Last updated: July 2, 2026
Softserve Software LLC d/b/a Car Storage SoftwareThis Data Processing Agreement (“DPA”) forms part of the agreement between Softserve Software LLC, a Florida limited liability company doing business as Car Storage Software (carstoragesoftware.com)(“Processor,” “we,” “us”) and the storage facility or other business customer (“Controller,” “you”) that subscribes to our car storage facility management software (the “Service”) under our Terms of Service (the “Agreement”).
This DPA applies to the extent we process personal data on your behalf that is subject to applicable data protection laws, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the Swiss FADP, PIPEDA (Canada), and applicable US state privacy laws (collectively, “Data Protection Laws”). Where we process such data, you act as the controller (or a processor acting on behalf of another controller) and we act as your processor (or sub-processor, or “service provider” under US state laws).
This DPA is incorporated into the Agreement by reference and applies automatically to all customers. If you require a countersigned copy for your records, email matt@carstoragesoftware.com.
We will:
Where US state privacy laws apply, we act as your “service provider” / “processor”: we do not sell or share personal data, do not retain, use, or disclose it other than to provide the Service or as permitted by law, and will notify you if we can no longer meet these obligations.
You provide general written authorization for us to engage sub-processors to provide the Service. Our current sub-processors are listed on our Subprocessor List.
We implement and maintain appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (Art. 32 GDPR), including:
A detailed description is available in our Information Security Policy and Access Controls Policy.
The Service includes self-service tools that let account holders view and correct their profile, export their personal data, and delete their account. For requests you receive directly (access, rectification, erasure, restriction, portability, objection), we will provide reasonable assistance, taking into account the nature of the processing.
If a data subject contacts us directly about data you control, we will direct them to you and will not respond substantively without your authorization unless legally required.
We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting your personal data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed. We will provide timely updates as the investigation progresses and cooperate with your notification obligations under Articles 33–34 GDPR.
During the term, you can export Customer Data through the Service. Upon termination, we will, at your choice, return or delete personal data in accordance with our Data Retention and Disposal Policy, unless applicable law requires continued storage. Data in encrypted backups is deleted on the backup expiry schedule described in that policy.
Upon written request (no more than once per year, absent a personal data breach or regulator requirement), we will make available documentation reasonably necessary to demonstrate compliance with this DPA — including our security and retention policies and summaries of third-party assessments. Where this is insufficient, we will allow an audit by you or your independent auditor, subject to reasonable notice, scope, confidentiality, and cost allocation.
We are based in the United States and process personal data there and in other countries where our sub-processors operate. Where personal data protected by the GDPR, UK GDPR, or Swiss FADP is transferred to a country without an adequacy decision:
For the purposes of the SCCs: Clause 7 (docking) is included; Clause 9 option 2 (general authorization, 30 days' notice) applies; Clause 11 optional language is excluded; Clause 17 — the clauses are governed by Irish law; Clause 18 — disputes are resolved in the courts of Ireland. Annex I is completed by Section 2 of this DPA and the Agreement; Annex II by Section 5; Annex III by our Subprocessor List.
Questions about this DPA or requests for a countersigned copy:
Softserve Software LLC
d/b/a Car Storage Software (carstoragesoftware.com)
Email: matt@carstoragesoftware.com
Address: 3343 Port Royale Dr S, Fort Lauderdale, FL 33308
Powered by carstoragesoftware.com