This Data Processing Addendum (“Addendum”) forms part of, and is incorporated into, any applicable agreement, order, invoice, proposal, campaign agreement, service agreement, or other written or electronic arrangement between Go2BDC (“Go2BDC,” “Processor,” “Service Provider,” “Contractor,” “we,” “us,” or “our”) and the client, business, dealership, group, operator, or other entity purchasing or using Go2BDC services (“Client,” “Controller,” or “Business”), to the extent Go2BDC processes personal information or personal data on behalf of Client in connection with the services.

This Addendum applies only to the extent applicable law requires contractual terms governing the processing of personal data, personal information, or similar regulated information by a processor, service provider, or contractor on behalf of a controller, business, or similar client entity. To the extent Go2BDC processes personal data solely on behalf of Client and under Client’s instructions, the parties agree that Client acts as the controller or business for that data and Go2BDC acts as the processor, service provider, or contractor, as applicable under law.

The subject matter of the processing under this Addendum is the performance of the services purchased by Client from Go2BDC, which may include managed activation, campaign execution, CRM activation, database reactivation, audience handling, appointment-setting support, communications support, reporting, onboarding, coordination, and related operational services. The duration of the processing is the period during which Go2BDC provides the applicable services to Client, together with any limited retention period reasonably necessary for compliance, documentation, security, backup, dispute resolution, legal obligations, enforcement of rights, or other purposes permitted by law and applicable agreement.

The nature and purpose of the processing may include receiving, storing, organizing, structuring, reviewing, using, transmitting, documenting, suppressing, cleaning, validating, coordinating, reporting on, or otherwise handling personal data as reasonably necessary to perform the services for Client, maintain service records, protect systems, support operations, and meet legal or contractual obligations. The categories of personal data processed may vary depending on the services and may include identifiers, contact information, business contact information, CRM records, lead data, communications history, appointment activity, engagement data, sales attribution data, device or technical data associated with service workflows, and similar commercial or consumer-related information provided by or for Client. The categories of data subjects may include Client’s customers, prospects, leads, employees, representatives, vendors, website users, business contacts, and other individuals whose data is provided to Go2BDC by or on behalf of Client in connection with the services.

Go2BDC shall process personal data only on documented instructions from Client, unless otherwise required by applicable law. Client instructs Go2BDC to process personal data as necessary to provide the services, to comply with applicable law, to preserve the integrity and security of systems and services, to prevent fraud or unlawful activity, to maintain records reasonably necessary for business and legal purposes, and to carry out other processing activities expressly authorized by the underlying agreement or by Client’s documented instructions. Client represents and warrants that it has all necessary rights, permissions, notices, disclosures, and legal bases required to provide personal data to Go2BDC for processing in connection with the services.

Client remains solely responsible for determining the lawfulness of the collection and use of personal data submitted to Go2BDC, including the lawfulness of Client’s notices, consent practices, privacy disclosures, consumer rights responses, website disclosures, form language, marketing practices, text messaging practices, and business purpose determinations, unless expressly stated otherwise in a separate written agreement signed by Go2BDC. Go2BDC does not assume Client’s role as controller, business, or owner of the underlying customer relationship merely by providing services.

Go2BDC shall ensure that persons authorized to process personal data on its behalf are subject to appropriate obligations of confidentiality, whether by contract, policy, professional duty, or other enforceable obligation. Go2BDC shall take commercially reasonable steps to limit access to personal data to those persons who require such access for legitimate service, support, compliance, security, documentation, or operational purposes.

Go2BDC shall implement and maintain commercially reasonable administrative, technical, and organizational measures designed to protect personal data against unauthorized or unlawful access, destruction, loss, alteration, disclosure, misuse, or other compromise, taking into account the nature of the data, the risks presented by the processing, the state of available technology, and the nature of the services provided. Nothing in this Addendum shall be construed as a representation that Go2BDC can guarantee absolute security or prevent every incident, compromise, or unauthorized act.

To the extent required by applicable law and taking into account the nature of the processing, Go2BDC shall provide commercially reasonable assistance to Client in responding to verified consumer or data subject requests that Client is legally required to honor, provided that Client remains responsible for receiving, validating, and responding to such requests unless applicable law expressly requires otherwise. If Go2BDC receives a request directly from a consumer or data subject relating to personal data processed on behalf of Client, Go2BDC may, as permitted by law, refer the request to Client, deny the request where permitted, or take such other action as is reasonably appropriate under the circumstances and applicable law.

To the extent required by applicable law and taking into account the nature of the processing and the information available to Go2BDC, Go2BDC shall provide commercially reasonable assistance to Client with respect to Client’s compliance obligations relating to security, breach response, legally required assessments, and consultations with regulators, in each case only to the extent such obligations are applicable to the services and only to the extent the requested assistance is reasonable, proportionate, and based on information available to Go2BDC.

