CarConnectiveConnected Vehicle Intelligence
PlatformModulesPricingSecurityCompanyBook a Demo
PlatformModulesPricingSecurityCompanyBook a Demo
Legal

Data Processing Addendum

Last updated: [Effective date]
Working draft. This document reflects how CarConnective is built and operated, and is provided for review. It should be reviewed and finalized by qualified legal counsel before you rely on it. Bracketed items [ ] need completing (legal entity, governing-law state, effective date).

Contents

  1. Parties & roles
  2. Definitions
  3. Nature of processing
  4. Processor obligations
  5. Security measures
  6. Sub-processors
  7. Data-subject requests
  8. Breach notification
  9. Audits
  10. Return & deletion
  11. International transfers
  12. Annexes

This Data Processing Addendum (“DPA”) forms part of the agreement between the dealer customer (“Customer”) and [CarConnective legal entity name] (“CarConnective”) for the CarConnective Services, and governs the processing of personal data on Customer's behalf.

1. Parties & roles

With respect to personal data processed under the Services, Customer acts as the controller / business and CarConnective acts as the processor / service provider, processing personal data only on Customer's documented instructions and to provide the Services. CarConnective does not sell personal data and does not use it for its own purposes outside the Services.

2. Definitions

“Personal data,” “processing,” “controller,” “processor,” “data subject” and “personal data breach” have the meanings given under applicable data-protection law. Terms not defined here have the meaning in the underlying agreement.

3. Nature of processing

CarConnective processes personal data to provide the Services described in the agreement. The subject matter, duration, nature and purpose of processing, the categories of data and the categories of data subjects are set out in Annex I.

4. Processor obligations

  • Process personal data only on Customer's documented instructions, including for transfers, unless required by law.
  • Ensure personnel authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (Section 5 / Annex II).
  • Assist Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting security, breach-notification and impact-assessment obligations.
  • Make available information reasonably necessary to demonstrate compliance.

5. Security measures

CarConnective maintains a security program engineered to the SOC 2 control set, including the measures described in Annex II: row-level security on all data, a server-only privileged key, AES-256 encryption at rest and TLS in transit, hardened security headers, least-privilege access, a controlled change pipeline, vulnerability scanning and threat modeling. CarConnective's SOC 2 Type II audit is underway with an independent firm.

6. Sub-processors

Customer authorizes CarConnective to engage vetted sub-processors to help provide the Services. Each sub-processor is bound by written terms no less protective than this DPA and is reviewed against its own security posture. CarConnective maintains a current list of sub-processor categories, available on request, and will give Customer a means to be informed of and object to material changes.

7. Data-subject requests

Taking into account the nature of the processing, CarConnective will assist Customer by appropriate measures in fulfilling Customer's obligation to respond to requests from data subjects to exercise their rights. Where a request is received directly, CarConnective will refer the individual to the relevant Customer.

8. Personal-data breach notification

CarConnective will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer's data, and will provide information reasonably available to help Customer meet its notification obligations.

9. Audits

CarConnective will make available information necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, will allow for and contribute to audits, including through the provision of its SOC 2 report(s) when available.

10. Return & deletion

On termination or expiry of the Services, CarConnective will, at Customer's choice, return or delete Customer's personal data (and existing copies) except where retention is required by law. Customer's data remains portable to Customer, consistent with our data-ownership commitment.

11. International transfers

The Services are operated in the United States and personal data is processed in the U.S. Where any transfer requires a lawful transfer mechanism, the parties will put an appropriate mechanism in place.

Annex I — Processing details

Subject matter & duration: provision of the Services for the term of the agreement.

Nature & purpose: to operate the connected-vehicle intelligence platform and its modules on Customer's behalf.

Categories of data subjects: Customer's customers and prospects; vehicle owners who consent to connect their vehicle; Customer's authorized personnel.

Categories of personal data: contact details; vehicle ownership and identifiers (VIN); vehicle telemetry limited to title, odometer, history and connected signals; service and deal records; consent status. Restricted data (e.g., SSN, credit) is handled under Customer's instructions and our data-handling standard.

Annex II — Security measures

  • Row-level security on all data; server-only privileged access; per-dealer isolation.
  • Encryption in transit (TLS) and at rest (AES-256); secrets stored server-side only.
  • Hardened security headers; least-privilege access and access reviews.
  • Controlled change pipeline; vulnerability scanning; STRIDE threat modeling.
  • Consent, Do-Not-Call, contactable-hours enforcement and an immutable evidence trail.
  • Logging and monitoring; incident-response process.

See the Security page for the full control matrix and honest status of each control.

Own the intelligence

Stop renting your stack. Own it.

Book a Demo →
CarConnective

The most advanced AI infrastructure in automotive retail — one connected brain beneath sales, service, F&I and reputation, engineered to SOC 2 standards.

Founder-led · building with design partners

Platform

How It WorksThe ProductThe 14 ModulesSecurity & SOC 2Trust Center

Company

AboutResultsRent vs OwnPricingInsightsFAQ

Get Started

Book a DemoTalk to the Founderhello@carconnective.com
© 2026 CarConnective · Connected Vehicle IntelligencePrivacyTermsDPACookiesSecurityUS & UK