DealerX Partners LLC. Terms of Service Agreement

    • 1.1 Term. The term (“Term”) of the Agreement shall begin on the Schedule Effective Date of the Schedule referencing this Agreement and continue until terminated in accordance with Section 1.2 below. The term of any Schedule shall be as set forth therein.
    • 1.2 Termination. Either Party may immediately terminate this Agreement or an affected Schedule upon written notice to the other Party if: (a) the other Party is in default of this Agreement or the affected Schedule and fails to cure, or begin implementation of a mutually-agreed-upon plan to cure, such default within thirty (30) business days of written notice from the other Party specifying the nature of such default and requiring its remedy; (b) the other Party petitions for relief under the Federal Bankruptcy Code or any involuntary petition is filed against the other Party and is not dismissed within sixty (60) days; (c) relief under the Federal Bankruptcy Code is granted with respect to the other Party as a debtor; (d) the other Party makes a general assignment for the benefit of creditors; or (e) the other Party ceases doing business, assigns, or attempts to assign any portion of this Agreement to an entity other than as provided in Section 12.5 below.
    • 1.3 Effect of Termination. Upon termination: (a) DealerX shall not (and shall not permit any third-party to) access or use Company Data, unless expressly licensed by Company to DealerX in/on a Schedule, and (b) Company shall not (and shall not permit any third-party to) access or use any of DealerX’s Services (or part thereof) made accessible by DealerX, unless expressly licensed by DealerX to Company in an accompanying Schedule. “Company Data” means any data that Company owns or licenses from a third-party and provides (either itself or by a third-party) to DealerX for use in the performance of Services. For clarity, Company Data does not include any data that was or is independently obtained or derived by DealerX. If Company Data includes any information that can be used to distinguish or trace an individual’s offline identity, including, without limitation, name, email address, phone number and/or postal address, as well as any information that is directly linked to these identifiers, then such information shall constitute personally identifiable information (“PII”). PII that has been transformed using a one-way salt and hash, encryption, or other equivalent or more stringent cryptographic technique (e.g., tokenizing) shall (in such state) no longer be considered PII for the purposes of this Agreement.
    • 2.1 Schedules. The “Services” to be provided by DealerX to Company will be set forth in one or more schedules, statements of work, order forms, work orders, or other documents executed by the Parties and expressly made subject to this Agreement, including any amendments thereto (each, a “Schedule”), and will describe such Services, the applicable fees, and any other terms agreed to by the Parties. Any legal entity that either directly or indirectly (through one or more intermediaries) controls, is controlled by, or is under common control, with a Party to this Agreement (each, an “Affiliate”) shall be authorized to enter into a Schedule pursuant to this Agreement. With respect to a Schedule executed by any Affiliate of either Party, all references in this Agreement to such Affiliate’s related Party (either DealerX or Company) will be deemed to include the Affiliate unless the context indicates otherwise, and the Affiliate agrees to abide by all such terms. For purposes of this Agreement, “control” means possessing, directly or indirectly, the power to direct or cause the direction of the management, policies, and/or operations of an entity, whether through ownership of voting securities, by contract, or otherwise.
    • 2.2 Excusable Delay. Each Party’s delay or nonperformance of its obligations under this Agreement or any Schedule shall be excused to the extent caused by the other Party’s failure to perform its obligations thereunder. The non-performing Party will provide the other Party with reasonable notice of such non-performance or delay and will use commercially reasonable efforts to continue to perform. Company shall continue to pay DealerX for Services actually performed by DealerX prior to and during any such period.
    • 2.3 DealerX Locations and Personnel. All Services performed pursuant to any Schedule may be performed, in whole or in part, by any DealerX director, officer, employee, affiliate, consultant, subcontractor, or representative (collectively, “DealerX Personnel”) from any environment that is owned or leased by DealerX or a DealerX Affiliate or is otherwise maintained by DealerX Personnel. Any such environment must meet, in all material respects, the applicable requirements established in this Agreement and any Schedule hereto. DealerX Personnel shall access Company Data only to the extent required to perform the Services or processing assigned to such DealerX Personnel. All DealerX Personnel shall be required to comply with the terms of this Agreement and the applicable Schedule(s), including any confidentiality and information security requirements set forth in Exhibit A. Any act or omission of DealerX’s Personnel shall be deemed to be the act or omission of DealerX, for which DealerX will be liable in accordance with the terms of the Agreement.
    • 3.1 Pricing. The pricing for the Services shall be set forth in each applicable Schedule. Unless otherwise specified, all fees are exclusive of applicable taxes.
