Driver Codes — Data Processing Addendum (Standard)
Provider: RSMT Limited trading as Driver Codes
Version:v1.2 — 15th May 2026
Document use: Standard processor terms for self-serve customers, applying automatically to every account created at app.driver.codes. Incorporated by reference into the Self-Serve Business Terms.
Published location: app.driver.codes/documents/dpa
This Data Processing Addendum ("DPA") applies where Driver Codes processes Customer Personal Data on the Customer's behalf as a processor — specifically, in the operation of the Customer Portal workspace. It satisfies Article 28 UK GDPR.
For processing where Driver Codes acts as a controller in its own right (driver authority capture, DVLA retrieval, mandate retention, platform security), the Data Sharing Agreement (Standard) applies instead.
This DPA is non-negotiable for the self-serve track. Customers needing bespoke terms should request an Enterprise Agreement at hello@driver.codes.
1. Definitions
Terms have the meanings given in the Self-Serve Business Terms and the UK GDPR. "Customer Personal Data" means personal data within the Customer Portal that is processed on the Customer's behalf, as described in the Schedule.
2. Roles
2.1 For the processing covered by this DPA, the Customer is the controller and Driver Codes is the processor.
2.2 Driver Codes is not a processor for any other Service activity. In particular, Driver Codes acts as an independent controller for driver authority capture, DVLA retrieval, mandate retention, platform security and audit logging — see the Data Sharing Agreement (Standard).
3. The Customer's compliance role
3.1 The Customer is the controller and is responsible for its own data protection compliance, including: identifying and documenting its own Article 6 lawful basis; identifying and documenting its Schedule 1 condition under the Data Protection Act 2018 for criminal offence data (endorsements, disqualifications); maintaining an Appropriate Policy Document where required; providing transparency information to its drivers; and handling data subject requests in respect of its own processing.
3.2 The Customer warrants that all instructions it gives Driver Codes through normal use of the Service comply with applicable law.
4. Driver Codes' obligations as processor
Driver Codes will:
5. Sub-processors
5.1 The Customer gives general written authorisation for Driver Codes to engage sub-processors. Each sub-processor is bound to obligations no less protective than those in this DPA, and Driver Codes remains liable for their acts and omissions in respect of Customer Personal Data.
5.2 The current list is at app.driver.codes/documents/subprocessors. Driver Codes will give 30 days' notice of changes through that page (and by email if the Customer has subscribed to change notifications).
5.3 If the Customer reasonably objects to a proposed change on legitimate data protection grounds within 20 days, Driver Codes will discuss reasonable alternatives. If none can be agreed, the Customer may close the account under the Self-Serve Business Terms with refund of unused Credits as a goodwill measure.
6. International transfers
6.1 Driver Codes' primary production hosting for the Customer Portal and core check records is located in the United Kingdom, in AWS region eu-west-2. Certain ancillary sub-processors engaged by Driver Codes may process limited Customer Personal Data outside the United Kingdom, as identified in the Sub-processor List.
6.2 For each sub-processor whose processing involves a transfer outside the UK, Driver Codes has put in place the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another transfer mechanism recognised under UK data protection law, supported by a documented Transfer Risk Assessment in accordance with Information Commission guidance. The applicable mechanism for each sub-processor is recorded in the Sub-processor List. Summaries of Transfer Risk Assessments are available to Customers on request.
6.3 If a sub-processor change introduces a new country of processing not already covered by the Sub-processor List, Driver Codes will update the list with the country and the transfer mechanism in advance, in accordance with clause 5.
6.4 Driver Codes does not intentionally transfer full driver-check records outside the UK for production hosting. Where ancillary providers process limited personal data outside the UK, the categories of data, locations and transfer mechanisms are recorded in the Sub-processor List.
7. Liability
Liability under this DPA is governed by clause 14 of the Self-Serve Business Terms.
8. Term and conflicts
8.1 This DPA applies for as long as Driver Codes processes Customer Personal Data under the Service.
8.2 In the event of conflict between this DPA and the Self-Serve Business Terms, this DPA prevails on data protection matters within its scope. In the event of conflict between this DPA and the Data Sharing Agreement (Standard), each instrument prevails for the activity it governs.
Schedule — details of the processing
| Field | Value |
|---|---|
| Subject matter | Operation of the Customer Portal workspace and related functionality, on the Customer's behalf. |
| Duration | For as long as the Customer's account is active, plus the post-closure window in clause 11 of the Self-Serve Business Terms. |
| Nature and purpose | Hosting, storage, transmission, retrieval, organisation and display of Customer Personal Data in the Customer Portal — including driver invitation records, delivered check outcomes, configuration data, reminders, exports, and audit logs of Customer User activity. |
| Type of personal data | Customer User account details (name, work email, role); identity and contact information for invited drivers (name, work contact, internal reference); delivered check outcomes (entitlements, restriction codes, endorsements, disqualifications, CPC and DQC data, digital tachograph data); configuration and workflow data; portal access logs. |
| Special category / criminal offence data | Endorsements and disqualifications (Article 10 UK GDPR — criminal offence data). The Customer warrants that it has identified and maintains a valid Schedule 1 condition under the Data Protection Act 2018 and an Appropriate Policy Document where required. |
| Categories of data subject | Drivers, applicants and contracted drivers invited by the Customer; Customer-appointed Users of the Customer Portal. |
| Customer instructions | (a) provide the Service in accordance with the Self-Serve Business Terms; (b) act on the Customer's use of the Customer Portal (configuration, user management, exports, deletions); (c) take reasonable technical and security actions to operate, secure and support the Service; (d) comply with applicable law. |
| Sub-processors | As listed at app.driver.codes/documents/subprocessors. |
| Technical and organisational measures | As set out in the Security and Technical Measures Schedule at app.driver.codes/documents/security. |
Note on regulator naming: at the version date of this document, the Information Commissioner's Office (ICO) remains the operative legal name of the UK data protection regulator. References in this document to the "Information Commission" anticipate the regulator's reconstitution under Part 6 of the Data (Use and Access) Act 2025. Our registration (ZA788385) is held with the regulator and will transfer to the Information Commission by operation of law on commencement of sections 118 and 119 of that Act.