Your Data, Your Rules
We process sensitive transportation data at national scale. This page explains exactly where it lives, who can access it, how long we keep it, and what controls you have.
Where Your Data Lives
Data residency is non-negotiable. We offer regional and sovereign storage options so your data never leaves the jurisdiction you choose.
Kingdom of Saudi Arabia
PDPL, NCA ECC
Primary data residency for KSA deployments. All personal data and telemetry records remain within the Kingdom in compliance with the Personal Data Protection Law and National Cybersecurity Authority requirements.
European Union
GDPR, ePrivacy
Data from European operations is stored exclusively within EU borders. Standard contractual clauses govern any cross-border data flows required for global fleet management.
United Kingdom
UK GDPR, DPA 2018
UK vehicle data and enforcement records are stored domestically. Post-Brexit data adequacy mechanisms ensure compliant data exchange with EU operations when needed.
Multi-Region
Client-defined
For clients with strict sovereignty requirements, iVMS supports fully on-premises deployment with no external data dependencies. Air-gapped configurations available.
Roles and Access Rights
Every user is assigned a role with the minimum permissions needed to do their job. No exceptions, no shortcuts.
| Role | Description | Access Scope | MFA | Audit Level |
|---|---|---|---|---|
| System Administrator | Can manage users, configure modules, and access system-level settings. Cannot view raw personal data without an audited justification. | Full platform configuration | Required | Full |
| Operations Manager | Can view dashboards, run reports, and manage workflows within assigned modules. Access is scoped to their organizational unit. | Module-level operations | Required | Full |
| Analyst | Can view aggregated data, generate reports, and export anonymized datasets. No access to personally identifiable information. | Read-only analytics | Required | Standard |
| Field Technician | Can provision, configure, and troubleshoot edge devices. No access to stored data or analytics. Sessions are time-limited. | Device management only | Required | Standard |
| External Auditor | Time-limited, read-only access to audit trails and compliance reports. All access is logged and automatically revoked after the audit window closes. | Read-only audit logs | Required | Full |
How Long We Keep Data
Every data category has a defined retention period, legal basis, and anonymization timeline. Nothing is kept longer than necessary.
| Data Type | Retention | Legal Basis | Anonymization |
|---|---|---|---|
| Telemetry (GPS, speed, route) | 24 months | Operational requirement | After 12 months |
| Enforcement evidence (images, video) | 36 months | Legal hold period | After adjudication |
| Payment transaction records | 7 years | Financial regulation | Not applicable |
| Access & authentication logs | 24 months | Security audit | After 18 months |
| Personal identity data | Duration of service | Consent / contract | On account closure |
| Aggregated analytics | Indefinite | No personal data | Pre-anonymized |
Every Action, Recorded
Our audit system captures every data interaction — who accessed what, when, and why. Logs are immutable and cryptographically secured.
Immutable Logging
Every data access, modification, and deletion is recorded in append-only logs. Records cannot be altered or purged, even by system administrators.
Tamper Detection
Cryptographic hash chains link log entries. Any attempt to modify historical records is immediately detected and flagged for investigation.
Real-Time Monitoring
Anomalous access patterns — unusual query volumes, off-hours access, bulk exports — trigger automatic alerts to the security operations center.
Exportable Reports
Audit logs can be exported in structured formats for regulatory submissions, external audits, or integration with your own SIEM platform.
Data Processing Agreements
Every client engagement is governed by a comprehensive Data Processing Agreement. Here is what our standard DPA covers.
Need a DPA for Your Procurement?
Download our standard DPA template or request a custom version tailored to your jurisdiction and regulatory requirements.
Data Governance Questions
Common questions about how we manage, protect, and govern your data.
Yes. At deployment time, you select your primary data jurisdiction. We support Saudi Arabia, EU, UK, and on-premises options. Data will never leave your chosen jurisdiction without explicit contractual agreement and appropriate transfer mechanisms.
Deletion requests are processed within 30 days. Our system identifies all instances of the data subject's information across modules, removes identifiable data, and provides a deletion certificate. Aggregated, anonymized data derived from the original records is retained for analytics.
We maintain a public sub-processor list that is updated whenever a new sub-processor is engaged. Clients are notified 30 days before any new sub-processor begins processing their data, with the right to object.
Yes. Our DPA includes audit rights. You can conduct on-site or remote audits of our data processing facilities and practices. We also provide annual third-party audit reports (SOC 2, ISO 27001) that satisfy most audit requirements without requiring a dedicated visit.
Upon contract termination, we provide a complete data export in standard formats within 30 days. After the export period, all client data is permanently deleted from our systems, including backups, within 90 days. A certificate of destruction is provided upon completion.