    • 3.2 Taxes. Company shall pay all taxes of a transactional nature (including sales, use, and value added taxes) levied in connection with this Agreement in accordance with applicable tax laws. Each Party is responsible for taxes based on its own net income, corporate franchise, business license, property, and employee payroll. To the extent required by law, DealerX will collect applicable taxes from the Company unless the Company provides an exemption certificate, direct pay permit, or other valid documentation. If Company is required under the laws of any jurisdiction to withhold taxes from payments made to DealerX pursuant to this Agreement, Company shall deduct and withhold the amount of such taxes for the account of DealerX. Amounts payable to DealerX shall be reduced by the amount of taxes so deducted and withheld, provided that Company transmits to DealerX an official tax certificate or other evidence of such tax obligations.
    • 3.3 Payment. Unless otherwise set forth in a Schedule, DealerX shall invoice and charge Company for: (a) any fixed fees, including minimum fees, provided for under any Schedule(s), in advance; and (b) for all variable fees provided for under any Schedule(s), as estimated in advance and increased or decreased by what has been incurred on a monthly basis. Payment will be debited and all fees are due within three (3) calendar days of the Company’s receipt of invoice (if sent via electronic transmission, Company’s receipt is deemed to be the date of such transmission). DealerX will deliver auto-generated invoices to the Company via email. Any other invoice delivery method (e.g., through third-party portals) will be subject to prior review and mutual agreement of the Parties, provided that Company remains responsible for any applicable processing fees that are outside the scope of DealerX’s standard invoice delivery. If Company fails to make timely payments, DealerX may, without limiting any other remedies available to it, suspend Company’s access to the Services until Company has made payment in full to DealerX for any outstanding invoices.
    • DealerX may provide, as a courtesy, supporting documentation and/or assets that may be submitted by the Company to an OEM cooperative advertising program for reimbursement. Both Parties agree that this courtesy is not intended to, and does not, constitute an admission of liability for the accuracy or completeness of any information provided by DealerX as supporting documentation and/or assets towards cooperative marketing material. DealerX will not be responsible for any incurred penalty imposed by the OEM cooperative advertising program as the result of any improper or inaccurate submission. It is the responsibility of the Company to review any supporting documentation and/or assets for accuracy prior to submission. The Company accepts responsibility to be familiar with, and to observe, any and all user agreement and/or submission regulations of the OEM cooperative advertising program in their entirety.
    • 5.1 Company Intellectual Property. Company owns and retains all right, title, and interest (including, without limitation, all intellectual property rights) in and to Company Data exclusive of any updates or modifications to the foregoing.
    • 5.2 DealerX Intellectual Property. DealerX owns and retains all right, title, and interest (including, without limitation, all intellectual property rights) in any data, technology, infrastructure, methods, or know-how (excluding Company Data) in providing its Services.
    • 5.3 Other Intellectual Property Rights. Each Party may only access and use the other Party’s data and technology as expressly set forth herein, and each Party retains all intellectual property rights in its own data and technology. Nothing in this Agreement shall affect or modify either Party’s ownership rights in any pre-existing or future works, trademarks, copyrights, or technologies independently developed or created by either Party. As between the Parties, DealerX will own any software functionality provided to Company that establishes the linkage between any Company Data and any third-party identifier, including any DealerX identifier, that enables such linkage and may only be used as set forth in this Agreement and the applicable Schedule(s).
    • 5.4 No Implied Rights. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Company or any third party any intellectual property rights or other right, title, or interest in or to the Services.
    • 6.1 Restrictions on the Use of Company Data. Other than the rights expressly granted to DealerX by this Agreement or any Schedule, no right, title or interest in Company Data is transferred to DealerX. DealerX shall not, and shall not authorize any third party to process, retain, use, sell, transfer, disclose, or otherwise share Company Data for any purposes other than as directed under this Agreement or applicable Schedules. Notwithstanding the foregoing, DealerX may disclose Company Data to its own vendors, subprocessors, or service providers where DealerX has carried out adequate due diligence on each such service provider and included terms in the contract between DealerX and such service provider that are equivalent to those set out in this Agreement or applicable Schedule(s) solely in connection with providing services for the Company.
    • 6.2 Testing Company Data. DealerX may use Company Data internally in order to perform quality control and improve the functionality of its core Services. Such internal uses shall include enhancements of existing Services received by Company.
    • 6.3 Enabling Individual Requests. DealerX shall promptly and in good faith take reasonable actions and provide such information and assistance as Company may reasonably request as directly related to the DealerX Services to enable Company to honor requests of individuals to exercise their rights under relevant law. DealerX may determine, in its sole discretion, the mechanism that Company must use to communicate such requests to DealerX.
