CarFai Data Processing Addendum (DPA) — B2B
Effective date: The date this DPA is signed by both parties or, if accepted electronically through the CarFai admin dashboard, the date of acceptance.
1. Parties
This Data Processing Addendum ("DPA") is between:
- Customer ("you" or "Controller") — the entity identified in the CarFai subscription agreement.
- CarFai ("we" or "Processor"); registered address available on request via [email protected].
2. Scope and applicability
This DPA applies to the extent CarFai processes Personal Data (as defined under applicable Data Protection Laws) on behalf of Customer in connection with the CarFai service ("Service"). It supplements and is incorporated into the CarFai Terms of Service.
In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Personal Data.
3. Definitions
- "Data Protection Laws" — GDPR (EU 2016/679), UK GDPR, Swiss FADP, applicable US state privacy laws (CCPA/CPRA, VCDPA, CTDPA, etc.), UAE PDPL, and any other privacy or data protection law applicable to the processing of Personal Data under this DPA.
- "Personal Data", "Controller", "Processor", "Processing", "Data Subject" — as defined in GDPR or the equivalent term in applicable Data Protection Laws.
- "Sub-processor" — any third party engaged by CarFai to process Personal Data.
4. Roles of the parties
- Customer is the Controller of Personal Data uploaded to the Service.
- CarFai is the Processor, acting on Customer's documented instructions (which include the use of the Service in accordance with the Terms of Service).
- Each party shall comply with the obligations applicable to it under Data Protection Laws.
5. Processing details
| Item | Description |
|---|---|
| Subject matter | Provision of the CarFai Service (vehicle and document management, AI advisory, OBD2 integration, multi-vehicle/fleet features) |
| Duration | The term of the subscription, plus 30 days after termination for data deletion |
| Nature and purpose | As described in the Terms of Service: hosting, displaying, processing, transmitting, and analyzing data Customer uploads or generates within the Service |
| Categories of Data Subjects | Customer's authorized users (employees, drivers, contractors, fleet operators, fleet members) |
| Categories of Personal Data | Account information, vehicle and document data, AI conversation history, OBD2 data, usage logs (see Privacy Policy §1 for detailed list) |
| Special categories | None expected. Customer agrees not to upload special-category data (health, biometric, etc.) without notifying CarFai in writing |
6. CarFai's obligations as Processor
CarFai shall:
- Process Personal Data only on Customer's documented instructions, including the instructions implicit in Customer's use of the Service in accordance with the Terms of Service. CarFai will inform Customer if it believes an instruction violates Data Protection Laws.
- Ensure confidentiality: CarFai personnel with access to Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures ("TOMs") to protect Personal Data, as described in Schedule 2 below.
- Engage Sub-processors only as authorized under Section 7.
- Assist Customer in:
  - Responding to Data Subject rights requests (via the in-app Export and Delete flows; for unusual requests, via direct support).
  - Conducting Data Protection Impact Assessments (DPIAs), by providing documentation about the Service's processing.
  - Engaging with supervisory authorities.
  - Notifying Personal Data breaches (per Section 8).
- At Customer's choice, return or delete Personal Data at the end of the agreement, except where retention is required by law (e.g., subscription history for tax compliance, anonymized after the legal retention period).
- Make available information necessary to demonstrate compliance with this DPA, including audit reports of CarFai's controls. Where CarFai holds independent third-party audit reports (e.g., SOC 2, ISO 27001), they may be provided in lieu of permitting on-site audits, except where an on-site audit is required by law.
7. Sub-processors
7.1 Customer authorizes CarFai to engage Sub-processors. The current list as of the effective date is in Schedule 1.
7.2 CarFai shall notify Customer of changes to Sub-processors at least 30 days in advance (via email to the admin contact on file or via in-app notice). Customer may object on reasonable grounds; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Service for material breach.
7.3 CarFai imposes data protection obligations on its Sub-processors that are no less protective than those in this DPA.
7.4 CarFai remains liable to Customer for the performance of its Sub-processors with respect to data protection.
8. Personal Data breaches
CarFai shall:
- Notify Customer without undue delay, and in any case within 48 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data.
- Provide information reasonably required by Customer to comply with its breach-notification obligations (the nature of the breach, categories and approximate numbers of Data Subjects and records concerned, likely consequences, mitigation measures taken).
- Cooperate in good faith with Customer's response.
9. International data transfers
If CarFai transfers Personal Data outside the EEA / UK / Switzerland to a country without an adequacy decision, the parties agree that:
- The European Commission's Standard Contractual Clauses (SCCs) (2021/914) apply, with Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Processor) where relevant.
- The UK Addendum to the SCCs applies for UK transfers.
- For Swiss transfers, the SCCs apply with the adaptations required under the Swiss FADP.
- Both parties will implement supplementary measures as appropriate (e.g., encryption, access controls per Schedule 2).
10. Data Subject rights
CarFai will, taking into account the nature of the processing, provide reasonable assistance to Customer in fulfilling its obligations to respond to Data Subject requests:
- The Service includes self-serve "Export my data" and "Delete account" flows that handle most Data Subject requests directly.
- For requests CarFai receives directly, CarFai will redirect the Data Subject to Customer (the Controller) and notify Customer.
- For unusual or escalated requests, CarFai will respond to Customer's instructions within reasonable timeframes.
11. Audits
11.1 No more than once per year (and additionally in response to a documented Personal Data breach), Customer may audit CarFai's compliance with this DPA, subject to:
- 30 days' written notice;
- Reasonable scope and duration agreed in advance;
- Confidentiality obligations;
- Conducted at Customer's expense by Customer or a mutually-agreed third-party auditor;
- Conducted during business hours and in a manner that does not disrupt CarFai's operations.
11.2 CarFai may satisfy audit obligations by providing independent third-party audit reports covering the same period (when CarFai obtains such certifications; the current roadmap is in the Roadmap appendix below).
Roadmap appendix — security infrastructure milestones (informational, not contractual)
The following infrastructure additions are planned but not currently in place. They are listed here for transparency; they are NOT a contractual obligation and may shift based on operational priorities.
| Milestone | Target |
|---|---|
| Personnel background checks | When CarFai's first non-founder hire is made |
| SOC 2 Type II / ISO 27001 certification | Future, contingent on customer demand |
| Marketing-site cookie consent banner | Before first EU traffic activation |
12. Liability
The liability provisions of the Terms of Service apply to this DPA, subject to any non-excludable statutory liability under GDPR or equivalent data protection law in the Customer's jurisdiction.
13. Term and termination
This DPA remains in effect for as long as CarFai processes Personal Data on behalf of Customer. Sections 6 (Processor obligations), 8 (breach notification), 9 (transfers), 10 (Data Subject rights), and 11 (audits) survive termination as long as CarFai retains any Customer Personal Data.
14. Changes
CarFai may update this DPA to reflect changes in applicable law or in CarFai's processing practices. Material changes will be notified to Customer with at least 30 days' notice. Customer's continued use of the Service after the effective date constitutes acceptance.
15. Governing law
This DPA is governed by the laws of Quebec, Canada to the extent consistent with applicable Data Protection Laws. Mandatory provisions of Data Protection Laws supersede the choice of law where they apply.
Schedule 1 — Sub-processors (as of 2026-05-20)
| Sub-processor | Service provided | Region | Privacy link |
|---|---|---|---|
| Anthropic, PBC | AI processing (Claude) | United States | https://www.anthropic.com/legal/privacy |
| Supabase Inc. | Database, authentication, storage | United States (us-east region as of effective date) | https://supabase.com/privacy |
| RevenueCat, Inc. | Subscription state | United States | https://www.revenuecat.com/privacy |
| Resend Inc. | Transactional email | United States | https://resend.com/legal/privacy-policy |
| Apple Inc. | iOS distribution + IAP | United States | https://www.apple.com/legal/privacy/ |
| Google LLC | Android distribution + Play Billing + OAuth | United States | https://policies.google.com/privacy |
| Microsoft Corp. | OAuth (when used) | United States | https://privacy.microsoft.com |
Schedule 2 — Technical and organizational measures (TOMs)
CarFai implements the following TOMs to protect Personal Data:
Encryption
- In transit — TLS 1.2+ for all client-server communication
- At rest — AES-256 encryption (provider-managed via Supabase)
Access control
- Role-based access control (RBAC) for B2B organizations enforced at the database level via row-level security (RLS) policies
- Production access by CarFai personnel logged and audited
- Multi-factor authentication required for all CarFai administrator accounts
Data segregation
- Multi-tenant architecture with per-organization isolation enforced by RLS
- Cross-organization access blocked at the database query layer
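The two isolation claims above (RBAC enforced by RLS policies, cross-organization access blocked at the query layer) are the kind of control a Customer security review should ask to see evidence of. The following Postgres row-level-security policy set is an illustration added here for that purpose; it is not CarFai's schema or policy code. The table names (`org_members`, `vehicles`), the role names and the use of Supabase's `auth.uid()` as the identity of the calling user are assumptions made for the example.

```sql
-- Illustrative multi-tenant isolation with Postgres row-level security (RLS).
-- Assumed schema (not CarFai's): org_members maps users to organizations and roles;
-- vehicles is a tenant-owned table keyed by org_id.

create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

create table vehicles (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  vin    text
);

-- Enabling RLS with no policies denies all rows to ordinary roles (default deny).
-- FORCE also applies the policies to the table owner; roles with BYPASSRLS
-- (for example a service-role connection) still bypass them and must enforce
-- tenancy in application code.
alter table org_members enable row level security;
alter table org_members force row level security;
alter table vehicles    enable row level security;
alter table vehicles    force row level security;

-- Users may read only their own membership rows.
create policy org_members_self on org_members
  for select using (user_id = auth.uid());

-- Membership check used by every tenant-table policy.
-- SECURITY DEFINER lets it read org_members regardless of the caller's own
-- policies; search_path is pinned so the function cannot be hijacked by a
-- look-alike table in another schema.
create or replace function is_org_member(p_org uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from org_members m
    where m.org_id = p_org and m.user_id = auth.uid()
  );
$$;

create or replace function is_org_admin(p_org uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from org_members m
    where m.org_id = p_org and m.user_id = auth.uid()
      and m.role in ('owner', 'admin')
  );
$$;

-- Read: any member of the row's organization.
create policy vehicles_select on vehicles
  for select using (is_org_member(org_id));

-- Insert: the caller must be a member of the org_id being written.
create policy vehicles_insert on vehicles
  for insert with check (is_org_member(org_id));

-- Update: USING restricts which rows can be touched; WITH CHECK prevents
-- re-homing a row into an organization the caller does not belong to.
create policy vehicles_update on vehicles
  for update using (is_org_member(org_id)) with check (is_org_member(org_id));

-- Delete: admins and owners only (the RBAC layer on top of tenancy).
create policy vehicles_delete on vehicles
  for delete using (is_org_admin(org_id));
```

Two checks a reviewer would want when evaluating a policy set like this: first, that every tenant-owned table has RLS both enabled and forced, since a single table left without it is readable across organizations; second, that any server-side code connecting with a role that bypasses RLS (a service key) applies its own organization filter, because the policies above never see those queries.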
Network security
- Web Application Firewall (WAF) at edge
- Rate limiting per user and per endpoint
- Webhook signature verification for all incoming webhooks (RevenueCat, etc.)
Application security
- Pre-commit secret scanning (Gitleaks)
- Dependency vulnerability scanning (Dependabot, npm audit) on every PR
- Manual security review against the OWASP Mobile (MASVS) and ASVS controls relevant to the Service
- AI prompt injection defenses: system/user prompt separation, untrusted-content tagging, output validation, web-search content quarantine
Monitoring and incident response
- Crash and error reporting
- Security event logging
- Documented incident response runbook
- 48-hour breach notification commitment per Section 8
Personnel
- Confidentiality obligations on all personnel
- Annual security awareness training
Backup and recovery
- Point-in-time recovery (PITR) on production database
- Daily backups retained for 30 days
- Documented disaster recovery procedures
Third-party risk management
- Sub-processor selection includes data protection review
- Sub-processors bound by data protection obligations no less protective than this DPA
Signatures
Customer: Name: __________________________ Title: __________________________ Date: __________________________ Signature: __________________________
CarFai: Name: __________________________ Title: __________________________ Date: __________________________ Signature: __________________________
Revision history
| Version | Date | Notes |
|---|---|---|
| v1 | 2026-05-20 | Initial publication. |
