Data Processing Addendum

Effective May 1, 2026

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the agreement between SnapinAI, LLC (“SnapinAI,” “we,” “us,” or “our”) and the customer that has accepted our Terms of Service or signed an order form with us (“Customer”). It governs how we process Personal Information on Customer’s behalf in connection with the Services. To the extent of any conflict, this DPA controls over the Terms of Service with respect to the processing of Personal Information.

1. Definitions

“Applicable Data Protection Laws” means U.S. state comprehensive privacy laws (including the California Consumer Privacy Act / CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, and similar state laws), the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, and any other privacy or data protection laws that apply to a party’s processing of Personal Information.

“Personal Information” means information within Customer Data that identifies, relates to, or could reasonably be linked to an identified or identifiable individual.

“Customer Data” has the meaning set out in the Terms of Service. Capitalized terms not defined here have the meanings given to them in the Terms of Service or in Applicable Data Protection Laws (e.g., “controller,” “processor,” “business,” “service provider,” “sale,” “share,” “sub-processor,” “data subject”).

2. Roles of the parties

Customer is the “controller” or “business” with respect to Personal Information in Customer Data. SnapinAI is the “processor” or “service provider” and processes Personal Information only on Customer’s documented instructions, including as set out in the Terms of Service, an order form, or this DPA. We will inform Customer if, in our opinion, an instruction violates Applicable Data Protection Laws.

3. Subject matter, duration, nature, and purpose

Subject matter and duration. Processing of Personal Information by SnapinAI for the duration of the Services.

Nature and purpose. Providing, operating, securing, supporting, and improving the Services for Customer, including AI-generated communications, appointment workflows, customer portals, and reporting.

Categories of data subjects. Customer’s personnel and the consumers Customer communicates with through the Services (e.g., service customers, lead inquirers, vehicle owners).

Categories of Personal Information. Identifiers (name, email, phone, address); vehicle information; service and transaction history; communication content (SMS, email, chat); appointment and scheduling data; internal identifiers; and any other categories Customer provides through connected systems.

4. SnapinAI obligations

SnapinAI will:

  • process Personal Information only on Customer’s documented instructions and only for the limited and specified purposes set out in this DPA and the Terms of Service;
  • not sell or share Personal Information, and not process Personal Information for cross-context behavioral advertising or for any purpose outside the direct business relationship with Customer, except as permitted by Applicable Data Protection Laws;
  • not combine Personal Information received from Customer with Personal Information from other sources, except as permitted by Applicable Data Protection Laws (for example, to provide the Services or to detect security incidents);
  • ensure that personnel authorized to process Personal Information are bound by appropriate confidentiality obligations;
  • implement and maintain the security measures described in Section 7;
  • promptly notify Customer if SnapinAI determines it can no longer meet its obligations under Applicable Data Protection Laws.

5. Sub-processors

Customer authorizes SnapinAI to engage sub-processors to help provide the Services, including infrastructure and hosting providers, AI model providers, email and SMS delivery providers, analytics providers, and connectors to systems Customer authorizes us to integrate with. A current list of sub-processors is available on request to admin@snapin.ai.

SnapinAI imposes data protection terms on each sub-processor that are no less protective than those in this DPA and remains responsible for each sub-processor’s performance. We will give Customer reasonable notice of new sub-processors; Customer may object on reasonable data protection grounds, in which case we will work with Customer in good faith to find a workable solution.

6. Data subject requests

Taking into account the nature of the processing, SnapinAI will provide reasonable assistance to Customer in responding to verifiable requests from data subjects to access, correct, delete, or port their Personal Information, or to opt out of processing where required by Applicable Data Protection Laws. If a data subject contacts SnapinAI directly with such a request, we will refer the request to Customer unless Applicable Data Protection Laws require otherwise.

7. Security

SnapinAI maintains an information security program with administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction. Measures include encryption in transit, encryption of credentials and secrets at rest, role-based access controls, least-privilege provisioning, logging and monitoring, vulnerability management, secure software development practices, and personnel security training.