    • 7.1 Confidential Information. During the Term, the Parties may disclose certain confidential or proprietary information (“Confidential Information”) to each other, including, without limitation: (a) with respect to Company, Company’s intellectual property, Company Data, tapes, mailing lists, product designs, business and marketing plans, and product strategies; (b) with respect to DealerX, DealerX’s intellectual property, pricing information, designs, capabilities, specifications, solution design documents, flowcharts, presentations, and analysis reports or results from testing of its Services, as well as any information of DealerX’s clients, prospects, and vendors that is stored and used within a DealerX facility; (c) the terms and conditions of this Agreement, including pricing information, which shall be the Confidential Information of both Parties; and (d) any other materials marked or reasonably considered “confidential” or “proprietary”.
    • 7.2 Confidential Information shall not include information that: (a) is or becomes a part of the public domain through no act or omission of the receiving Party; (b) was in the lawful possession of the receiving Party prior to the disclosure and had not been obtained, either directly or indirectly, from the disclosing Party; (c) is, insofar as is known to the receiving Party, lawfully disclosed by a third-party without restriction on disclosure; or (d) has been or is independently developed by a Party without use of, or reference to, Confidential Information of the other Party. The details of an occurrence of a data breach of the Company Data by DealerX, and the facts and circumstances related thereto, do not qualify as the Confidential Information of either Party.
    • 7.3 Obligations. Each receiving Party shall: (a) hold the disclosing Party’s Confidential Information in strict confidence; (b) except as required by any court or regulatory or government agency pursuant to a written court order, subpoena, deposition, regulatory or civil investigative demand, or other process of applicable local, state, federal, or international law (collectively, “Law”), not disclose such Confidential Information to any third-party or use it for any purpose other than as specifically authorized by the disclosing Party and permitted by this Agreement; and (c) employ commercially reasonable steps to protect the disclosing Party’s Confidential Information from unauthorized or inadvertent disclosure, including those steps that it takes to protect its own confidential and proprietary information. Each receiving Party may disclose the disclosing Party’s Confidential Information only to those of its and its Affiliates’ respective directors, officers, employees, agents, representatives and advisors (including without limitation, legal counsel, accountants, auditors and consultants) (collectively, and when acting at the direction or for the benefit of the applicable Party, its “Representatives”) on a “need to know” basis and only to the extent necessary to enable the Parties to adequately perform their respective responsibilities. Each receiving Party hereby undertakes to ensure the individual compliance of such Representatives with the terms hereof. No copies of any Confidential Information may be made by a receiving Party except as necessary to perform its obligations pursuant to this Agreement and the applicable Schedule(s). Confidential Information may not be translated into another format or language, or decompiled or reverse engineered without the disclosing Party’s prior written consent.
Upon termination of this Agreement for any reason, each receiving Party shall destroy all Confidential Information of the disclosing Party and any copies thereof. Following any such destruction, each receiving Party shall promptly confirm to the disclosing Party in a writing (email being sufficient) that it has fully complied with the requirements of this Section.
    • 7.4 Injunctive Relief. The Parties each acknowledge that a Party’s breach of Sections 7.1, 7.2, and/or 7.3 may result in irreparable harm and significant injury to the other Party and its clients and/or partners that may be difficult to ascertain. The non-breaching Party will have the right to seek, in addition to any other remedies that may be available to the non-breaching Party at law or in equity (including an award of reasonable attorneys’ fees where it is a prevailing Party), an immediate injunction in the event of any breach of any of Sections 7.1, 7.2, and/or 7.3 without posting bond.
    • 7.5 Unauthorized Disclosure. Each Party will, as soon as reasonably practical, after discovery, report to the other Party any unauthorized disclosure of or access to the other Party’s Confidential Information, subject to any reasonable restrictions placed on the timing of such notice by a law enforcement or regulatory agency investigating the incident, and take all reasonable measures to prevent any further unauthorized disclosure or access.
    • 7.6 Mandated Disclosure. If a receiving Party is requested or required to provide Confidential Information of a disclosing Party pursuant to Section 7.3 above (“Mandated Disclosure”), the receiving Party must: (a) unless requested or required by applicable Law, provide the disclosing Party with prompt written notice and reasonable cooperation if a protective order is sought; (b) take reasonable steps to limit any such disclosure only to the Confidential Information required to be compliant with the Mandated Disclosure; and (c) continue to otherwise protect all Confidential Information disclosed in response to such Mandated Disclosure.
    • 7.7 Encryption. Unless expressly authorized in a Schedule, Company must encrypt any PII, using industry standard encryption measures, before transferring such information to DealerX over a public network or on physical media.
