Data Processing Agreement

HauliK is operated by Mat Mad LTD (Company No. 09270153).

Last updated: 3 June 2026

Summary

This Data Processing Agreement ("DPA") is incorporated by reference into the HauliK Terms of Service. It sets out how Mat Mad LTD, trading as HauliK, processes personal data as a processor on behalf of transport operator customers who are the controller.

This DPA forms part of HauliK's standard online terms for business customers. Customers with specific legal, procurement or enterprise requirements may contact us to discuss a signed DPA or contract review.

By using the Service, you agree to the terms of this DPA. Customers with strict procurement or enterprise requirements may contact info@matmad.co.uk to request a signed DPA or to discuss procurement review.

1. Introduction

This Data Processing Agreement ("DPA") is between:

  • The Customer — the transport operator or business accessing and using the HauliK Service (as identified in the account registration), acting as controller in relation to operational fleet and driver personal data.
  • Mat Mad LTD (Company No. 09270153), of Swadlincote, UK, trading as HauliK, acting as processor in relation to that same data.

This DPA supplements and is incorporated by reference into the HauliK Terms of Service ("Terms"). Where this DPA conflicts with the Terms in matters relating to the processing of personal data, this DPA prevails. Capitalised terms not defined here have the meaning given in the Terms.

2. Definitions

In this DPA:

  • Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Sub-processor: any third-party processor engaged by HauliK to process personal data in the performance of the Service on behalf of the Customer.
  • Personal Data, Data Subject, Processing: as defined in the UK GDPR.
  • UK GDPR: the UK General Data Protection Regulation, as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018, as amended.
  • DPA: this Data Processing Agreement.
  • Service: the HauliK web platform, HauliK Driver mobile applications, APIs and related services as described in the Terms.

3. Scope and Relationship with Terms

This DPA applies to the processing of personal data that HauliK carries out on behalf of the Customer in the course of providing the Service.

This DPA does not apply to:

  • personal data that HauliK processes as a controller in its own right — including account registration details, billing and payment data, platform security and fraud-prevention data, and support communications. That processing is governed by the HauliK Privacy Policy;
  • data that the Customer processes independently in systems outside HauliK's control.

4. Roles of the Parties

Customer — Controller

The Customer determines the purposes and means of processing operational fleet and driver personal data. The Customer is responsible for ensuring it has a lawful basis for processing and for fulfilling its UK GDPR obligations as controller.

HauliK (Mat Mad LTD) — Processor

HauliK processes operational fleet and driver personal data on the Customer's behalf and only to the extent necessary to provide the Service, subject to the obligations in this DPA.

For HauliK's own account management, billing, platform security, website operation and service improvement, HauliK acts as controller. This is described in the Privacy Policy.

5. Subject Matter, Nature and Purpose of Processing

HauliK processes personal data as processor solely to:

  • provide, maintain and support the fleet management platform and driver application;
  • enable driver walkaround checks, defect reports, job management, proof of delivery, messaging, timesheets and fuel logs;
  • store photographic evidence, signatures and documents as part of compliance record-keeping on behalf of the Customer;
  • relay push notifications to driver devices;
  • provide administrative reporting and audit trails within the platform;
  • carry out security, monitoring and fraud-prevention operations necessary to maintain service integrity.

6. Duration of Processing

HauliK processes personal data under this DPA for the duration of the Customer's active subscription or trial period. On termination or expiry, HauliK will handle data in accordance with Section 18 (Return or Deletion of Personal Data).

7. Categories of Data Subjects

Personal data processed under this DPA may relate to:

  • drivers employed or contracted by the Customer;
  • employees, contractors, mechanics, dispatchers and administrators of the Customer;
  • delivery recipients where proof-of-delivery name or signature is captured via the platform;
  • support contacts communicating with HauliK on behalf of the Customer.

8. Types of Personal Data

HauliK may process the following categories of personal data on the Customer's behalf:

  • Identity and contact: full name, email address, user ID, account role
  • Organisational membership: company association, team membership, user role
  • Operational records: vehicle and trailer records, job details and history, walkaround check and defect records, proof-of-delivery records
  • Evidence data: photographs captured during checks or delivery, signatures, uploaded documents
  • Location evidence: foreground-only location data captured at the point a check or job record is submitted — not continuous or background location tracking
  • Communications: in-platform messages between operators and drivers
  • Timesheet and attendance records; fuel logs
  • Device identifiers: push notification tokens (held solely for push relay purposes)
  • Technical data: IP address, browser/device user-agent, platform audit logs
  • Support communications: content of support requests and responses submitted via the platform

9. Customer Instructions

HauliK shall process personal data only on the documented instructions of the Customer. The Customer's use of the Service — including its configuration, data inputs and submissions — constitutes such instructions.

HauliK shall promptly notify the Customer if, in HauliK's reasonable opinion, an instruction would infringe the UK GDPR or other applicable data protection law, unless HauliK is prohibited from doing so by law.

10. Processor Obligations

HauliK shall:

  • process personal data only to the extent necessary to provide the Service and comply with legal obligations, and not for any other purpose;
  • implement appropriate technical and organisational security measures as described in Section 12;
  • maintain records of processing activities carried out on behalf of the Customer to the extent required by Art. 30 UK GDPR;
  • assist the Customer with data subject rights obligations as described in Section 15;
  • assist the Customer with security, breach notification, DPIAs and regulator consultation as described in Section 16.