Where Customer is subject to the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, SnapinAI maintains safeguards consistent with that rule with respect to nonpublic personal information SnapinAI receives from Customer.

8. Security incidents

SnapinAI will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a confirmed Security Incident affecting Customer’s Personal Information. “Security Incident” means a breach of SnapinAI’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information processed by SnapinAI. Our notice will describe the nature of the incident, the categories and approximate volume of data affected (to the extent known), the measures taken or proposed in response, and a contact for further information.

Notice of or response to a Security Incident is not an acknowledgement by SnapinAI of fault or liability.

9. Audits

Once per year, on at least 30 days’ written notice and subject to reasonable confidentiality and security protections, SnapinAI will respond to a reasonable security questionnaire from Customer to verify SnapinAI’s compliance with this DPA. Where SnapinAI maintains independent third-party assessments or certifications, sharing the corresponding report or summary will satisfy this obligation.

10. International transfers

SnapinAI processes Personal Information in the United States. If SnapinAI transfers Personal Information from a jurisdiction whose laws restrict such transfers, the parties will cooperate in good faith to put in place a lawful transfer mechanism (for example, applicable standard contractual clauses).

11. Return or deletion of Personal Information

On termination or expiration of the Services, SnapinAI will, at Customer’s election, return or delete Personal Information in its possession, except where retention is required by law. Customer may export Personal Information for 30 days after termination as set out in the Terms of Service; after that period, SnapinAI may delete or de-identify the data.

12. U.S. state law specific terms

California (CCPA / CPRA). SnapinAI acts as a “service provider” with respect to Personal Information disclosed by Customer. SnapinAI will not (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information outside the direct business relationship with Customer or for any purpose other than the business purposes specified in this DPA and the Terms of Service; or (c) combine Personal Information received from Customer with Personal Information from other sources, except as permitted by the CCPA. SnapinAI certifies that it understands and will comply with these restrictions.

Virginia, Colorado, Connecticut, Utah, Texas, and similar state laws. SnapinAI processes Personal Information as a “processor” on Customer’s behalf and only for the purposes set out in this DPA and the Terms of Service. SnapinAI will assist Customer in meeting its obligations under these laws to the extent reasonably required.

13. Messaging compliance (CAN-SPAM, TCPA)

Where Customer uses the Services to send commercial emails or text messages to consumers, Customer is the “sender” of those messages under the CAN-SPAM Act, the Telephone Consumer Protection Act (TCPA), state mini-TCPAs, the Canadian Anti-Spam Legislation (CASL) where applicable, and similar laws. Customer is responsible for:

  • obtaining and maintaining records of any consent required by applicable law before any marketing email or message is sent, including written express consent for marketing SMS where required by the TCPA;
  • ensuring all messages identify Customer as the sender, contain a working unsubscribe or opt-out mechanism (and, for SMS, support standard HELP and STOP keywords), include Customer’s valid physical postal address where required, and avoid deceptive headers or subject lines;
  • honoring opt-out requests promptly and across channels;
  • complying with carrier requirements for application-to-person (A2P) messaging in the United States, including 10DLC brand and campaign registration where applicable, and with quiet-hours and frequency restrictions in applicable jurisdictions.

SnapinAI provides tooling to support Customer’s compliance, including suppression of recipients who have opted out, rendering of unsubscribe links and STOP keyword handling in supported templates, and capture of consent metadata where Customer configures the Services to do so. SnapinAI is not the sender of Customer’s commercial messages and does not independently verify the lawfulness of any individual message.

14. Liability and order of precedence

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service or the applicable order form. In the event of a conflict between this DPA and the Terms of Service or an order form, this DPA controls with respect to the processing of Personal Information; otherwise, the order form, then the Terms of Service, controls.

15. Contact

Questions about this DPA? Reach us at admin@snapin.ai.