This Data Processing Addendum (the “DPA”) forms part of, and is subject to, the Enterprise Terms of Use, Master Services Agreement, or other written or electronic agreement between Rinsed, Inc. (“Rinsed”) and the customer identified in that agreement (“Customer”) (the “Agreement”). This DPA governs Rinsed’s Processing of Personal Data on behalf of Customer in connection with the services Rinsed provides to Customer under the Agreement (the “Services”).
In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls. Capitalized terms used but not defined here have the meanings given in the Agreement.
1. Definitions
1.1 “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including, as applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”), and its implementing regulations; (b) comprehensive consumer privacy laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other U.S. states as in effect; (c) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); (d) Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, as amended by Law 25; (e) British Columbia’s Personal Information Protection Act; (f) Alberta’s Personal Information Protection Act; and (g) any other data protection or privacy law applicable to the Services.
1.2 “Controller,” “Processor,” “Data Subject,” “Processing,” and “personal data breach” have the meanings given to analogous concepts under Applicable Data Protection Laws. The terms “Business,” “Service Provider,” “consumer,” “personal information,” “sell,” “share,” and “process” have the meanings given to them under the CCPA.
1.3 “Personal Data” means any personal data or personal information (as defined under Applicable Data Protection Laws) that Rinsed Processes on behalf of Customer in connection with the Services. For clarity, Personal Data does not include Aggregated De-identified Data (as defined in Section 10.7) or other deidentified data.
1.4 “Security Incident” means a confirmed breach of Rinsed’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Rinsed. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, or other network activity that does not result in access to Personal Data.
1.5 “Subprocessor” means a third party engaged by Rinsed to Process Personal Data on behalf of Customer.
2. Scope and Roles of the Parties
2.1 Roles. Customer is the Controller and Business with respect to Personal Data. Rinsed is the Processor and Service Provider. Each party will comply with its obligations under Applicable Data Protection Laws.
2.2 Scope. This DPA applies to Rinsed’s Processing of Personal Data on behalf of Customer in connection with the Services. Details of the Processing are set out in Annex A.
2.3 Data Location. Rinsed Processes Personal Data in the United States. Customer acknowledges this location and, where required by Applicable Data Protection Laws (including Quebec Law 25), is responsible for providing any notices, conducting any assessments, and obtaining any consents required from Data Subjects regarding cross-border Processing.
2.4 Customer Responsibilities. Customer is responsible for: (a) the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data; (b) providing all required notices to, and obtaining all required consents and rights from, Data Subjects for the Processing contemplated by the Agreement, including for the use of Personal Data described in Section 4; (c) configuring the Services and using any administrative controls made available by Rinsed appropriately for Customer’s compliance obligations; and (d) securing Customer’s accounts, credentials, and authorized user access.
2.5 Customer Security Determination. Customer is solely responsible for independently determining whether the technical and organizational measures described in Annex B adequately meet Customer’s obligations under Applicable Data Protection Laws and any other laws or regulations applicable to Customer’s business or industry. Customer is also responsible for the secure use of the Services, including protecting the security of Personal Data during transmission to and from the Services, and for maintaining the security of Customer’s own systems, credentials, and authorized user access.
2.6 Customer Indemnification. Customer will defend, indemnify, and hold Rinsed harmless from and against any claims, fines, penalties, damages, and reasonable legal fees arising out of or related to: (a) Customer’s failure to comply with its responsibilities under Section 2.4 of this DPA; (b) instructions provided by Customer to Rinsed that violate Applicable Data Protection Laws; (c) Customer’s failure to provide required notices to, or obtain required consents from, Data Subjects as required by Applicable Data Protection Laws; or (d) Customer’s or its end users’ violation of any Applicable Data Protection Law in connection with their use of the Services. This indemnification obligation is in addition to, and does not limit, any indemnification obligations set forth in the Agreement.
3. Processing of Personal Data
3.1 Documented Instructions. Rinsed will Process Personal Data (a) on Customer’s documented instructions, including as set forth in the Agreement, this DPA, and Customer’s use and configuration of the Services; (b) as permitted under the Agreement; and (c) as required by applicable law, in which case Rinsed will, unless prohibited by law, inform Customer of that legal requirement before Processing.
3.2 Unlawful Instructions. Rinsed will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws. Rinsed may suspend performance of the affected instruction until Customer confirms, modifies, or withdraws it. If Rinsed suspends performance of an instruction pursuant to this Section 3.2, Rinsed will not be liable to Customer under the Agreement or this DPA for any failure to perform the affected Services during the period of such suspension, provided that Rinsed has given Customer written notice and Customer has not issued new or modified instructions with which Rinsed is able to comply.
3.3 Restrictions. Rinsed will not (a) sell or share Personal Data within the meaning of the CCPA or other Applicable Data Protection Laws; (b) retain, use, or disclose Personal Data for any purpose other than for the business purposes set forth in the Agreement and this DPA (which include providing, maintaining, developing, and improving the Services), or as otherwise permitted by Applicable Data Protection Laws; (c) retain, use, or disclose Personal Data outside of the direct business relationship between the parties; or (d) combine Personal Data with personal information that Rinsed receives from or on behalf of another person, or collects from its own interaction with a consumer, except as permitted under Applicable Data Protection Laws.
