This Data Processing Addendum ("DPA") forms part of the agreement between 73 Auto Ltd ("Processor", "we") and the customer ("Controller", "you") for use of the 73auto.com Service. It is offered to all business customers and is incorporated by reference into the Business plan order form or click-wrap acceptance.
This DPA is designed to satisfy the requirements of Article 28 of the UK GDPR (and Article 28 of Regulation (EU) 2016/679 where applicable), the Data Protection Act 2018, and to record the appropriate safeguards required for international transfers under Article 46 UK GDPR.
1. Parties
- Controller: the legal entity identified on the order form or account, which determines the purposes and means of processing personal data submitted to the Service.
- Processor: 73 Auto Ltd, company number 16883211, registered office 71-75 Shelton Street, London, England, WC2H 9JQ, contactable at privacy@73auto.com.
Both parties acknowledge that for end-user account data submitted by the Controller's authorised users into the Service, the Controller is the controller and 73auto.com is the processor.
2. Definitions
Capitalised terms not defined here have the meaning given to them in the UK GDPR. "Personal Data", "Processing", "Data Subject" and "Supervisory Authority" each carry their UK GDPR meaning. "Sub-processor" means any third party engaged by us to process Personal Data on the Controller's behalf.
3. Scope, subject-matter and duration
The subject-matter of processing is the provision of the 73auto.com Service to the Controller and its authorised users. The duration is the term of the main agreement plus the retention periods set out in our Privacy Policy. The nature and purpose of processing are vehicle Total Cost of Ownership calculation, user account management, billing and quota enforcement. Categories of Data Subject are the Controller's employees and authorised users. Categories of Personal Data are listed in section 5.
4. Processor obligations
We will:
- Process Personal Data only on the documented instructions of the Controller, including with regard to transfers outside the United Kingdom, except where required to do so by UK or EU law (in which case we will inform you of that legal requirement before processing, unless prohibited).
- Ensure that persons authorised to process the Personal Data are under an enforceable obligation of confidentiality.
- Implement and maintain the technical and organisational measures set out in section 8.
- Engage Sub-processors only as set out in section 6.
- Taking into account the nature of the processing, assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to Data Subject requests under Chapter III UK GDPR.
- Assist the Controller in ensuring compliance with Articles 32–36 UK GDPR (security, breach notification, DPIA, prior consultation).
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services, unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 UK GDPR and contribute to audits as described in section 11.
5. Categories of Personal Data and Data Subjects
- Data Subjects: the Controller's authorised users, and any individuals identifiable through the VRMs the Controller submits (note: DVLA responses for a VRM do not include the keeper's identity).
- Personal Data categories: account credentials, contact email, billing identifiers, IP address, request timestamps, vehicle lookup history, support correspondence.
- Special category data: none. The Service is not intended for and does not require Article 9 data.
6. Sub-processors
The Controller authorises the engagement of the following Sub-processors as of the effective date of this DPA. The current authoritative list is also published in our Privacy Policy and on this page.
| Sub-processor | Service | Location | Safeguard |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Payment processing and billing | Ireland (EU) with onward transfer to Stripe Inc. (US) | UK IDTA / SCCs; PCI-DSS Level 1 |
| Vultr Holdings LLC | Cloud hosting (London region) | United Kingdom | UK region only; full-disk encryption |
| MongoDB (self-hosted) | Application database | United Kingdom (co-located on Vultr) | Private Docker network; no public exposure |
| DVLA Vehicle Enquiry API | Vehicle technical data lookup | United Kingdom | UK public-sector controller |
| Sendinblue SAS (Brevo) | Transactional email | France (EU) | EU processor; DPA in force |
| Google LLC (optional) | OAuth sign-in (only if chosen by the user) | United States | UK IDTA / SCCs |
We will notify the Controller at least 30 days before adding or replacing a Sub-processor. The Controller may object in writing on reasonable data-protection grounds; if the parties cannot agree on a resolution, the Controller may terminate the affected Service.
7. International transfers
For any transfer of Personal Data outside the United Kingdom or the EEA, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or equivalent adequacy mechanism) and complete a Transfer Risk Assessment in line with ICO guidance.
8. Security measures (Article 32)
We implement the following technical and organisational measures, which we may update from time to time provided the overall level of security is not diminished:
- TLS 1.2+ for all data in transit; HSTS enforced on production domains.
- Full-disk encryption at rest on hosting infrastructure.
- Passwords stored as salted bcrypt hashes; no plaintext credentials.
- Role-based access control to production systems with audit logging; multi-factor authentication required for all administrative access.
- Principle of least privilege for service accounts and API keys; secret rotation procedure.
- Defence in depth: private Docker network, no public database ports, rate limiting and fraud detection at the application layer.
- Regular dependency scanning and patch management; off-site encrypted backups with documented restore drills.
- Incident response plan with defined roles and a 24-hour internal triage target.
9. Data subject rights
We will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures (insofar as this is possible) to respond to requests for exercising the Data Subject's rights laid down in Chapter III UK GDPR. Where a Data Subject contacts us directly, we will refer them to the Controller unless agreed otherwise.
10. Breach notification
We will notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. We will cooperate with the Controller in meeting its 72-hour notification obligation to the Supervisory Authority under Article 33 UK GDPR.
11. Audits
We will make available, on request and subject to reasonable confidentiality obligations, the information necessary to demonstrate compliance with this DPA. This includes our most recent security-controls summary and the SOC 2 / ISO 27001 reports of our principal Sub-processors where they are published. On-site audits are available no more than once per year, at the Controller's expense, with reasonable notice.
12. Liability
The liability of each party under this DPA is governed by the limitations of liability set out in the main agreement (or the Terms of Service if no separate agreement exists), subject to any liability that cannot be limited under UK GDPR.
13. Term and termination
This DPA takes effect when the Controller accepts the main agreement and continues for as long as we process Personal Data on the Controller's behalf. On termination, we will, at the Controller's choice, delete or return all Personal Data within 90 days, except where retention is required by law (e.g. tax records).
14. Governing law
This DPA is governed by the laws of England and Wales and the parties submit to the exclusive jurisdiction of the courts of England and Wales.