AutoCents™ Data Processing Agreement

Version: 2.0 | Last Updated: September 1, 2025

Your Data Privacy Matters to Us

At AutoCents™, we understand that your data is valuable and personal. This Data Processing Agreement outlines our commitment to protecting your information with the highest standards of security and privacy.

Trust & Transparency

We process your data only for the specific purposes of providing our services to you. We never sell your personal information or use it for advertising purposes outside of our direct relationship with you.

Security First

We implement industry-leading security measures including encryption, access controls, and continuous monitoring to protect your data from unauthorized access or misuse.

Your Rights Matter

We support your rights to access, correct, or delete your personal information, and we're here to help you exercise those rights quickly and easily.

Our Commitments to You

Limited Use: We only process your data to provide AutoCents services and support
No Data Sales: We never sell, rent, or share your personal information for profit
Strong Security: We maintain comprehensive technical and organizational safeguards
Quick Response: We respond to data incidents and your requests promptly
Legal Compliance: We meet or exceed all applicable privacy law requirements
Clear Communication: We notify you of any changes that might affect your data

Questions or Concerns? Our privacy team is available to answer any questions about how we protect your data. You can reach us at privacy@speedlimit.com or through your account dashboard.

Table of Contents

Legal Framework

Security & Compliance

Legal & Liability

Operations & Governance

Parties

This Data Processing Agreement ("DPA") is entered into between:

Processor: Nitron Digital LLC d/b/a AutoCents™ Smart Vehicle Analytics
Address: 923 ELM ST, PMB 23, MANCHESTER, NH 03101
("AutoCents," "Processor," "we," "us," or "our")

Controller: The customer entity identified in the AutoCents™ Terms of Service
("Customer," "Controller," "you," or "your")

1. FOUNDATIONAL PROVISIONS

1.1 Relationship to Master Agreement

This DPA supplements and is incorporated into the AutoCents™ Terms of Service or other master service agreement between the parties (the "Agreement"). In case of conflict between this DPA and the Agreement regarding data protection matters, this DPA shall control.

1.2 Scope of Application

This DPA applies to Personal Data processed by AutoCents on behalf of Customer in connection with the provision of AutoCents services, where such processing is subject to US federal privacy laws, the New Hampshire Privacy Act, or other applicable state privacy laws.

1.3 Effective Date and Term

This DPA becomes effective when Customer accepts the AutoCents Terms of Service and remains in effect until termination of the Agreement or earlier termination of data processing activities.

2. DEFINITIONS

For purposes of this DPA:

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

"Authorized Sub-processor" means a third-party service provider listed in Appendix A or subsequently authorized pursuant to Section 6 to assist AutoCents in processing Personal Data.

"Controller" means the entity that determines the purposes and means of processing Personal Data. Customer acts as Controller for Personal Data submitted to AutoCents services.

"Data Protection Laws" means all applicable US federal laws (including Section 5 of the Federal Trade Commission Act, 15 U.S.C. §45, and the Children's Online Privacy Protection Act, 15 U.S.C. §§6501-6506), the New Hampshire Privacy Act (RSA 507-H), and other applicable state privacy laws, as amended from time to time.

"Data Subject" means an identified or identifiable individual to whom Personal Data relates.

"Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including but not limited to the definition of "personal information" under applicable state privacy laws.

"Processing" means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Processor" means an entity that processes Personal Data on behalf of a Controller. AutoCents acts as Processor for Personal Data processed pursuant to this DPA.

"Security Incident" means any actual or suspected unauthorized access to, acquisition of, use of, or disclosure of Personal Data that compromises the security, confidentiality, or integrity of Personal Data.

"Services" means the AutoCents Smart Vehicle Analytics platform and related services provided under the Agreement.

