An overview of our DPA for customers processing personal data. Last updated: March 1, 2026.
When you use Lither to process personal data about your own users, drivers, customers, or employees, you act as the data controller and Lither acts as your data processor under the GDPR. To formalize that relationship, we make a Data Processing Agreement (DPA) available to all customers. This page is a plain-language overview of what the DPA covers. It is not the agreement itself. To put a signed DPA in place, use the request options at the bottom of this page.
You (the customer) are the data controller. You decide why and how personal data is processed. Lither, operated by Fastlane Grupp OÜ (registry code 16631754, VAT ID EE102566109, Estonia), is the data processor. We process personal data only on your documented instructions and only to provide the services you have subscribed to.
The DPA covers all personal data that Lither processes on your behalf through the platform. This typically includes account and contact data, fleet and driver data, location and route data, uploaded documents, and support communications. Processing is limited to delivering, securing, and supporting the services, plus any additional instructions you give in writing.
We process personal data for as long as your subscription is active, plus any short wind-down period needed to return or delete data after termination. Specific retention periods are described in our Privacy Policy and in the DPA.
We use a limited set of vetted sub-processors (for example, EU-based infrastructure and payment providers) to deliver the services. The DPA authorizes these sub-processors, binds them to equivalent data protection obligations, and commits us to notify you of changes so you can object. A current list is published on our sub-processors page.
View our sub-processorsThe DPA sets out the technical and organizational measures we apply, including encryption in transit and at rest, access controls and least-privilege permissions, network isolation, logging and monitoring, regular backups, and staff training. These measures are described in more detail on our Security page and are kept appropriate to the risk.
If one of your users exercises a right under the GDPR (access, rectification, erasure, restriction, portability, or objection), the DPA commits us to assist you in responding, using the export, correction, and deletion tools built into the platform and, where needed, additional support from our team.
If we become aware of a personal data breach affecting data we process for you, the DPA requires us to notify you without undue delay, with the information you need to meet your own notification obligations to authorities and affected individuals.
When your subscription ends, the DPA gives you a defined window to export your data. After that window, we delete or return the personal data we hold on your behalf, except where law requires us to retain specific records for a limited period.
Our default is to store and process personal data within the European Union. Where a transfer outside the European Economic Area is unavoidable, the DPA relies on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision, together with any supplementary measures required.
The DPA commits us to make available the information needed to demonstrate compliance and to cooperate with reasonable audits, subject to confidentiality and security safeguards. It also covers our cooperation with you on data protection impact assessments where relevant.
The full DPA is available to every customer at no extra cost. To receive a copy, ask a question, or arrange signature, contact us at winston.van.der.pol@fastlane.ee or reach out through our contact page. We countersign and return executed agreements promptly.
The DPA is entered into with the legal entity operating Lither:
Contact our Data Protection Officer to receive, review, or sign the full DPA. We respond promptly.