11. Confidentiality

HauliK shall ensure that persons authorised to process the Customer's personal data are subject to appropriate obligations of confidentiality, whether under contract, employment terms or professional duty.

12. Security Measures

HauliK implements technical and organisational measures appropriate to the risk of the processing, including:

  • encrypted transmission of all data over HTTPS/TLS;
  • role-based access controls within the platform;
  • row-level security (RLS) within the database layer where applicable;
  • restriction of administrative database access (service-role) to server-side operations only, not exposed to the browser;
  • encryption at rest provided by infrastructure providers (Supabase, Vercel);
  • logical separation of Customer data within the multi-tenant platform;
  • audit logging of significant platform actions;
  • secure credential handling and least-privilege access principles;
  • platform monitoring and logging.

Further detail is available on the HauliK Security page. HauliK does not guarantee absolute security. HauliK is not currently certified under ISO 27001 or SOC 2.

13. Sub-processors

The Customer authorises HauliK to engage the sub-processors listed at haulik.co.uk/sub-processors (the "Sub-processor List").

HauliK will provide reasonable advance notice of material changes to sub-processor arrangements by updating the Sub-processor List and, where practicable, providing electronic notice to registered account administrators. The Customer may object to the appointment of a new sub-processor on reasonable data-protection grounds by contacting info@matmad.co.uk within 30 days of the notice.

HauliK shall impose data protection obligations on sub-processors no less protective than those in this DPA, and shall remain liable to the Customer for any failure by a sub-processor to meet those obligations.

14. International Transfers

Some sub-processors are located or process data outside the UK or EEA. Where such transfers occur, HauliK shall ensure appropriate safeguards are in place, which may include:

  • transfers relying on UK adequacy regulations or decisions;
  • transfers covered by an International Data Transfer Agreement (IDTA) or the UK Addendum to Standard Contractual Clauses (SCCs);
  • equivalent transfer mechanisms recognised under UK data protection law.

Specific transfer arrangements for each sub-processor are noted in the Sub-processor List.

15. Assistance with Data Subject Rights

HauliK shall, taking into account the nature of the processing and by appropriate technical and organisational means, assist the Customer in fulfilling its obligation to respond to data subject rights requests under the UK GDPR — including rights of access, rectification, erasure, restriction, data portability and objection — to the extent that HauliK holds or processes the relevant data.

Where data subjects contact HauliK directly in respect of personal data for which the Customer is the controller, HauliK will direct them to the Customer where appropriate.

16. Assistance with Security, DPIAs and Consultations

HauliK shall assist the Customer:

  • in complying with its security obligations under Art. 32 UK GDPR, taking into account the nature of processing and information reasonably available to HauliK;
  • where applicable and requested, in conducting data protection impact assessments (DPIAs) under Art. 35 UK GDPR, to the extent reasonably within HauliK's ability to assist;
  • in prior consultation with the ICO under Art. 36 UK GDPR, where required and to the extent HauliK holds relevant information.

17. Personal Data Breach Notification

HauliK shall notify the Customer without undue delay upon becoming aware of a personal data breach affecting Customer data processed under this DPA. Notification shall include such information as is reasonably available at the time and shall be sent to the contact email registered on the Customer's account.

The Customer is responsible for assessing whether the breach meets the reporting threshold under Art. 33 UK GDPR, and for making any required notifications to the ICO or to affected data subjects.

18. Return or Deletion of Personal Data

On termination or expiry of the Customer's subscription, HauliK will:

  • make the Customer's data available for export within the platform for up to 30 days following termination where technically feasible;
  • thereafter, delete or anonymise Customer data in accordance with HauliK's standard data retention practices, except where retention is required by applicable law (including financial, accounting and legal hold obligations), by security or audit requirements, or by the obligations set out in this DPA.

The Customer is responsible for exporting any records it requires for its own legal or regulatory compliance before account closure. HauliK shall not be liable for loss of data that the Customer failed to export before deletion.

19. Audits and Information

HauliK shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits or inspections conducted by the Customer or a mandated third-party auditor, subject to:

  • reasonable advance notice (not less than 30 days);
  • confidentiality obligations to protect HauliK's other customers and proprietary systems;
  • HauliK's right to charge reasonable costs for significant audit activity.

HauliK may, at its discretion, provide compliance information in the form of written responses, documentation, or third-party certifications where available, in lieu of on-site audit access.

20. Customer Responsibilities

As controller, the Customer is responsible for:

  • ensuring it has a lawful basis for collecting and submitting personal data to HauliK, including any basis required by employment law or sector-specific regulation;
  • complying with its obligations under the UK GDPR and applicable legislation, including obligations regarding driver monitoring, compliance record-keeping and disclosure;
  • ensuring data subjects — including drivers — have received appropriate transparency information under Art. 13 UK GDPR about the use of HauliK;
  • managing user access and permissions within the platform, including promptly removing access for drivers or staff who leave;
  • exporting and retaining records required for its own legal and regulatory compliance before account closure.

21. Liability and Order of Precedence

Each party's liability under this DPA is subject to the limitations and caps set out in the Terms. This DPA supplements the Terms and does not create liability beyond what the Terms provide, except where required by applicable law.

In the event of a conflict between this DPA and the Terms in relation to the processing of personal data, this DPA shall prevail.

22. Contact

For questions about this DPA, to exercise data subject assistance rights, or to request a signed DPA for enterprise procurement purposes, please contact:

Mat Mad LTD

Company No. 09270153 (England & Wales)

Swadlincote, UK

Email: info@matmad.co.uk