Introduction
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Dizzy Solutions, MB ("Processor") and the subscribing rental company ("Controller") for the use of the Nomora vehicle rental management platform.
This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws, specifically the EU General Data Protection Regulation (GDPR).
Definitions
Data Protection Laws
All laws and regulations applicable to the Processing of Personal Data, including GDPR and Lithuanian Law on Legal Protection of Personal Data
Personal Data
Information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1)
Processing
Any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion
Data Subject
The individual to whom Personal Data relates (rental customers and drivers)
Sub-Processor
Any third party engaged by the Processor to Process Personal Data on behalf of the Controller
Scope of Processing
Subject Matter
Provision of vehicle rental management software services
Duration
For the term of the Service Agreement and 30 days post-termination for data deletion
Nature and Purpose
Storage, management, and processing of rental customer data for booking management and operational purposes
Categories of Data Subjects
Rental customers, drivers, and authorized users of the Controller's rental service
Types of Personal Data
- Names and contact information
- Driver's license details
- Personal Identification Codes
- Payment information
- Booking and rental history
- Vehicle usage data
Processor's Obligations
Processing Instructions
The Processor shall Process Personal Data only on documented instructions from the Controller, including transfers of Personal Data to third countries or international organizations, unless required by EU or Member State law.
Confidentiality
The Processor ensures that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data (AES-256 at rest, TLS 1.3 in transit)
- Ensuring ongoing confidentiality, integrity, and availability
- Ability to restore data availability in case of incidents
- Regular testing and evaluation of security effectiveness
Sub-Processors
The Controller grants general authorization for the Processor to engage Sub-Processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes.
Current Sub-Processors
| Sub-Processor | Service | Location |
|---|---|---|
| Supabase (AWS) | Database hosting | Germany (EU) |
| Clerk, Inc. | Authentication | USA |
| Stripe Payments Europe | Payment processing | Ireland/USA |
| Montonio Finance | Baltic bank payments | Estonia (EU) |
| Vercel, Inc. | Application hosting | Global (EU primary) |
All Sub-Processors are bound by data processing agreements with equivalent obligations to this DPA, including Standard Contractual Clauses for transfers outside the EU.
Assistance with Data Subject Rights
The Processor shall assist the Controller in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights under Data Protection Laws.
Access Requests
Provide Personal Data in portable format within 5 business days
Rectification
Correct inaccurate Personal Data within 3 business days
Erasure
Delete Personal Data within 30 days when instructed
Data Portability
Export data in CSV or JSON format
Personal Data Breach
Notification Obligations
The Processor shall notify the Controller without undue delay (and in any event within 24 hours) after becoming aware of a Personal Data Breach.
Notification must include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Deletion or Return of Personal Data
Upon termination of the Services or upon request, the Processor shall delete or return all Personal Data to the Controller and delete existing copies, unless EU or Member State law requires storage.
Deletion Procedure
- Day 0: Service termination or deletion request
- Day 1-7: Data export available to Controller upon request
- Day 30: All Personal Data permanently deleted with secure overwriting
- Day 35: Deletion certificate provided to Controller
Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with obligations under this DPA and allow for and contribute to audits, including inspections.
Audit Frequency: The Controller may conduct audits once per year, with reasonable advance notice (at least 30 days). Additional audits may be conducted if there is reasonable suspicion of non-compliance.
Questions About This DPA?
For questions or to request a signed copy of this Data Processing Addendum:
Email: info@nomora.io
Response time: Within 5 business days