Client authorizes Go2BDC to engage subprocessors, subcontractors, vendors, software providers, hosting providers, communications providers, data tools, analytics providers, support providers, and other third parties as reasonably necessary to provide the services. Go2BDC shall impose appropriate contractual or legal obligations on such subprocessors with respect to personal data to the extent required by applicable law. Client acknowledges and agrees that third-party providers may change over time in the ordinary course of business and service delivery.

Upon expiration or termination of the applicable services, Go2BDC shall, upon Client’s documented request and to the extent required by applicable law, delete or return personal data processed on behalf of Client, unless retention is required or permitted by law, required for the establishment, exercise, or defense of legal claims, required for security, backup, fraud prevention, or compliance purposes, or reasonably necessary to maintain records of business activity, consents, opt-outs, suppression lists, billing, enforcement rights, or other legitimate business and legal interests. Client acknowledges that complete deletion from all systems may not be immediate where data remains in secure backups, archived systems, logs, or disaster recovery environments, provided that such retained data remains protected and is not used except as permitted by law.

To the extent required by applicable law, Go2BDC shall make available to Client information reasonably necessary to demonstrate Go2BDC’s compliance with this Addendum, provided that such information shall be subject to reasonable confidentiality, proportionality, security, and privilege protections. Any audit, assessment, or review requested by Client shall be limited to what is reasonably necessary under applicable law, shall occur no more than once in any twelve-month period unless required by law or triggered by a documented security incident, shall be conducted during normal business hours upon reasonable prior written notice, shall avoid disruption to Go2BDC’s operations, systems, personnel, and other clients, and may be satisfied through existing documentation, summaries, certifications, questionnaires, or independent assessment materials made available by Go2BDC, where appropriate. Client shall bear all costs of any audit or assessment requested by Client unless applicable law expressly requires otherwise.

Go2BDC does not sell personal data processed on behalf of Client for money. Where Go2BDC processes personal information as a service provider or contractor under applicable California law, Go2BDC shall not retain, use, or disclose such personal information outside of the direct business relationship with Client or for any purpose other than the business purposes and services specified in the applicable agreement and as otherwise permitted by law. Go2BDC may use personal information for internal purposes permitted by law, including security, fraud prevention, quality control, service improvement that does not build or modify consumer profiles for unrelated purposes, legal compliance, and other uses expressly permitted by applicable law.

Client shall not disclose to Go2BDC any sensitive personal data, protected health information subject to HIPAA, payment card data requiring PCI-specific handling, Social Security numbers, driver’s license numbers, financial account credentials, or other highly sensitive regulated data unless the parties have expressly agreed in writing to such processing and have implemented any required contractual, technical, and operational controls. If such data is disclosed without authorization, Go2BDC may delete it, refuse to process it, suspend affected services, or require additional terms before continuing.

Each party shall comply with the obligations applicable to it under law. Client remains responsible for the accuracy, quality, legality, and authorized use of personal data and for the means by which Client acquired the personal data. Client shall defend, indemnify, and hold harmless Go2BDC from and against claims, investigations, actions, damages, liabilities, fines, penalties, costs, and expenses, including reasonable attorneys’ fees, arising out of or relating to Client’s instructions, Client’s data, Client’s notices, Client’s consent practices, Client’s consumer rights handling, Client’s compliance failures, or Client’s breach of this Addendum or applicable law.

Nothing in this Addendum requires Go2BDC to disclose information that is protected by attorney-client privilege, work product doctrine, trade secret protection, security confidentiality, or obligations owed to other clients or third parties. Nothing in this Addendum expands Go2BDC’s obligations beyond those required by applicable law and the underlying agreement. In the event of a conflict between this Addendum and the underlying agreement, this Addendum shall control only with respect to the subject matter of data processing to the extent required by applicable law; otherwise, the underlying agreement shall control.

This Addendum shall be governed by the laws of the State of New Jersey, without regard to conflict-of-law principles, except to the extent a specific privacy law mandatorily applies to the processing at issue. Any dispute arising out of or relating to this Addendum shall be resolved in accordance with the dispute resolution, venue, and forum provisions of the underlying agreement or, if none exists, exclusively in the state or federal courts located in New Jersey.

Go2BDC may update this Data Processing Addendum from time to time. The version in effect at the time of Client’s acceptance of the applicable services, payment, or written agreement shall govern unless otherwise required by law or expressly agreed in writing.

If you have questions regarding this Data Processing Addendum, please contact Go2BDC through https://go2bdc.com.