3.4 Aggregated De-identified Data. As provided in the Agreement, Rinsed may create, use, and disclose Aggregated De-identified Data derived from Customer Data and Personal Data, including for product development, benchmarking, industry research and reporting, marketing, and improvement of the Services. Rinsed will take reasonable measures to ensure such data cannot be re-associated with a Data Subject or household and will contractually obligate any recipients of the data to comply with the same restrictions. Aggregated De-identified Data (as defined in Section 10.7) are not Personal Data under this DPA and are subject to the retention and use rights set forth in Section 10.7.
3.5 Feedback. Any feedback, suggestions, or recommendations Customer provides regarding the Services are subject to the Feedback license in the Agreement and may be used by Rinsed without restriction to improve the Services.
3.6 Instructions Defined. The parties agree that the Agreement (including this DPA), together with Customer’s use and configuration of the Services in accordance with the Agreement, constitute Customer’s complete documented instructions to Rinsed with respect to the Processing of Personal Data. Customer may provide additional processing instructions during the term of the Agreement, provided that such instructions are consistent with the Agreement, the nature of the Services, and Applicable Data Protection Laws. Rinsed is not obligated to comply with instructions that materially alter the nature, scope, or purpose of the Processing described in Annex A without a written amendment to this DPA.
4. Artificial Intelligence and Machine Learning
4.1 General Principle. Rinsed uses artificial intelligence and machine learning technologies to provide, maintain, and improve the Services (including, without limitation, voice-based support, sales enablement, analytics, and automation features). This Section 4 describes the parties’ commitments regarding AI and ML Processing of Personal Data.
4.2 Use of Personal Data for AI-Enabled Services. Rinsed and its AI Subprocessors Process Personal Data to provide AI-enabled features of the Services (including voice-based support, sales enablement, analytics, and automation). Rinsed does not use Personal Data to train or fine-tune foundation models, and contractually requires its AI Subprocessors not to use Personal Data to train their models and not to retain Personal Data submitted as prompts, retrieval context, or inputs beyond the duration of the applicable API transaction, except as necessary to provide the Services to Rinsed. Rinsed may use Personal Data to evaluate and improve the configuration, prompts, and retrieval systems that deliver AI-enabled features, subject to the restrictions in Section 3.3 and the safeguards in Annex B.
4.3 AI Subprocessors. AI-enabled third-party service providers engaged by Rinsed to Process Personal Data are listed among Rinsed’s Subprocessors at https://trust.rinsed.com/?tab=subprocessors. Rinsed engages such AI Subprocessors under their standard data protection terms (which may take the form of a published Data Processing Addendum or equivalent terms incorporated into the provider’s service agreement), which Rinsed reviews for adequacy with respect to the confidentiality, security, and data retention practices applicable to Personal Data prior to engagement.
4.4 Safeguards. Rinsed will maintain appropriate technical and organizational measures with respect to AI and ML Processing, including access controls, logging, and the safeguards described in Annex B. Rinsed will not publish, disclose, or otherwise make available to third parties any Personal Data contained in prompts, retrieval context, or model outputs except as permitted under the Agreement. Personal Data submitted by Customer in connection with AI-enabled features is logically isolated and is not used to inform, train, or generate outputs for any other customer of the Services.
4.5 Transparency. Rinsed will make available, on reasonable written request and subject to confidentiality obligations, a summary of the AI and machine learning functionality used to deliver the Services and the corresponding safeguards, including a description of the AI Subprocessors engaged and the data handling restrictions applicable to each.
4.6 AI Outputs; Disclaimers. Customer acknowledges that AI and ML models may produce outputs that contain errors, are incomplete, or are otherwise unsuitable for Customer’s particular use. Nothing in this DPA modifies, supersedes, or overrides the warranty disclaimers or limitations of liability regarding Third Party AI Tools, Company AI Tools, or AI Outputs set forth in the Agreement (including, where applicable, the Enterprise Terms of Use).
5. Confidentiality of Processing
Rinsed will ensure that personnel authorized to Process Personal Data are bound by written or statutory confidentiality obligations of a scope reasonably appropriate to their responsibilities. Rinsed will limit access to Personal Data to personnel who need access to perform the Services.
6. Security of Processing
6.1 Security Measures. Rinsed will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Security Incidents and to preserve the security, confidentiality, and integrity of Personal Data. A description of those measures is set out in Annex B.
6.2 Evaluation. Customer acknowledges that the measures in Annex B are subject to technical progress and development. Rinsed may update or modify those measures from time to time, provided that any replacement measures do not materially reduce the overall level of protection afforded to Personal Data.
6.3 Compliance Program. Rinsed maintains a Payment Card Industry Data Security Standard (PCI DSS) compliance program appropriate to its role as a service provider, and engages independent third-party assessors to evaluate the design and operation of its security controls. Rinsed will make current attestations, assessment summaries, or equivalent reports available to Customer on reasonable written request and subject to confidentiality obligations.
