1. Roles
The Customer acts as the Data Controller.
Clarvio Limited acts as the Data Processor.
The Controller determines the purposes and means of processing personal data.
The Processor processes personal data on behalf of the Controller.
2. Scope of Processing
The Processor will process personal data only:
To provide the Services
In accordance with the Controller’s instructions
In compliance with applicable UK data protection laws
Processing is limited to what is necessary to deliver the Services.
Processing includes the storage, analysis, and modification of uploaded vehicle images and related data.
3. Types of Data
Personal data processed may include:
Vehicle images
Vehicle registration numbers
Vehicle identification numbers (VIN)
Associated metadata (e.g. timestamps, usage data)
Images that may contain identifiable information
User account data (if applicable)
4. Categories of Data Subjects
Data subjects may include individuals identifiable through vehicle-related data, such as vehicle owners or drivers.
5. Obligations of the Controller
The Controller warrants that:
It has a lawful basis to process personal data
It has the right to upload and share such data with the Processor
It has provided any required notices to relevant individuals
The Controller is responsible for ensuring compliance with all applicable data protection laws.
6. Obligations of the Processor
The Processor shall:
Process personal data only on documented instructions from the Controller
Ensure that persons authorised to process data are subject to confidentiality obligations
Implement appropriate technical and organisational security measures
Assist the Controller, where reasonably required, with responding to data subject requests
Assist the Controller in meeting its obligations under UK GDPR
7. Sub-Processors
The Controller authorises the use of sub-processors (e.g. cloud hosting and infrastructure providers).
The Processor shall:
Ensure sub-processors are bound by equivalent data protection obligations
Remain responsible for the performance of sub-processors
A list of current sub-processors is available upon request.
8. International Transfers
Where personal data is transferred outside the United Kingdom, the Processor shall ensure appropriate safeguards are in place, such as:
UK Standard Contractual Clauses
Transfers to countries with recognised adequacy decisions
9. Security
The Processor shall implement appropriate technical and organisational measures to protect personal data, including:
Encryption in transit
Access controls
Monitoring and security safeguards
Measures are regularly reviewed and updated to maintain security.
10. Personal Data Breaches
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the processed data.
11. Data Retention and Deletion
Upon termination, personal data will be deleted or returned at the Controller’s request, unless retention is required by law.
12. Audit and Compliance
The Processor shall make available information reasonably necessary to demonstrate compliance with this Agreement. Audits shall be subject to reasonable notice, unless required by law.
13. Governing Law
This Agreement is governed by the laws of England and Wales.



