Data Processing Addendum

1. Roles

Roles under applicable data protection laws, including GDPR where applicable.

The customer determines what data it collects from its buyers via inquiries, lead forms and contact forms. DealerHub processes that data only on behalf of the customer and according to its instructions, except where we are legally required otherwise.

Payment cards and sensitive payment data do not pass through DealerHub infrastructure. Online checkout is performed via Lemon Squeezy as Merchant of Record.

2. Scope of processing

2.1 Type of data

• Buyer identification data (first name, last name)
• Contact data (email, phone)
• Interaction data (vehicle questions, messages, communication history)
• Technical data (IP addresses, browser types) — collected by us for security

We do not process special categories of sensitive data (health, race, political, religious) for customers; if a dealer inadvertently collects such data, the responsibility lies with the dealer.

2.2 Purposes of processing

• Displaying the lead in the customer's CRM panel
• Sending notifications to the dealer customer (new lead, new comment)
• Campaign analytics (per platform, per vehicle)
• Archiving the history (up to 12 months unless explicitly deleted)

2.3 Duration

For as long as the contract with the dealer customer lasts, plus 90 days for export / return / deletion.

3. Obligations of DealerHub as processor

We:

• Process data only on documented instructions from the customer
• Our team is under a contractual confidentiality obligation
• Implement appropriate technical and organisational security measures (Article 32 GDPR)
• Assist the customer in responding to data subject requests (access, deletion)
• Assist the customer in fulfilling GDPR obligations (DPIA, consultations with the DPA)
• Notify of personal data incidents within 48h
• At the end of the contract, delete or return all personal data
• Provide information for audit and review

4. Technical and organisational measures

4.1 Encryption

• At rest: sensitive columns (tokens, passwords) encrypted with AES-256-GCM
• In transit: all communication over HTTPS/TLS 1.2+

4.2 Access control

• Multi-tenant system — one customer's data is not accessible to another
• SSH key-based authentication for server access
• Role-based access for team members (OWNER / ADMIN / EDITOR / VIEWER)
• All access activity is logged

4.3 Infrastructure security

• Hosted in a data center in the EU (Hetzner, Nuremberg, Germany)
• ISO 27001 certification (Hetzner)
• DDoS protection via Cloudflare
• Regular security updates of the operating system and dependencies
• Penetration testing (annually)

4.4 Backup and recovery

• Daily encrypted backups
• Offsite backup (separate location) daily
• 30-day backup rotation
• RTO (recovery time): up to 4h
• RPO (recovery point): up to 24h
• Quarterly recovery tests

5. Sub-processors

We use the following sub-processors. All are within the EEA or have Standard Contractual Clauses:

Lemon Squeezy is not our sub-processor — they act as an independent controller for payment and checkout data (see §1). Their list of own processors is available at lemonsqueezy.com/legal/dpa.

We reserve the right to add or replace sub-processors. The customer will be notified 30 days in advance by email. If the customer has a reasonable basis to object to a new sub-processor, the customer may terminate the contract without penalty.

6. International transfers

The primary data is in the EU. For sub-processors outside the EEA (USA):

• International transfers are based on Standard Contractual Clauses (SCC)
• Where applicable, we rely on the EU–US Data Privacy Framework (DPF)
• No transfer of special categories of sensitive data is performed

7. Data subject rights

When a customer's buyer requests access to, correction or deletion of their data:

1. The customer receives the request directly and decides on the response
2. If our technical assistance is required (export, deletion), we assist at no extra charge
3. We respond within 72 hours to your assistance request

The customer is responsible for informing data subjects of the rules and their rights.

8. Incident notification

In the event of a personal data security breach:

• We notify you within 48 hours of identification
• We provide details: nature, scope, categories of affected data, likely consequences, measures taken
• We assist the customer in notifying AZLP (the 72h obligation under GDPR Article 33)
• We assist in notifying data subjects if required (Article 34)

9. Audit

The customer has the right to verify our compliance:

• Through our SOC 2 / ISO 27001 reports (when available)
• Via a security questionnaire (we respond within 10 business days)
• Through an on-site audit (with 30 days' prior notice and at the customer's expense)

10. Upon termination of the contract

Upon termination of the relationship:

1. 30 days — the customer has full export access
2. 31–90 days — data is archived; on customer request it is returned or deleted
3. After 90 days — all personal data is automatically deleted from the production system and backup archives (unless a legal obligation requires retention — e.g. financial records for 10 years)

11. Liability and indemnity

Each party is liable for its own GDPR violations. Our total liability for breaches of this DPA is limited in accordance with the Terms of Service, except where the law does not permit such limitation (e.g. malicious intent, gross negligence).

12. Effect and changes

This DPA enters into force upon activation of the subscription and remains in effect for as long as the relationship lasts. Material changes will be communicated 30 days in advance.