This Data Processing Agreement ("DPA") is incorporated into the Terms of Service between EZLeads Management, Corp. ("EZLeads", "Processor") and the customer entity ("Customer", "Controller") and applies whenever EZLeads processes Personal Data on behalf of the Customer in connection with the Services. It is designed to satisfy the requirements of the EU/UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), and similar laws.
Customers wishing to execute this DPA may sign and return it via privacy@ezleads.io or accept it electronically by clicking through during onboarding.
Overview
EZLeads acts as a Processor of Customer Personal Data — and, where applicable, as a "Service Provider" under the CCPA/CPRA. Customer is the Controller and Business; EZLeads processes data only on Customer's documented instructions and for the purposes set out below.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by EZLeads on behalf of Customer.
- "Data Protection Laws" means all applicable laws relating to the protection of personal data, including the EU GDPR, UK GDPR, CCPA/CPRA, Canada PIPEDA, Brazil LGPD, and U.S. state-level privacy laws.
- "Sub-processor" means a third party engaged by EZLeads to process Personal Data.
- Other capitalised terms have the meaning given in the Data Protection Laws.
2. Roles & scope of processing
- Subject matter: Provision of the EZLeads Services described in the Terms.
- Duration: Until termination of the Services.
- Nature & purpose: Hosting, storing, transmitting, organising, retrieving, deleting and otherwise processing Personal Data to provide the Services and comply with law.
- Categories of data subjects: Customer's personnel, dealership leads & customers, finance applicants, vehicle prospects.
- Categories of Personal Data: Contact details, login credentials, vehicle and finance information, communications metadata, advertising-platform identifiers, device/network information.
- Special categories: Generally none. Customer warrants it will not upload special categories outside of features designed to handle them.
3. Instructions & duration
EZLeads will process Personal Data only on documented instructions from Customer (including via configuration of the Services) and in accordance with Data Protection Laws. EZLeads will notify Customer if, in its opinion, a Customer instruction infringes Data Protection Laws.
4. Security measures
EZLeads implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256);
- Role-based access control with least-privilege defaults and SSO/MFA for production access;
- Network segmentation, web-application firewall, and DDoS protections;
- Centralised logging, intrusion detection and 24/7 alerting;
- Annual penetration testing and continuous vulnerability scanning;
- Documented incident-response and disaster-recovery plans;
- Vendor security review for all Sub-processors;
- Background checks and confidentiality obligations for personnel.
See our Security page for the full description.
5. Sub-processors
Customer authorises EZLeads to engage Sub-processors listed at /legal/sub-processors. EZLeads will:
- Impose data-protection obligations no less protective than this DPA;
- Remain responsible for the acts and omissions of Sub-processors;
- Provide reasonable advance notice of new Sub-processors via that page or email; Customer may object on reasonable grounds.
6. Data subject rights & assistance
EZLeads will, taking into account the nature of processing, provide reasonable assistance to enable Customer to respond to data subject requests (access, correction, deletion, portability, restriction, objection, opt-out of "sale" or "sharing" under CCPA/CPRA). Where appropriate we offer self-service tooling and a public Data Deletion Request form.
7. Personal data breaches
EZLeads will notify Customer without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notifications will include known facts, expected impact and remediation steps.
8. International transfers
EZLeads' infrastructure is located in the United States. Where Customer Personal Data originates from the EEA, UK or Switzerland, the parties agree that the EU Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum are incorporated by reference and form part of this DPA. The Swiss FDPIC is recognised as the relevant supervisory authority for transfers from Switzerland.
9. Audits
EZLeads will make available information necessary to demonstrate compliance with this DPA, including its current SOC-2 Type II report and ISO 27001 mapping (where available). Customers may request, no more than once per year, a remote audit at their cost subject to reasonable confidentiality protections.
10. Return / deletion at termination
Upon termination of the Services, EZLeads will, at Customer's choice, return or delete all Customer Personal Data within 90 days, save where retention is required by applicable law.
11. Liability
The aggregate liability of either party under this DPA is subject to the liability cap in the Terms of Service and is not in addition to the cap there.
12. Governing law
This DPA is governed by the laws of the State of Florida, USA, except where Data Protection Laws require a different governing law.
13. Contact
Privacy & Data Protection Office: privacy@ezleads.io · (786) 755-0991. EZLeads Management, Corp. is a fully online service incorporated under the laws of the State of Florida, United States.