Data Processing Addendum
Last Updated: January 21, 2026
Introduction
This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms of Service (the "Agreement") between Oasis Auto Konnect LLC ("OAK," "we," "us," or "our") and the entity or individual agreeing to these terms ("Customer," "you," or "your").
This DPA sets forth the parties' obligations with respect to the processing of Personal Data in connection with Customer's use of the Services. This DPA applies to the extent OAK processes Personal Data on behalf of Customer as a Data Processor.
By using the Services, you acknowledge that you have read, understood, and agree to be bound by this DPA. If you are accepting on behalf of an organization, you represent and warrant that you have authority to bind that organization.
1. Definitions
Capitalized terms not defined herein shall have the meanings set forth in the Agreement. The following definitions apply to this DPA:
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to: (a) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); (c) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA"); (d) the Virginia Consumer Data Protection Act ("VCDPA"); (e) the Colorado Privacy Act ("CPA"); (f) the Connecticut Data Privacy Act ("CTDPA"); (g) the Personal Information Protection and Electronic Documents Act ("PIPEDA"); and (h) any other applicable data protection or privacy laws.
"Customer Data" means any data, including Personal Data, that Customer or its End Users upload, submit, store, or transmit through the Services, including but not limited to contact information, messaging content, lead data, and any information processed by the Services on Customer's behalf.
"Data Controller" (or "Controller") means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For purposes of this DPA, Customer is the Data Controller with respect to Customer Data.
"Data Processor" (or "Processor") means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller. For purposes of this DPA, OAK is the Data Processor with respect to Customer Data.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Data Subject Request" means a request from a Data Subject to exercise any rights afforded to them under Applicable Data Protection Law with respect to their Personal Data, including but not limited to rights of access, rectification, erasure, restriction, portability, and objection.
"End User" means any individual whose Personal Data is processed through the Services as a result of Customer's use thereof, including but not limited to Customer's leads, contacts, prospects, and customers.
"Instructions" means the documented instructions provided by Customer to OAK regarding the processing of Personal Data, as set forth in: (a) this DPA; (b) the Agreement; (c) Customer's configuration and use of the Services; and (d) any other written instructions agreed upon by the parties.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law. This includes "personal information" as defined under the CCPA and similar terms under other applicable laws.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processing" (and its cognates) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Security Measures" means the technical and organizational measures implemented by OAK to protect Personal Data against Personal Data Breaches, as described in Section 7 of this DPA.
"Services" means the OAK platform and related services provided to Customer pursuant to the Agreement.
"Sub-Processor" means any third party engaged by OAK to process Personal Data on behalf of Customer in connection with the Services.
2. Roles and Responsibilities
2.1 Customer as Data Controller
Customer is the Data Controller with respect to all Customer Data processed through the Services. As Data Controller, Customer:
- (a) Determines the purposes and means of Processing Personal Data;
- (b) Is solely responsible for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired such data;
- (c) Is responsible for ensuring that the Processing of Personal Data has a valid legal basis under Applicable Data Protection Law, including but not limited to obtaining all necessary consents;
- (d) Is responsible for providing all required notices to Data Subjects;
- (e) Is responsible for responding to Data Subject Requests (with assistance from OAK as set forth herein); and
- (f) Retains all rights, title, and interest in and to Customer Data.
2.2 OAK as Data Processor
OAK is the Data Processor with respect to Customer Data. As Data Processor, OAK:
- (a) Processes Customer Data only on behalf of and in accordance with Customer's Instructions;
- (b) Does not determine the purposes or means of Processing Customer Data;
- (c) Treats Customer Data as confidential information;
- (d) Implements appropriate Security Measures to protect Customer Data; and
- (e) Assists Customer in fulfilling its obligations under Applicable Data Protection Law as set forth in this DPA.
2.3 Customer Data Ownership
Customer Data remains the sole property of Customer. Nothing in this DPA or the Agreement shall be construed to transfer any ownership rights in Customer Data to OAK. OAK's right to process Customer Data is limited to what is necessary to provide the Services and as otherwise permitted by this DPA and Applicable Data Protection Law.
