Data processing addendum
Version 1.2 · Last updated April 28, 2026
This DPA applies to dealers processing personal data of EU/UK residents through AutoDealerPro and is incorporated into the Terms of Service. We'll counter-sign on request — email legal@autodealerpro.io.
1. Roles
The dealer is the Controller of customer data; ADP is the Processor. Each party maintains records of processing activities (Article 30) and complies with applicable laws.
2. Sub-processors
Approved sub-processors as of the version date:
| Vendor | Purpose | Region |
|---|---|---|
| AWS | Object storage (S3) | EU-Central-1 |
| Hetzner | Database + app hosting | DE / FI |
| Stripe | Payment processing | US / IE |
| Twilio | Telephony + SMS | US / IE |
| Vapi | Voice AI orchestration | US |
| Anthropic | Concierge LLM | US |
| Resend | Transactional email | US / IE |
| Sentry | Error monitoring (no PII) | US / DE |
| Cloudflare | CDN + WAF | Global |
Customer is notified by email at least 30 days before any new sub-processor is added. Customer may object on reasonable grounds; if we can't accommodate, customer may terminate without penalty.
3. Security measures
AES-256 encryption at rest, TLS 1.3 in transit, per-tenant key envelope for PII, MFA on all production access, quarterly access review, annual penetration test by an independent firm. Full schedule of technical and organizational measures in Annex II of this DPA.
4. International transfers
For transfers from EEA / UK / Switzerland to the US, we rely on the EU Standard Contractual Clauses (Commission Decision 2021/914) and supplementary measures per Schrems II guidance.
5. Data subject requests
Where ADP receives a request directly from a data subject, we route it to the relevant dealer (controller). We assist the dealer to respond within statutory timelines.
6. Breach notification
ADP notifies affected customers without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting their data. Notification includes nature, categories, and approximate volume of records, likely consequences, and measures taken or proposed.
7. Audit rights
Customer may audit ADP's compliance with this DPA once per year, on 30 days' notice, at customer's expense. ADP will provide its current SOC 2 Type II report under NDA in lieu of an on-site audit where the customer is satisfied with that level of assurance.
8. Deletion
On termination, ADP deletes or returns customer personal data within 30 days, subject to a longer retention period required by law (e.g., audit log retention for tax purposes).
Need a counter-signed copy or have a custom Annex requirement? legal@autodealerpro.io