BikefleetBack to home

Data Processing Agreement (DPA)

Last updated: March 20, 2026

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the agreement between Systemity AB ("Systemity", "BIKEFLEET", "Processor") and the entity or individual using the BIKEFLEET platform as a business customer ("Customer", "Controller").

This DPA governs the processing of personal data by BIKEFLEET on behalf of the Customer when providing the BIKEFLEET platform (the "Service"). This agreement is entered into in accordance with Article 28 of the General Data Protection Regulation (GDPR).

1. Definitions

Asset Data Non-personal data related to Assets registered in the Service, including but not limited to specifications, maintenance records, usage data, images, and associated documents. Asset Data does not constitute Personal Data unless it can be linked to an identifiable natural person.

Controller The entity that determines the purposes and means of processing personal data.

Processor The entity that processes personal data on behalf of the Controller.

Personal Data Any information relating to an identified or identifiable natural person.

Processing Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Subprocessor A third party engaged by the Processor to process personal data on behalf of the Controller.

Applicable Data Protection Law All applicable laws relating to data protection and privacy, including the General Data Protection Regulation (GDPR).

2. Roles of the Parties

When the Customer uses the Service to process personal data:

  • the Customer acts as Data Controller
  • BIKEFLEET acts as Data Processor.

The Customer determines:

  • the categories of personal data processed
  • the purpose of processing
  • which individuals' data is uploaded.

BIKEFLEET processes personal data only in accordance with the Customer's documented instructions and this DPA.

3. Subject Matter and Duration of Processing

The subject matter of processing is the provision of the BIKEFLEET Asset management platform, including the processing of Personal Data submitted by the user in connection with the use of the Service.

The duration of processing shall be for as long as the Customer uses the Service or until termination of the applicable service agreement, unless retention is required by law.

4. Nature and Purpose of Processing

BIKEFLEET processes Personal Data only to provide and maintain the Service. Processing activities may include:

  • hosting and storing Personal Data associated with user Accounts
  • processing Personal Data contained within Asset Data where applicable
  • managing user Accounts
  • enabling collaboration between authorised users
  • ensuring platform security and reliability.

Asset Data that does not constitute Personal Data falls outside the scope of this DPA and is governed by the Terms of Service.

BIKEFLEET does not process personal data for its own independent commercial purposes.

5. Types of Personal Data

Depending on how the Customer uses the Service, the following types of personal data may be processed:

  • account information (name, email address)
  • contact information
  • user-generated content to the extent it contains Personal Data
  • uploaded documents and photographs to the extent they contain Personal Data.

Asset Data that does not contain Personal Data is not considered Personal Data under this DPA.

BIKEFLEET does not require Customers to upload personal data beyond what is necessary to use the Service.

6. Categories of Data Subjects

Personal data processed through the Service may relate to:

  • Customer employees
  • service technicians or contractors
  • Asset owners
  • individuals whose data is uploaded by the Customer.

7. Processor Obligations

BIKEFLEET shall:

  1. Process personal data only on documented instructions from the Customer.
  2. Ensure that personnel authorized to process personal data are subject to confidentiality obligations.
  3. Implement appropriate technical and organizational measures to ensure data security.
  4. Assist the Customer in responding to requests from data subjects exercising their rights under GDPR.
  5. Assist the Customer in complying with obligations relating to security, breach notification, and data protection impact assessments.
  6. Make available information necessary to demonstrate compliance with this DPA.

These obligations apply only to the processing of Personal Data as defined under applicable data protection law.

8. Security Measures

BIKEFLEET implements appropriate technical and organizational measures designed to protect personal data, including:

  • encryption of data in transit
  • authentication and access control mechanisms
  • infrastructure security monitoring
  • logging and security auditing.

Security measures are regularly reviewed and updated as necessary.

9. Subprocessors

BIKEFLEET may engage Subprocessors to support the operation of the Service, including providers of:

  • cloud hosting infrastructure
  • monitoring services
  • analytics tools.

BIKEFLEET ensures that all Subprocessors are bound by contractual obligations consistent with this DPA and applicable data protection laws.

BIKEFLEET remains responsible for the performance of its Subprocessors.

A list of Subprocessors may be provided upon request.

10. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), BIKEFLEET will ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • other lawful transfer mechanisms recognized under GDPR.

11. Personal Data Breach Notification

BIKEFLEET shall notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Customer. Such notification shall include information reasonably necessary for the Customer to comply with its obligations under applicable data protection laws.

12. Data Subject Rights

BIKEFLEET shall assist the Customer, where technically feasible, in responding to requests from individuals exercising their rights under GDPR, including:

  • access
  • rectification
  • erasure
  • restriction of processing
  • data portability.

13. Data Retention and Deletion

Upon termination of the Service:

  • BIKEFLEET will delete or return personal data processed on behalf of the Customer unless retention is required by law.
  • Data that has been anonymised such that it no longer constitutes Personal Data may be retained by BIKEFLEET.
  • Asset Data that does not constitute Personal Data is not subject to deletion under this DPA and may be retained in accordance with the Terms of Service.

14. Audits and Compliance

Upon reasonable request, BIKEFLEET will provide information necessary to demonstrate compliance with this DPA. Audits shall be conducted in a manner that does not unreasonably disrupt BIKEFLEET's operations or compromise security.

15. Liability

Each party's liability arising from this DPA shall be subject to the liability limitations set forth in the BIKEFLEET Terms of Service.

16. Governing Law

This DPA shall be governed by the laws of Sweden.

Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions set forth in the BIKEFLEET Terms of Service, including arbitration administered by the Stockholm Chamber of Commerce (SCC).