Data Processing Agreement

Last updated: May 9, 2026 · ApexPitCore LLC

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the ApexPitCore Terms of Service. By using the ApexPitCore platform, the shop account (Controller) agrees to the terms of this DPA.

1. Definitions

Controller means the auto repair shop account that determines the purposes and means of processing the personal data of its customers (vehicle owners).

Processor means ApexPitCore LLC, which processes personal data on behalf of the Controller.

Personal Data has the meaning given under applicable data protection law, including CCPA/CPRA.

Subprocessor means any third party engaged by ApexPitCore to process Personal Data on behalf of the Controller.

2. Scope of Processing

ApexPitCore processes the following categories of personal data on behalf of shops:

  • Vehicle owner names, contact information, and addresses
  • Vehicle identification information (VIN, license plate, make, model, year)
  • Repair history, service records, inspection results, and technician notes
  • Communication records (SMS and email metadata)
  • Payment transaction metadata (no cardholder data is stored by ApexPitCore; card payments are processed by Stripe, a PCI DSS Level 1 service provider)
  • Appointment and scheduling records
  • Photos and files uploaded during inspections or repair orders

Processing is performed for the purpose of providing the ApexPitCore platform to enable shop owners to manage their vehicle repair operations.

3. Processor Obligations

ApexPitCore LLC agrees to:

  • Process personal data only on documented instructions from the Controller (i.e., use of the platform features as configured by the Controller)
  • Ensure persons authorized to process personal data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organizational security measures (see our Security page at apexpitcore.com/legal/security)
  • Assist the Controller in responding to data subject rights requests using the tools provided in the platform
  • Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data
  • Delete or return all personal data upon termination of the service, subject to applicable legal retention requirements
  • Make available information necessary to demonstrate compliance with this DPA upon reasonable request
  • Not engage new subprocessors without providing prior notice as described in Section 4

4. Subprocessors

ApexPitCore engages the subprocessors listed at apexpitcore.com/legal/subprocessors. ApexPitCore will notify Controllers of new subprocessors with at least 30 days' advance notice via email or in-platform notification.

Controllers may object to a new subprocessor by emailing [email protected] within 14 days of receiving notice. If ApexPitCore cannot provide the service without the new subprocessor and a reasonable alternative cannot be agreed upon, either party may terminate the agreement with 30 days' written notice.

ApexPitCore enters into written agreements with all subprocessors imposing data protection obligations at least as protective as those in this DPA.

5. Security Measures

ApexPitCore implements the following categories of security measures:

  • Encryption in transit (TLS 1.2+) and encryption at rest for sensitive fields
  • Role-based access control and multi-factor authentication
  • Audit logging for all significant data operations
  • Intrusion monitoring and security event logging
  • Automated backup and tested restore procedures
  • Vulnerability management and dependency scanning
  • Access controls ensuring only authorized personnel access customer data

See apexpitcore.com/legal/security for full details.

6. Breach Notification

ApexPitCore will notify affected Controllers of a personal data breach without undue delay, and in any event within 72 hours of becoming aware of it. The initial notification will include:

  • Nature of the breach
  • Categories and approximate number of records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

For California residents, breach notification will comply with California Civil Code § 1798.82 and applicable regulations. ApexPitCore will cooperate with Controllers in their own breach notification obligations.

7. Data Subject Rights Assistance

ApexPitCore provides platform tools (data export, customer deletion, correction) to help Controllers respond to data subject rights requests. For requests that cannot be fulfilled through the platform, contact [email protected]. ApexPitCore will respond to such requests within 5 business days.

8. Return and Deletion of Data

Upon termination of the subscription, Controllers may export their data for 30 days using the platform's export tools. After that period, ApexPitCore will delete or anonymize personal data within 90 days of the export window closing, except where retention is required by applicable law (e.g., financial records retained for 7 years per IRS guidelines).

ApexPitCore will provide written confirmation of deletion upon written request from the Controller.

9. Audits

ApexPitCore will make available information necessary to demonstrate compliance with this DPA and allow for reasonable audits by Controllers or their authorized agents, subject to: (a) at least 30 days' written notice; (b) execution of a mutual NDA; and (c) audit costs being borne by the Controller. Audits may not occur more than once per 12-month period absent a suspected breach.

10. Limitation of Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service, Section 11.

11. Contact and Execution

To request a countersigned copy of this DPA for enterprise compliance purposes, or to ask questions about data processing, contact [email protected].

ApexPitCore LLC · [REGISTERED ADDRESS]