Data Processing Agreement
Last updated: May 9, 2026
This DPA is incorporated into and forms part of the ApexPitCore Terms of Service.
Attorney Review Required
This document is a working draft and has not been reviewed by legal counsel. It should not be treated as a final, binding DPA until reviewed and signed by authorized parties. Contact legal@[yourdomain].com to execute a signed DPA.
1. Definitions
Controller means the auto repair shop (the ApexPitCore account holder) that determines the purposes and means of processing the personal data of its vehicle-owner customers.
Processor means [Company Legal Name] (ApexPitCore), which processes personal data on behalf of the Controller.
Personal Data has the meaning given under applicable data protection law, including CCPA/CPRA.
Subprocessor means any third party engaged by ApexPitCore to process Personal Data on behalf of the Controller.
2. Scope of Processing
ApexPitCore processes the following categories of personal data on behalf of shops:
- Vehicle owner names, contact information, and addresses
- Vehicle identification information (VIN, license plate, make, model, year)
- Repair history, service records, inspection results, and technician notes
- Communication records (SMS and email metadata)
- Payment transaction metadata (no payment card data is processed)
- Appointment and scheduling records
- Photos and files uploaded during inspections
Processing is performed for the purpose of providing the ApexPitCore platform to enable shop owners to manage their vehicle repair operations.
3. Processor Obligations
ApexPitCore agrees to:
- Process personal data only on documented instructions from the Controller (the Controller's configuration and use of the platform constitute those instructions).
- Ensure persons authorized to process personal data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organizational security measures (see our Security page).
- Assist the Controller in responding to data subject rights requests using the tools provided in the platform.
- Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller’s data.
- Delete or return all personal data upon termination of the service, subject to applicable retention requirements.
- Make available information necessary to demonstrate compliance with this DPA.
4. Subprocessors
ApexPitCore engages the subprocessors listed at /legal/subprocessors. ApexPitCore will notify Controllers of new subprocessors with at least 30 days’ advance notice. Controllers may object to new subprocessors; if a reasonable alternative cannot be agreed upon, either party may terminate the agreement.
ApexPitCore enters into written agreements with all subprocessors that impose data protection obligations equivalent to those in this DPA.
5. Security Measures
ApexPitCore implements the following categories of security measures:
- Encryption in transit (TLS 1.2+) and encryption at rest for sensitive fields
- Role-based access control and multi-factor authentication
- Audit logging for all significant data operations
- Intrusion monitoring and security event logging
- Automated backup and tested restore procedures
- Vulnerability management and dependency scanning
- Background-checked personnel with need-to-know data access
See /legal/security for details.
6. Breach Notification
ApexPitCore will notify affected Controllers without undue delay upon discovering a personal data breach. Initial notification will include: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the breach.
For California residents, breach notification will comply with California Civil Code § 1798.82 and applicable regulations.
7. Data Subject Rights Assistance
ApexPitCore provides platform tools (data export, customer deletion, correction) to help Controllers respond to data subject rights requests. For requests that cannot be fulfilled through the platform, contact privacy@[yourdomain].com.
8. Return and Deletion of Data
For 30 days after termination of the subscription, Controllers may export their data. After that period, ApexPitCore will delete or anonymize the personal data, except where retention is required by applicable law (e.g., financial records).
ApexPitCore will provide a written confirmation of deletion upon request.
9. Audits
ApexPitCore will make available information necessary to demonstrate compliance with this DPA and allow for reasonable audits by Controllers or their authorized agents, subject to reasonable notice and confidentiality requirements. Audit costs are borne by the Controller.
10. Contact
To execute a signed DPA or ask questions about data processing: legal@[yourdomain].com