FuelLogix
Sign In Get Started

Data Processing Agreement

Effective Date: February 22, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Micro-Logix, Inc. ("Processor") and the customer ("Controller") for the provision of the FuelLogix XCP platform.

1. Definitions

  • Controller: The customer entity that determines the purposes and means of processing personal data.
  • Processor: Micro-Logix, Inc., which processes personal data on behalf of the Controller.
  • Sub-processor: A third party engaged by the Processor to assist in processing personal data.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion.

2. Scope of Processing

The Processor shall process personal data only on documented instructions from the Controller and solely for the purpose of providing the FuelLogix XCP platform services as described in the service agreement.

3. Processing Details

The following categories of data are processed:

Data Categories

Category Examples
Transaction Data POS sales records, payment details, refund records
Fuel Inventory Tank levels, delivery records, variance reports
Employee Records Names, timeclock entries, shift schedules, roles
Financial Data GL entries, bank deposits, vendor invoices
Account Data User names, email addresses, login activity

Data Subjects

Processing may involve data relating to:

  • Employees and contractors of the Controller
  • Users authorized to access the platform
  • Customers of the Controller (transaction data)

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Assist the Controller in ensuring compliance with data protection impact assessments
  • Delete or return all personal data upon termination of the service agreement
  • Make available all information necessary to demonstrate compliance with this DPA

5. Sub-processors

The Controller authorizes the use of the following sub-processors:

Sub-processor Purpose Location
Microsoft Azure Cloud infrastructure hosting and data storage United States

The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object. Each sub-processor shall be bound by data protection obligations no less protective than those in this DPA.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly notify the Controller if it receives a request directly from a data subject.

7. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Network segmentation and firewall protection
  • Multi-factor authentication for administrative access
  • Regular security audits and penetration testing
  • Automated backup with point-in-time recovery
  • Access logging and monitoring
  • Incident response procedures

8. Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:

  • The nature of the breach, including affected data categories and approximate number of records
  • The name and contact details of the data protection point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

9. Deletion and Return of Data

Upon termination of the service agreement, the Processor shall, at the Controller's election, return or delete all personal data within 90 days. The Controller may request a data export in a standard machine-readable format prior to deletion.

The Processor may retain personal data to the extent required by applicable law, provided that such data remains subject to the confidentiality obligations of this DPA.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections conducted by the Controller or a mandated auditor.

Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's operations.

11. Term

This DPA shall remain in effect for the duration of the service agreement between the Controller and the Processor. Obligations regarding data confidentiality and security shall survive termination.

Questions?

If you have questions about this document, please contact us:

FuelLogix Assistant
Powered by AI · Free Trial

Cookie Notice

We use cookies to ensure the proper functioning of our platform and to improve your experience. Essential cookies are always active. You can learn more in our Cookie Policy.