EasyRecon Data Processing Agreement
This DPA applies when EasyRecon processes Customer Data on behalf of a dealership customer under the Customer Terms or a signed order form.
1. Parties and Scope
- This Data Processing Agreement is between EasyRecon LLC as processor/service provider and the customer identified in the applicable Customer Terms, order form, signup record, or subscription agreement as controller/business.
- This DPA applies only to Personal Data that EasyRecon processes on behalf of Customer as Customer Data through the Service.
- If this DPA conflicts with the Customer Terms, this DPA controls only for the data processing topics it covers.
2. Definitions
- Customer Data means data, content, records, files, messages, photos, and information submitted to or generated in the Service by or on behalf of Customer.
- Personal Data means Customer Data relating to an identified or identifiable natural person.
- Processing means any operation performed on Personal Data, including collection, storage, use, access, disclosure, transmission, deletion, or return.
- Security Incident means a confirmed unauthorized access to, or disclosure, alteration, or destruction of, Personal Data under EasyRecon's control.
- Subprocessor means a third-party provider engaged by EasyRecon to process Personal Data to provide the Service.
3. Processing Instructions
- Customer instructs EasyRecon to process Personal Data to provide, secure, maintain, support, troubleshoot, bill, and improve the Service, and as otherwise permitted by the Customer Terms and this DPA.
- EasyRecon will process Personal Data only on Customer's documented instructions unless required by law.
- Customer is responsible for the lawfulness of Customer's instructions and for providing required notices and obtaining required consents from data subjects.
4. Data Subjects and Data Categories
- Data subjects may include dealership employees, contractors, administrators, vendors, service providers, customers, vehicle owners, website visitors, support contacts, and other people whose data Customer submits to the Service.
- Personal Data may include names, work emails, phone numbers, job titles, dealership roles, login identifiers, IP addresses, user activity, communication metadata, message content, vehicle-related identifiers, VINs, photos, notes, attachments, service/recon records, approvals, timestamps, billing contacts, support content, and technical logs.
- Special categories of sensitive data are not required for normal use and should not be submitted unless Customer has a lawful basis and EasyRecon has agreed in writing where required.
5. Confidentiality and Access
- EasyRecon will restrict Personal Data access to personnel and providers who need access to provide, secure, support, or maintain the Service.
- EasyRecon personnel with access to Personal Data will be subject to confidentiality obligations.
- EasyRecon will use reasonable internal access controls appropriate for its size, stage, systems, and risk profile.
6. Security Measures
- EasyRecon will maintain reasonable administrative, technical, and organizational measures designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction.
- Measures may include HTTPS/TLS in transit, provider-supported encryption at rest, authentication controls, role-based permissions, least-privilege internal access, logging, monitoring, backups, incident response procedures, and vendor security review.
- Customer is responsible for account-side security, including user provisioning, permissions, endpoint/device security, password hygiene, and prompt removal of unauthorized users.
7. Subprocessors
- Customer authorizes EasyRecon to use subprocessors to provide the Service.
- Authorized subprocessors may include, as applicable: Clerk for authentication; Railway or similar hosting infrastructure; Neon or similar database hosting; Stripe for payment and billing; Twilio for SMS and messaging; Sentry or similar monitoring; Anthropic or similar AI processing; object storage providers; email/support providers; and security/infrastructure providers.
- EasyRecon will require subprocessors to protect Personal Data under terms materially consistent with this DPA for the services they provide.
- EasyRecon remains responsible for subprocessors' processing of Personal Data under this DPA.
- EasyRecon may add or replace subprocessors as the Service evolves and will provide notice of material changes through email, in-app notice, posting, or other reasonable method.
8. Security Incident Notice
- EasyRecon will notify Customer without undue delay after confirming a Security Incident involving Customer Personal Data.
- Notice will include information reasonably available to EasyRecon, such as the nature of the incident, affected data categories, known impact, mitigation steps, and contact information for follow-up.
- EasyRecon will take reasonable steps to investigate, contain, and remediate confirmed Security Incidents.
- Notifications are not admissions of fault or liability.
9. Data Subject Requests
- Customer is responsible for responding to data subject requests where Customer controls the Personal Data.
- EasyRecon will provide reasonable assistance, taking into account the nature of the Service, to help Customer respond to access, correction, deletion, portability, objection, or similar requests.
- If EasyRecon receives a request directly about Customer Data, EasyRecon may redirect the requester to Customer unless legally required to respond.
10. Return and Deletion
- During the subscription term and for 30 days after termination, Customer may request export of Customer Data in a reasonable machine-readable format.
- After the export period, EasyRecon may delete or anonymize Customer Data from production systems unless retention is required for legal, billing, security, backup, compliance, or dispute purposes.
- Backups may retain Customer Data for a limited period under normal backup and disaster recovery schedules before deletion or overwrite.
- Upon reasonable request, EasyRecon may confirm completion of production deletion, subject to backup and legal retention limits.
11. Audits and Information
- Upon reasonable written request, EasyRecon will provide information reasonably necessary to demonstrate compliance with this DPA, such as completed security questionnaires, summaries of controls, or relevant third-party documentation where available.
- On-site audits are not available unless required by applicable law or separately agreed in writing.
- Customer must not use audit rights to access data of other customers, confidential infrastructure details, trade secrets, or information that would create security risk.
12. International Transfers
- EasyRecon is based in the United States and the Service is generally operated from the United States and by U.S.-based providers unless otherwise disclosed.
- If Customer Personal Data is transferred internationally in a way that requires a transfer mechanism, the parties will use an appropriate mechanism, such as standard contractual clauses or another lawful mechanism, where required.
13. Liability, Term, and Governing Law
- Liability under this DPA is subject to the limitation of liability in the Customer Terms unless applicable law requires otherwise.
- This DPA remains in effect for as long as EasyRecon processes Personal Data on behalf of Customer.
- This DPA is governed by the law and dispute resolution terms in the Customer Terms.