2.4 AI-Generated Content
Customer acknowledges that the Services include artificial intelligence features that generate content (including but not limited to message responses) based on Customer's configuration and Customer Data. All AI-generated content is created on Customer's behalf, at Customer's direction, and using Customer's data. Customer is the controller of such content and is responsible for ensuring its accuracy and compliance with Applicable Data Protection Law. OAK does not independently determine the content of AI-generated messages.
3. Obligations of Processor
3.1 Processing Instructions
OAK shall process Customer Data only in accordance with Customer's documented Instructions, unless required to do otherwise by applicable law to which OAK is subject. In such case, OAK shall inform Customer of that legal requirement before Processing, unless prohibited from doing so by law. Customer's Instructions are set forth in the Agreement, this DPA, and through Customer's configuration and use of the Services.
3.2 Confidentiality
OAK shall ensure that persons authorized to process Customer Data:
- (a) Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (b) Process Customer Data only as necessary to provide the Services and in accordance with Customer's Instructions; and
- (c) Are informed of the confidential nature of the Customer Data and receive appropriate training on their responsibilities.
3.3 Security
OAK shall implement and maintain appropriate technical and organizational Security Measures to protect Customer Data as described in Section 7 of this DPA.
3.4 Sub-Processing
OAK shall comply with the requirements for Sub-Processors set forth in Section 5 of this DPA.
3.5 Assistance with Data Subject Rights
Taking into account the nature of the Processing, OAK shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to Data Subject Requests. Customer shall reimburse OAK for any reasonable costs incurred in providing such assistance, at OAK's then-current rates for professional services.
3.6 Assistance with Compliance Obligations
OAK shall assist Customer in ensuring compliance with the following obligations under Applicable Data Protection Law, taking into account the nature of Processing and the information available to OAK:
- (a) Security of Processing;
- (b) Personal Data Breach notification;
- (c) Data protection impact assessments; and
- (d) Prior consultation with supervisory authorities.
Customer shall reimburse OAK for any reasonable costs incurred in providing such assistance beyond what is explicitly required by this DPA, at OAK's then-current rates for professional services.
3.7 Deletion and Return of Data
Upon termination of the Agreement, OAK shall, at Customer's election and within thirty (30) days of written request: (a) return Customer Data to Customer in a commonly used, machine-readable format; or (b) delete Customer Data, except to the extent OAK is required by applicable law to retain some or all of the Customer Data. After the thirty (30) day period following termination (or such longer period as may be specified in the Agreement), OAK may delete any remaining Customer Data in its possession.
3.8 Demonstrating Compliance
OAK shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits as described in Section 9 of this DPA.
3.9 Government and Law Enforcement Requests
If OAK receives a request from a government authority or law enforcement agency for access to Customer Data, OAK shall:
- (a) Attempt to redirect the requesting party to Customer;
- (b) Promptly notify Customer of the request unless legally prohibited from doing so;
- (c) Provide only the minimum amount of information required when disclosure is compelled; and
- (d) Cooperate with Customer's reasonable efforts to challenge or limit the scope of the request.
3.10 Records of Processing
OAK shall maintain written records of Processing activities carried out on behalf of Customer as required by Applicable Data Protection Law, including:
- (a) The name and contact details of OAK and Customer;
- (b) The categories of Processing carried out on behalf of Customer;
- (c) Where applicable, transfers of Personal Data to third countries and the documentation of suitable safeguards; and
- (d) A general description of the Security Measures implemented.
4. Customer Obligations
4.1 Lawful Basis for Processing
Customer represents and warrants that:
- (a) Customer has and will maintain a valid legal basis for Processing Personal Data through the Services, including but not limited to obtaining all necessary consents from Data Subjects;
- (b) Customer has provided and will provide all required notices to Data Subjects regarding the Processing of their Personal Data;
- (c) Customer has complied and will comply with all Applicable Data Protection Law in connection with its collection and use of Customer Data; and
- (d) Customer's Instructions to OAK comply with Applicable Data Protection Law.
