
DATA PRIVACY AND SECURITY ADDENDUM

This Data Privacy and Security Addendum (“Addendum”) is entered into by and between DealerVantage, Inc. (“DealerVantage”) and the dealership entity executing the underlying Master Services Agreement (“Dealer”). This Addendum supplements the Master Services Agreement (the “Agreement”) and governs the transient processing, transformation, and transmission of data handled by DealerVantage’s pipeline infrastructure.

1. Definitions

“Dealer Data” means any and all digital data—including non-public personal information (NPI), customer transactional records, vehicle identification numbers (VINs), financial details, and service histories—extracted from Dealer’s Data Management System (DMS), Customer Relationship Management (CRM) system, or alternate authorized integrations for transmission.

“Privacy Laws” means all applicable federal, state, and local data protection, privacy, and security laws, regulations, and directives in the United States, including but not limited to the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) (“GLBA”), the FTC Safeguards Rule (16 CFR Part 314), the Driver’s Privacy Protection Act (18 U.S.C. § 2721 et seq.) (“DPPA”), and any applicable state comprehensive consumer privacy laws (including the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and similar statutes in states such as Texas, Virginia, Colorado, Florida, and others, as amended from time to time).

“Service Provider” and “Processor” shall have the meanings ascribed under applicable Privacy Laws.

2. Scope, Processing Limits, and Roles

Ownership and Control: The parties acknowledge and agree that Dealer is the owner and Data Controller (or Business/Owner) of the Dealer Data and retains ultimate regulatory responsibility for such data.

Strict Processing Limits: DealerVantage acts strictly as a Service Provider and Data Processor with respect to Dealer Data. DealerVantage’s role is limited to the automated extraction, schematic formatting, and transient processing required to securely route files to Dealer’s chosen third-party vendors. DealerVantage shall not retain or use Dealer Data for any purpose other than providing the transmission services outlined in the Agreement.

3. Federal Compliance: GLBA and FTC Safeguards Rule

To the extent that DealerVantage processes or temporarily handles “customer information” or non-public personal information (NPI) protected under the GLBA during pipeline execution, DealerVantage expressly covenants and agrees to:

• Implement, maintain, and enforce a comprehensive, written information security program containing administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of such data in strict compliance with the FTC Safeguards Rule (16 CFR Part 314).
• Limit pipeline configuration access solely to authorized personnel who have a legitimate technical need to manage data transformations or connection endpoints.

4. State Compliance: Comprehensive Privacy Laws

DealerVantage certifies that it understands and will comply with its specific statutory obligations as a Service Provider/Processor under all applicable state privacy frameworks. Specifically, DealerVantage shall not:

• “Sell” or “Share” Dealer Data (as those terms are defined under applicable state privacy statutes).
• Retain, use, or disclose Dealer Data outside of the direct business relationship between DealerVantage and Dealer.
• Combine Dealer Data with personal information received from other sources, except to compile completely de-identified, anonymized, and aggregated pipeline performance metrics that cannot reasonably identify Dealer or any individual consumer.

5. Consumer Rights and Data Conduits

The parties acknowledge that because DealerVantage operates as a transient data pipe and does not store or maintain permanent customer database records:

• If a consumer contacts Dealer to exercise a statutory privacy right (such as access or deletion), Dealer is responsible for executing that deletion at the source database level (DMS/CRM). DealerVantage’s automated pipeline will naturally reflect those deletions in subsequent scheduled SFTP file deliveries.
• If a consumer contacts DealerVantage directly regarding Dealer Data, DealerVantage will promptly forward the request to Dealer and will not respond directly to the consumer without Dealer’s explicit written approval.

6. Information Security, SFTP, and Breach Notification

Technical Safeguards: DealerVantage shall utilize industry-standard cryptographic protocols to encrypt all Dealer Data both in transit across its pipelines and at rest while awaiting retrieval on its hosting environments (utilizing secure protocols such as TLS 1.3 and AES-256 bit encryption).

Dual-SFTP Liability Split:

• Where DealerVantage writes data to a vendor’s SFTP server, DealerVantage’s data security boundaries end upon successful file acknowledgment by the receiving server.
• Where DealerVantage hosts the SFTP depository, DealerVantage is responsible for server environment security. However, Dealer and its receiving third-party vendors are entirely responsible for protecting their unique access credentials. DealerVantage is not liable for data exposures resulting from a vendor’s credential leaks or compromised internal systems.

Incident Response: In the event that DealerVantage confirms an unauthorized access to, or data breach of, its core pipeline or hosted SFTP servers (a “Security Incident”), DealerVantage shall notify Dealer in writing without unreasonable delay, and in no event later than seventy-two (72) hours after confirmation, and provide reasonable cooperation to mitigate the event.

7. Term and Data Purging

Because the Services function as a processing pipeline, DealerVantage does not maintain permanent data repositories of Dealer Data. Upon expiration or termination of the Agreement, DealerVantage shall immediately deactivate all extraction sequences and connection keys. Any temporary cached files or payload logs remaining in transmission directories will be permanently overwritten and purged within a commercially reasonable technical window, unless federal or state law requires brief logging retention.

By using this website and the Services, you acknowledge, accept, and agree to be bound by the terms of this Data Privacy and Security Addendum.