    • 7.8 Prohibited Data. Unless expressly authorized in a Schedule, Company shall not provide to DealerX, or permit any third-party to provide to DealerX on Company’s behalf, any of the following information (“Prohibited Data”): (a) any government-issued identification number (e.g., Social Security Number, driver’s license number, state identification number, or passport number); (b) any financial or customer account number, including financial institution or bank account number or a credit or debit card number; (c) information describing any individual’s known health or medical condition(s), including Protected Health Information, as defined in 45 CFR 160.103; (d) sensitive personal data or special categories of personal data as defined by CCPA, CPRA if applicable, or applicable data breach notification laws; (e) unique biometric data or digital representation of biometric data; (f) any individual’s full date of birth (e.g., month, date, and year); (g) maiden name of any individual’s mother; (h) any individual’s digitized or other electronic signature; (i) any username, email address or other unique electronic identifier or routing code, which is sent in combination with a personal identification code, password, or security question and answer and would permit access to any online account; or (j) any data associated with any individual under the age of eighteen (18). If Company should transfer any Prohibited Data to DealerX in violation of this Section, Company shall immediately notify DealerX and inform DealerX of the date, time, and other pertinent information related to the transfer so DealerX may take the steps necessary to remove the Prohibited Data from its systems.
    • 7.9 Prohibited Uses. Company shall not use any Services to send or facilitate any advertising for:
      • 7.9.1 adult entertainment, e.g., pornography;
      • 7.9.2 illegal firearms;
      • 7.9.3 illegal gambling; and/or
      • 7.9.4 any product, service, or advertising that is illegal in the locality in which the advertisement is sent or received, including, without limitation, to discriminate on the basis of race, gender, religion, sexual orientation, or in any way that could be deemed unfair under applicable law.
      Further, Company shall not use any Services for the purposes of:
      • 7.9.5 employment eligibility;
      • 7.9.6 health care eligibility; and/or
      • 7.9.7 insurance eligibility, underwriting, and pricing; and/or any other FCRA purposes.
    • 8.1 Mutual. Each Party represents and warrants to the other that: (a) it has full power and authority to enter into and perform this Agreement; (b) the execution and delivery of this Agreement have been duly authorized; (c) its entry into this Agreement does not violate any Law, statute, or regulation and does not place such Party in breach of any other agreement or covenant to which it is a party or is bound; (d) its Confidential Information has been legally obtained; (e) the provision of its Confidential Information to the other Party does not violate any laws or agreements with third parties; and (f) it will otherwise comply with all applicable Laws, rules, and regulations, including those Laws designed to protect the privacy and data rights of data subjects in those applicable countries or geographies where DealerX provides Services for Company (e.g., CCPA, CPRA). Furthermore, each Party represents and warrants to the other Party that it shall promptly (and in all cases, within seventy-two (72) hours) notify the other Party of any access or acquisition of such Party’s Confidential Information, and to provide (at the notifying Party’s own expense) reasonable cooperation in investigations determining and resolving any such access or acquisition of data.
    • 8.2 DealerX. DealerX represents and warrants that: (a) it has the necessary equipment, computer capacity, software, programs, and trained personnel to properly perform the Services consistent with standard industry practices; (b) it will perform the Services in a professional and competent manner; (c) except with Company’s prior written consent, it shall not, and shall not authorize or contract with any third-party to, resell, lease, assign, rent, sublicense, distribute, transfer, disclose, time-share, or otherwise share Company Data for any purposes other than fulfilling its obligations hereunder and under the applicable Schedule(s); and (d) it has implemented and will maintain the information security program detailed in Exhibit A hereto and such security program contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any applicable consumer information at issue.
    • 8.3 Company. For any Company Data disclosed to DealerX, Company represents and warrants that: (a) it fully owns or has the authority to use the Company Data as set forth in this Agreement and any applicable Schedule(s), and that in obtaining or collecting the Company Data, it did not violate any applicable law or regulation, or the rights of any third-party; (b) it shall not instruct DealerX to process or to take any other action with respect to any such Company Data that Company knows, or should reasonably know, would violate an applicable Law, Company’s own published privacy policies, or any other applicable privacy policies, notices, or disclosure statements; (c) it has complied with all user requests, including, without limitation, requests of individuals to exercise their rights under consumer privacy laws, and it shall inform DealerX of any such requests (including providing DealerX with updated Company Data) within a reasonable time period, as required by law, during the course of the applicable Schedule(s); (d) except with DealerX’s prior written consent, it will not resell, lease, rent, sublicense, distribute, or transfer any Services or any other rights granted in this Agreement or any Schedule; and (e) it shall not attempt to re-identify or otherwise reverse engineer any data it receives in connection with the implementation of any Schedule(s), including, without limitation to derive directly identifiable personal information from, or merge directly identifiable personal information with, any pseudonymous, anonymous, or de-identified information provided by DealerX without explicit permission under the applicable Schedule(s).
