Preamble
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:
Data Controller ("Client"):
The entity that has executed the AUTONOMi Terms of Service and is identified in the associated Order Form.
Data Processor ("AUTONOMi"):
AUTONOMi
Email: gdpr@goautonomi.com
Website: goautonomi.com
Together referred to as the "Parties."
This DPA governs the processing of personal data by AUTONOMi on behalf of the Client in connection with the AUTONOMi platform and services ("Services"). In the event of a conflict between this DPA and the Terms of Service with respect to data processing matters, this DPA shall govern.
Article 1 — Definitions
For the purposes of this DPA:
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Personal Data" has the meaning given in Article 4(1) GDPR.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Data Subject" has the meaning given in Article 4(1) GDPR.
- "Controller" has the meaning given in Article 4(7) GDPR. For the purposes of this DPA, the Client is the Controller.
- "Processor" has the meaning given in Article 4(8) GDPR. For the purposes of this DPA, AUTONOMi is the Processor.
- "Sub-processor" means any third party engaged by AUTONOMi to process Personal Data on the Controller's behalf.
- "Client Data" means all Personal Data submitted to or processed through the Services by or on behalf of the Client.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data.
- "SCCs" means the Standard Contractual Clauses adopted by the European Commission under Decision 2021/914 for transfers of personal data to third countries.
- "EEA" means the European Economic Area.
Article 2 — Subject Matter and Duration
2.1 Subject Matter
AUTONOMi processes Client Data for the sole purpose of providing the Services as described in the Terms of Service and this DPA.
2.2 Duration
This DPA remains in effect for the duration of the Agreement and terminates automatically upon termination or expiry of the Agreement, subject to Article 12 (Return and Deletion of Data).
Article 3 — Nature, Purpose, and Scope of Processing
3.1 Nature of Processing
AUTONOMi processes Client Data by automated means, including:
- Storage, retrieval, and transmission to advertising platforms
- Data matching and audience activation
- Attribution and reporting computations
- Backup and archival storage
3.2 Purpose of Processing
AUTONOMi processes Client Data exclusively for the following purposes:
- Activating first-party CRM and DMS data across advertising platforms (Google, Meta, TikTok, YouTube, Microsoft Advertising, and others) on the Client's behalf
- Generating inventory-specific advertising creative
- Managing multi-channel campaign orchestration
- Providing attribution reporting connecting media spend to business outcomes
- Providing technical support and platform maintenance
3.3 Instructions
AUTONOMi processes Client Data only on documented instructions from the Client, including the instructions set out in this DPA and the Terms of Service. If AUTONOMi is required by EU or member state law to process Client Data beyond the Client's instructions, AUTONOMi will inform the Client of that requirement before processing, unless such law prohibits disclosure on grounds of public interest.
If AUTONOMi believes that an instruction from the Client would violate GDPR or applicable EU law, AUTONOMi will promptly inform the Client.
Article 4 — Categories of Personal Data and Data Subjects
4.1 Categories of Personal Data Processed
| Category | Examples |
|---|---|
| Contact and identity data | Name, email address, phone number |
| Vehicle ownership data | VIN, purchase date, model, trim |
| Service and transaction data | Service history, purchase history, transaction amounts |
| Advertising interaction data | Ad impressions, clicks, conversion events |
| CRM data | Lead records, customer lifecycle stage, sales notes |
| First-party audience identifiers | Hashed emails, phone numbers for platform matching |
4.2 Categories of Data Subjects
| Category | Description |
|---|---|
| Dealership customers | Individuals who have purchased or serviced a vehicle at the Client's dealership |
| Dealership prospects | Individuals identified as potential customers in the Client's CRM |
| Website visitors | Individuals who have visited the Client's website and are tracked via pixel or tag |
| Service customers | Individuals with an open or historical service record at the Client's dealership |
Article 5 — Obligations of AUTONOMi as Processor
AUTONOMi undertakes to:
5.1 Process Only on Instructions
Process Client Data only on documented instructions from the Client, except where required by applicable law.
5.2 Confidentiality
Ensure that personnel authorized to process Client Data are subject to a binding confidentiality obligation with respect to that data.
5.3 Security
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32 and AUTONOMi's Security Policy. See Article 9 for details.
5.4 Sub-processors
Engage Sub-processors only in accordance with Article 7 of this DPA.
5.5 Data Subject Rights
Assist the Client in responding to data subject rights requests, as set out in Article 10.
