Data Processing Agreement

Effective date: 2026-05-26 · Version 1.0

1. Definitions

The terms “Personal Data”, “Processing”, “Controller”, “Processor”, and “Data Subject” have the meanings given in Regulation (EU) 2016/679 (GDPR) and equivalent terms have the corresponding meaning in any other applicable data protection law. “Service”, “Customer Materials”, “Provider”, and “Customer” have the meanings given in our EULA.

2. Subject matter and duration

Provider Processes Personal Data on Customer’s behalf solely to deliver the Service as described in the EULA. This DPA applies for as long as Provider Processes Personal Data on Customer’s behalf and remains in effect after termination for any period during which Personal Data is still held under the EULA’s wind-down terms.

3. Nature and purpose of processing

Processing consists of: receiving the Customer Website content; mirroring selected pages; serving the China Mirror Site to visitors from mainland China; collecting operational logs and aggregate analytics; and operating the China Mirror Site, including any regulatory communications required by law.

4. Categories of Data Subjects and Personal Data

The Service is intended for static informational marketing content. The Personal Data Processed is limited to:

• Visitor IP addresses and rough geographic information derived from them.
• Browser, device, and operating-system identifiers contained in standard HTTP headers.
• Outreach codes and URL parameters that Customer or its agents place in links to the Customer Website (e.g. ?biz=, ?source=, ?utm_*).
• Any Personal Data Customer chooses to embed in mirrored page content (for example, a named contact in a footer). Customer is responsible for the lawfulness of such embedding.

The Service is not intended to Process special categories of Personal Data (Article 9 GDPR), payment data, authentication credentials, health data, or biometric data. Customer shall not transmit such categories through the Service unless an additional agreement is signed.

5. Provider obligations as Processor

Provider shall:

• Process Personal Data only on documented instructions from Customer, including with regard to international transfers, except where Provider is required to Process by law — in which case Provider shall inform Customer of that requirement before Processing, unless that law prohibits such information.
• Ensure confidentiality. Personnel authorized to Process Personal Data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures as described in our Security page, taking into account the state of the art, the costs of implementation, and the risk to Data Subjects.
• Assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to Data Subject requests.
• Make available all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer (subject to Section 9).
• Notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer’s data, with the goal of an initial notice within seventy-two (72) hours of confirmation.

6. Subprocessors

Customer authorizes Provider to engage Subprocessors as needed to deliver the Service. The current list of Subprocessors is provided to Customer on request and updated when material changes occur. Provider shall:

• Impose contractual obligations on each Subprocessor that are no less protective than those in this DPA.
• Remain fully liable to Customer for the performance of each Subprocessor’s obligations.
• Notify Customer of any intended addition or replacement of a Subprocessor with reasonable advance notice (typically 30 days), giving Customer the opportunity to object on reasonable grounds. Where Customer reasonably objects, Provider shall use commercially reasonable efforts to make available a workable alternative or, failing that, Customer may terminate the affected Service for that reason.

7. International transfers

Provider is located in mainland China and uses Subprocessors located in the United States, the European Union, and elsewhere. For transfers from the European Economic Area, the United Kingdom, or Switzerland to Provider or to non-adequate-status countries, the parties incorporate by reference the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor) as adopted in 2021/914, as may be updated. Where applicable, the UK International Data Transfer Addendum (IDTA) or equivalent Swiss adaptations apply with the corresponding choice of law and supervisory authority.

Customer accepts that delivery of the Service inherently involves mainland China hosting. Customer remains responsible for any cross-border transfer disclosure, consent, or filing required in Customer’s own jurisdiction with respect to Customer’s visitors.

8. Data Subject rights

Provider will assist Customer, on commercially reasonable terms and insofar as technically feasible, in responding to verified requests from Data Subjects to access, correct, delete, restrict, or port Personal Data Processed under this DPA. Customer shall direct Data Subject requests to Customer in the first instance and shall be the primary point of contact with Data Subjects.

9. Audit

Customer may, no more than once per twelve (12) months and on at least thirty (30) days’ advance written notice, request documentary evidence of Provider’s compliance with this DPA. Provider may satisfy this obligation by providing recent third-party reports (where available), responses to standard questionnaires (such as SIG or CAIQ), or written attestations. On-site audits are conducted at Customer’s expense, during regular business hours, with reasonable scope, and subject to confidentiality undertakings. Provider may decline access to areas containing data of other customers or to facilities of Subprocessors where Provider is not contractually permitted to grant access; in such cases Provider shall make alternative arrangements to address Customer’s reasonable concern.

10. Return or deletion

Upon termination of the Service, and at Customer’s election made in writing, Provider shall return or delete all Personal Data Processed under this DPA within ninety (90) days, except (a) Personal Data that Provider is legally required to retain, in which case Provider shall continue to protect it under this DPA, and (b) anonymized or aggregated data from which the Data Subject can no longer be identified.

11. Liability

Each party’s liability under this DPA is subject to the aggregate liability cap and the exclusions of indirect damages set forth in the EULA. To the extent applicable law requires a different allocation, that law prevails over this Section to the minimum extent required.

12. Conflict and order of precedence

In case of conflict between this DPA and the EULA on a matter relating to the Processing of Personal Data, this DPA prevails. In case of conflict between this DPA and a customer-specific signed DPA referencing this Service, the customer-specific signed DPA prevails.

13. Governing law

This DPA is governed by the law specified in the EULA. Where mandatory data-protection law of a Data Subject’s jurisdiction grants rights that this DPA cannot modify, those rights continue to apply.

How to sign

Most customers do not require a wet-ink signature. By accepting our EULA at the point of purchase or by instructing us to start work, this DPA forms part of your contract.

If you require a signed paper or electronic version (DocuSign or equivalent), email chinasiteready@autoinfra.cn with the subject “DPA request”, attach your preferred template if any, and we will return a signed version within five business days. There is no separate charge for executing this DPA.