Data Processing Addendum

Capitalized terms not defined here have the meaning given in applicable data protection law. “Personal Data”, “Processing”, “Controller”, “Processor”, and “Data Subject” carry their GDPR meanings.

Customer is the Controller of Personal Data submitted to the Service (including end-customer records, vehicles, bookings, and photos). Splash acts as Processor on Customer's behalf for the limited purpose of providing the Service in accordance with the agreement and Customer's documented instructions.

Subject matter: provision of the Splash Service. Duration: the term of the agreement plus any required retention period. Nature: hosting, storage, processing, and display of Personal Data necessary to operate bookings, payments via Stripe, photo evidence, and related features.

Personal Data may include contact details, vehicle details, booking history, photos of vehicles and surrounding location, and IP address. Data subjects include Customer's employees, contractors, and end customers.

Customer authorizes Splash to engage subprocessors for hosting, database, object storage, email, and payment processing (Stripe). Splash maintains a current list of subprocessors and will notify Customer of changes with reasonable advance notice. Splash imposes data protection obligations on subprocessors no less protective than those in this DPA.

Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module Two, Controller to Processor) and, where applicable, the UK International Data Transfer Addendum.

Splash implements appropriate technical and organizational measures to protect Personal Data, including encryption in transit and at rest, access controls, audit logging, secure software development practices, and regular vulnerability management. A summary is published on our Security page.

Splash will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data, and will provide information reasonably necessary to enable Customer to comply with its own breach-notification obligations.

Splash will provide reasonable assistance to enable Customer to respond to requests from data subjects to exercise their rights, including access, rectification, erasure, restriction, portability, and objection.

Customer may audit Splash's compliance with this DPA on reasonable prior written notice and no more than once per year, unless required more frequently by a competent supervisory authority. Splash may satisfy audit obligations by providing third-party reports where available.

Upon termination of the agreement, Splash will, at Customer's choice, return or delete Customer Personal Data within a reasonable period, except to the extent retention is required by applicable law.

In the event of a conflict between this DPA and the agreement, this DPA controls with respect to the processing of Personal Data.