5.6 Security and Compliance Assistance
Assist the Client in ensuring compliance with GDPR Articles 32–36, including security, breach notification, DPIAs, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to AUTONOMi.
5.7 Deletion or Return
Upon termination of the Agreement, delete or return all Client Data in accordance with Article 12 and at the Client's choice.
5.8 Audit
Make available to the Client all information necessary to demonstrate compliance with GDPR Article 28 obligations, and allow for and contribute to audits and inspections by the Client or a mandated auditor, as set out in Article 11.
Article 6 — Obligations of the Client as Controller
The Client undertakes to:
- Ensure that it has a valid legal basis for processing the personal data it submits to the Services and that it is entitled to transfer or make available such data to AUTONOMi for the purposes of this DPA
- Ensure that all data subjects whose personal data is processed through the Services have been notified of such processing in accordance with GDPR Articles 13 and 14
- Comply with applicable GDPR obligations as a data controller, including maintaining its own privacy notices and processing records
- Ensure that any CRM, DMS, or customer data shared with AUTONOMi complies with all applicable privacy laws in the jurisdictions from which the data originates
- Promptly inform AUTONOMi of any changes to its instructions that may affect AUTONOMi's processing activities
Article 7 — Sub-processors
7.1 Authorization
The Client grants AUTONOMi general written authorization to engage Sub-processors for the purposes set out in this DPA. AUTONOMi maintains a list of current Sub-processors, available upon written request to gdpr@goautonomi.com.
7.2 Current Sub-processors
AUTONOMi currently uses the following categories of Sub-processors who may process Client Data:
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure (e.g., AWS, Google Cloud) | Data storage and compute | United States / EU regions |
| Advertising platforms (Google, Meta, TikTok, LinkedIn, Microsoft) | Campaign delivery and audience matching on Client's behalf | United States |
| Analytics infrastructure | Platform performance monitoring | United States |
| Support and CRM tools (e.g., HubSpot, Intercom) | Customer support operations | United States |
| Email delivery (e.g., SendGrid) | Transactional and notification emails | United States |
A current, specific list of Sub-processors is available upon written request to gdpr@goautonomi.com.
7.3 Changes to Sub-processors
AUTONOMi will provide the Client with 30 days' prior written notice before adding or replacing a Sub-processor. The notice will be provided via email to the Client's registered contact address or published in a documented change log accessible to the Client.
7.4 Objection
The Client may object to a new Sub-processor on reasonable grounds relating to data protection by notifying AUTONOMi in writing within 14 days of the notice. The Parties will work in good faith to resolve the objection. If the objection cannot be resolved and AUTONOMi proceeds with the new Sub-processor, the Client may terminate the Agreement with 30 days' written notice without penalty.
7.5 Sub-processor Obligations
AUTONOMi ensures that each Sub-processor is bound by data protection obligations equivalent to those in this DPA, including appropriate technical and organizational security measures.
Article 8 — International Data Transfers
8.1 Transfers Within the EEA
Processing within the EEA requires no additional transfer mechanism under GDPR.
8.2 Transfers Outside the EEA
Where Client Data is transferred from the EEA to a third country (including the United States), AUTONOMi ensures an appropriate transfer mechanism is in place, including:
- Standard Contractual Clauses (SCCs): The SCCs approved by the European Commission under Decision 2021/914 are incorporated into this DPA by reference and apply to all transfers from the EEA to third countries. The applicable module is Module Two (Controller-to-Processor) for transfers from the Client to AUTONOMi, and Module Three (Processor-to-Processor) for onward transfers from AUTONOMi to Sub-processors.
- Adequacy Decisions: Where the European Commission has adopted an adequacy decision for the destination country, transfers may rely on that decision.
8.3 Transfer Impact Assessment
AUTONOMi has conducted a Transfer Impact Assessment (TIA) for transfers to the United States and other third countries and is satisfied that, taking into account supplementary measures and the nature of the data, the SCCs provide adequate protection. The TIA is available to the Client upon written request.
8.4 Advertising Platform Transfers
Transfers of Client Data to advertising platforms (Google, Meta, TikTok, LinkedIn, Microsoft) are made on the Client's documented instructions for the purpose of campaign delivery. These platforms operate under their own data processing agreements and SCCs. AUTONOMi will provide the Client with relevant references upon request.