    • 8.5 Suspension of Performance. Either Party may suspend or discontinue the performance of any Service(s) if, in its reasonable judgment, the performance of such Service(s) would violate any applicable Law, rule, or regulation. Such suspension or discontinuation, when exercised in good faith, shall not constitute a default under this Agreement or the applicable Schedule(s), and the Parties will use commercially reasonable efforts to implement an alternative method of performing such Service(s). If an alternative method cannot be reasonably implemented, DealerX will refund any fees prepaid by the Company for Services not performed.
  • 9. REMEDIES.
    • 9.1 DealerX’s primary obligation and Company’s first remedy for any claim of defective Services is for DealerX to correct, re-perform, or re-deliver, as applicable, the Services in question without additional charge or, if re-performance is commercially impracticable, to refund any fees pre-paid by Company for such Services. Company must provide written notice to DealerX of any such claim in sufficient detail with any necessary backup information and/or documentation.
    • 10.2 Aggregate Liability.
    • 10.3 Exclusions and Miscellaneous. The limitations in this Section: (a) shall not apply to a Party’s indemnification obligations or to damages resulting from a Party’s gross negligence or intentional misconduct; and (b) shall apply regardless of the legal theory or form under which any action is brought. Each Party shall have a duty to mitigate damages for which the other Party is responsible.
    • 11.1 General. Each Party (as an “Indemnifying Party”) agrees to indemnify and hold the other Party and its Representatives (each an “Indemnified Party”) harmless from and against any third-party claim, action, or liability (including damages, costs, expenses, and reasonable attorneys’ fees) that may arise against the Indemnified Party as the result of: (a) personal injuries or damages to tangible real property caused by the Indemnifying Party and/or its Representatives; (b) the Indemnifying Party’s failure to comply with all applicable Laws and regulations; or (c) the misappropriation or misuse of the Indemnified Party’s Confidential Information by the Indemnifying Party.
    • 11.2 Infringement.
      • 11.2.1 Except as provided below, each Indemnifying Party shall defend and indemnify the Indemnified Party from and against any damages, liabilities, costs and expenses (including reasonable attorneys’ fees) arising out of any third-party claim that the materials provided to it by the Indemnifying Party pursuant to this Agreement (including any Company-provided data or other content or Confidential Information) infringes a valid patent, trademark, or copyright, or misappropriation of a trade secret(s) of a third-party, provided that: (i) the Indemnified Party has provided prompt written notice of such claim and reasonable cooperation, information, and assistance in connection therewith; and (ii) the Indemnifying Party shall have sole control and authority with respect to the defense, settlement, and/or compromise of any such claim.
      • 11.2.2 Should the Services provided to Company, or any part thereof, become, or in DealerX’s opinion be likely to become, the subject of a third-party claim of infringement, DealerX may, at its option and expense, either procure for Company the right to continue using such Services or replace or modify such Services as to make them non-infringing. If replacement or modification is not possible or is commercially unreasonable, Company will receive a pro rata refund of the fees paid to DealerX exclusive of Media, Data or Pass Throughs with respect to the particular Services that are the subject of such claim.
      • 11.2.3 Sections 11.2(a) and 11.2(b) state the entire liability of DealerX and the sole and exclusive remedy of the Company with respect to any third-party claim of infringement. Neither Party shall have any liability or obligation to the other for any infringement claim to the extent caused by or based upon: (i) the combination of materials with other products or services not furnished or authorized by the Party providing the materials to the extent the infringement would not have occurred but for such combination; or (ii) additions or modifications made to the materials after delivery that are not made by the Party providing the materials or authorized by this Agreement and the applicable Schedule(s) to the extent the infringement would not have occurred but for such addition or modification.
    • 11.3 Indemnification Procedure. The Indemnifying Party shall have the right to exercise reasonable control over any litigation within the scope of these indemnities; provided, however, that the Indemnified Party shall have the right to participate in any such litigation insofar as it concerns claims against it. That right to participate includes the Indemnified Party’s right to select and retain counsel for representation at the Indemnified Party’s own expense. No Party shall have any obligation to defend or indemnify the other Party if the intended Indemnifying Party is not notified promptly of the claim and is materially prejudiced thereby. The Indemnified Party shall cooperate to the extent necessary in the defense of any claim within the scope of these indemnities.
  • 12. PUBLICITY.
    • 12.1 Except as required by Law, neither Party shall use the other Party’s name, logo, or trademark without the other Party’s approval. Neither Party shall issue any press release, advertising, or promotional material relating to this Agreement without the express written consent (email being sufficient) of the other Party.
    • 13.1 GLBA