4.2 Accuracy of Data
Customer is solely responsible for the accuracy, completeness, and quality of Customer Data. OAK has no obligation to verify the accuracy of Customer Data.
4.3 Data Subject Communications
Customer is solely responsible for responding to communications from Data Subjects regarding the Processing of their Personal Data, except to the extent OAK is required to respond directly under Applicable Data Protection Law.
4.4 Customer Configuration
Customer acknowledges that the Services are configurable and that Customer's configuration choices may affect the Processing of Personal Data. Customer is solely responsible for configuring the Services in compliance with Applicable Data Protection Law.
4.5 Prohibited Data
Unless explicitly agreed in writing, Customer shall not submit to the Services any:
- (a) Special categories of Personal Data as defined in Article 9 of the GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation);
- (b) Personal Data relating to criminal convictions and offenses;
- (c) Protected Health Information as defined under HIPAA;
- (d) Payment card data subject to PCI DSS; or
- (e) Social Security numbers, government-issued identification numbers, or financial account numbers.
Customer is solely responsible for any such data submitted in violation of this Section, and Customer shall indemnify OAK for any claims arising therefrom.
5. Sub-Processing
5.1 Authorized Sub-Processors
Customer provides general authorization for OAK to engage Sub-Processors to process Customer Data in connection with the Services. A current list of Sub-Processors is available upon request to Legal Email.
5.2 Sub-Processor Agreements
OAK shall ensure that each Sub-Processor is bound by written contractual obligations that:
- (a) Are no less protective of Customer Data than the obligations imposed on OAK under this DPA;
- (b) Require the Sub-Processor to process Personal Data only as necessary to provide the applicable services; and
- (c) Require the Sub-Processor to implement appropriate Security Measures.
5.3 Notice of Changes
OAK shall notify Customer of any intended changes to Sub-Processors by updating its Sub-Processor list or by other reasonable means. Customer shall have fourteen (14) days from the date of such notice to object to the appointment or replacement of a Sub-Processor on reasonable grounds relating to data protection. If Customer objects, the parties shall discuss Customer's concerns in good faith. If the parties cannot reach a resolution, Customer may terminate the affected Services without penalty.
5.4 Sub-Processor Liability
OAK shall remain fully liable to Customer for the performance of each Sub-Processor's obligations in accordance with this DPA.
5.5 Current Sub-Processors
As of the effective date of this DPA, OAK's Sub-Processors include:
- GoHighLevel, Inc. — Platform infrastructure and CRM services (United States)
- Twilio Inc. — SMS messaging infrastructure (United States)
- LC Phone — Telephony services (United States)
- Amazon Web Services, Inc. — Cloud hosting and data storage (United States)
- Google LLC — Calendar integration and API services (United States)
- OpenAI — AI language model services (United States)
This list may be updated from time to time in accordance with Section 5.3.
Note: The list of authorized Sub-Processors above serves as the Sub-Processor schedule for this DPA. No separate Annex is required.
6. International Data Transfers
6.1 Transfer Mechanisms
To the extent that OAK processes or transfers (directly or via onward transfer) Personal Data originating from the European Economic Area ("EEA"), United Kingdom, or Switzerland to countries that do not provide an adequate level of data protection within the meaning of Applicable Data Protection Law, OAK shall ensure that appropriate safeguards are in place, which may include:
- (a) The EU-U.S. Data Privacy Framework, UK Extension, and/or Swiss-U.S. Data Privacy Framework, as applicable;
- (b) Standard Contractual Clauses approved by the European Commission or UK Information Commissioner's Office, as applicable;
- (c) Binding Corporate Rules; or
- (d) Other lawful transfer mechanisms recognized under Applicable Data Protection Law.
6.2 Standard Contractual Clauses
To the extent that Standard Contractual Clauses ("SCCs") are required for transfers of Personal Data, the parties agree that:
- (a) For transfers from the EEA: The SCCs approved by European Commission Decision 2021/914 shall apply, with Customer as "data exporter" and OAK as "data importer" under Module Two (Controller to Processor);
- (b) For transfers from the UK: The International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office shall apply; and
- (c) For transfers from Switzerland: The SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.
