driver photos, manifest images, database backups | Project JSON, JPEG photos, encrypted SQL dumps | United States (us-east region) |
| OpenRouter, Inc. | AI gateway for manifest extraction | Manifest images submitted via receive-scan; org_id for billing attribution | United States |
| Anthropic PBC | Vision-model inference for OCR / line-item extraction | Manifest page images received via OpenRouter | United States |
| Mapbox, Inc. | Map tiles, geocoding, directions | Addresses and waypoint coordinates | United States |
| HERE Global B.V. | Commercial truck routing (Pro tier and above) | Route waypoint coordinates | Netherlands / European Union |
| OSRM (community-hosted) | Default driving directions | Route waypoint coordinates | European Union |
| Umami Software, Inc. | Privacy-friendly analytics on the marketing site (cookie-free, honors DNT) | Aggregate page-view counters and referrer URLs only — no cookies, no IP retention | United States |
| Cloudflare, Inc. | DNS, CDN, WAF, TLS termination | HTTP request/response metadata | Global edge |
Notice of changes. Drivant maintains the current sub-processor list at drivant.com/security. Drivant will give the Controller at least 30 days' notice before adding or replacing a sub-processor, by updating that page and notifying the Controller's billing contact via email. The Controller may object to the change on reasonable data-protection grounds within the notice period; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service without penalty.
6. International Data Transfers
Several sub-processors listed in §5 are based in the United States. For Personal Data transferred from the EU, UK, or Switzerland, the parties rely on the following lawful-transfer mechanisms (GDPR Art. 44–49; UK GDPR Art. 44–49; Swiss FADP):
- EU-US Data Privacy Framework (DPF) and UK Extension, where the sub-processor is self-certified under the Framework.
- EU Standard Contractual Clauses (Module Two, Controller-to-Processor) of Commission Decision 2021/914, incorporated by reference into this DPA. The optional docking clause is included; the optional independent-dispute-resolution clause is not. Annex I (parties, Processing description, competent supervisory authority), Annex II (technical and organisational measures — see §7), and Annex III (sub-processors — see §5) are populated by reference to the corresponding sections of this DPA.
- UK International Data Transfer Addendum for transfers originating from the United Kingdom, executed by reference and amending the EU SCCs as required by the UK ICO.
- Swiss FADP supplements — the SCCs are read with the Swiss FADP-specific amendments published by the Swiss Federal Data Protection and Information Commissioner.
Where DPF certification ceases for a given sub-processor, the SCCs (and UK IDTA where applicable) become the operative transfer mechanism without further action by the parties. The Controller may request a copy of the SCC counterpart covering a specific sub-processor relationship by submitting a data request via the Drivant data request form.
7. Security Measures
Drivant implements the following technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures collectively form Annex II of the SCCs incorporated under §6.
7.1 Encryption
- In transit — TLS for every endpoint. Cloudflare terminates TLS at the edge in Full SSL mode and re-encrypts to origin.
- At rest — Wasabi S3 applies AES-256 encryption to all objects (project data, driver photos, manifest images, database backups). MySQL backups are gzip-compressed and stored under `backups/` in the same encrypted bucket.
- Optional client-side encryption — Pro-tier `.dvnt` exports support AES-256-GCM with PBKDF2-SHA256 (100,000 iterations). The passphrase never leaves the client.
7.2 Access controls
- Role-based access control (RBAC) within each Controller's organization (owner, admin, editor, viewer, dispatcher, driver), enforced server-side on every authenticated request.
- Phishing-resistant WebAuthn passkeys (Touch ID, Windows Hello, hardware keys) supported as an authentication factor.
- 15-minute access-token lifetimes, 7-day rotating refresh tokens, family-based reuse detection that revokes the entire chain on replay.
- Bcrypt password hashing (cost factor 12). Plaintext passwords never persisted.
- Drivant production access is restricted to a small operations team via SSH key authentication with no password login. Production database access is gated behind the same SSH boundary.
7.3 Network and application security
- Helmet middleware applies HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers.
- Strict CORS allowlist; no wildcard origins.
- Rate limits: 20 auth requests / 15 min / IP; 1,000 global requests / 15 min / IP.
- Parameterized SQL queries via `mysql2` across the entire codebase. Zod schema validation on POST/PUT request bodies.
