Data processing & confidentiality

This page summarises how DrivingOps processes personal information on behalf of driving schools and our confidentiality commitments. It complements our Privacy policy and Terms of service. A signed Data Processing Addendum (DPA) is available to customers on request.

Roles

The school is the data controller and DrivingOps is the data processor. We process personal information only on the documented instructions of the school, to provide and support the service, and as required by law.

Confidentiality statement

We treat all customer data — learner records, instructor information, billing, documents, and communications — as strictly confidential. Personnel with access are bound by confidentiality obligations, access is limited to those who need it, and we do not use customer data for any purpose other than providing the service. We never sell personal information, and we do not use learner data for advertising or to train models for third parties.

Security measures

We maintain technical and organisational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, tenant isolation, audit logging, and Canadian data residency. See our Security overview.

Sub-processors

We engage a limited set of vetted sub-processors to deliver the service — cloud hosting (Microsoft Azure, Canadian regions), payment processing, and messaging delivery. Each is bound by data-protection and confidentiality obligations. A current list is available to customers, and we provide notice of material changes.

Data subject requests

We assist schools in responding to access, correction, and deletion requests from learners, instructors, and staff, including data export and deletion workflows. Deletion requests proceed through a documented lifecycle (requested → verified → scheduled → completed).

International transfers

Customer data is stored in Canada. Where any limited processing by a sub-processor would occur elsewhere, it is governed by appropriate safeguards.

Breach notification

We notify affected schools without undue delay after becoming aware of a personal-data breach affecting their data, with the information needed for them to meet their own obligations.

Return & deletion

On termination, schools may export their data during an export-only window, after which data is deleted in accordance with documented retention schedules and legal requirements.

Requesting the full DPA

To request a countersigned DPA or the current sub-processor list, contact hello@drivingops.ca.