      Activities and Entities Covered by the Privacy Rule

      1. Does the Privacy Rule apply to my Dealership’s use of DealerX’s Products or services?

      • The Privacy Rule applies to car dealers who:
        • Extend credit to someone (for example, through a retail installment contract) in connection with the purchase of a car for personal, family, or household use;
        • Arrange for someone to finance or lease a car for personal, family, or household use; or
        • Provide financial advice or counseling to individuals.

      If you engage in these activities, any personal information that you collect to provide these services is covered by the Privacy Rule.

      Examples & Exemptions

      Summarized From FTC Website

      Q: I have to give the marketing company my customers’ names and addresses. I’ve provided my customers with a privacy notice, but because I don’t usually disclose their information except as required by law, I haven’t given them an opt-out notice. Do I now need to give an opt-out notice to my customers before disclosing this information to the marketing company?

      A: If you want to send a communication to all of your customers, you don’t need to give them an opt-out notice as long as you don’t distinguish between those who financed or leased and those who didn’t. A list of all your customers — without reference to whether they financed their car or paid for it outright — falls outside the Privacy Rule, as long as the list wasn’t derived from information about how they obtained their car.

      For additional resources and guidance:


      Please see the FTC’s Privacy Rule and Auto Dealers: FAQs

    • 13.2 Governing Law. This Agreement is governed by applicable Florida law without regard to its choice of law rules. Any dispute between the Parties shall be resolved exclusively in the state or local courts located in Miami-Dade, Florida to which jurisdiction both Parties irrevocably submit.
    • 13.3 Updates to Agreement URL. DealerX reserves the right, in its sole discretion, to make any changes to the Agreement that it deems necessary or useful to maintain or enhance: (a) the quality of its Services (as defined below) to Company; (b) the competitive strength of our market for its Services; or (c) the Services’ cost efficiency or performance; provided that no such change materially reduces or otherwise has a material adverse effect on: (i) DealerX’s level of effort in performing the Services; (ii) DealerX’s obligation to provide the Services under this Agreement; or (iii) Company’s rights hereunder. DealerX will notify the Company of any material updates to the Agreement URL. Additionally, the Parties acknowledge that the state of the Law with respect to privacy, including, without limitation, behavioral advertising, contextual advertising, cookies, personal information, and informational privacy is unsettled and therefore DealerX may update the terms of this Agreement from time to time to include such changes in Law by providing prior notice of those updated terms to Company in writing. Company agrees to comply with those change(s) in Law, which will become effective on the later the date mandated by the applicable change(s) in Law or thirty (30) days after the date of DealerX’s written notice.
    • 13.4 Conflicting Provisions. In the event of conflicting provisions between this Agreement and any Schedule the terms of the Schedule shall control and resolve the conflict, unless this Agreement specifically states otherwise with regard to the particular issue.
    • 13.5 Severance and Waiver. If any one or more of the provisions of this Agreement or any Schedule shall for any reason be held to be invalid or unenforceable, such provision shall be enforced to the maximum extent permissible to effect the original intent of the Parties, and the same shall not affect any of the other portions thereof. Failure or delay by either Party in exercising any right hereunder shall not be a waiver of such right; to be enforceable, a waiver must be in writing and signed by the waiving party.
    • 13.6 Assignment. Neither Party may assign its rights or obligations hereunder without the prior written consent of the other Party, which shall not be unreasonably withheld or delayed; provided, however, that no consent shall be required for assignment by either Party: (a) to an Affiliate or other entity under common control of the assigning Party; or (b) in connection with a direct or indirect purchase, merger, reorganization, consolidation, or sale of all or a portion of the assigning Party’s assets, but, in each case of (a) and (b), subject to the assigning Party’s prompt notice of such assignment to the other Party. Subject to the preceding sentence, this Agreement will be binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.
    • 13.7 No Third-Party Beneficiaries. This Agreement is solely on behalf of and for the benefit of the undersigned Parties. Unless otherwise expressly stated in an applicable Schedule, there are no intended third-party beneficiaries to this Agreement or any Schedule.
    • 13.8 Relationship. The Parties agree that they are independent contractors, and that no joint venture, partnership, employment, or agency relationship exists between the Parties as a result of this Agreement.
    • 13.9 Force Majeure. If performance of any obligation hereunder is directly prevented or interfered with by an act or condition outside the reasonable control of a Party (a “Force Majeure Event”), such as fire, strike or labor disputes of a third-party, war or violence, and/or court order or requirement of a government agency, the Party suffering such Force Majeure Event, upon giving prompt written notice to the other Party, shall be excused from such performance during such occurrence to the extent performance is not possible.
    • 13.10 Notices. Except as otherwise provided by this Agreement, an applicable Schedule, or Law, any notice or other communication required hereunder shall be made by electronic mail and deemed to be received upon transmission. A Party may change the name or address of the designated recipient by giving notice to the other Party. Any notice or communication shall be deemed given upon receipt.
      • 13.10.1 If to DealerX, notices or other communications required hereunder shall be sent to; and,
      • 13.10.2 If to Company, notices or other communications required hereunder shall be sent to the email address of the person executing this Agreement or such other email address as may be provided by Company under an applicable Schedule.
    • 13.11 Survival of Terms. Any provision of this Agreement that contemplates performance or observance subsequent to any termination or expiration of this Agreement, including, but not limited to, all provisions with respect to confidentiality, limitations on liabilities, and indemnification, shall survive any termination or expiration of this Agreement and continue in full force and effect.
    • 13.12 Headings, Good Faith, and Counterparts. The descriptive headings of the sections of this Agreement and any Schedule are for convenience only and do not constitute a part of this Agreement or such Schedule. With respect to all of their respective dealings under this Agreement and each Schedule, each Party will act fairly and in good faith, and in the event of a dispute arising under this Agreement or any Schedule, each Party agrees to engage first in a business meeting to resolve the dispute.
    • 13.13 Entire Agreement. The Agreement, together with the Exhibits & Schedules, constitutes the entire agreement between the Parties with respect to the subject-matter hereof and supersedes any and all written and oral prior agreements and understandings between the Parties.

