Data Processing Agreement

Last Updated: November 11, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and IgniteDMS ("Processor") for the provision of dealership management services ("Services").

2. Definitions

For the purposes of this DPA:

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on Personal Data
  • Controller: The entity that determines the purposes and means of processing Personal Data (Customer)
  • Processor: The entity that processes Personal Data on behalf of the Controller (IgniteDMS)
  • Sub-processor: Any processor engaged by IgniteDMS

3. Scope and Applicability

This DPA applies to all Personal Data processed by IgniteDMS on behalf of Customer in connection with the Services, including but not limited to:

  • Customer contact information
  • Vehicle purchaser information
  • Payment and financial data
  • Transaction records

4. Roles and Responsibilities

4.1 Customer as Controller

Customer acts as the Controller and is responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring lawful basis for processing
  • Obtaining necessary consents from data subjects
  • Providing privacy notices to data subjects

4.2 IgniteDMS as Processor

IgniteDMS acts as the Processor and shall:

  • Process Personal Data only on documented instructions from Customer
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational measures
  • Assist Customer in responding to data subject requests
  • Notify Customer of any Personal Data breaches without undue delay

5. Data Security

IgniteDMS implements appropriate technical and organizational measures including:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Regular backup and disaster recovery procedures
  • Security awareness training for personnel
  • Incident response and breach notification procedures

6. Sub-processors

Customer authorizes IgniteDMS to engage the following sub-processors:

  • Amazon Web Services (AWS): Cloud hosting infrastructure
  • Stripe, Inc.: Payment processing services
  • SendGrid: Email delivery services

IgniteDMS shall inform Customer of any changes to sub-processors with at least 30 days notice.

7. Data Subject Rights

IgniteDMS shall assist Customer in fulfilling data subject requests including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

8. Data Breach Notification

In the event of a Personal Data breach, IgniteDMS shall:

  • Notify Customer without undue delay and in any case within 72 hours of becoming aware
  • Provide details of the nature of the breach
  • Provide information about likely consequences and mitigation measures taken
  • Provide contact details for further information

9. Data Transfers

Personal Data is processed and stored in the United States. IgniteDMS ensures adequate safeguards are in place for any international data transfers in accordance with applicable laws.

10. Audits and Compliance

IgniteDMS shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, upon reasonable notice and during business hours.

11. Data Retention and Deletion

Upon termination of Services:

  • Customer data will be available for export for 30 days
  • After 30 days, all Personal Data will be securely deleted
  • Customer may request immediate deletion at any time
  • Backups will be deleted within 90 days of termination

12. Liability and Indemnification

Each party shall be liable for damages caused by its failure to comply with this DPA. IgniteDMS shall indemnify Customer against claims arising from IgniteDMS's breach of its obligations under this DPA.

13. Term and Termination

This DPA shall remain in effect for as long as IgniteDMS processes Personal Data on behalf of Customer. Upon termination, IgniteDMS shall delete or return all Personal Data as directed by Customer.

14. Changes to DPA

IgniteDMS may update this DPA to reflect changes in data protection laws or our practices. We will notify Customer of material changes with at least 30 days notice.

15. Contact Information

For questions about this DPA or data protection matters:

  • Email: privacy@ignitedms.com
  • Phone: (817) 586-9634
  • Address: 1168 W Pioneer Parkway, Arlington, TX 76013