Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Terms of Service, Master Subscription Agreement, order form, or other written services agreement between Customer and Jinx Lane LLC d/b/a Dealers Engine (the “Agreement”). This DPA applies to the extent Dealers Engine Processes Personal Data on behalf of Customer in connection with the Services.

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

For purposes of this DPA:

• “Controller”, “Processor”, “Business”, “Service Provider”, “Contractor”, “Consumer”, “Sell”, “Share”, “Process”, and “Personal Data” have the meanings given by applicable Data Protection Laws, to the extent those laws apply.
• “Data Protection Laws” means privacy, data protection, and data security laws applicable to the Processing of Personal Data under the Agreement, including as applicable U.S. state privacy laws, the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, and implementing legislation.
• “Subprocessor” means a third party authorized by Dealers Engine to Process Personal Data in connection with providing the Services.
• “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Dealers Engine on behalf of Customer. Security Incident does not include unsuccessful attempts or activities that do not compromise Personal Data, such as pings, port scans, denial-of-service attempts, or blocked attacks.

The parties acknowledge and agree that, with respect to Personal Data Processed under this DPA, Customer acts as the Controller or Business (or, where applicable, as a Processor / Service Provider on behalf of its own customer), and Dealers Engine acts as the Processor, Service Provider, or Contractor, except to the extent Dealers Engine Processes data as an independent Controller for its own limited business purposes permitted by law, such as billing, account management, security, fraud prevention, service analytics using de-identified or aggregated data, legal compliance, and protecting the Services.

Dealers Engine will Process Personal Data only on documented instructions from Customer, as set out in the Agreement, this DPA, and Customer's use of the Services, unless otherwise required by applicable law. Customer instructs Dealers Engine to Process Personal Data as necessary to provide, host, secure, maintain, support, improve, and update the Services and to prevent abuse, detect security incidents, comply with law, and enforce the Agreement.

Customer is responsible for ensuring that its instructions comply with applicable law. Dealers Engine may refuse an instruction that is unlawful, technically infeasible, or outside the scope of the Services.

Dealers Engine will ensure that persons authorized to Process Personal Data on its behalf are bound by appropriate confidentiality obligations and receive access only to the extent necessary for their role.

Dealers Engine will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature of the Personal Data, the state of the art, implementation costs, and the risks presented by the Processing.

The measures in Annex 2 describe the baseline security controls applicable to the Services. Dealers Engine may update the security measures from time to time, provided that the overall security posture is not materially reduced.

Customer authorizes Dealers Engine to engage Subprocessors to Process Personal Data in connection with the Services. Dealers Engine will impose data protection obligations on its Subprocessors that are materially protective of Personal Data in a manner consistent with this DPA.

A current Subprocessor list may be provided in Documentation, a trust page, an order form, or on request. Customer may reasonably object to a new Subprocessor on documented data protection grounds by providing written notice within fifteen (15) days after notice of the change. If the parties cannot resolve the objection in good faith, either party may terminate the affected Services upon written notice.

Taking into account the nature of the Processing and the functionality of the Services, Dealers Engine will provide commercially reasonable assistance to Customer in responding to verified requests from data subjects to exercise their rights under applicable Data Protection Laws, to the extent Customer cannot reasonably fulfill such requests independently through the Services.

Taking into account the nature of the Processing and the information available to Dealers Engine, Dealers Engine will provide commercially reasonable information and assistance to help Customer comply with its obligations relating to security, breach notification, impact assessments, prior consultation, and similar obligations under applicable Data Protection Laws, provided that Customer remains responsible for its own compliance decisions and obligations.

Dealers Engine will notify Customer without undue delay after becoming aware of a Security Incident affecting Personal Data Processed on Customer's behalf. Such notice may be provided by email, in-product notice, or other reasonable means and will include, to the extent then known and legally permitted, information reasonably available to Dealers Engine regarding the nature of the incident, the categories of affected Personal Data, and the steps taken or proposed to address the incident.

Dealers Engine's notification of a Security Incident is not an admission of fault or liability. Customer is solely responsible for making any notifications to regulators, individuals, dealerships, lender partners, or other third parties, except to the extent applicable law expressly requires Dealers Engine to do so.

