Data Processing Agreement

Last updated: July 2, 2026

Softserve Software LLC d/b/a Car Storage Software

1. Introduction and Parties

This Data Processing Agreement (“DPA”) forms part of the agreement between Softserve Software LLC, a Florida limited liability company doing business as Car Storage Software (carstoragesoftware.com) (“Processor,” “we,” “us”) and the storage facility or other business customer (“Controller,” “you”) that subscribes to our car storage facility management software (the “Service”) under our Terms of Service (the “Agreement”).

This DPA applies to the extent we process personal data on your behalf that is subject to applicable data protection laws, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the Swiss FADP, PIPEDA (Canada), and applicable US state privacy laws (collectively, “Data Protection Laws”). Where we process such data, you act as the controller (or a processor acting on behalf of another controller) and we act as your processor (or sub-processor, or “service provider” under US state laws).

This DPA is incorporated into the Agreement by reference and applies automatically to all customers. If you require a countersigned copy for your records, email matt@carstoragesoftware.com.

2. Scope and Details of Processing

  • Subject matter: provision of the Service — facility management, customer and vehicle records, scheduling, billing, communications, and related features.
  • Duration: the term of the Agreement, plus the deletion window described in our Data Retention and Disposal Policy.
  • Nature and purpose: hosting, storage, transmission, analysis (including AI-assisted photo and document processing you enable), and display of Customer Data to provide the Service.
  • Categories of data subjects: your customers and their contacts, your staff and other authorized users, vendors, and other individuals whose data you submit to the Service.
  • Categories of personal data: names, contact details, addresses, vehicle and insurance details, photos, billing and payment metadata, communications, appointment and usage records. The Service is not designed for special categories of data (Art. 9 GDPR), and you agree not to submit them.

3. Processor Obligations (GDPR Art. 28)

We will:

  • process personal data only on your documented instructions (including the Agreement, your configuration of the Service, and your use of its features), unless required by law — in which case we will inform you unless legally prohibited;
  • ensure persons authorized to process personal data are bound by confidentiality obligations;
  • implement appropriate technical and organizational measures (Section 5 and our Information Security Policy);
  • respect the sub-processor conditions in Section 4;
  • taking into account the nature of the processing, assist you with data subject requests (Section 6) and with your obligations under Articles 32–36 GDPR (security, breach notification, and data protection impact assessments);
  • delete or return personal data at the end of the engagement (Section 8);
  • make available information necessary to demonstrate compliance and allow for and contribute to audits as described in Section 9;
  • inform you immediately if, in our opinion, an instruction infringes Data Protection Laws.

Where US state privacy laws apply, we act as your “service provider” / “processor”: we do not sell or share personal data, do not retain, use, or disclose it other than to provide the Service or as permitted by law, and will notify you if we can no longer meet these obligations.

4. Sub-processors

You provide general written authorization for us to engage sub-processors to provide the Service. Our current sub-processors are listed on our Subprocessor List.

  • We impose data protection obligations on each sub-processor that are materially equivalent to this DPA, and remain liable for their performance.
  • We will update the Subprocessor List before adding or replacing a sub-processor. You may subscribe to change notifications by emailing matt@carstoragesoftware.com.
  • You may object on reasonable data protection grounds within 30 days of a change notice. If we cannot address your objection, you may terminate the affected services and receive a pro-rata refund of prepaid fees.

5. Security

We implement and maintain appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (Art. 32 GDPR), including:

  • encryption of personal data in transit (TLS) and at rest;
  • role-based, least-privilege access controls and tenant isolation;
  • multi-factor authentication for administrative access to production systems;
  • security audit logging of privacy- and security-relevant events;
  • regular automated backups with defined retention;
  • secure development, dependency review, and security testing practices.

A detailed description is available in our Information Security Policy and Access Controls Policy.

6. Assistance with Data Subject Rights

The Service includes self-service tools that let account holders view and correct their profile, export their personal data, and delete their account. For requests you receive directly (access, rectification, erasure, restriction, portability, objection), we will provide reasonable assistance, taking into account the nature of the processing.

If a data subject contacts us directly about data you control, we will direct them to you and will not respond substantively without your authorization unless legally required.

7. Personal Data Breach Notification

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting your personal data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed. We will provide timely updates as the investigation progresses and cooperate with your notification obligations under Articles 33–34 GDPR.

8. Return and Deletion of Data

During the term, you can export Customer Data through the Service. Upon termination, we will, at your choice, return or delete personal data in accordance with our Data Retention and Disposal Policy, unless applicable law requires continued storage. Data in encrypted backups is deleted on the backup expiry schedule described in that policy.

9. Audits

Upon written request (no more than once per year, absent a personal data breach or regulator requirement), we will make available documentation reasonably necessary to demonstrate compliance with this DPA — including our security and retention policies and summaries of third-party assessments. Where this is insufficient, we will allow an audit by you or your independent auditor, subject to reasonable notice, scope, confidentiality, and cost allocation.

10. International Transfers

We are based in the United States and process personal data there and in other countries where our sub-processors operate. Where personal data protected by the GDPR, UK GDPR, or Swiss FADP is transferred to a country without an adequacy decision:

  • the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914, Module Two — controller to processor, and Module Three — processor to processor) are incorporated into this DPA by reference, with you as data exporter and us as data importer;
  • for UK transfers, the UK International Data Transfer Addendum to the SCCs applies; for Swiss transfers, the SCCs apply as adapted by the FDPIC's requirements;
  • where a sub-processor is certified under the EU–U.S. Data Privacy Framework (and UK and Swiss extensions), we may rely on that certification for the onward transfer.

For the purposes of the SCCs: Clause 7 (docking) is included; Clause 9 option 2 (general authorization, 30 days' notice) applies; Clause 11 optional language is excluded; Clause 17 — the clauses are governed by Irish law; Clause 18 — disputes are resolved in the courts of Ireland. Annex I is completed by Section 2 of this DPA and the Agreement; Annex II by Section 5; Annex III by our Subprocessor List.

11. General

  • Each party's liability under this DPA is subject to the limitations of liability in the Agreement.
  • If there is a conflict between this DPA and the Agreement regarding the processing of personal data, this DPA controls; the SCCs control over both where they apply.
  • We may update this DPA to reflect changes in law or the Service; material changes will be notified as described in the Agreement.

Contact

Questions about this DPA or requests for a countersigned copy:

Softserve Software LLC

d/b/a Car Storage Software (carstoragesoftware.com)

Email: matt@carstoragesoftware.com

Address: 3343 Port Royale Dr S, Fort Lauderdale, FL 33308