Data Processing Addendum (DPA)
1. Definitions
Terms have the meanings given in GDPR Article 4, UK GDPR, and LGPD Article 5 as applicable. Specifically:
- Customer: the entity subscribing to Auttiv (you/your dealership)
- Processor (Auttiv): processes personal data on the Customer's behalf
- Sub-processor: third party engaged by Auttiv to process data (see Annex 1)
- Data Subject: identified or identifiable natural person (leads, buyers)
2. Scope and roles
The Customer is the Data Controller. Auttiv is the Data Processor. Auttiv processes personal data only on documented instructions from the Customer (which include using the product in its intended manner).
3. Categories of data
Auttiv processes the following categories of personal data:
- Contact information of leads (name, phone, email, vehicle interest)
- Communication records (SMS, calls, email correspondence)
- Behavioral data (which cars they viewed, when they engaged)
- Trade-in vehicle data (photos, descriptions provided by buyer)
- Appointment records
4. Purposes of processing
- Providing the Auttiv platform per the Subscription Agreement
- Sending communications you initiate (SMS, email, voice)
- Generating AI suggestions and content
- Maintaining audit logs for legal compliance
- Security, fraud prevention, abuse detection
5. Auttiv's obligations
Auttiv will:
- Process data only on Customer's documented instructions
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational measures (see Annex 2)
- Engage sub-processors only with prior general or specific written authorization
- Assist Customer with Data Subject requests (access, deletion, etc.) without undue delay
- Notify Customer of a personal data breach within 72 hours of becoming aware of it
- Delete or return all personal data after end of service (Customer's choice)
- Make available all information necessary to demonstrate compliance
6. Sub-processors
Customer authorizes Auttiv to engage the sub-processors listed in Annex 1. Auttiv will notify Customer of any new sub-processors at least 30 days before engaging them. Customer may object on reasonable grounds; if unresolved, Customer may terminate the agreement.
7. International transfers
For transfers outside the EEA / UK / Brazil to a country without an adequacy decision, Auttiv relies on:
- EU/UK: Standard Contractual Clauses (Commission Decision 2021/914), incorporated by reference into this DPA
- UK: UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
- Brazil: ANPD-approved standard contractual clauses
- Adequate safeguards: encryption in transit and at rest, access controls, audit logs
8. Data Subject Requests
If Auttiv receives a request from a Data Subject regarding Customer's data, Auttiv will:
- Forward the request to Customer within 5 business days
- Not respond directly to the Data Subject unless legally required
- Assist Customer in fulfilling the request, including providing technical export tools
9. Audit rights
Customer may audit Auttiv's compliance with this DPA once per 12-month period at Customer's expense, with 30 days' notice. Auttiv may satisfy audit requirements by providing third-party audit reports (e.g., SOC 2 Type II) when available.
10. Liability
Each party's liability under this DPA is subject to the limitations in the underlying Subscription Agreement.
11. Term and termination
This DPA remains in effect for the duration of the Subscription Agreement. On termination, Auttiv will delete or return personal data within 30 days, except as required by law for retention (billing records, audit logs).
Annex 1 — Sub-processors
As of last-update date:
- Supabase Inc. (US) — Database, auth, file storage
- Amazon Web Services (AWS) (US, EU available) — Infrastructure underlying Supabase
- Stripe Inc. (US, Ireland) — Payment processing
- Twilio Inc. (US) — SMS, voice (when used)
- Anthropic PBC (US) — AI text generation (no data retention for training)
- OpenAI L.L.C. (US) — Fallback AI (optional, on-demand)
- ElevenLabs Inc. (US) — Voice cloning (Pro+ only)
- Vapi Inc. (US) — AI phone receptionist (Pro+ only)
- Vercel Inc. (US) — Static site hosting
- Sentry / Functional Software Inc. (US) — Error monitoring (no message content)
- Plausible Insights OÜ (Estonia) — Privacy-respecting analytics
Annex 2 — Technical and organizational measures
See the Security page for full detail. Summary:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access control: Row-Level Security, MFA, SSO available
- Audit logging of admin and sensitive operations
- Vulnerability scanning, dependency auditing
- Incident response plan with 72-hour breach notification
- Background checks for employees with data access
- Annual security training
- SOC 2 Type I (in progress) → Type II within 12 months