Data Processing Agreement
Last Updated: January 17, 2025
This Gramm-Leach-Bliley Act and State Privacy Law DPA (“DPA” or “Data Processing Agreement”) entered by and between PureCars Technologies, LLC and/or any of its affiliated entities (“PureCars”) and you (“Customer”) regulates the particularities of data processing in connection with your access to and use of any services and technical solutions provided by PureCars. This DPA is to be read in conjunction with the PureCars Privacy Policy and any other terms or agreements that link to this DPA.
1. SCOPE AND PURPOSE.
1.1 This DPA applies to PureCars’ processing of Personal Information on Your behalf as a processor for the provision of the Services specified in Your Service Agreement. Unless otherwise expressly stated in Your Service Agreement, this version of the Data Processing Agreement shall be effective and remain in force for the term of Your Service Agreement.
1.2 This DPA supplements and amends the PureCars Terms and Conditions or other service agreement (the “Service Agreement”) between Customer and PureCars with respect to Customer Information, as defined in 16 C.F.R. § 314.2, and Personal Information, as defined by Data Protection Laws, as defined below, and constitutes a Service Provider agreement subject to the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule or Data Protection Laws. To the extent of any ambiguity or conflict between the Service Agreement and this DPA, as it applies to the safeguarding or privacy of Customer Information or Personal Information, the terms of this DPA shall apply.
2. DEFINITIONS.
Capitalized terms used herein shall have the meanings set forth in this Section 2 or 16 C.F.R. § 314.2 or Data Protection Laws, as defined below.
“Authorized Persons” means PureCars’ employees, contractors, agents, and auditors who have a need to know or otherwise access Customer Information or Personal Information to enable PureCars to perform its obligations under the Service Agreement and this DPA, and who are bound by confidentiality and other obligations sufficient to protect Customer Information or Personal Information in accordance with the terms and conditions of the Service Agreement.
“Data Protection Laws” means all applicable data protection laws with respect to Personal Information, such as federal and state data privacy laws (e.g., the GLBA and the Federal Trade Commission’s implementation or the California Consumer Privacy Act of 2018, as amended (“CCPA”); data breach notification laws; and information security laws).
“Notification Event” means unauthorized acquisition of unencrypted Customer Information, as defined under 16 C.F.R. § 314.2, owned by Customer. A security incident does not always rise to the level of a Notification Event or a data breach.
“Data Breach” is defined under relevant Data Protection Laws, but may be triggered by unauthorized acquisition of unencrypted Personal Information owned by Customer. A security incident does not always rise to the level of a Data Breach.
“Data Subject” as certain individuals are defined under applicable Data Protection Law.
“Personal Information” or “Personal Data” as defined under applicable Data Protection Law that PureCars is processing pursuant to the Service Agreement.
“Services” means the provision of access to the PureCars products and/or other services provided by PureCars as specified in an order form and subject to the Service Agreement.
“You” means the customer entity that has executed the Service Agreement.
3. DETAILS OF PROCESSING
3.1 The Service Agreement and this DPA shall form the “documented instructions” of the Customer, as used and further described in this DPA, in relation to the Processing of Customer Information and Personal Information in accordance with applicable Data Protection Laws. The nature and purpose of the processing, an overview of the types of Personal Information, and the categories of Data Subjects are set forth in the Service Agreement and PureCars’ privacy policy at https://www.purecars.com/privacy-policy.
3.2 Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Information or Personal Information.
4. PURECARS AND CUSTOMER OBLIGATIONS.
4.1 PureCars will:
(a) Comply with and maintain the same level of privacy protection as required by the Data Protection Laws, this DPA, and industry-recognized standards and best practices;
(b) Be responsible for unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Customer Information and/or Personal Information under its control or in its possession, including ensuring that Authorized Persons engage in training and/or sign confidentiality agreements as appropriate;
(c) Not disclose Customer Information to any person other than its Authorized Persons without Customer’s prior written consent unless required by applicable law or if reasonable in light of PureCars’ Services and Customer’s expectations, in which case, PureCars will use reasonable efforts and to the extent permitted by applicable law notify Customer before such disclosure or as soon thereafter as reasonably possible;
(d) Only collect, use, retain, or disclose Customer Information and/or Personal Information obtained under this DPA for purposes that align with the underlying Service Agreement, this DPA, or as the law otherwise permits;
(e) Reasonably assist Customer with meeting the Customer’s compliance obligations under the relevant privacy and data security laws, taking into account the nature of processing and the information available to PureCars;
(f) Use and disclose Customer Information or Personal Information only for the purposes for which Customer provides it, or access to it, pursuant to the terms and conditions of the Service Agreement and this DPA, and not use or otherwise disclose or make available this information for PureCars’ own purposes or for other commercial purposes without Customer’s prior written consent;
(g) Notwithstanding clause (vi), PureCars may aggregate, de-identify, or anonymize Customer Information and/or Personal Information, and use such aggregated, de-identified, or anonymized data, which shall no longer be considered Customer Information and/or Personal Information, for its own research and development or other purposes permitted under law.
(h) Not sell or share any Personal Information it collects or obtains from or on behalf of Customer under the Service Agreement or this DPA. However, Customer and PureCars may agree that PureCars will share Customer’s Personal Information for the purposes of targeted advertising on behalf of the Customer based on the section on Targeted Ad Services below.
