Quick Links
THIRD-PARTY DATA PROCESSORS
Last Updated: February 7, 2026
What Are Data Processors?
Data processors are third-party companies that handle your personal information on our behalf. They don't own or control your dataβthey process it according to our instructions under strict agreements.
Our Data Processors
π Amazon Web Services (AWS)
What They Do: Store our database, server infrastructure, and backups
Data Handled: All personal data including names, emails, booking records, verification status
Security:
- β SOC 2 Type II certified
- β ISO 27001 certified
- β Encryption in transit and at rest
- β Annual third-party security audits
Data Locations: Primary storage in US (Virginia), backup in Europe (Frankfurt) for disaster recovery
Data Processing Agreement: β Signed
Learn More: AWS Security
β‘ Cloudflare
What They Do: Content delivery network (CDN), DDoS protection, web application firewall
Data Handled: Request metadata (IP address, user agent, requested pages); does NOT store biometric data
Security:
- β SOC 2 Type II certified
- β ISO 27001 certified
- β DDoS mitigation (protects you from attacks)
- β WAF (Web Application Firewall)
Data Locations: Global network (280+ data centers)
Data Processing Agreement: β Signed
Learn More: Cloudflare Security
π³ WiPay
What They Do: Payment processing for Trinidad and Tobago (TTD currency)
Data Handled: Booking amount, card last 4 digits, cardholder name, billing address
What They DON'T Store: Full credit card numbers (tokenized for security)
Security:
- β PCI-DSS Level 1 certified (highest payment security standard)
- β ISO 27001 certified
- β Encrypted payment processing
- β Annual security audits
Data Processing Agreement: β Signed
Note: WiPay retains transaction records per legal requirements. You cannot delete payment history.
π° PayPal
What They Do: Payment processing for international customers (USD currency)
Data Handled: Booking amount, PayPal account email, transaction history
What They DON'T Access: Your credit card directly (payment security responsibility)
Security:
- β PCI-DSS Level 1 certified
- β SOC 2 Type II certified
- β ISO 27001 certified
- β Annual security audits
Data Processing Agreement: β Signed (PayPal User Agreement + Privacy Policy)
Learn More: PayPal Security
π Google Analytics
What They Do: Website analytics (track visitor behavior and site usage)
Data Handled: Pages visited, time spent, device type, browser, general location (country/city only)
What They DON'T Get: Names, emails, booking information, or any personally identifiable data
Security:
- β Data is anonymized (IP addresses hidden)
- β No direct personally identifiable information collected
- β Google's privacy policies apply
Data Processing Agreement: β Signed (Google Ads Data Processing Amendment)
Opt-Out: Google Analytics Opt-Out Browser Extension
Learn More: Google Privacy Policy
Sub-Processors (Processors' Processors)
Sometimes our processors use their own sub-contractors. For example:
- AWS may use related companies for backup and disaster recovery
- Cloudflare may use third-party DDoS mitigation services
β All sub-processors are approved and contractually bound to the same data protection standards.
Your Data Rights with Processors
Even though processors handle your data, you still have rights:
- β Data Access: We can retrieve your data from processors upon your request
- β Deletion: We can instruct processors to delete your data (with legal exceptions)
- β Security: Processors must maintain security standards or we terminate the relationship
- β Breach Notification: Processors must notify us of breaches within 48 hours
International Data Transfers
Your data is stored outside Trinidad and Tobago:
- π AWS: Primary storage in US (Virginia)
- π Cloudflare: Global network (280+ data centers)
- π PayPal: US and international servers
How We Protect This Transfer:
- β Your explicit consent (disclosed in our privacy policy)
- β Encryption (data encrypted before and during transfer)
- β Standard Contractual Clauses (SCCs) with processors
- β Security certifications (SOC 2, ISO 27001, PCI-DSS)
By using Fleet, you consent to your data being transferred to and processed in these locations.
How We Audit Processors
Annual Compliance Review (Every February):
- βοΈ Request updated security certifications (SOC 2, ISO 27001)
- βοΈ Review any breaches or security incidents
- βοΈ Confirm Data Processing Agreements are still in effect
- βοΈ Evaluate new sub-processors
If a Processor Fails to Comply:
- 1. We issue a warning and give them time to fix the issue
- 2. If not resolved, we migrate your data to a compliant processor
- 3. In extreme cases, we terminate the relationship immediately
What if a Processor Gets Breached?
Example: If AWS experienced a data breach affecting our database
- β AWS notifies us within 48 hours
- β We investigate the scope (what data was accessed?)
- β We notify you within 72 hours (per T&T law)
- β We provide support (credit monitoring if payment data involved)
Important: Even if the processor caused the breach, we are responsible for notifying you.
Changing Processors
Do we ever change processors? Possibly, but:
- β We only change for good reason (better security, cost, reliability)
- β New processor must meet same security standards
- β Data migration happens securely with minimal downtime
- β We notify you of material processor changes
Summary Table
| Processor | Purpose | Data Stored | Certification |
|---|---|---|---|
| AWS | Database & Storage | All personal data | SOC 2, ISO 27001 |
| Cloudflare | CDN & Security | Request metadata | SOC 2, ISO 27001 |
| WiPay | TTD Payments | Payment data | PCI-DSS L1, ISO 27001 |
| PayPal | USD Payments | Payment data | PCI-DSS L1, SOC 2 |
| Google Analytics | Analytics | Anonymized usage | ISO 27001 |
Questions About Our Processors?
- π§ Email: [email protected]
- π Information Commissioner: (868) 622-3684
Last Updated: February 7, 2026
Trinidad and Tobago Data Protection Act Compliant