Data Processing Addendum
Last updated: April 11, 2026
Note: This is a v1 working document under legal review. Contact legal@dealerpulse.app for a countersigned version or to propose redlines.
1. Parties
This Data Processing Addendum (“DPA”) is entered into between:
- Controller:The organization (“Tenant”) that has subscribed to the DealerPulse platform under the applicable Terms of Service. The Tenant determines the purposes and means of processing personal data within the platform.
- Processor:DealerPulse, operated by Bankston Motor Homes, Huntsville, Alabama, United States (“DealerPulse,” “we,” “us”). DealerPulse processes personal data on behalf of the Tenant solely to provide the Service.
This DPA supplements and forms part of the DealerPulse Terms of Service. In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to data processing matters.
2. Definitions
Terms not defined here carry the meaning given to them in the Terms of Service or in the EU General Data Protection Regulation (GDPR), as applicable.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by DealerPulse on behalf of the Tenant through the Service.
- “Processing” means any operation or set of operations performed on Personal Data, including collection, storage, alteration, retrieval, transmission, deletion, or destruction.
- “Sub-Processor” means a third party engaged by DealerPulse to process Personal Data on behalf of the Tenant.
- “Data Subject” means an identifiable natural person whose Personal Data is processed under this DPA.
- “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- “Standard Contractual Clauses” (SCCs) means the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914.
3. Subject Matter and Duration
This DPA governs the processing of Personal Data by DealerPulse on behalf of the Tenant for the duration of the Tenant's subscription to the Service, plus any post-termination retention period described in Section 14 and the Data Retention Policy.
4. Nature and Purpose of Processing
DealerPulse processes Personal Data to provide the following services on behalf of the Tenant:
- Connect: Routing multi-channel messages (SMS, web chat, social media) between dealership staff and customers; storing conversation history; managing contact records; delivering broadcast messages.
- Assist (Claire AI): Processing natural language queries from website visitors; generating AI responses using tenant inventory and configuration data; capturing lead information; scheduling appointment requests; transcribing phone calls.
- Insight: Aggregating and visualizing analytics dashboards from data across Connect and Assist.
- Portal: Managing user identities, roles, product entitlements, and cross-product single sign-on.
5. Categories of Data Subjects
The Personal Data processed under this DPA may relate to:
- Tenant employees and representatives: Dealership staff who use the platform, including sales agents, managers, BDC representatives, service advisors, and administrators.
- Tenant customers: Individuals who interact with the dealership through DealerPulse-powered channels, including website chat visitors, SMS recipients, phone callers, and email correspondents.
- Prospective customers: Individuals whose data is submitted via lead forms, third-party lead providers, or marketing campaigns and imported into DealerPulse.
6. Categories of Personal Data
The following categories of Personal Data may be processed through the Service:
| Category | Examples |
|---|---|
| Contact information | Name, email address, phone number, mailing address |
| Vehicle interest data | VIN, year, make, model, trim, stock number, pricing |
| Trade-in data | Vehicle year, make, model, mileage, condition, estimated value |
| Messaging content | SMS messages, web chat transcripts, social media messages |
| Voice data | Call recordings and AI-generated transcriptions |
| Appointment data | Service and sales appointment dates, times, types, and associated notes |
| Usage identifiers | User IDs, session tokens, IP addresses, browser metadata |
DealerPulse does not process special categories of data (Article 9 GDPR) and Tenants should not submit such data to the Service. DealerPulse does not process payment card data directly; all payment processing is handled by Stripe.
7. Processor Obligations
7.1 Documented Instructions
DealerPulse shall process Personal Data only on documented instructions from the Tenant, unless required to do so by applicable law. The Tenant's instructions are defined by the Service features the Tenant activates and configures, the Terms of Service, and this DPA. If DealerPulse believes an instruction infringes applicable data protection law, it will promptly notify the Tenant.
7.2 Confidentiality
All DealerPulse personnel authorized to process Personal Data are bound by written confidentiality obligations. Access to Personal Data is restricted to personnel who require it to perform their duties in delivering the Service.
7.3 Security Measures
DealerPulse implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-tenant data isolation through database-level row-level security (RLS) policies
- Role-based access control (RBAC) with principle of least privilege
- Audit logging of all administrative and data access actions
- Regular vulnerability scanning and dependency updates
- Automated deployment pipelines with pre-deployment testing
- Incident detection and response procedures
7.4 Sub-Processor Engagement
The Tenant provides general written authorization for DealerPulse to engage Sub-Processors as listed in Section 8, subject to the change notification process in Section 9.
7.5 Data Subject Rights Assistance
DealerPulse will assist the Tenant in fulfilling its obligation to respond to Data Subject requests to exercise their rights under GDPR (access, rectification, erasure, portability, restriction, objection) and under CCPA/CPRA (right to know, delete, opt-out of sale). Where a Data Subject contacts DealerPulse directly, we will redirect them to the Tenant unless the request relates to DealerPulse's own processing of the Data Subject's data as a controller.
7.6 Breach Notification Assistance
In the event of a Security Incident, DealerPulse will assist the Tenant in meeting its breach notification obligations under applicable law, including providing the information necessary for the Tenant to notify supervisory authorities and affected Data Subjects.
7.7 Deletion at End of Contract
Upon termination of the Tenant's subscription, DealerPulse will delete all Personal Data processed on behalf of the Tenant within the timeframes specified in the Data Retention Policy, unless applicable law requires further retention. The Tenant may request data export before the deletion deadline.