(i) Not combine any Personal Information of consumers who opted out of sales/sharing/targeted advertising that PureCars received from or for Customer with Personal Information that PureCars either received from or for another person or collected from its own consumer interactions.
4.2 Customer will:
(a) Comply with the terms and conditions set forth in the Service Agreement, this DPA, and the Data Protection Laws, including by providing legally compliant privacy notices that reference PureCars, if required, and obtaining consent from consumers;
(b) Be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Customer Information and Personal Information under its control or in its possession, including user accounts that Customer controls;
(c) Only use secure methods, according to accepted industry standards, when transferring or otherwise making available Customer Information and Personal Information to PureCars; and
(d) Provide written notice to PureCars if any information Customer provides to PureCars under the Service Agreement contains Customer Information or Personal Information. PureCars will not be responsible for determining on its own that any information Customer provides under the Service Agreement qualifies as Customer Information or Personal Information.
5. TARGETED AD SERVICES.
5.1 To the extent that Customer engages PureCars to provide cross-context behavioral or targeted advertising or profiling services, as those terms are defined by relevant Data Protection Laws (“Targeted Ad Services”), the Parties agree as follows:
(a) While PureCars is generally a Service Provider, PureCars is a Third Party, as defined under the CCPA or similar Data Protection Laws, when processing Personal Information solely for the purpose of Targeted Ad Services;
(b) When acting as a Third Party, PureCars will not direct any Ad Services to consumers of Customer who have opted out of the sale or sharing of their data or Targeted Ad Services;
(c) PureCars will comply with any consumer opt-out requests, if applicable, and direct all PureCars subcontractors to comply as required under the Data Protection Laws. Upon written request from Customer, PureCars will certify in writing that it has complied with this requirement;
(d) Customer will ensure that it has provided all required notices to individuals, including notifying individuals about PureCars and any other third parties involved with targeted advertising, and obtaining consent from individuals before engaging in targeted advertising, including explicit consent when appropriate.
(e) PureCars may rely on Customer’s assertion that it has provided notice and obtained consent from individuals, as required under Data Protection Laws, if Customer engages PureCars for Targeted Ad Services; and
(f) Each party may audit the other’s privacy practices, as reasonable, based on opt-outs received from individuals.
6. INFORMATION SECURITY.
6.1 PureCars will comply with applicable laws and regulations, including the GLBA Safeguards Rule and implementing regulations and guidance from the Federal Trade Commission and relevant Data Protection Laws, in its creation, collection, receipt, access, use, storage, disposal, and disclosure of Customer Information and Personal Information.
6.2 PureCars will employ reasonable physical, administrative, and technical security measures to protect Customer Information and Personal Information in accordance with PureCars’ internal information security policy as amended from time to time (“Information Security Policy”).
6.3 Customer acknowledges that the Services include certain features and functionalities that Customer may elect to use that impact the security of the data processed by Customer’s use of the Services. Customer is further responsible for its users’ access to Personal Information and for using the available features and functionalities to maintain appropriate security in light of the nature of the data processed by its use of the Services.
7. NOTIFICATION EVENT/DATA BREACH PROCEDURES.
7.1 PureCars maintains a cyber incident breach response plan (“Incident Response Plan”) and will implement the procedures required under such plan on the occurrence of a Notification Event or Data Breach.
7.2 Depending on the relevant terms with the OEM, PureCars will notify Customer or the relevant OEM of a Notification Event or Data Breach that impacts the Customer’s Customer Information or Personal Information as soon as reasonably practicable so that the Customer or OEM may comply with the Notification Event obligations under 16 C.F.R. § 314.4(j)(1) or similar state law Data Breach obligations.
7.3 Immediately following PureCars’ notification to Customer of a Notification Event or Data Breach, the parties will coordinate with each other, as necessary, to investigate the Notification Event or Data Breach.
7.4 PureCars will reimburse Customer for actual reasonable costs incurred by Customer to provide any legally required notice or services to individuals affected by a Notification Event or Data Breach, to the extent that PureCars caused a Notification Event or Data Breach.
7.5 PureCars agrees that it will not inform any third party of any Notification Event that impacts Customer’s Customer Information or Data Breach that impacts Customer’s Personal Information without Customer’s prior consent, other than to inform a complainant that the matter has been forwarded to Customer.
8. SECURITY CONTROLS REVIEW OR AUDIT. At least annually, PureCars will obtain a security controls review or audit performed by an independent third party based on recognized industry standards. PureCars will make results of such controls review or audit available to Customer upon request and will timely address any noted exceptions. PureCars will provide reasonably necessary information to allow Customer to comply with any assessments or audits required under Data Protection Laws.
9. RETURN OR DISPOSAL OF PERSONAL INFORMATION. At any time during the term of the Service Agreement at Customer’s written request or at a reasonable interval after the termination or expiration of the Service Agreement, PureCars will securely dispose of all Customer Information and Personal Information in its possession or in the possession of Authorized Persons. If requested, PureCars will notify Customer that such Customer Information or Personal Information has been disposed of securely. If PureCars is not reasonably able to securely dispose of Customer Information or Personal Information, including, but not limited to, Customer stored on backup media, PureCars will continue to protect such Customer Information or Personal Information in accordance with the terms of this DPA until such time that it can reasonably securely dispose of such information.
© Copyright 2025. All Rights Reserved. PureCars Technologies,