The SCCs are hereby incorporated by reference into this DPA. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail to the extent required by Applicable Data Protection Law.
6.3 Supplementary Measures
OAK shall implement appropriate supplementary measures to ensure that Personal Data transferred internationally receives a level of protection essentially equivalent to that guaranteed within the EEA, including encryption in transit and at rest, access controls, and security measures as described in Section 7.
6.4 U.S. Data Location
Customer acknowledges that the Services are primarily hosted in the United States, and Customer Data will be transferred to and processed in the United States. By using the Services, Customer consents to such transfers and represents that Customer has provided all necessary notices to and obtained all necessary consents from Data Subjects for such transfers.
7. Data Security
7.1 Security Program
OAK shall implement and maintain a comprehensive written information security program that includes appropriate technical and organizational measures to protect Customer Data against Personal Data Breaches. Such measures shall take into account:
- (a) The state of the art;
- (b) The costs of implementation;
- (c) The nature, scope, context, and purposes of Processing; and
- (d) The risk of varying likelihood and severity for the rights and freedoms of natural persons.
7.2 Security Measures
OAK's Security Measures shall include, at a minimum:
- (a) Encryption: Encryption of Personal Data in transit using TLS 1.2 or higher, and encryption of Personal Data at rest using AES-256 or equivalent;
- (b) Access Controls: Role-based access controls, unique user identification, strong password requirements, and multi-factor authentication for administrative access;
- (c) Network Security: Firewalls, intrusion detection systems, and regular vulnerability assessments;
- (d) Physical Security: Secure data center facilities with access controls and environmental safeguards;
- (e) Data Integrity: Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
- (f) Incident Recovery: The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- (g) Testing: Regular testing, assessing, and evaluating the effectiveness of Security Measures;
- (h) Personnel: Appropriate training for personnel with access to Customer Data and background checks where permitted by law; and
- (i) Vendor Management: Due diligence and contractual controls for Sub-Processors.
7.3 No Guarantee
CUSTOMER ACKNOWLEDGES THAT NO SECURITY MEASURES ARE PERFECT OR IMPENETRABLE. OAK DOES NOT GUARANTEE THAT CUSTOMER DATA WILL NOT BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED BY BREACH OF ANY OF OAK'S SECURITY MEASURES. OAK's liability for any Personal Data Breach is limited as set forth in the Agreement.
8. Personal Data Breach Notification
8.1 Notification to Customer
OAK shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Such notification shall be made to the email address associated with Customer's account or to such other address as Customer has designated in writing.
8.2 Information Provided
OAK's notification shall include, to the extent known at the time of notification and as information becomes available:
- (a) A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- (b) The name and contact details of OAK's point of contact from whom more information can be obtained;
- (c) A description of the likely consequences of the Personal Data Breach; and
- (d) A description of the measures taken or proposed to be taken by OAK to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
8.3 Cooperation
OAK shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach. Customer shall reimburse OAK for any costs incurred in providing assistance beyond initial notification, at OAK's then-current rates for professional services.
8.4 Customer Notification Obligations
Customer is solely responsible for determining whether a Personal Data Breach triggers notification obligations to Data Subjects or supervisory authorities under Applicable Data Protection Law and for making any such notifications. OAK shall provide reasonable assistance upon request, at Customer's expense.
8.5 No Public Disclosure
OAK shall not inform any third party of any Personal Data Breach without first obtaining Customer's prior written consent, except where required by applicable law or where necessary to address the breach (e.g., notification to law enforcement or engagement of forensic investigators).
9. Audit Rights
9.1 Audit Reports
Upon Customer's written request (no more than once per calendar year), OAK shall provide Customer with:
- (a) A summary of OAK's then-current Security Measures;
- (b) Copies of any relevant third-party audit reports, certifications, or assessments (e.g., SOC 2 reports, if available) that OAK is permitted to disclose; and
- (c) Written responses to reasonable security questionnaires submitted by Customer.