Exhibit A: Information Security

This Exhibit describes the information security measures that DealerX uses in providing Services under this Agreement.

  • 1. General. DealerX will use industry-standard security measures designed to protect against unauthorized access, loss and misuse of hashed or encrypted IDs, including: (a) encryption of stored information behind a secured server network; and (b) organizational, contractual, technological, and managerial safeguards as more thoroughly described herein. DealerX security measures may be subject to change at DealerX’s sole discretion; however, any such changes will not diminish or reduce the requirements provided herein. All capitalized terms that are not expressly defined herein shall have the meanings given to them in the Agreement.
  • 2. Shared Processing Environment. DealerX may perform the Services from a facility that is owned by a third-party (a portion of which is available for use by DealerX or its Affiliates), through a cloud platform provider, or a similar environment that is managed by DealerX Personnel. Any such facility, location, or environment will meet, in all material respects, the applicable requirements established herein.
  • 3. Safeguards. DealerX will maintain reasonable administrative, technical and physical controls designed to ensure the security and confidentiality of Company Data (“Safeguards”), and that comply with this Exhibit, applicable industry standards, and Laws:
    • a. Physical Access. DealerX will maintain physical access controls designed to secure relevant facilities, infrastructure, data centers, hard copy files, servers, backup systems, and equipment (including mobile devices) that are in DealerX’s control and used to access Company Data, including controls to prevent, detect, and respond to attacks, intrusions, and other system failures. DealerX will log physical access, conduct regular reviews, and require visitors to sign in and out of facilities housing systems in DealerX’s control that process, store, and/or transmit Company’s Confidential Information.
    • b. User Authentication. DealerX will maintain user authentication and access controls within operating systems, applications, equipment, and media.
    • c. Personnel Security. DealerX will maintain personnel security policies and practices restricting access to Company Data, including written confidentiality agreements and background checks if necessary consistent with applicable Law for all personnel with access to Company Data or who maintain, implement, and/or administer DealerX’s information security program and Safeguards.
    • d. Logging and Monitoring. DealerX will log and monitor the details of access to Company’s Confidential Information on networks, systems, and devices operated by DealerX. DealerX logging and monitoring systems will meet applicable industry standards.
    • e. Malware Controls. DealerX will maintain reasonable and up-to-date controls designed to protect its networks, systems, and devices that access Company Data from malware and unauthorized software.
    • f. Security Patches. DealerX will maintain controls and processes designed to ensure that networks, systems, and devices (including operating systems and applications) that access Company Data are up-to-date, including application of security updates and patches to systems and applications that process Company Data in accordance with the applicable manufacturers’ best practice recommendations or guidelines.
    • g. User Account Management. DealerX will implement reasonable user account management procedures to securely create, amend, and delete user accounts on DealerX networks, systems, and devices, including monitoring redundant accounts and ensuring that information owners properly authorize user account requests. DealerX will continually manage its user accounts. User account management will include:
      • i. unique user IDs for access;
      • ii. a review of user access rights, including privileged accounts, at most every six (6) months; and
      • iii. limited and controlled access to DealerX’s internal network.
    • h. Password Requirements. DealerX will maintain a password policy for its systems and applications that process Company’s Confidential Information that, at a minimum, requires passwords to:
      • i. be a minimum of eight (8) characters in length;
      • ii. contain a mix of upper and lower case letters and at least one (1) number and one (1) special character;
      • iii. not be the username;
      • iv. not be the same as any previous three (3) passwords;
      • v. be changed at the first logon after initial password;
      • vi. be encrypted at rest and in transit;
      • vii. be masked when entered into a system or application;
      • viii. lock accounts after five (5) invalid login attempts;
      • ix. not be a PIN or secret question that is any less secure than the primary authentication password or mechanism; and
      • x. have a minimum password age.
  • 4. Encryption Requirements. Using a reasonable encryption standard, DealerX will encrypt all Company Data that is
    • a. stored on portable devices or portable electronic media;
    • b. stored or maintained outside of DealerX’s facilities, excluding hard-copy documents; or
    • c. transferred across any network other than an internal network owned and managed by DealerX.
  • 5. Cloud Infrastructure Security.

    All of our services are hosted with AWS and GCP. They employ a robust security program with multiple certifications. For more information on our providers’ security processes, please visit AWS Security, GCP Security.

  • 6. Data Hosting Security.

    All of our data is hosted on AWS and GCP databases. These databases are all located in the United States, United Kingdom, or elsewhere in Europe. Please reference the vendor-specific documentation linked above for more information.

