Data Processing Agreement

Version November 2025

PARTIES
(1) The Licensee(s) listed in Schedule 1 (“Controller”); and
(2) Dealer Management Services Limited, of Navigator House, Unit 5, 12 O’Clock Court, Attercliffe Road, Sheffield S4 7WW (“Processor”).

BACKGROUND
A. The Controller and the Processor have entered into a Software Licence Agreement (“Services Agreement”) under which the Processor provides the Navigator DMS software platform and related services that may require the Processor to process Personal Data on behalf of the Controller.
B. This Data Processing Agreement (“Agreement”) sets out the terms on which the Processor will process Personal Data when providing such services. It reflects the requirements of Article 28(3) of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. DEFINITIONS
Unless otherwise defined, terms in this Agreement have the meaning given in the UK GDPR, including:

  • Data Protection Legislation: the UK GDPR, the Data Protection Act 2018, and all applicable laws relating to the processing of personal data and privacy.
  • Personal Data, Data Subject, Processing, Controller, and Processor have the meanings given in Article 4 of the UK GDPR.
  • Sub-Processor: any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. PROCESSING PURPOSES
The parties acknowledge that:

  • The Controller determines the purposes and means of processing.
  • The Processor acts only on the Controller’s documented instructions.

The categories of Personal Data, Data Subjects, and purposes of processing are set out in Schedule 1.
The Processor will not process Personal Data other than as necessary to perform the Services Agreement, unless required by UK law.

3. PROCESSOR OBLIGATIONS
The Processor shall:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure confidentiality of persons authorised to process Personal Data.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Schedule 2).
  • Assist the Controller in fulfilling Data Subject rights and data-protection obligations.
  • Notify the Controller of any Personal Data Breach without undue delay and within 24 hours.
  • Return or securely delete Personal Data at the end of the Services Agreement in accordance with Clause 9.
  • Make available information necessary to demonstrate compliance and allow for audits.
  • Inform the Controller if it believes an instruction infringes Data Protection Legislation.

4. SUB-PROCESSORS
The Processor may use approved Sub-Processors listed at https://www.dmsnavigator.com/terms/subprocessors

The Processor will:

  • Conduct due diligence on all Sub-Processors.
  • Ensure equivalent data-protection obligations through a written agreement.
  • Remain fully liable for each Sub-Processor’s acts or omissions.

The Processor will notify the Controller at least 30 days in advance of any intended changes to its Sub-Processor list.

5. SECURITY
The Processor shall implement security measures consistent with Article 32 of the UK GDPR, including:

  • Encryption of data in transit and at rest.
  • Access controls, role-based permissions, and multi-factor authentication.
  • Regular penetration testing and vulnerability management.
  • Logging and monitoring of access.
  • Incident response and recovery plans.

Details are set out in Schedule 2 (Security Measures).

6. DATA SUBJECT RIGHTS
The Processor shall assist the Controller by appropriate technical and organisational measures to enable responses to Data Subject requests, including access, rectification, erasure, restriction, portability and objection.

7. PERSONAL DATA BREACH
The Processor will notify the Controller without undue delay (and within 24 hours) upon becoming aware of any Personal Data Breach.

The Processor shall provide details including:

  • Nature of the breach, categories and volume of data affected.
  • Likely consequences.
  • Remedial measures taken or proposed.

The Controller is responsible for any required notifications to supervisory authorities or Data Subjects, except where required otherwise by law.

8. INTERNATIONAL TRANSFERS
The Processor shall not transfer Personal Data outside the United Kingdom without the Controller’s prior written authorisation.

Where authorised, such transfers must be made under either a UK adequacy regulation or the ICO’s International Data Transfer Agreement (IDTA) or Addendum to the EU SCCs, as applicable.

9. DATA RETURN AND DESTRUCTION
On termination or expiry of the Services Agreement, the Processor shall, at the Controller’s written instruction, either (a) securely delete or destroy all Personal Data in its possession or control, or (b) return such data to the Controller, subject to Clause 9.2.

Where the Controller requests the return of Personal Data, the Processor may charge a reasonable administrative fee to cover the cost of preparing and providing such data in a commonly used electronic format. The Processor shall notify the Controller of the applicable fee in advance and shall not proceed without the Controller’s confirmation.

Unless otherwise required by law, all Personal Data will be securely destroyed within 30 days of the end of the Services Agreement or confirmation from the Controller that it no longer requires return of the data.

The Processor shall confirm in writing when data deletion or destruction has been completed.

10. AUDIT
The Controller (or its appointed auditor) may conduct audits once per year on reasonable notice during normal business hours at the Controller’s expense.
The Processor will co-operate fully and provide evidence of security and compliance controls that align with ISO 27001 standards, although the Processor is not formally certified.

11. WARRANTIES
The Processor warrants that:

  • Its personnel are trained in data protection and confidentiality.
  • It has implemented measures to ensure compliance with the UK GDPR.
  • It has no reason to believe its processing infringes UK law.

12. NOTICES
All notices under this Agreement shall be in writing and sent to:

For the Controller: as specified in Schedule 1
For the Processor:
Data Protection Officer
Dealer Management Services Ltd
Email: support@dmsnavigator.com

SCHEDULE 1 – DATA PROCESSING DETAILS

Subject Matter: Processing of customer, supplier, prospect and user data within the Navigator software.

Duration: For the term of the Services Agreement.

Purpose: Provision of hosted software and related services.

Data Categories: Name, address, contact details, purchase history, payment details, communications, login and usage data.

Data Subjects: Customers, suppliers, prospects and dealership staff users.

SCHEDULE 2 – SECURITY MEASURES

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Multi-factor authentication for administrative access.
  • Regular vulnerability scanning and third-party penetration testing.
  • Hosting environment operated in accordance with processes aligned to ISO 27001 controls, including access control, change management and incident response.
  • Continuous monitoring and logging of system activity.
  • Annual staff training on data protection and information security.