9.2 On-Site Audits
If Customer reasonably determines that the information provided pursuant to Section 9.1 is insufficient to demonstrate OAK's compliance with this DPA, Customer may conduct or commission an audit of OAK's Processing activities, subject to the following conditions:
- (a) Customer shall provide at least thirty (30) days' prior written notice;
- (b) Audits shall be conducted during normal business hours and shall not unreasonably disrupt OAK's operations;
- (c) Customer shall bear all costs and expenses of any audit, including OAK's reasonable personnel costs at OAK's then-current rates for professional services;
- (d) The auditor shall execute a confidentiality agreement acceptable to OAK;
- (e) Audits shall be limited in scope to matters relevant to OAK's compliance with this DPA; and
- (f) Customer shall not be entitled to access any data of other OAK customers or any confidential business information of OAK.
9.3 Remediation
If an audit reveals any material non-compliance with this DPA, OAK shall promptly implement reasonable remediation measures. If OAK has confirmed that no material vulnerability exists or has implemented remediation, OAK shall notify Customer accordingly.
10. California Consumer Privacy Act (CCPA) Provisions
10.1 Service Provider Designation
For purposes of the CCPA, OAK is a "Service Provider" as defined in California Civil Code Section 1798.140(ag). OAK is prohibited from:
- (a) Selling or sharing Personal Information received from Customer;
- (b) Retaining, using, or disclosing Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the Services;
- (c) Retaining, using, or disclosing the Personal Information outside of the direct business relationship between OAK and Customer; and
- (d) Combining the Personal Information with personal information that OAK receives from or on behalf of another person or collects from its own interaction with Data Subjects, unless expressly permitted by the CCPA.
10.2 CCPA Certifications
OAK certifies that it:
- (a) Understands the restrictions in Section 10.1 and will comply with them;
- (b) Will notify Customer if it determines that it can no longer meet its obligations under the CCPA; and
- (c) Grants Customer the right to take reasonable and appropriate steps to ensure that OAK uses Personal Information in a manner consistent with Customer's obligations under the CCPA.
10.3 No Sale of Personal Information
OAK does not "sell" or "share" (as those terms are defined under the CCPA) Personal Information that OAK receives from Customer.
10.4 CCPA Consumer Rights
OAK shall reasonably assist Customer in responding to verifiable consumer requests from California residents to exercise their rights under the CCPA, including rights to know, delete, correct, and opt-out. Customer shall reimburse OAK for any costs incurred in providing such assistance.
11. Other U.S. State Privacy Law Provisions
11.1 VCDPA, CPA, CTDPA, and Similar Laws
To the extent the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, or similar state privacy laws apply to Customer's use of the Services, OAK shall:
- (a) Process Personal Data only as directed by Customer and consistent with Customer's Instructions;
- (b) Assist Customer in meeting its obligations to respond to consumer rights requests;
- (c) Provide information reasonably necessary to enable Customer to conduct and document data protection assessments;
- (d) Engage Sub-Processors only as permitted by this DPA; and
- (e) Allow and cooperate with reasonable assessments by Customer or Customer's designated assessor.
11.2 Duty to Inform
OAK shall inform Customer if, in OAK's opinion, an Instruction from Customer violates applicable U.S. state privacy laws.
12. Indemnification
12.1 Customer Indemnification
Customer shall defend, indemnify, and hold harmless OAK, its affiliates, and their respective officers, directors, employees, agents, successors, and assigns from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:
- (a) Customer's breach of this DPA or the Agreement;
- (b) Customer's violation of Applicable Data Protection Law;
- (c) Customer's Processing of Personal Data, including the collection of Personal Data and the instructions provided to OAK;
- (d) Any Data Subject claim arising from Customer's failure to obtain proper consent or provide required notices;
- (e) Any Data Subject claim related to the content of AI-generated messages sent on Customer's behalf;
- (f) Customer's submission of Prohibited Data in violation of Section 4.5; and
- (g) Any third-party claim that Customer's use of the Services infringes such third party's privacy or data protection rights.
