Legal

Data Processing Addendum.

How Plaman Engineering Limited processes personal data on behalf of Jics customers. This addendum forms part of the customer agreement.

Working draft —this DPA is a structural draft. Please review with counsel and your data protection officer; the security annex and subprocessor list need to be confirmed against current operations before publication.
Last updated: 3 May 2026Owner: Plaman Engineering LimitedForms part of: the Terms of Service and any order form

1. Purpose

This Data Processing Addendum (the "DPA") sets out how Plaman Engineering Limited ("Jics", "we") processes personal data on behalf of the Customer when providing the Jics platform. It applies whenever the Customer's use of the platform involves the processing of personal data and is governed by applicable data protection laws.

2. Definitions

Terms such as personal data, processing, controller, processor, data subject, subprocessor and personal data breach have the meanings given in applicable data protection law. Capitalised terms not defined here have the meaning in the Terms of Service.

3. Roles and instructions

The Customer is the controller of customer data. Jics acts as processor and processes personal data only on the Customer's documented instructions — including the configuration of the platform, support requests, and these terms. Where the Customer's service provider has been delegated authority, their instructions count as Customer instructions.

4. Subject matter and scope

Subject matter: the provision of the Jics fleet logistics platform.

Duration: the term of the Customer agreement plus any post-termination return-or-delete window.

Nature and purpose: hosting, processing, transmitting, securing and otherwise handling personal data so the Customer can manage its fleet, dispatch trips, track vehicles, raise alerts, verify deliveries, replay completed trips, and report on operations.

5. Categories of data subjects

  • operators (administrators, fleet managers, security managers),
  • operators using the mobile application,
  • customers of the Customer who receive tracking links and confirm delivery, and
  • any other person whose data the Customer chooses to load into the platform.

6. Categories of personal data

  • Identity and contact: name, work email, phone, role, tenant.
  • Authentication: credential metadata, sign-in events, session tokens.
  • Vehicle and trip data: registration, depot, position pings, speed, route, stops, events.
  • Delivery confirmations: recipient details, one-time QR code, scan timestamp and location.
  • Usage: features used, dashboards opened, performance telemetry.
  • Free text: notes, comments and messages submitted by users.

7. Processor obligations

We will:

  • process personal data only on the Customer's documented instructions;
  • ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations;
  • implement appropriate technical and organisational measures (see section 8);
  • assist the Customer in fulfilling data subject rights, security obligations and impact assessments, taking into account the nature of the processing;
  • notify the Customer without undue delay of a personal data breach affecting their data; and
  • at the end of the agreement, return or delete personal data as set out in section 14.

8. Security measures

Our security programme includes encryption in transit, role-based access controls, tenant isolation, audit logging, change management, vulnerability management, backup and disaster recovery procedures, and regular security reviews. A current technical and organisational measures description is available on request.

9. Subprocessors

We engage subprocessors to provide infrastructure, mapping, communications, analytics and support tooling. A current list is available on request. We will give the Customer reasonable advance notice of new or replacement subprocessors and an opportunity to object on reasonable grounds.

10. International transfers

Where personal data is transferred outside the Customer's region, we put in place appropriate safeguards — including standard contractual clauses where required — to protect personal data.

11. Data subject rights

We will provide reasonable assistance to the Customer in responding to data subject requests for access, correction, deletion, restriction, portability or objection. Where a request is made directly to us by an end user of the Customer, we will forward it to the Customer without undue delay.

12. Personal data incidents

We will notify the Customer without undue delay after becoming aware of a personal data breach affecting their data, with sufficient information to support the Customer's own notification and remediation obligations. We will cooperate with the Customer to investigate and contain the incident.

13. Audits

The Customer may, at its expense and on reasonable notice, audit our compliance with this DPA. Where we have third-party reports or certifications that demonstrate compliance, those will be made available in lieu of an on-site audit where reasonably possible.

14. Return or deletion

On expiry or termination of the Customer agreement, we will, at the Customer's choice, return or delete all personal data within a defined window, except where applicable law requires continued retention. Backups containing personal data will be deleted in accordance with our backup retention schedule.

15. Term and survival

This DPA is effective from the start of the Customer agreement and remains in force for the duration of the agreement and any return-or-delete window. Provisions which by their nature should survive — confidentiality, indemnities, limitations of liability, governing law — survive termination.

16. Contact

DPA questions or signed-copy requests can be sent to info@plamanengineering.com.