Data Processing Agreement

Last updated: May 26, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Deal Desk Pro ("Processor") and the dealership using our services ("Controller"). This DPA governs the processing of personal data on behalf of the Controller.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

3. Scope of Processing

The Processor shall process Personal Data only:

  • On documented instructions from the Controller
  • As necessary to provide the Deal Desk Pro services
  • In compliance with applicable data protection laws

4. Data Categories

Personal Data processed under this DPA may include:

  • Customer names and contact information
  • Addresses
  • Vehicle purchase/lease information
  • Transaction history

The Processor explicitly does NOT process government ID numbers, Social Security numbers, credit scores, or financial account information.

5. Security Measures

The Processor implements appropriate technical and organizational measures including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee training on data protection
  • Incident response procedures

6. Sub-processors

The Controller authorizes the Processor to engage sub-processors for hosting and infrastructure services. The Processor maintains contracts with sub-processors containing data protection obligations substantially similar to this DPA.

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, and data portability.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach. The notification shall include the nature of the breach, categories of data affected, and measures taken to address the breach.

9. Data Deletion

Upon termination of services or upon the Controller's request, the Processor shall delete or return all Personal Data and delete existing copies, unless retention is required by law.

10. Audit Rights

The Processor shall make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an auditor mandated by the Controller.

11. Contact

For DPA-related inquiries, contact us at privacy@getdealdeskpro.com.

© 2026 DealDesk Pro. All rights reserved.