12.2 Third-Party Lead Data
Without limiting Section 12.1, Customer shall indemnify OAK for any claims arising from Customer's use of third-party lead data, including but not limited to claims that such data was obtained without proper consent or in violation of Applicable Data Protection Law.
13. Limitation of Liability
13.1 Liability Cap
THE TOTAL AGGREGATE LIABILITY OF OAK ARISING OUT OF OR RELATING TO THIS DPA SHALL BE SUBJECT TO THE LIMITATIONS OF LIABILITY SET FORTH IN THE AGREEMENT. For the avoidance of doubt, the liability cap set forth in the Agreement applies to all claims arising under or relating to this DPA, the Agreement, and the Services collectively, and is not a per-incident or per-claim cap.
13.2 Exclusion of Consequential Damages
IN NO EVENT SHALL OAK BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, LOSS OF DATA, LOSS OF BUSINESS OPPORTUNITY, OR REPUTATIONAL HARM, ARISING OUT OF OR RELATING TO THIS DPA, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR WHETHER OAK WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
13.3 Customer's Sole Remedy
Customer's sole and exclusive remedy for any breach of this DPA by OAK shall be as set forth in the Agreement.
14. Term and Termination
14.1 Term
This DPA shall remain in effect for the duration of the Agreement and shall terminate automatically upon termination of the Agreement.
14.2 Survival
The following provisions shall survive termination of this DPA: Section 1 (Definitions), Section 2.3 (Customer Data Ownership), Section 3.7 (Deletion and Return of Data), Section 12 (Indemnification), Section 13 (Limitation of Liability), Section 14.2 (Survival), and Section 15 (General Provisions).
14.3 Effect of Termination
Upon termination of this DPA, OAK shall cease Processing Customer Data, except as required to comply with applicable law or as necessary to wind down the Services in an orderly manner.
15. General Provisions
15.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Wyoming, without regard to its conflict of laws principles. Any disputes arising under or relating to this DPA shall be resolved in accordance with the dispute resolution provisions set forth in the Agreement.
15.2 Conflict
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data. In the event of any conflict between this DPA and any applicable Standard Contractual Clauses, the Standard Contractual Clauses shall prevail to the extent required by Applicable Data Protection Law.
15.3 Amendments
OAK may update this DPA from time to time to reflect changes in Applicable Data Protection Law or OAK's data processing practices. OAK will notify Customer of material changes by posting the updated DPA on its website and, where appropriate, by email notification. Continued use of the Services after such notification constitutes acceptance of the updated DPA.
15.4 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable.
15.5 Entire Agreement
This DPA, together with the Agreement and any documents incorporated by reference herein, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, or representations with respect to such subject matter.
15.6 No Third-Party Beneficiaries
Except as expressly set forth in any applicable Standard Contractual Clauses, this DPA does not create any third-party beneficiary rights in any individual or entity that is not a party to this DPA.
15.7 Waiver
No waiver of any provision of this DPA shall be effective unless in writing and signed by the waiving party. No failure or delay in exercising any right under this DPA shall operate as a waiver thereof.
15.8 Notices
All notices under this DPA shall be sent in accordance with the notice provisions of the Agreement. Privacy and data protection inquiries may be directed to:
Oasis Auto Konnect LLC
Attn: Privacy Team
27524 Cashford Circle Suite 102
Wesley Chapel, Florida 33544
Email: Legal Email
Phone: (813) 515-3550
Annex 1: Scope of Processing
This Annex describes the Processing activities carried out by OAK on behalf of Customer.
A1.1 Categories of Data Subjects
The Personal Data processed concerns the following categories of Data Subjects:
- Customer's employees and authorized users of the Services;
- Customer's leads, contacts, and prospects;
- Customer's customers and clients;
- Individuals who submit information through forms or landing pages operated by Customer; and
- Other individuals whose Personal Data is uploaded or entered into the Services by Customer.
