Data Processing Agreement

1. Definitions

Controller: The customer (dealership) that determines purposes and means of processing. Processor: DealerInt Inc. Personal Data: Data relating to identified or identifiable individuals processed under the Service.

2. Processing

We process Personal Data only on documented instructions from the Controller, including as set forth in the Terms and this DPA. We do not process for our own purposes beyond Service delivery.

3. Sub-processors

We use Supabase (US/EU), Vercel (US), and Cashfree (India) as sub-processors. We maintain a list and will notify of material changes. We impose equivalent obligations on sub-processors.

4. Security

We implement appropriate technical and organizational measures including encryption, access controls, and regular security assessments.

5. Assistance

We assist the Controller in responding to data subject requests and meeting GDPR/CCPA compliance obligations, subject to reasonable fees for excessive requests.

6. Data Subject Rights

We support access, rectification, erasure, restriction, and portability via our APIs and support processes.

7. Breach Notification

We will notify the Controller of a personal data breach without undue delay and within 72 hours where feasible.

8. Audit

We provide audit reports (Read-only · No PII stored · Encrypted in transit when available) upon request. Customer audits may be conducted with 30 days’ notice, not more than once per year, and subject to confidentiality.

9. International Transfers

Data may be transferred to the US and India. We use Standard Contractual Clauses (SCCs) and supplementary measures where required.

10. Deletion

Upon termination, we delete or return Personal Data within 90 days unless law requires retention.