    • a. Encryption at Rest – All databases are encrypted at rest.
    • b. Encryption in Transit – Our applications encrypt in transit with TLS/SSL only.
    • c. Vulnerability Scanning – We perform vulnerability scanning and actively monitor for threats.
    • d. Logging and Monitoring – We actively monitor and log various cloud services.
  • 7. Access Controls. DealerX will:
    • a. maintain reasonable controls to ensure that only individuals who have a legitimate need to access Company Data under the Agreement and/or applicable Schedule(s) will have such access;
    • b. promptly terminate an individual’s access to Company Data when such access is no longer required for performance under the Agreement and/or applicable Schedule(s); and
    • c. log the appropriate details of access to Company Data on DealerX’s systems and equipment.
  • 8. Training and Supervision. DealerX will use a “best efforts” approach to ongoing privacy and information protection training and supervise its personnel who access Company Data.
  • 9. Assessments & Corrections
    • a. Company Assessments. Upon Company’s (in current good standing) written request, DealerX will promptly and accurately complete Company’s written information security questionnaire regarding DealerX’s information security practices in relation to all Company Data that DealerX receives in order to provide the Services. Furthermore, and no more than once bi-annually, upon Company’s written request, which must be given to DealerX at least ten (10) business days in advance, Company may assess DealerX’s compliance and responses to Company’s information security questionnaire, or DealerX’s compliance with Laws to determine adequacy to protect Company Data. As a result, Company may request improvements of DealerX’s applicable security controls that are designed to prevent malicious or inappropriate access to source code, data, graphics, and/or audio/visual material used to perform Services for Company. Notwithstanding the foregoing, or anything to the contrary in the Agreement or any Schedule, DealerX shall have no obligation to provide Company with access to DealerX’s systems or certain information from DealerX’s shared processing environments, including, but not limited to, records of internal vulnerability scans and penetration tests, systems logs, detailed network diagrams, and application code.
    • b. DealerX Assessments. DealerX will continuously monitor risk to Company Data to help ensure that the Safeguards are properly designed and maintained in their use to prevent unauthorized access to Company Data. DealerX will periodically (but no less than once annually) assess and document the effectiveness of its Safeguards across its networks, systems, and devices (including infrastructure, applications, and Services) used to access Company Data and update its Safeguards as needed.
    • c. Vulnerability Testing. DealerX will periodically (but at least once annually) perform manual and automated vulnerability testing (including penetration testing based on recognized industry best practices) on DealerX internet-facing networks, systems, software, and devices used to access Company Data. Company shall have no right to perform vulnerability or penetration testing on DealerX networks or systems.
  • 10. Security Breach Response. DealerX will maintain policies and procedures for responding to Security Breaches. A “Security Breach” shall mean any actual or reasonably suspected:
    • a. unauthorized access to or theft of Company Data;
    • b. unauthorized use of Company Data by a person with authorized access to the information for purposes of actual or reasonably suspected theft, fraud or identity theft;
    • c. unauthorized disclosure or alteration of Company Data; and/or
    • d. loss of Company Data, including without limitation, any of the foregoing described in (1) – (3) caused by or resulting from a failure, lack of or inadequacy of security, physical intrusion of facilities, theft or loss of documents, laptops or storage media, or Representative malfeasance. If DealerX has a Security Breach it shall handle such Security Breach in accordance with its Security Incident Response Guide and:
      • i. notify Company within seventy-two (72) hours after the discovery of the Security Breach;
      • ii. use commercially reasonable efforts and take all necessary actions to prevent, contain, and mitigate the impact of the Security Breach;
      • iii. promptly and in no event more than seven (7) business days after the Security Breach provide a written status report to Company;
      • iv. collect and preserve all evidence concerning the discovery, cause, vulnerability, exploitation, remedial actions and impact related to the Security Breach, which shall be forensically admissible in legal proceedings;
      • v. document incident response and remedial actions taken in detail, which shall be forensically admissible in legal proceedings; and
      • vi. notify the Company in advance of any press releases or public statements made by DealerX related to the Security Breach.
  • 11. Business Continuity and Disaster Recovery. DealerX will implement and maintain Business Continuity & Disaster Recovery (“BCDR”) capabilities to ensure the availability of the Services in the event of a disaster scenario or outage. DealerX will assess each Service for BCDR requirements pursuant to its documented risk management guidelines. DealerX will ensure that each Service has, to the extent warranted by such risk assessment, and based on the business criticality of such Services provided to Company, maintained and validated BCDR capabilities consistent with industry-standard practices. DealerX will ensure that such plans are designed to deliver the specific Recovery Time Objective (“RTO”) set forth in the DealerX Backup, Business Continuity, and Disaster Recovery Standard.

DealerX is committed to privacy and the responsible use of information.

We strive to promote transparency by creating, publishing, and adhering to privacy policies across our products, services, and practices. We also continually strive to promote responsible use of personal information through the design of our products, ongoing monitoring and auditing, and information security safeguards.