Data Processing Agreement

SaaS Car, Inc. dba myodo Effective Date: May 25, 2026

This Data Processing Agreement ("DPA") supplements the Fleet Customer Agreement between SaaS Car, Inc. dba myodo ("Service Provider") and the entity identified on the Fleet Customer Agreement ("Business").

---

1. Definitions

• Personal Information (PI): As defined in California Civil Code § 1798.140(v).
• Sensitive Personal Information (SPI): As defined in California Civil Code § 1798.140(ae).
• Processing: Any operation performed on PI, including collection, storage, use, disclosure, or deletion.
• Consumer: A California resident whose PI is processed under this DPA (includes fleet drivers/employees).

---

2. Scope of Processing

Category of PI	Purpose	Duration
Driver identifiers (name, email, phone)	Account management, notifications, messaging	Term of Agreement
Vehicle identifiers (VIN, plate)	Vehicle tracking, service history	Term of Agreement
Precise geolocation	Trip tracking, mileage logging	Term of Agreement
Vehicle telemetry (speed, RPM, DTCs)	Maintenance alerts, diagnostics	Term of Agreement
Trip data (start/end, distance, odometer)	Mileage reporting, fleet management	Term of Agreement
Uploaded documents (receipts, ROs)	Document parsing, verification, reimbursement	Term of Agreement
Financial data (receipt amounts, line items)	Reimbursement tracking, expense reporting	Term of Agreement

---

3. Service Provider Obligations

Service Provider shall:

(a) Process PI only as necessary to provide the Service and as instructed by Business — not for any other commercial purpose;

(b) Not retain, use, or disclose PI outside the direct business relationship with Business;

(c) Not combine PI received from Business with PI received from other sources or collected from Service Provider's own interactions with Consumers, except as permitted to: (i) detect security incidents; (ii) protect against fraud; (iii) debug/repair errors; (iv) provide the Service as specified in the Agreement;

(d) Not sell or share PI;

(e) Implement and maintain reasonable security measures appropriate to the nature of the PI (see Section 6);

(f) Comply with applicable provisions of the CCPA/CPRA;

(g) Notify Business within 72 hours of discovering any unauthorized access, disclosure, or breach of PI;

(h) Cooperate with Business in responding to Consumer rights requests (access, deletion, correction) within 10 business days of receiving notice from Business;

(i) Upon termination of the Agreement, at Business's election, return or delete all PI within 30 days and certify deletion in writing.

---

4. Business Obligations

Business shall:

(a) Provide all required notices and obtain all required consents from Consumers (including AB 984 employee notice) before PI is collected through the Service;

(b) Ensure it has a lawful basis for each category of PI processed;

(c) Provide instructions to Service Provider that comply with applicable law;

(d) Notify Service Provider promptly of any Consumer rights request that requires Service Provider's cooperation.

---

5. Subprocessors

Service Provider uses the following subprocessors:

Subprocessor	Purpose	Location
Google Cloud Platform	Cloud infrastructure, database, file storage, OCR (Document AI)	USA
OpenAI	Document parsing (receives raw OCR text containing PII)	USA
Cloudflare, Inc.	Edge compute, telemetry processing, CDN	USA
Soracom, Inc.	IoT SIM connectivity	USA/Japan
Teltonika	Device firmware OTA	Lithuania/USA
SendGrid (Twilio)	Transactional email delivery	USA
Twilio	SMS notifications	USA
Stripe	Payment processing	USA
CarsXE	License plate to VIN resolution (receives plate + state)	USA
NHTSA vPIC	VIN decoding to vehicle specs (public API, receives VIN only)	USA

Service Provider will notify Business at least 30 days before engaging a new subprocessor that processes PI. Business may object in writing within 15 days. If Business objects and the parties cannot resolve the objection within 15 days, Business may terminate the Agreement.

All subprocessors are bound by written agreements imposing obligations no less protective than this DPA.

---

6. Security Measures

Service Provider implements:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Role-based access controls
• Multi-factor authentication for administrative access
• Audit logging of all PI access
• Regular vulnerability assessments
• Incident response procedures
• Employee security training
• Secure development lifecycle practices

---

7. Audits

Business may audit Service Provider's compliance with this DPA:

• Up to once per year (or immediately following a security incident)
• With 30 days' advance written notice
• During normal business hours
• At Business's expense (unless audit reveals material non-compliance, in which case Service Provider bears cost)
• Service Provider may satisfy audit requests by providing a third-party security assessment or equivalent documentation

---

8. Consumer Rights Requests

When Service Provider receives a Consumer rights request directly from a fleet driver/employee:

• If the request relates to data processed on behalf of Business, Service Provider will redirect the Consumer to Business and notify Business within 5 business days
• Service Provider will not fulfill the request independently unless directed by Business or required by law
• Service Provider will provide Business with reasonable technical assistance to fulfill requests

---

9. Return and Deletion

Upon termination of the Agreement:

• Service Provider will make Customer Data available for export in machine-readable format (JSON or CSV) for 30 days
• After 30 days (or upon Business's written instruction to delete), Service Provider will delete all PI from production systems within 30 days
• Copies in backup systems will be deleted within 90 days of termination pursuant to normal backup rotation
• Service Provider will certify deletion in writing upon Business's request
• Exception: Service Provider may retain PI as required by applicable law (e.g., BAR 3-year requirement), identified and isolated from other processing

---

10. Liability

Each party's liability under this DPA is subject to the limitation of liability in the Fleet Customer Agreement.

---

11. Governing Law

This DPA is governed by the laws of the State of California. In the event of conflict between this DPA and the Fleet Customer Agreement, this DPA governs with respect to data processing matters.