Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between AutoChain Limited ("Processor") and the garage, service provider, or third-party system provider ("Controller") that uploads or transfers personal data to the AutoChain platform.

This DPA is entered into in accordance with:

• UK GDPR
• EU GDPR
• Data Protection Act 2018

1. Roles of the Parties

1.1 The Controller determines the purposes and means of processing personal data.

1.2 AutoChain acts as a Data Processor when importing, storing, and managing personal data on behalf of the Controller.

1.3 In limited circumstances (e.g. where AutoChain provides consumer-facing services), AutoChain may act as an independent Data Controller, as described in its Privacy Policy.

2. Scope of Processing

AutoChain processes personal data solely to:

• Import customer, vehicle, and service data from third-party garage systems
• Store and maintain vehicle service records
• Provide access to authorised vehicle owners
• Prevent fraud and preserve service history integrity
• Comply with legal and regulatory obligations

3. Categories of Data Subjects

• Vehicle owners
• Drivers
• Garage customers
• Fleet operators
• Authorised representatives

4. Categories of Personal Data

• Identity data (name, contact details)
• Vehicle identifiers (registration, VIN)
• Service and repair records
• Invoices, receipts, and images
• Garage and technician identifiers
• Metadata related to service history

Special category data is not intentionally processed.

5. Processor Obligations

AutoChain shall:

• Process personal data only on documented instructions from the Controller
• Ensure staff are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures
• Not engage sub-processors without appropriate safeguards
• Assist the Controller with data subject rights requests
• Assist with DPIAs and regulatory inquiries where required
• Delete or return personal data upon termination, unless legally required to retain it

6. Sub-Processors

AutoChain may engage sub-processors for:

• Cloud infrastructure
• Secure storage
• Analytics and monitoring
• Customer support tooling

A current list of sub-processors is available upon request at www.autochain.co.uk/sub-processors. All sub-processors are subject to equivalent data protection obligations.

7. International Transfers

Where personal data is transferred outside the UK or EEA, AutoChain ensures:

• Adequacy regulations apply, or
• Standard Contractual Clauses are in place, or
• Equivalent lawful transfer mechanisms are used

8. Security Measures

Measures include:

• Encryption at rest and in transit
• Role-based access controls
• Audit logging
• Incident detection and response procedures
• Regular security reviews

9. Personal Data Breaches

AutoChain will notify the Controller without undue delay upon becoming aware of a personal data breach and will provide reasonable assistance.

10. Audits

Upon reasonable notice, the Controller may request documentation demonstrating compliance with this DPA.

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the main agreement, except where prohibited by law.