Data Processing Agreement
Last updated: April 19, 2026
VinReach acts as your data processor under CPRA + TCPA + state consumer-privacy law. This DPA is signed electronically at onboarding and incorporated into the master Terms. Controller = dealer. Processor = VinReach.
1. Parties
Controller: the dealer rooftop signing up for VinReach (the "Customer").
Processor: VinReach (the operating entity identified in the countersigned order form).
2. Scope + subject matter
VinReach processes personal data the Customer collects via its dealer website, form submissions, CRM imports, and reply channels. Processing is for the sole purpose of delivering the remarketing services the Customer has enabled.
3. Data subject categories
- Website visitors to the dealer's public site
- Leads who submitted a form or chat conversation
- Existing customers imported from the dealer's CRM
- Reply senders on email + SMS channels
4. Data categories
- Identity — name, email, phone.
- Device + network — IP /24 bucket (never raw IP), UA, accept-language, hashed device fingerprint.
- Behavioral — VDP views, clicks, search filters, time on page, journey enrollment state.
- Consent — explicit opt-ins, opt-outs, GPC signals, CPRA sale-share flags.
- Communication content — outbound drafts, inbound replies, AI-generated subject lines.
5. Sub-processors
Current list + 30-day change-notice policy at /subprocessors. Customer has a contractual right to object to a new sub-processor, in which case we terminate the affected processing or the Customer terminates the contract.
6. Processor obligations
- Process only on documented Customer instructions (the platform config the Customer chooses, plus these terms).
- Confidentiality binding all personnel with access.
- Technical + organizational security measures per the Trust page + SOC 2 controls.
- Sub-processor flow-down — every sub-processor is bound to materially the same obligations.
- Assist with data-subject requests within 7 business days of receipt.
- Data-breach notification within 72 hours of a confirmed incident.
- Return or destroy personal data at termination per the Terms §8.
- Make records available to support SOC 2 + privacy audits.
7. International transfers
Personal data is stored in the data-hosting region specified in your order form (currently US-East via the managed Postgres provider). Any transfer outside that region is preceded by 30 days' notice and Standard Contractual Clauses (or successor framework) before the transfer begins.
8. Security incident
On a confirmed compromise of personal data, VinReach notifies affected Customer(s) within 72 hours via the admin email on file, posts a public disclosure at /trust if the incident is platform-wide, and cooperates with the Customer's regulator notifications.
9. Audit rights
Customer may audit VinReach's compliance with this DPA once per 12-month period. VinReach will provide its current SOC 2 attestation or equivalent third-party report when one is available; until a Type II attestation is issued, VinReach will respond to a reasonable written security questionnaire in lieu. Direct on-site audit requires 30 days' notice, a mutual NDA, and reimbursement of VinReach time above 2 business days.
10. Data-subject requests
Customer-initiated (the dealer)
Customer may export, correct, or delete any personal data for a subject via the admin console at any time. No VinReach involvement required for routine requests.
Subject-initiated (direct to VinReach)
If a subject contacts VinReach directly, we route the request to the Customer's admin contact within 3 business days and do not respond substantively without Customer instruction.
11. Liability
Liability under this DPA is subject to the limitations in the master Terms §10. Processor indemnification covers a breach of this DPA by VinReach or any sub-processor; Controller indemnifies VinReach against consent + content violations introduced by the Customer.
12. Amendments
Material changes are posted at /dpa with 30 days' notice. Continued use after the effective date constitutes acceptance.
13. Governing law
Specified in the countersigned master Terms (see Terms §12).
14. Signature
Signed electronically at onboarding by the account owner under clickwrap acceptance. A PDF-formatted version is available on request via /contact.