Article 9 — Technical and Organizational Security Measures
AUTONOMi implements the following technical and organizational measures, consistent with GDPR Article 32:
9.1 Encryption
- Encryption of Client Data in transit using TLS 1.2 or higher
- Encryption of Client Data at rest using AES-256 or equivalent
- Encryption key management with defined rotation schedules and access controls
9.2 Access Controls
- Role-based access control (RBAC) limiting access to Client Data to authorized personnel
- Multi-factor authentication (MFA) required for all production system access
- Least-privilege access model; access rights reviewed periodically
- Immediate revocation of access upon personnel departure
9.3 Network Security
- Firewalls and network segmentation isolating production environments
- Intrusion detection and monitoring
- All external interfaces protected by TLS
9.4 Availability and Resilience
- Redundant infrastructure to support service availability
- Automated daily backups of Client Data, stored encrypted in separate geographic locations
- Backup restoration tested periodically
9.5 Testing and Assessment
- Regular internal security reviews and vulnerability assessments
- Annual penetration testing by qualified security professionals
- Remediation of identified vulnerabilities based on severity
9.6 Personnel Measures
- Confidentiality obligations for all personnel with access to Client Data
- Annual security awareness training for all staff
- Background screening for personnel in sensitive roles, subject to applicable law
9.7 Physical Security
- Physical access controls at office facilities
- Cloud infrastructure physical security managed by certified cloud providers (SOC 2 / ISO 27001)
AUTONOMi may update security measures over time provided the overall level of security is not materially reduced. Clients may request a current description of security measures at gdpr@goautonomi.com.
Article 10 — Data Subject Rights
10.1 Assistance
AUTONOMi will provide reasonable assistance to the Client in fulfilling data subject rights requests under GDPR Articles 15–22, taking into account the nature of the processing and the information available to AUTONOMi.
10.2 Forwarding Requests
If AUTONOMi receives a data subject rights request relating to Client Data, AUTONOMi will:
- Promptly forward the request to the Client
- Not respond to the request directly unless instructed by the Client or required by law
- Assist the Client in preparing a response if requested
10.3 Erasure and Restriction
AUTONOMi will action documented Client instructions to delete or restrict processing of specific personal data within a reasonable timeframe, subject to any applicable retention obligations.
Article 11 — Audits and Inspections
11.1 Information and Compliance Evidence
AUTONOMi will make available to the Client, upon written request, all information reasonably necessary to demonstrate compliance with this DPA and GDPR Article 28.
11.2 Audit Rights
The Client may conduct audits of AUTONOMi's data processing activities, subject to the following:
- The Client provides 30 days' prior written notice of any audit
- Audits are conducted during normal business hours and no more than once per calendar year (except following a Security Incident)
- The Client bears the costs of the audit unless the audit reveals material non-compliance by AUTONOMi
- The auditor is bound by confidentiality obligations
- The audit does not unreasonably interfere with AUTONOMi's business operations
11.3 Third-Party Certifications
In lieu of a direct audit, AUTONOMi may satisfy the Client's audit requirements by providing third-party audit reports, certifications, or security questionnaire responses (e.g., SOC 2 reports, ISO 27001 certificates, CAIQ responses) where these adequately cover the scope of the Client's inquiry.
Article 12 — Return and Deletion of Data
12.1 Termination
Upon termination or expiry of the Agreement:
- Client Data will be made available for export by the Client for 30 days following the termination date
- Upon expiry of the 30-day export period, AUTONOMi will delete all Client Data from its systems, including backups, unless retention is required by applicable law
12.2 Deletion Certification
Upon written request, AUTONOMi will provide the Client with written confirmation that Client Data has been deleted following the export period.
12.3 Mandatory Retention
Where AUTONOMi is required by EU or member state law to retain certain data beyond the deletion period, AUTONOMi will notify the Client of such requirement and continue to process that data only to the extent required by applicable law.
Article 13 — Security Incidents
13.1 Notification
AUTONOMi will notify the Client without undue delay — and in any event within 48 hours — of becoming aware of a Security Incident affecting Client Data. Notification will be provided to the Client's registered email contact.
13.2 Notification Content
The notification will include, to the extent known at the time:
- Nature of the Security Incident and categories of data affected
- Approximate number of data subjects and records affected
- Likely consequences of the Security Incident
- Measures taken or proposed to address the incident
AUTONOMi may provide this information in stages if it is not all available at the time of initial notification.
