Data Processing Addendum
Contents
This Data Processing Addendum (“DPA”) forms part of the agreement between the dealer customer (“Customer”) and [CarConnective legal entity name] (“CarConnective”) for the CarConnective Services, and governs the processing of personal data on Customer's behalf.
1. Parties & roles
With respect to personal data processed under the Services, Customer acts as the controller / business and CarConnective acts as the processor / service provider, processing personal data only on Customer's documented instructions and to provide the Services. CarConnective does not sell personal data and does not use it for its own purposes outside the Services.
2. Definitions
“Personal data,” “processing,” “controller,” “processor,” “data subject” and “personal data breach” have the meanings given under applicable data-protection law. Terms not defined here have the meaning in the underlying agreement.
3. Nature of processing
CarConnective processes personal data to provide the Services described in the agreement. The subject matter, duration, nature and purpose of processing, the categories of data and the categories of data subjects are set out in Annex I.
4. Processor obligations
- Process personal data only on Customer's documented instructions, including for transfers, unless required by law.
- Ensure personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Section 5 / Annex II).
- Assist Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting security, breach-notification and impact-assessment obligations.
- Make available information reasonably necessary to demonstrate compliance.
5. Security measures
CarConnective maintains a security program engineered to the SOC 2 control set, including the measures described in Annex II: row-level security on all data, a server-only privileged key, AES-256 encryption at rest and TLS in transit, hardened security headers, least-privilege access, a controlled change pipeline, vulnerability scanning and threat modeling. CarConnective's SOC 2 Type II audit is underway with an independent firm.
6. Sub-processors
Customer authorizes CarConnective to engage vetted sub-processors to help provide the Services. Each sub-processor is bound by written terms no less protective than this DPA and is reviewed against its own security posture. CarConnective maintains a current list of sub-processor categories, available on request, and will give Customer a means to be informed of and object to material changes.
7. Data-subject requests
Taking into account the nature of the processing, CarConnective will assist Customer by appropriate measures in fulfilling Customer's obligation to respond to requests from data subjects to exercise their rights. Where a request is received directly, CarConnective will refer the individual to the relevant Customer.
8. Personal-data breach notification
CarConnective will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer's data, and will provide information reasonably available to help Customer meet its notification obligations.
9. Audits
CarConnective will make available information necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, will allow for and contribute to audits, including through the provision of its SOC 2 report(s) when available.
10. Return & deletion
On termination or expiry of the Services, CarConnective will, at Customer's choice, return or delete Customer's personal data (and existing copies) except where retention is required by law. Customer's data remains portable to Customer, consistent with our data-ownership commitment.
11. International transfers
The Services are operated in the United States and personal data is processed in the U.S. Where any transfer requires a lawful transfer mechanism, the parties will put an appropriate mechanism in place.
Annex I — Processing details
Subject matter & duration: provision of the Services for the term of the agreement.
Nature & purpose: to operate the connected-vehicle intelligence platform and its modules on Customer's behalf.
Categories of data subjects: Customer's customers and prospects; vehicle owners who consent to connect their vehicle; Customer's authorized personnel.
Categories of personal data: contact details; vehicle ownership and identifiers (VIN); vehicle telemetry limited to title, odometer, history and connected signals; service and deal records; consent status. Restricted data (e.g., SSN, credit) is handled under Customer's instructions and our data-handling standard.
Annex II — Security measures
- Row-level security on all data; server-only privileged access; per-dealer isolation.
- Encryption in transit (TLS) and at rest (AES-256); secrets stored server-side only.
- Hardened security headers; least-privilege access and access reviews.
- Controlled change pipeline; vulnerability scanning; STRIDE threat modeling.
- Consent, Do-Not-Call, contactable-hours enforcement and an immutable evidence trail.
- Logging and monitoring; incident-response process.
See the Security page for the full control matrix and honest status of each control.
