GDPR & Data Protection Commitment
Effective Date: May 31, 2026
At Cabai Ltd, we are fully committed to ensuring that our SaaS dispatch platform operates in strict compliance with the UK General Data Protection Regulation (UK GDPR), the European Union General Data Protection Regulation (EU GDPR), and the UK Data Protection Act 2018. This document outlines our data protection commitments, technical safety frameworks, and the Data Processing Addendum (DPA) structure incorporated into our service relationships.
1. Technical and Organizational Measures (TOMs)
We implement robust technical and organizational security measures to protect client data, including:
- Isolation of Tenant Data: Our multi-tenant architecture implements PostgreSQL Row-Level Security (RLS) policies. Each query is automatically scoped with the logged-in session's `tenantId`, guaranteeing that no tenant can view, access, or modify another fleet's passenger, driver, or billing records.
- Encryption Frameworks: All personal data is encrypted in transit using TLS 1.3/HTTPS, and all database tables, columns, backups, and file logs are encrypted at rest using AES-256.
- Access Control & Multi-Factor Authentication (MFA): Administrative access to database servers and production logs is restricted to authorized personnel using role-based access controls (RBAC) and mandatory MFA verification.
- Server Infrastructure: Our databases and hosting servers are deployed within secure, ISO 27001-certified cloud data centers located in the United Kingdom and the European Union.
2. Data Processing Addendum (DPA) Overview
Every subscription agreement with our Tenants incorporates a standard Data Processing Addendum (DPA) under Article 28 of the GDPR. Key commitments include:
- Processor Obligations: We process personal data solely to provide, support, and optimize the SaaS platform in accordance with the Tenant's documented configurations. We will not use passenger or driver data for marketing or profiling purposes.
- Subprocessor Engagement: We only engage third-party subprocessors who provide sufficient technical and organizational security measures. We maintain an up-to-date internal directory of subprocessors and notify Tenants of material changes.
- International Transfers: Where data is processed outside the UK/EEA (such as for telephony or automated voice processing engines), we enforce the UK International Data Transfer Addendum or EU Standard Contractual Clauses (SCCs) to ensure equivalent protection levels.
3. Incident Response and Breach Notifications
In the unlikely event of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, Cabai Ltd will:
- Investigate the root cause, scope, and impact of the incident immediately.
- Notify affected taxi operators (Tenants) without undue delay, and in any event within **72 hours** of becoming aware of the breach, to allow them to comply with their reporting obligations under Article 33 of the GDPR.
- Provide detailed reports outlining the categories of data breached, the number of data subjects affected, and the immediate mitigation actions taken.
4. DPO and Compliance Contact
We have appointed a Data Protection Officer (DPO) to oversee compliance with data protection laws. For inquiries regarding our GDPR compliance, Standard Contractual Clauses, or technical safety measures, please contact us:
Data Protection Officer:
Company: Cabai Ltd
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
DPO Contact Email: help@cabai.co.uk