Upon termination or expiration of the Agreement, Dealers Engine will delete or return Personal Data in accordance with the Agreement and its standard retention and backup practices, unless applicable law requires retention. Archived or backup copies may be retained until deleted in the ordinary course, provided that they remain subject to appropriate protection.

Dealers Engine will make available information reasonably necessary to demonstrate compliance with this DPA, which may include summaries of security practices, third-party audit reports, certifications, questionnaire responses, or other standard documentation. To the extent Customer reasonably requires an audit beyond the information Dealers Engine makes generally available, the parties will cooperate in good faith to arrange a limited audit no more than once per year during business hours, subject to reasonable confidentiality, security, scope, reimbursement, and non-disruption requirements.

If Dealers Engine Processes Personal Data subject to cross-border transfer restrictions under Data Protection Laws, the parties agree that the following transfer mechanisms are incorporated by reference to the extent legally required and only for the relevant transfers:

• the 2021 EU Standard Contractual Clauses (“EU SCCs”), Module Two (Controller to Processor) or Module Three (Processor to Processor), as applicable;
• the UK International Data Transfer Addendum to the EU SCCs, for transfers subject to the UK GDPR; and
• the Swiss adaptation to the EU SCCs, for transfers subject to Swiss data protection law.

For purposes of the SCCs: (a) Customer is the data exporter and Dealers Engine is the data importer, unless Customer acts as a Processor in which case Module Three applies; (b) the description of transfer is set out in Annex 1; (c) the technical and organizational measures are set out in Annex 2; (d) the list of Subprocessors is described in Section 7 and may be maintained separately; and (e) the optional docking clause is enabled. The parties agree that signatures to the Agreement or an order form are deemed signatures to the SCCs to the extent permitted by law.

To the extent U.S. state privacy laws apply and Dealers Engine acts as a Service Provider or Contractor:

• Dealers Engine will not Sell or Share Personal Data received from Customer, except as expressly permitted by applicable law.
• Dealers Engine will not retain, use, or disclose Personal Data outside the direct business relationship between the parties, except as permitted by applicable law and the Agreement.
• Dealers Engine will not combine Personal Data received from Customer with personal data received from other persons, except as permitted by applicable law.
• Dealers Engine will Process Personal Data only for the limited and specified business purposes set out in the Agreement and this DPA.
• Dealers Engine will provide the same level of privacy protection for Personal Data as required by applicable law and will notify Customer if it determines it can no longer meet those obligations.
• Customer may take reasonable and appropriate steps to ensure Dealers Engine uses Personal Data in a manner consistent with Customer's obligations under applicable law.

Customer represents, warrants, and covenants that:

• it has provided all required notices and obtained all required rights, permissions, authorizations, and consents for Dealers Engine and its Subprocessors to Process Personal Data under the Agreement;
• it will not instruct Dealers Engine to Process Personal Data in violation of applicable law;
• it will use the Services in a manner consistent with applicable privacy, communications, employment, consumer-finance, and recordkeeping laws; and
• it is responsible for responding to data subject requests, consumer requests, and regulatory inquiries relating to Personal Data, except to the extent Dealers Engine is expressly required to do so by law.

Each party's liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability set out in the Agreement, unless applicable law prohibits those limitations.

If there is a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data. If there is a conflict between this DPA and any incorporated SCCs, the SCCs control to the extent required by law.

Dealers Engine maintains a security program designed for a cloud-based B2B software service and, as applicable to the Services, implements measures such as:

• access controls, role-based permissions, and authentication controls;
• tenant-scoping and logical segregation controls;
• encryption in transit and encryption at rest where supported by the relevant infrastructure or subprocessors;
• logging, monitoring, alerting, and abuse-prevention controls;
• secure development and change-management practices;
• vulnerability handling and dependency-management practices;
• backup, restoration, and business continuity measures;
• incident response procedures and personnel confidentiality controls; and
• subprocessor management and vendor review practices.

The foregoing describes baseline categories of measures rather than a guarantee that any specific control will be implemented in a particular way at all times. Dealers Engine may revise these measures as technology and the Services evolve, provided the overall security posture is not materially reduced.

For how we describe data practices to end users and dealerships, see our Privacy Policy.