Taxi fleet operators handle customer PII, payment data, driver licensing data, and corporate-account contract data. Each of these creates cyber security exposure that operators need a structured posture against. This guide covers the security priorities UK and Ireland operators should consider in 2026: customer PII, PCI-DSS scope, supply-chain risk, and GDPR posture.
1. Customer PII protection
Modern dispatch software like TaxiCloud masks customer PII before any data leaves the dispatch boundary for LLM inference. Card data is tokenised via Stripe (PCI-DSS Level 1). Customer phone numbers and email addresses are never shared with sub-processors except as required for service delivery (Twilio for SMS, the operator's chosen email provider).
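An added example, not TaxiCloud's code, of one way masking before LLM inference can work: contact details are swapped for placeholders whose mapping stays inside the dispatch boundary, and card-like numbers typed into free text are dropped outright. The patterns, placeholder format and function names are assumptions.

```python
import re

# Illustrative patterns (assumptions, not TaxiCloud's rules). Order matters:
# card-like digit runs are removed before the phone pattern runs.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("CARD", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),            # 13-19 digits
    ("PHONE", re.compile(r"(?<!\d)(?:\+44|\+353|0)[\d ]{8,12}\d")),  # UK / IE
]

def mask(text):
    """Return (masked_text, vault); the vault never leaves the boundary."""
    vault, counters = {}, {}

    def replacer(label):
        def repl(match):
            value = match.group(0)
            if label == "CARD":
                return "[CARD_REMOVED]"   # dropped, never stored: keeps PCI scope out
            for placeholder, original in vault.items():
                if original == value:     # same value -> same placeholder
                    return placeholder
            counters[label] = counters.get(label, 0) + 1
            placeholder = f"[{label}_{counters[label]}]"
            vault[placeholder] = value
            return placeholder
        return repl

    for label, pattern in PATTERNS:
        text = pattern.sub(replacer(label), text)
    return text, vault

def unmask(text, vault):
    """Restore originals in a model reply, inside the dispatch boundary."""
    for placeholder, original in vault.items():
        text = text.replace(placeholder, original)
    return text

# Constructed booking note (reserved example numbers, test card number).
SAMPLE = ("Pickup 14 High St for Dana, call 07700 900123 or +44 7700 900456, "
          "receipt to dana@example.com. Card 4242 4242 4242 4242 if needed.")

if __name__ == "__main__":
    masked, vault = mask(SAMPLE)
    print(masked)
    print(unmask("Text [PHONE_1] to confirm; receipt to [EMAIL_1].", vault))
```

Names and street addresses pass through this regex-only sketch unchanged; catching them needs structured booking fields or entity recognition.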
2. PCI-DSS scope
Card data should never touch the dispatch platform. Modern platforms hold only opaque Stripe tokens; PCI-DSS scope is effectively limited to passing tokens. Legacy on-premises dispatch software with local card-data storage carries materially larger PCI-DSS scope and audit cost.
3. Supply chain risk
Sub-processor list transparency matters: TaxiCloud publishes its sub-processor list in the DPA at /dpa (AWS, Stripe, Anthropic, Plausible, Cloudflare, Twilio). Sub-processor change notifications are sent 30 days in advance. Operators should review a vendor's sub-processor list during platform evaluation.
4. GDPR posture
UK and Ireland operators must hold a DPA with their dispatch software vendor under GDPR Article 28. The DPA covers the scope of processing, the sub-processor list, breach notification (within 72 hours per Article 33), and data subject access request handling within 7 working days. TaxiCloud's pre-signed DPA is available on request.
About the author
Priya Iyer
Head of Product, TaxiCloud
Priya Iyer works with UK and Ireland fleet operators on dispatch strategy, AI Copilot adoption, and migration planning. Reach out at priya@taxicloud.ai.