3. DATA PROCESSING PRINCIPLES

3.1 Processing Limitations

AutoCents shall:

  • Process Personal Data solely on behalf of and in accordance with Customer's documented instructions as set forth in this DPA and the Agreement
  • Not process Personal Data for any purpose other than providing the Services to Customer
  • Not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data to third parties for monetary or other valuable consideration
  • Not use Personal Data for AutoCents' own commercial purposes, including targeted advertising, building user profiles, or enhancing AutoCents' own products or services outside the scope of Services provided to Customer
  • Not retain Personal Data longer than reasonably necessary to fulfill the purposes for which it was collected

3.2 Processing Instructions

Customer instructs AutoCents to process Personal Data for the following purposes:

  • Providing the AutoCents Smart Vehicle Analytics Services as described in the Agreement
  • Technical support and maintenance of the Services
  • Compliance with applicable legal obligations
  • Other processing activities as explicitly authorized by Customer in writing

3.3 FTC Act Compliance

AutoCents acknowledges that:

  • Any material misrepresentation about its data security practices or unfair data handling practices may violate Section 5 of the FTC Act
  • It will implement and maintain reasonable security measures as described in Section 4
  • It will not engage in deceptive practices regarding its handling of Personal Data

3.4 Unlawful Instructions

If AutoCents believes any instruction from Customer violates applicable Data Protection Laws, AutoCents will:

  • Immediately notify Customer in writing
  • Suspend processing of the affected Personal Data until the instruction is clarified or modified
  • Document the incident and resolution

4. SECURITY MEASURES

4.1 Security Requirements

AutoCents shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Data, appropriate to:

  • The volume and nature of Personal Data processed
  • The risks presented by the processing
  • The current state of technology
  • Industry best practices

4.2 Specific Security Measures

AutoCents' security measures include, at minimum:

Technical Measures:

  • • Encryption of Personal Data in transit using TLS 1.3 or equivalent
  • • Encryption of Personal Data at rest using AES-256 or equivalent industry-standard encryption
  • • Multi-factor authentication for all system access
  • • Regular security vulnerability assessments and penetration testing
  • • Intrusion detection and prevention systems
  • • Secure software development practices

Administrative Measures:

  • • Access controls based on principle of least privilege
  • • Background checks for personnel with access to Personal Data
  • • Regular security training for employees
  • • Incident response procedures
  • • Vendor management program for sub-processors

Physical Measures:

  • • Controlled access to facilities and equipment
  • • Environmental controls and monitoring
  • • Secure disposal of equipment and media

4.3 Security Updates

AutoCents shall:

  • Regularly review and update security measures to address new threats
  • Apply security patches and updates in a timely manner
  • Conduct annual security assessments
  • Maintain documentation of security measures and updates

5. SECURITY INCIDENT RESPONSE

5.1 Incident Notification

AutoCents shall notify Customer without unreasonable delay, and in no event later than 72 hours after becoming aware of a Security Incident affecting Customer's Personal Data. Notification shall include:

  • Description of the nature of the Security Incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Contact information for AutoCents' incident response team
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the incident

5.2 Incident Response Cooperation

AutoCents shall:

  • Cooperate with Customer's reasonable requests for information about the Security Incident
  • Assist Customer in investigating the incident
  • Take reasonable measures to mitigate harm from the incident
  • Provide updates as the investigation progresses
  • Assist Customer in meeting any notification obligations to Data Subjects or regulatory authorities

6. SUB-PROCESSORS

6.1 Authorized Sub-processors

Customer authorizes AutoCents to engage the sub-processors listed in Appendix A. AutoCents shall:

  • Impose data protection obligations on sub-processors that are no less protective than those in this DPA
  • Ensure sub-processors comply with applicable Data Protection Laws
  • Remain fully liable for sub-processors' compliance with data protection obligations

6.2 New Sub-processors

AutoCents may engage new sub-processors provided:

  • AutoCents provides at least 30 days' prior written notice to Customer
  • Customer may object to the new sub-processor within 30 days if it has reasonable grounds related to data protection
  • If Customer objects and no resolution is reached, Customer may terminate the affected Services

7. DATA SUBJECT RIGHTS

7.1 Rights Support

AutoCents shall assist Customer in fulfilling Data Subject requests to exercise rights under applicable Data Protection Laws, including:

  • Access to Personal Data
  • Correction of inaccurate Personal Data
  • Deletion of Personal Data
  • Restriction of processing
  • Data portability
  • Opt-out of sale or targeted advertising

7.2 Direct Requests

If AutoCents receives a direct request from a Data Subject:

  • AutoCents shall promptly notify Customer
  • AutoCents shall not respond directly without Customer's written authorization
  • AutoCents shall provide reasonable assistance to Customer in responding

8. LIABILITY AND RISK ALLOCATION

IMPORTANT:

Any liability arising under this DPA shall be subject to the limitation of liability provisions in the Agreement. The parties acknowledge that liability for data protection matters should be allocated based on each party's specific responsibilities and control over the processing.

