Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Credit Vault LLC ("Credit Vault") and the business customer that uses the Service ("Customer") and governs the processing of personal data that Credit Vault processes on Customer's behalf in connection with the Service.

If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to personal data processed on behalf of Customer.

1. Roles of the Parties

To the extent Credit Vault processes personal data on behalf of Customer:

• Customer acts as controller, business, or equivalent role under applicable law, as applicable; and
• Credit Vault acts as processor, service provider, vendor, or equivalent role, as applicable.

Customer determines the purposes and means of the processing of personal data it submits to the Service, subject to the functionality of the Service and applicable law.

2. Processing Instructions

Credit Vault will process personal data only:

• to provide, maintain, support, secure, and improve the Service;
• as instructed by Customer through use of the Service or documented agreement;
• as required by applicable law; or
• as otherwise permitted by this DPA or the Terms.

Customer instructs Credit Vault to process personal data for the following purposes:

• account creation and administration;
• store-credit ledger maintenance;
• trade-in processing;
• sales and operational workflows;
• reporting and analytics;
• security and fraud prevention;
• support and troubleshooting; and
• related business operations.

3. Customer Responsibilities

Customer represents and warrants that:

• it has provided all required notices and obtained all required rights, consents, and authorizations to disclose personal data to Credit Vault;
• its instructions comply with applicable law;
• it will not use the Service to process personal data in violation of law; and
• it will not submit personal data for which it lacks a lawful basis to disclose.

Customer is solely responsible for the accuracy, quality, and legality of personal data and for the means by which Customer acquired the data.

4. Confidentiality

Credit Vault will ensure that persons authorized to process personal data are subject to confidentiality obligations appropriate to their role.

5. Security Measures

Credit Vault will implement and maintain reasonable administrative, technical, and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Security measures may include:

• role-based access controls;
• password hashing;
• network and application security controls;
• logging and monitoring;
• access limitation principles;
• vendor management; and
• backup and recovery procedures.

6. Subprocessors

Customer authorizes Credit Vault to engage subprocessors to support the Service, including hosting, storage, email delivery, scheduling, payment processing, analytics, and related services.

Current or anticipated subprocessors may include:

• Vercel;
• Supabase;
• Calendly;
• Google Workspace / Gmail;
• Stripe;
• PriceCharting;
• eBay;
• PSA;
• CGC;
• EasyPost; and
• other vendors reasonably necessary to operate the Service.

Credit Vault will use commercially reasonable efforts to impose appropriate data protection obligations on subprocessors.

7. Data Subject Requests

To the extent legally required and operationally feasible, Credit Vault will reasonably assist Customer in responding to valid data subject, consumer, or end-user requests relating to personal data processed under the Service.

Customer is responsible for verifying the identity of the requesting individual and for deciding whether to honor any request.

8. Deletion and Return

Upon termination of the Service or Customer's account, Credit Vault may delete or anonymize personal data in accordance with its retention practices, unless retention is required by law, dispute preservation obligations, security needs, or legitimate business purposes.

If Customer requests deletion or return of data and such request is feasible, Credit Vault may provide export or deletion services subject to technical limitations, legal requirements, and reasonable administrative fees, if permitted by law.

9. Data Breach Notice

If Credit Vault becomes aware of a confirmed unauthorized acquisition, disclosure, or access involving personal data processed under this DPA, Credit Vault will notify Customer without undue delay and, where required by law, within a commercially reasonable time after confirming the incident.

Customer remains responsible for any statutory notices to regulators, affected individuals, or others, except to the extent Credit Vault is legally required to provide such notices directly.

10. Audit

Customer may request reasonable information necessary to demonstrate compliance with this DPA, subject to:

• confidentiality;
• security;
• privilege;
• third-party restrictions;
• reasonable frequency limits; and
• operational burden.

Any on-site audit right must be expressly agreed in writing and may be subject to strict limitations.

11. Cross-Border Transfers

To the extent personal data is transferred across borders, the parties will rely on lawful transfer mechanisms as applicable. Customer authorizes such transfers to the extent necessary to operate the Service.

12. Liability

Credit Vault will not be liable for:

• Customer's failure to provide adequate notices or obtain valid consent;
• Customer's unlawful instructions;
• Customer's misuse of the Service;
• Customer's failure to honor its own privacy obligations; or
• matters outside Credit Vault's reasonable control.

Any liability relating to this DPA is subject to the limitations of liability in the Terms, except where prohibited by law.

13. Term and Survival

This DPA remains in effect for so long as Credit Vault processes personal data on Customer's behalf. Sections concerning confidentiality, deletion, liability, and dispute resolution survive termination to the extent necessary.

14. Miscellaneous

This DPA may be updated to reflect changes in law, regulatory guidance, or the Service. If a material change is required, Credit Vault may provide notice and, where required, Customer's continued use of the Service after notice will constitute acceptance.

15. Contact

Credit Vault LLC
PO Box 284
Winchester, KY 40391
Support@creditvaultapp.com