8. Sub-Processors
DealerPulse engages the following Sub-Processors to deliver the Service. Each Sub-Processor processes Personal Data only as necessary for the stated purpose and is bound by data processing terms consistent with this DPA.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase, Inc. | PostgreSQL database hosting, user authentication, and file storage | All Tenant data stored in the platform: contacts, messages, leads, user profiles, uploaded files | United States |
| Railway Corporation | Application hosting, deployment, and compute infrastructure | All data in transit and in memory during request processing | United States |
| Stripe, Inc. | Payment processing and subscription billing | Tenant billing contact name, email, payment method details (handled directly by Stripe, not stored by DealerPulse) | United States / Ireland |
| Twilio, Inc. | SMS messaging and voice call routing | Phone numbers, SMS message content, call recordings, call metadata | United States |
| OpenAI, L.L.C. | Large language model inference for the Assist chatbot (Claire) | Chat conversation text, tenant inventory data, tenant configuration prompts. OpenAI does not use API data for training per their data usage policy. | United States |
| Deepgram, Inc. | Speech-to-text transcription of phone call recordings | Audio recordings of phone calls, resulting text transcriptions | United States |
| Resend, Inc. | Transactional email delivery | Recipient email addresses, email subject lines and body content | United States |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance tracking | Error stack traces, request metadata, session identifiers. Sentry does not receive customer PII by design; data is scrubbed before transmission. | United States |
9. Changes to Sub-Processors
DealerPulse will notify the Tenant at least 30 days before adding or replacing a Sub-Processor. Notification will be sent to the email address associated with the Tenant's primary administrator account and posted on this page.
The Tenant may object to a new Sub-Processor by notifying DealerPulse in writing within the 30-day notice period. If DealerPulse cannot reasonably accommodate the objection (for example, by using an alternative Sub-Processor or by modifying the Service to avoid the Sub-Processor), the Tenant may terminate the affected subscription without penalty. DealerPulse will cooperate with data export before termination.
10. Data Subject Rights Cooperation
DealerPulse provides Tenant administrators with self-service tools to manage Data Subject requests where technically feasible, including:
- Viewing and exporting contact records (Connect)
- Deleting individual contact records and associated messages
- Editing contact information
- Configuring retention periods for AI conversations and call recordings
For requests that cannot be fulfilled through self-service tools, the Tenant may contact privacy@dealerpulse.app, and DealerPulse will assist within 15 business days.
11. Breach Notification
DealerPulse will notify the Tenant without undue delay, and in any event within 72 hoursof becoming aware of a confirmed Security Incident affecting the Tenant's Personal Data. The notification will include:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of DealerPulse's point of contact for the incident
- A description of the likely consequences of the incident
- A description of the measures taken or proposed to address the incident and mitigate its effects
DealerPulse will cooperate with the Tenant's investigation and provide updates as new information becomes available. DealerPulse will not notify Data Subjects directly unless instructed by the Tenant or required by applicable law.
12. Audit Rights
DealerPulse will make available to the Tenant the information necessary to demonstrate compliance with this DPA and GDPR Article 28. The Tenant (or a qualified third-party auditor appointed by the Tenant) may conduct an audit of DealerPulse's data processing activities, subject to the following conditions:
- Audits shall be conducted no more than once per year, unless a Security Incident has occurred
- The Tenant shall provide at least 30 days' written notice before an audit
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt DealerPulse's operations
- The auditor shall be bound by confidentiality obligations at least as protective as those in this DPA
- The Tenant shall bear the costs of the audit, except where the audit reveals material non-compliance by DealerPulse
Where DealerPulse has obtained relevant third-party certifications or audit reports (such as SOC 2), it may provide those reports to satisfy audit requests in lieu of an on-site audit, provided the reports are current and relevant.
13. International Transfers
All DealerPulse infrastructure and Sub-Processors are located in the United States, with the exception of Stripe, which also processes data in Ireland. For transfers of Personal Data from the European Economic Area (EEA) or United Kingdom to the United States, DealerPulse relies on the Standard Contractual Clauses (SCC 2021/914) as adopted by the European Commission.
Where the Tenant is established in the EEA or UK, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated into this DPA by reference. Copies of the executed SCCs are available upon request from legal@dealerpulse.app.
DealerPulse will implement supplementary measures where necessary to ensure the level of protection of Personal Data is not undermined by the transfer, taking into account the nature of the data, the transfer mechanism, and the legal framework of the receiving country.
14. Return or Deletion of Data
Upon termination or expiration of the Tenant's subscription, DealerPulse will:
- Provide a 30-day grace period during which the Tenant may access and export their data through the Service's standard export features or by requesting a data export from privacy@dealerpulse.app.
- After the grace period, permanently delete all Personal Data processed on behalf of the Tenant from primary storage, including database records, file storage, and message history.
- Delete Personal Data from backup systems within 30 days of the primary deletion (rolling backup cycle).
DealerPulse may retain limited data beyond these periods only where required by applicable law (for example, financial records retained for tax compliance) or where a legal hold is in effect. Such retained data will be isolated and processed only for the legally required purpose.
15. Applicable Law
This DPA is governed by the laws of the State of Alabama, United States, except to the extent that applicable data protection law (including GDPR) requires the application of the law of another jurisdiction. Where GDPR applies, the provisions of GDPR shall take precedence over any conflicting provision of this DPA.
For Tenants established in the European Economic Area, disputes relating to this DPA shall be resolved in accordance with the dispute resolution mechanism set out in the Standard Contractual Clauses.
16. Miscellaneous
- Entire agreement: This DPA, together with the Terms of Service and any applicable order form, constitutes the complete agreement between the parties regarding the processing of Personal Data.
- Amendments:Modifications to this DPA must be in writing and agreed by both parties, except that DealerPulse may update this DPA to reflect changes in applicable law, in which case 30 days' notice will be provided.
- Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
- Order of precedence: In the event of a conflict, the order of precedence is: (1) Standard Contractual Clauses, (2) this DPA, (3) the Terms of Service.