8.1 Limitation of Liability

AutoCents' liability to Customer under this DPA is limited to direct damages actually caused by:

  • AutoCents' material breach of its specific obligations under this DPA
  • AutoCents' failure to implement required security measures as specified in Section 4
  • AutoCents' processing of Personal Data outside the scope of Customer's documented instructions

9. NEW HAMPSHIRE PRIVACY ACT COMPLIANCE

New Hampshire Residents:

For Personal Data subject to the New Hampshire Privacy Act (RSA 507-H), AutoCents shall assist Customer in responding to consumer rights requests within 45 days as required by law, maintain reasonable data security practices, and support Customer's data protection assessment obligations.

9.1 Consumer Rights Support

AutoCents shall provide technical assistance to enable Customer to fulfill New Hampshire consumers' rights to:

  • Access their Personal Data
  • Correct inaccurate Personal Data
  • Delete Personal Data
  • Opt-out of processing for targeted advertising
  • Opt-out of sales of Personal Data

10. COPPA COMPLIANCE

Children's Data Protection:

AutoCents' Services are not directed to children under 13. If AutoCents becomes aware that Personal Data of a child under 13 is being processed, AutoCents shall immediately notify Customer and delete such data if directed by Customer or required for legal compliance.

10.1 Enhanced Protection for Children's Data

If any Personal Data relates to children under 13, additional requirements apply:

  • Separate parental consent required for any third-party disclosures
  • Enhanced security measures and monitoring
  • Strict data minimization principles
  • Compliance with updated COPPA Rule requirements

11. DATA TRANSFERS AND RETENTION

11.1 Data Location

Personal Data will be processed and stored primarily in the United States. AutoCents may access Personal Data from other locations for support, maintenance, or disaster recovery purposes, subject to appropriate safeguards.

11.2 Data Retention

AutoCents shall:

  • Retain Personal Data only as long as reasonably necessary to fulfill the purposes in Section 3.2
  • Not retain Personal Data indefinitely
  • Implement automated deletion procedures where technically feasible
  • Provide Customer with information about retention periods upon request

12. COMPLIANCE MONITORING AND AUDITS

12.1 Audit Rights

Customer may audit AutoCents' compliance with this DPA through:

  • Review of AutoCents' compliance documentation
  • Third-party security certifications and reports
  • On-site inspections with 30 days' prior notice (limited to once annually unless there is reasonable suspicion of non-compliance)

13. INSURANCE AND FINANCIAL SAFEGUARDS

13.1 Cyber Liability Insurance

AutoCents shall maintain cyber liability insurance coverage with minimum limits commensurate with the volume and sensitivity of Personal Data processed, including coverage for:

  • Data breach response costs
  • Regulatory fines and penalties
  • Third-party liability claims
  • Business interruption
  • Crisis management and public relations

14. GENERAL PROVISIONS

14.1 Governing Law

This DPA shall be governed by the laws of New Hampshire, except where federal law provides exclusive jurisdiction. Any disputes shall be resolved in the state or federal courts of New Hampshire.

14.2 Amendment

This DPA may only be modified by written agreement signed by both parties. AutoCents may update Appendix A (Sub-processors) in accordance with Section 6.

APPENDIX A: AUTHORIZED SUB-PROCESSORS

AutoCents may engage the following sub-processors to assist in providing the Services:

Sub-processorService FunctionLocation
Microsoft CorporationCloud infrastructure (Azure)United States
Google LLCCloud services and analyticsUnited States
SupabaseDatabase hosting and backend servicesUnited States
Stripe, Inc.Payment processingUnited States
Vercel, Inc.Web hosting and CDNUnited States
Mailgun Technologies, Inc.Email delivery servicesUnited States
SMTP2GO, Inc.Email relay servicesUnited States

Note: AutoCents will update this list in accordance with Section 6.2 when engaging new sub-processors.

Contact Information

For questions regarding this Data Processing Agreement, please contact:

Nitron Digital LLC

Data Protection Officer

Email: privacy@speedlimit.com

Website: https://speedlimit.com