Parkspot.ai
Contact sales

Legal

Data Processing Agreement

Effective April 25, 2026

This page explains how Parkspot signs Data Processing Agreements with our enterprise customers (cities, fleets, and other organizations that process personal data of their own users through the Parkspot platform).

1. Who needs a DPA

You need a Data Processing Agreement (DPA) with Parkspot if you are an organization sending personal data through the Parkspot platform on behalf of your own end users — for example:

  • A city deploying the Parkspot platform across its enforcement, planning, or curb-management teams;
  • A fleet operator routing drivers, technicians, or service personnel through Parkspot;
  • Any business customer subject to the GDPR, UK GDPR, CCPA/CPRA, or equivalent privacy laws when their use of Parkspot involves personal data.

If you’re an individual driver using the Parkspot mobile app for personal use, you don’t need a DPA — our Privacy Policy covers your use directly.

2. What our DPA covers

Our DPA template is built around GDPR Article 28 and includes the standard set of processor commitments enterprise customers expect:

  • Subject matter, nature, purpose, and duration of processing;
  • Categories of data subjects and types of personal data;
  • Controller and processor obligations;
  • Current subprocessor list and 30-day change-notification mechanism;
  • EU–US transfer mechanism (Standard Contractual Clauses Module 2 and the EU–US Data Privacy Framework where applicable);
  • UK International Data Transfer Addendum to the EU SCCs;
  • Technical and organizational security measures (TLS in transit, encryption at rest, least-privilege access, audit logging, secret management);
  • Data-subject-rights assistance;
  • Breach-notification SLA of 72 hours from confirmation;
  • Audit rights (records-based audits annually; on-site audits with reasonable notice and confidentiality);
  • Return or deletion of personal data on termination;
  • Liability allocation aligned with the limitation of liability in the underlying agreement.

3. How to request a DPA

Email legal@parkspot.aiwith the subject “DPA request” and include:

  • Your legal entity name, address, and signing authority;
  • The Parkspot product or pilot you intend to use;
  • The category of personal data and data subjects involved;
  • Any required-by-law clauses specific to your jurisdiction (for example, UK ICO addendum, Swiss DPA, US state-specific addenda).

We will respond within 5 business days with the current draft for your counsel’s review.

4. Standard Contractual Clauses

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to Parkspot in the United States, we rely on:

  • The EU–US Data Privacy Framework, where the receiving subprocessor is DPF-certified;
  • The UK Extension to the EU–US DPF (UK–US Data Bridge) for UK transfers;
  • European Commission Standard Contractual Clauses (Decision 2021/914) Module 2 (Controller→Processor), where DPF does not apply;
  • The UK International Data Transfer Addendum (IDTA) to the EU SCCs.

5. Subprocessors

Our current subprocessor list is included as an annex to the DPA and is also available on request from legal@parkspot.ai. We give 30 days’ notice before adding or replacing a subprocessor that processes personal data, and we offer customers a right to object on reasonable grounds.

6. Security and audit

Our technical and organizational measures are summarized in the security section of our Privacy Policy. The DPA references the same controls as binding commitments and adds records-based audit cooperation. On-site audits require advance notice, scope agreement, and a confidentiality agreement.

7. Contact

For DPA requests, signed copies, or questions: legal@parkspot.ai.