A1.2 Categories of Personal Data
The Personal Data processed includes the following categories:
- Identification Data: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name;
- Contact Data: Telephone number (including MSISDN/mobile number), mailing address, email address;
- Demographic Data: Age, date of birth, gender;
- Communication Data: Message content (SMS, MMS), communication preferences, opt-in/opt-out status;
- Commercial Information: Records of products or services purchased, obtained, or considered, purchasing or consuming histories or tendencies;
- Internet/Network Activity: Browsing history, search history, information on interaction with websites, applications, or advertisements;
- Geolocation Data: Physical location or movements (to the extent provided by Customer);
- Professional Data: Current or past job-related information; and
- Inferences: Inferences drawn from any of the above to create a profile about a consumer reflecting preferences, characteristics, behavior, attitudes, abilities.
A1.3 Sensitive Personal Data
The Services are not designed to process Sensitive Personal Data or Special Categories of Personal Data. Customer is responsible for ensuring that no such data is submitted to the Services without OAK's prior written consent. Notwithstanding the foregoing, Customer's use of the Services in the health insurance industry may involve limited health-related data subject to OAK's health insurance industry acknowledgments in the Agreement.
A1.4 Processing Purposes
OAK processes Personal Data for the following purposes:
- Providing and operating the Services as specified in the Agreement;
- Storing and managing Customer's contact database;
- Sending and receiving SMS and MMS messages on Customer's behalf;
- Generating AI-powered responses to messages based on Customer's configuration;
- Managing Customer's lead pipeline and contact stages;
- Scheduling and managing appointments;
- Performing list scrubbing for compliance purposes (TCPA litigator, landline, duplicate checking);
- Providing analytics and reporting on Customer's messaging activities;
- Maintaining and improving the Services;
- Complying with applicable legal requirements; and
- Any other purposes specified in Customer's Instructions.
A1.5 Duration of Processing
OAK will process Personal Data for the duration of the Agreement. Following termination, Personal Data will be deleted or returned in accordance with Section 3.7 of this DPA and the Agreement.
A1.6 Location of Processing
Personal Data is primarily processed and stored in the United States. Processing may also occur in other jurisdictions where OAK's Sub-Processors maintain facilities, subject to the transfer safeguards described in Section 6 of this DPA.
Annex 2: Technical and Organizational Security Measures
OAK implements the following technical and organizational measures to protect Personal Data:
A2.1 Physical Security
- Data center facilities with 24/7 security, access controls, and monitoring;
- Environmental controls (fire suppression, climate control, backup power); and
- Physical access restricted to authorized personnel only.
A2.2 Network Security
- Firewalls and intrusion detection/prevention systems;
- DDoS protection;
- Network segmentation;
- Regular vulnerability scanning and penetration testing; and
- Secure configuration management.
A2.3 Data Encryption
- TLS 1.2 or higher for data in transit;
- AES-256 encryption for data at rest; and
- Encryption key management procedures.
A2.4 Access Control
- Role-based access control (RBAC);
- Unique user identification;
- Strong password policies;
- Multi-factor authentication for administrative access;
- Session timeout controls; and
- Access logging and monitoring.
A2.5 Data Management
- Regular data backups;
- Backup encryption;
- Disaster recovery procedures;
- Data retention and deletion procedures; and
- Secure data disposal.
A2.6 Personnel Security
- Background checks for personnel with access to Personal Data (where legally permitted);
- Confidentiality agreements;
- Security awareness training;
- Access revocation upon termination; and
- Need-to-know access principles.
A2.7 Incident Response
- Documented incident response procedures;
- Incident detection and monitoring;
- Breach notification procedures;
- Post-incident review and remediation; and
- Incident logging and documentation.
A2.8 Vendor Management
- Security assessments of Sub-Processors;
- Contractual security requirements;
- Ongoing monitoring of Sub-Processor compliance; and
- Sub-Processor due diligence procedures.
Contact Information
For questions about this Data Processing Addendum, please contact us at:
Oasis Auto Konnect LLC
27524 Cashford Circle Suite 102
Wesley Chapel, Florida 33544
Legal Address:
30 N Gould Street Suite R
Sheridan, WY 82801
Email: Legal Email
Support: Support Email
Phone: (813) 515-3550