1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person processed under the agreement.
- Processing: Any operation performed on Personal Data, automated or not.
- Sub-processor: A third party engaged by Processor to process Personal Data on its behalf.
- SCCs: European Commission Standard Contractual Clauses (2021/914) and the U.K. International Data Transfer Addendum where applicable.
2. Roles and scope
- Controller determines purpose and means; Processor processes Personal Data only on documented Controller instructions reflected in the agreement, the platform configuration, and Controller's lawful use of the service.
- Subject matter, duration, nature, and types of data are described in Schedule 1 of the order; categories typically include business contacts, sourcing data, and workflow records.
3. Security measures
- TLS 1.2+ in transit; AES-256 at rest for primary databases and backups.
- Role-based access control with least privilege; SSO and MFA available.
- Audit logs for administrative and data-access events.
- Annual third-party security testing and continuous internal review.
- Incident-response and notification procedures aligned with the Security Overview.
4. Sub-processors
Processor maintains a list of sub-processors at /legal/subprocessors. Processor obtains general written authorization to engage sub-processors and gives Controller advance notice of changes via the Trust Center, which Controller may object to on reasonable data-protection grounds.
5. International transfers
Where transfers leave the European Economic Area, the United Kingdom, or Switzerland, the parties rely on the SCCs (2021/914), the U.K. IDTA, and the Swiss FADP supplementary clauses. The transfer impact assessment is available on request.
6. Data subject rights
Processor will assist Controller in responding to data subject requests by providing the technical and organizational measures available within the platform (export, deletion, correction). Direct requests received by Processor are forwarded to Controller without action.
7. Return and deletion
On termination, Processor will, at Controller's choice, delete or return Personal Data within 30 days, except where retention is required by law.
8. Audits
Controller may audit Processor's compliance through the Trust Center materials, third-party attestations, or, on reasonable notice and at Controller's expense, through a mutually-agreed independent auditor under confidentiality.
9. U.S. state privacy laws (CPRA / VCDPA / CPA / CTDPA / UCPA)
Processor acts as a 'service provider' / 'processor' under U.S. state privacy laws and is prohibited from selling, sharing for cross-context behavioral advertising, retaining outside the agreement, or combining Personal Data received under the agreement with Personal Data from other sources, except as permitted by law.
PartsPerk LLC · Delaware, United States · Doc /legal/dpa · v1.0