- UFW firewall on the application VPS — only ports 22, 80, and 443 accept inbound traffic.
- Electron desktop client runs with `contextIsolation: true`, `nodeIntegration: false`, `sandbox: true`, and a strict Content Security Policy.
7.4 Incident response
- Drivant maintains an internal Breach Notification Runbook covering detection, severity classification, containment, GDPR Art. 33 supervisory-authority notification within 72 hours, and Art. 34 user notification when a high-risk breach occurs.
- Post-mortem reports are produced for every Severity 0 and Severity 1 incident within 14 days of incident close.
7.5 Resilience and backup
- Daily encrypted MySQL backups retained for 30 days in the Wasabi backup bucket.
- Automated retention jobs purge expired data on schedule (telemetry 90 days, manifest images 180 days, receive-scan items 2 years, etc.).
- Health endpoint (`/api/health`) monitored; PM2 zero-downtime reload used for application updates.
8. Personal Data Breach Notification
Drivant will notify the Controller of any Personal Data Breach affecting the Controller's data without undue delay, and in any event within 72 hours after Drivant becomes aware of the Breach. The notification will include, to the extent then known:
- The nature of the Breach, including the categories and approximate number of Data Subjects and records concerned.
- The likely consequences of the Breach.
- The measures taken or proposed to address the Breach and to mitigate possible adverse effects.
- The Drivant contact point for further information.
Where information is not available within the 72-hour window, Drivant will provide it in phases as it is confirmed, without further undue delay. Drivant will reasonably assist the Controller in the Controller's own notification obligations to supervisory authorities (GDPR Art. 33) and to Data Subjects (GDPR Art. 34), including providing such information as is reasonably available to Drivant.
9. Data Subject Rights
Drivant will, taking into account the nature of the Processing, provide reasonable assistance to the Controller — by appropriate technical and organisational measures, insofar as possible — to enable the Controller to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction of Processing, data portability, objection, automated decision-making).
The Service exposes self-service controls that the Controller can use directly to action many such rights without involving Drivant: data export (Excel, CSV, JSON, GPX, KML, GeoJSON, .dvnt), in-app account and project deletion, telemetry opt-out, and profile editing. Where a Data Subject contacts Drivant directly with a request relating to Personal Data Drivant Processes for the Controller, Drivant will, without undue delay, refer the request to the Controller and not respond on its own behalf except to acknowledge the receipt of the request.
10. Audit and Inspection
Drivant will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and GDPR Art. 28, and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the following:
- Drivant may satisfy this obligation by providing the Controller with summaries of independent third-party audit reports (where available) and responses to a reasonable security questionnaire.
- On-site audits, where required, occur no more than once in any 12-month period (except where there has been a confirmed Personal Data Breach in the period), with at least 30 days' prior written notice, during normal business hours, and subject to Drivant's reasonable confidentiality, security, and access-control policies.
- The Controller bears the costs of audits it initiates, except where the audit reveals a material breach of this DPA by Drivant.
11. Term, Return and Deletion
This DPA takes effect on the date the Controller and Drivant execute the agreement under which the Service is provided, and remains in force for as long as Drivant Processes Personal Data on the Controller's behalf.
On termination of the Service for any reason, and at the Controller's choice expressed in writing within 30 days of termination, Drivant will either return or delete all Personal Data Processed on behalf of the Controller. Absent a contrary written instruction within that 30-day window, Drivant will delete the Personal Data. Deletion cascades cover the relational database, Wasabi-hosted project data, driver photos, manifest images, and shared-link objects under the Controller's owned organizations' prefixes.
Documented exceptions to deletion: (i) Drivant retains anonymized billing records and audit logs as required by tax, accounting, or transportation-record-keeping laws; (ii) the dispatcher-override actor identity in scan_item_corrections.overridden_by_user_id is retained for the parent receive-scan item's 2-year audit window before being purged with the parent row, as documented in the Drivant Privacy Policy.
12. Liability and Governing Law
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying subscription agreement between the Controller and Drivant. Where the SCCs apply under §6, the SCC liability provisions govern in respect of transfers covered by those clauses.
Governing law and jurisdiction will be those set out in the underlying subscription agreement.
Counter-signed copies. The text above is the operative DPA between Controller and Processor on its terms. For organisations that require a counter-signed counterpart on file, request one via the form below — Drivant will return a counter-signed PDF within 5 business days.