13.3 Cooperation
AUTONOMi will cooperate with the Client and provide reasonable assistance in connection with the Client's obligations to notify supervisory authorities and data subjects under GDPR Articles 33 and 34.
13.4 Client Notification Obligations
The Client is responsible for assessing the Security Incident and determining whether notification to supervisory authorities and/or data subjects is required under applicable law. AUTONOMi's notification to the Client does not constitute an acknowledgment that the incident triggers any specific regulatory notification obligation.
Article 14 — Data Protection Impact Assessments
Where the nature of the processing is likely to result in a high risk to data subjects and a DPIA is required under GDPR Article 35, AUTONOMi will provide reasonable assistance to the Client in conducting the DPIA and consulting with supervisory authorities where required under GDPR Article 36, to the extent AUTONOMi has information relevant to the assessment.
Article 15 — Liability
Each Party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service to the maximum extent permitted by applicable law. Nothing in this DPA limits either Party's liability for:
- Willful misconduct or gross negligence
- Death or personal injury caused by negligence
- Any liability that cannot be excluded or limited under applicable law
Article 16 — Governing Law
This DPA is governed by the same governing law as the applicable Terms of Service. For EU clients:
- This DPA is governed by the laws of the applicable EU member state
- EU data subjects retain all statutory rights available to them under GDPR and applicable national law regardless of the governing law of the Terms of Service
The SCCs incorporated herein are governed by the law of the EU member state in which the data exporter (Client) is established, or by the law of the Republic of Ireland where the Client's member state law does not permit this.
Article 17 — Execution
This DPA is incorporated into and forms part of the Terms of Service between AUTONOMi and the Client. By entering into the Terms of Service, the Client agrees to the terms of this DPA.
EU clients requiring a separately executed DPA for compliance or procurement purposes may contact gdpr@goautonomi.com to request a countersigned version.
Annex I — Description of Processing
| Field | Details |
|---|---|
| Controller | The Client (automotive dealership or dealer group) as identified in the Order Form |
| Processor | AUTONOMi (goautonomi.com) |
| Subject matter | Provision of the AUTONOMi automotive growth infrastructure platform |
| Duration | Duration of the Agreement |
| Nature of processing | Storage, retrieval, transmission, data matching, reporting, backup |
| Purpose of processing | Digital advertising activation, campaign management, attribution reporting |
| Categories of personal data | Contact data, vehicle ownership data, service history, CRM records, hashed audience identifiers, advertising interaction data |
| Categories of data subjects | Dealership customers, prospects, website visitors, service customers |
| Frequency of transfer | Continuous during the term of the Agreement |
Annex II — Technical and Organizational Security Measures
The technical and organizational measures described in Article 9 of this DPA are incorporated herein by reference. A full description of AUTONOMi's security measures is available in AUTONOMi's Security Policy at goautonomi.com/security-policy, and in further detail upon written request to gdpr@goautonomi.com.
Annex III — Sub-processors
The Sub-processors authorized under Article 7 of this DPA are those listed in Article 7.2. A current specific list identifying Sub-processor names, locations, and processing activities is available upon written request to gdpr@goautonomi.com and will be updated as changes are made in accordance with Article 7.3.
Annex IV — Standard Contractual Clauses
The Standard Contractual Clauses adopted by the European Commission under Decision 2021/914/EU are incorporated into this DPA by reference:
- Module Two (Controller-to-Processor): Applies to transfers of Client Data from the Client (as Controller and data exporter located in the EEA) to AUTONOMi (as Processor and data importer located outside the EEA, including the United States).
- Module Three (Processor-to-Processor): Applies to onward transfers by AUTONOMi to Sub-processors located outside the EEA.
Clients who require a fully executed copy of the SCCs as a standalone document may request one at gdpr@goautonomi.com. AUTONOMi will execute the SCCs as required under applicable regulatory guidance.
Governing law of SCCs:
The SCCs shall be governed by the law of the EU member state in which the Client (data exporter) is established, or by Irish law where the Client's member state law does not permit this.
Selected options within the SCCs:
- Clause 7 (Docking clause): Not applicable
- Clause 11 (Redress): Optional language on independent redress body not included
- Clause 17 (Governing law): As set out above
- Clause 18 (Choice of forum): Courts of the EU member state governing the SCCs
Contact
For all DPA-related inquiries, execution requests, sub-processor lists, and audit requests:
AUTONOMi GDPR / Legal
Email: gdpr@goautonomi.com
Website: goautonomi.com