1. Processing principles
We follow the GDPR Article 5 principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. Access to production systems is restricted with RBAC and hardware security keys, and every access is audit-logged.
2. Infrastructure
- Primary hosting: AWS (eu-west-1, us-east-1) and Azure (uaenorth, southeastasia) with customer-selectable residency.
- Backups: point-in-time snapshots every 15 minutes stored in separate regions, encrypted with AES-256 and retained for 45 days.
- Disaster recovery: RTO 2 hours, RPO 15 minutes. Annual failover tests with summary reports available to enterprise clients.
3. Sub-processors
Core sub-processors include AWS, Azure, Stripe, Twilio, Segment, and Snowflake. We execute Data Processing Agreements with each vendor and publish an up-to-date list on compliance.irhyde.com. Customers may subscribe to change notifications.
4. Retention schedule
| Data Category | Retention | Rationale |
|---|---|---|
| Trip telemetry, invoices, payouts | 7 years | Regulatory & tax obligations |
| Driver onboarding + compliance docs | Engagement period + 5 years | Insurance + dispute defence |
| Support tickets, call recordings | 24 months | Quality assurance & claims |
| Analytics logs | 18 months (then anonymised) | Product improvement |
5. Data subject requests
Requests are submitted through in-app privacy controls or via data@irhyde.com. We verify the requester's identity (MFA on the account plus a supporting document reference) before fulfilling a request within 30 days, or within 45 days where the applicable law permits an extension. Enterprise customers may self-serve via the admin console.
6. Breach management
We maintain an incident response plan aligned with NIST SP 800-61. Notifiable breaches are communicated to affected customers and to the relevant supervisory authorities within 72 hours of our becoming aware of them. Post-incident reports cover scope, containment, remediation, and the steps taken to prevent recurrence.
7. Technical & organisational measures
- Application security: OWASP ASVS Level 2 coverage, secure SDLC, automated dependency scanning.
- Network security: segmented VPCs, WAF protection, rate limiting, mutual TLS between services.
- Personnel security: background checks, confidentiality agreements, quarterly access reviews.
8. International transfers
Data transfers outside the origin jurisdiction rely on Standard Contractual Clauses, UK Addendum, or other approved mechanisms. Additional safeguards include encryption, access controls, and transfer impact assessments.
For copies of signed DPAs or security questionnaires contact legal@irhyde.com. Effective 15 November 2025.