Data Processing Agreement

1. Definitions

“Data Controller” means the Customer — the entity that determines the purposes and means of processing Personal Data through the AutoSAM platform.

“Data Processor” means GovCertix LLC, operating as AutoSAM, which processes Personal Data on behalf of the Customer.

“Personal Data” means any information relating to an identified or identifiable natural person, including names, email addresses, and account identifiers.

2. Scope of Processing

GovCertix LLC processes Personal Data solely for the purpose of providing the AutoSAM platform services as described in the Terms of Service. Processing activities include:

GovCertix LLC shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. If GovCertix LLC believes an instruction infringes applicable data protection law, it shall promptly notify the Customer.

3. Data Security

GovCertix LLC implements appropriate technical and organizational measures to protect Personal Data, including:

3a. Confidentiality of Processing Personnel

GovCertix LLC ensures that all persons authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory. Such personnel are informed of their responsibilities regarding the protection of Personal Data and the requirements of applicable data protection laws.

4. Sub-processors

GovCertix LLC uses the following sub-processors to deliver the AutoSAM platform:

We will notify customers at least 30 days before adding or replacing a sub-processor.

GovCertix LLC shall impose the same data protection obligations on each sub-processor as set out in this DPA. GovCertix LLC remains liable to the Customer for the performance of its sub-processors' obligations. Customers may object to the addition of a new sub-processor within 30 days of notice; unresolved objections entitle the Customer to terminate the affected service without penalty.

5. Data Subject Rights

Customers may exercise their data subject rights (access, rectification, erasure, portability, restriction, objection) through their AutoSAM account settings or by contacting us at privacy@autosam.io.

AutoSAM provides self-service data export (JSON/ZIP) and account deletion that complies with GDPR Article 17 (Right to Erasure) and CCPA requirements.

5a. Assistance with Controller Obligations

GovCertix LLC shall assist the Customer, taking into account the nature of processing and information available to GovCertix LLC, in fulfilling the following obligations:

Assistance for requests that go beyond standard self-service tools available in the AutoSAM platform may be billed at cost.

5b. Audit Rights

GovCertix LLC shall make available to the Customer all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits and inspections conducted by the Customer or its designated auditor. Audits are subject to the following conditions:

6. Data Retention

Personal Data is retained for the duration of the service agreement. Upon account deletion, all Personal Data is permanently erased within 30 days, except where retention is required by law (e.g., IRS tax records retained for 7 years).

Upon termination or expiration of the service agreement, GovCertix LLC shall, at the Customer's election: (a) return all Personal Data in a structured, machine-readable format (JSON/ZIP export); or (b) securely delete all Personal Data within 30 days. GovCertix LLC will provide written confirmation of deletion upon request. This obligation does not apply to data retained under applicable law (e.g., financial records).

7. Breach Notification

In the event of a Personal Data breach, GovCertix LLC will notify the affected Customer within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.

8. Contact

For DPA-related inquiries, contact:

GovCertix LLC
2461 Eisenhower Ave, Suite 200
Alexandria, VA 22314
privacy@autosam.io

8a. International Data Transfers

Where Personal Data is transferred to the United States from the EU/EEA or the United Kingdom, such transfers are made under Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Decision 2021/914). Customers may request a copy of the applicable SCCs by emailing privacy@autosam.io.

8b. Schrems II Supplementary Measures

In accordance with the European Data Protection Board's Recommendations 01/2020 on supplementary measures for EU→US data transfers following the Court of Justice of the European Union's Schrems II decision (C-311/18), GovCertix LLC implements the following supplementary measures:

These measures supplement the Standard Contractual Clauses referenced in §8a and are subject to periodic review and update.