Skip to content
Home » Data Processing Addendum (DPA)

Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) is an addendum to the Eligant AI, LLC Terms and Conditions (“Agreement”) between Eligant AI, LLC (“Processor” or “Eligant”) and the auto shop Professional (“Controller” or “Customer”) who subscribes to the Services. This DPA is effective as of the date the Customer agrees to the Agreement and will terminate automatically upon the termination of the Agreement.

  1. Definitions
  • Controller,” “Processor,” “Data Subject,” “Personal Data,” and “Processing” shall have the meanings given to them in applicable Data Protection Laws.
  • Data Protection Laws” means all applicable data privacy and security laws, including the California Consumer Privacy Act (CCPA) and any other applicable U.S. state or federal laws.
  • Controller Data” means the Personal Data that the Controller inputs into the Services about their own customers (e.g., names, phone numbers, vehicle data). For this data, the Controller is the “Data Controller,” and Eligant is the “Data Processor”.
  • Services” means the services provided by Eligant to the Controller under the Agreement.
  1. Processing of Controller Data
  • 2.1. Roles: The parties acknowledge that for Controller Data, the Customer is the Controller and Eligant is the Processor.
  • 2.2. Subject Matter: The subject matter of the Processing is the provision of the Services to the Controller.
  • 2.3. Duration: The Processing will continue for the duration of the Agreement.
  • 2.4. Purpose: The purpose of the Processing is to provide, maintain, and improve the Services as described in the Agreement and the Privacy Policy .
  • 2.5. Categories of Data Subjects: Data Subjects are the end-customers and clients of the Controller.
  • 2.6. Categories of Personal Data: Controller Data includes identifiers (name, phone number, email), professional information (vehicle details, service history), and any other Personal Data the Controller chooses to input into the Services.
  • 2.7. Processor’s Obligations: Eligant shall:
    a) Process Controller Data only in accordance with the Controller’s lawful, written instructions (including the Agreement and this DPA) and for no other purpose.
    b) Ensure that all Eligant personnel authorized to process Controller Data are bound by a duty of confidentiality.
    c) Implement and maintain the technical and organizational security measures set forth in Appendix A to this DPA.
  1. Sub-processors
  • 3.1. Authorization: The Controller provides a general authorization for Eligant to engage third-party sub-processors to process Controller Data in order to provide the Services.
  • 3.2. Current Sub-processors: The Controller specifically authorizes the engagement of Eligant’s current sub-processors, which include payment processors (Stripe), cloud hosting providers (e.g., AWS), and analytics providers (Google Analytics).
  • 3.3. New Sub-processors: Eligant will provide the Controller with notice of any new sub-processors before they are engaged, and the Controller will have a reasonable opportunity to object.
  • 3.4. Liability: Eligant shall remain responsible for the acts and omissions of its subprocessors to the same extent Eligant would be liable if performing the services of each sub-processor directly.
  1. Data Subject Rights & Assistance
  • Eligant will, to the extent legally permitted, promptly notify the Controller of any request received from a Data Subject to exercise their rights (e.g., access, deletion) under Data Protection Laws. Eligant will provide the Controller with reasonable assistance, at the Controller’s expense, to help the Controller respond to such requests.
  1. Security Incidents
  • Upon becoming aware of a security incident that affects Controller Data, Eligant will notify the Controller without undue delay and provide reasonable cooperation to the Controller in their investigation and response.
  1. Data Deletion
  • Upon termination of the Agreement, Eligant will delete or return all Controller Data in its possession as set forth in the Agreement (e.g., within 30 days), unless required by law to retain it.
  1. Audits
  • Upon reasonable request, Eligant will make available to the Controller information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller (or their auditor), at the Controller’s expense and no more than once per year, to ensure compliance.

Appendix A to the DPA


Technical and Organizational Security Measures


Processor (Eligant) will implement and maintain the following measures:

  1. Access Control: Policies and controls to limit access to systems processing Controller Data to authorized personnel only.
  2. Encryption: Encryption of Controller Data at rest and in transit.
  3. Resilience: Measures to ensure the on-going confidentiality, integrity, availability, and resilience of processing systems (e.g., system backups, disaster recovery plans).
  4. Testing: Regular testing and evaluation of the effectiveness of security measures.
  5. Monitoring: Use of security monitoring tools to detect and respond to potential threats.