Konduce

Data processing agreement (DPA)

Last updated: 29 April 2026

This is a courtesy translation. The Spanish version prevails in case of discrepancy.

This agreement governs the processing of personal data by Konduce SL (the “Processor”) on behalf of the contracting driving school (the “Controller”), in accordance with the GDPR (EU 2016/679) and the Spanish LOPDGDD (LO 3/2018).

1. Subject matter

The Processor will process the data of students, instructors and driving-school staff to deliver the management services included in the Konduce subscription. The Processor will not use the data for any other purpose.

2. Data categories and data subjects

  • Students: name, national ID, contact, academic data, payments, digital signature.
  • Instructors and staff: name, contact, role, DGT authorisations.
  • Service-usage data (sessions, audit events).

3. Processor obligations

  • Process data only on the Controller’s instructions.
  • Ensure that staff with access to the data are bound by confidentiality.
  • Apply appropriate technical and organisational measures (encryption, access control, audit logging).
  • Notify the Controller of any data breach without undue delay and, in any event, no later than 72 hours after detection.
  • Assist the Controller in handling data-subject rights (access, rectification, erasure, portability, objection, restriction).
  • Return or delete all data when the service ends, unless a legal obligation requires retention.

4. Sub-processors

The Controller authorises Konduce to use the following sub-processors:

  • Supabase Inc. — database and authentication hosting (Frankfurt, EU).
  • Vercel Inc. — application hosting (EU).
  • Stripe Payments Europe Ltd. — payment processing (Ireland, EU).
  • Resend Inc. — transactional email (EU/US, under Standard Contractual Clauses).

Any addition or removal of sub-processors will be notified to the Controller 30 days in advance, at which point a reasoned objection may be raised.

5. International transfers

Data is stored primarily in the EU. Occasional transfers outside the EEA rely on Standard Contractual Clauses approved by the European Commission.

6. Audit

The Controller may request a compliance report once per year, or — with reasonable justification — an audit coordinated with the Processor at the Controller’s expense.

7. Term

This DPA is in force for the duration of the main subscription contract. Termination triggers the return or deletion of data within a maximum of 30 days.