7. Subprocessors
7.1 Authorization and List. Customer authorizes Rinsed to engage Subprocessors to Process Personal Data. A current list of Rinsed’s Subprocessors is maintained at https://trust.rinsed.com/?tab=subprocessors. The Subprocessors listed at that URL as of the effective date of this DPA are approved by Customer. Rinsed will provide notice of new Subprocessors by updating the list at the URL above at least thirty (30) days before the new Subprocessor begins Processing Personal Data.
7.2 Objection. To object to a new Subprocessor on reasonable data protection grounds, Customer may, within thirty (30) days of receipt of the notice, terminate the portion of the Services that cannot be provided without the objected-to Subprocessor on written notice to Rinsed. Rinsed will work in good faith with Customer to identify an alternative approach where reasonably practicable. For the avoidance of doubt, Customer’s objection rights under this Section 7.2 do not apply to administrative updates to an existing Subprocessor’s information, including changes to legal name, address, contact person, or other contact details that do not alter the nature, scope, or location of the Subprocessor’s Processing of Personal Data.
7.3 Subprocessor Obligations. Rinsed will impose data protection obligations on its Subprocessors that are appropriate to the Processing they perform on Rinsed’s behalf, including obligations regarding confidentiality and security of Personal Data. AI Subprocessors are governed by Section 4.3. Rinsed remains responsible for the acts and omissions of its Subprocessors with respect to the Processing of Personal Data.
8. Data Subject Rights and Requests
8.1 Assistance. Taking into account the nature of the Processing, Rinsed will provide reasonable assistance to Customer, through appropriate technical and organizational measures and to the extent reasonably possible, in responding to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (including rights to access, correct, delete, port, or opt out). To the extent Customer requests assistance beyond what is available through Rinsed’s self-service tools described in Section 8.3, Rinsed will provide such additional assistance at Rinsed’s then-current professional services rates. Rinsed will provide Customer with a cost estimate before commencing any such assistance, and Customer will reimburse Rinsed for commercially reasonable costs incurred in connection with such requests.
8.2 Direct Requests. If Rinsed receives a request directly from a Data Subject concerning Personal Data, Rinsed will, unless legally prohibited, promptly forward the request to Customer and will not respond to the request except on Customer’s documented instructions or as required by law.
8.3 Self-Service Tools. Where the Services provide functionality that Customer may use to respond to Data Subject requests (for example, to retrieve, correct, or delete records), Customer will use that functionality as its first method of response before requesting Rinsed’s assistance.
9. Security Incidents
9.1 Notification. Rinsed will notify Customer of a Security Incident without undue delay and, in any event, no later than seventy-two (72) hours after Rinsed becomes aware of it.
9.2 Contents of Notice. The notice will include, to the extent reasonably available at the time: (a) a description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the likely consequences of the Security Incident; (c) the measures taken or proposed to address the Security Incident and mitigate its effects; and (d) a point of contact for further information. Rinsed will provide updates as further information becomes available.
9.3 Remediation. Rinsed will take reasonable steps to contain, investigate, and remediate the Security Incident and will reasonably cooperate with Customer’s investigation and response, including any regulatory or Data Subject notification obligations that Customer may have under Applicable Data Protection Laws. Rinsed will preserve relevant logs, records, and forensic evidence related to the Security Incident for a reasonable period not less than ninety (90) days following initial discovery, and will make such evidence available to Customer for legitimate investigation purposes subject to confidentiality obligations. To the extent that a Security Incident is caused primarily by Customer’s acts, omissions, or failure to comply with its obligations under this DPA or the Agreement (including unauthorized access using Customer’s credentials or misconfiguration of the Services), Customer will reimburse Rinsed for the commercially reasonable costs of notification, investigation, and response arising from such incident.
9.4 No Admission. Rinsed’s notice of, or response to, a Security Incident will not be construed as an acknowledgment of fault or liability.
9.5 Public Communications. Customer agrees that any public statement, press release, regulatory notification, or other external communication concerning a Security Incident that specifically identifies Rinsed by name as a source or contributing factor shall require Rinsed’s prior written consent, except to the extent that Customer is legally required to make such disclosure under Applicable Data Protection Laws or by order of a court or regulatory authority. In such cases, Customer will provide Rinsed with as much advance notice as reasonably practicable and will cooperate with Rinsed to minimize any inaccuracy or reputational harm.
9.6 Legal Demands. If Rinsed receives a subpoena, court order, warrant, or other legal demand from a third party, including any law enforcement or regulatory authority, seeking disclosure of Personal Data, Rinsed will: (a) unless legally prohibited, notify Customer in writing as promptly as practicable before disclosing any Personal Data; (b) cooperate with Customer, at Customer’s cost and reasonable direction, if Customer wishes to limit, challenge, or seek a protective order against such disclosure; and (c) disclose only the minimum Personal Data legally required to comply with the valid legal demand. Rinsed may comply with any legal demand without prior notice to Customer only where such notice is prohibited by law or court order, in which case Rinsed will notify Customer as soon as legally permissible thereafter.
10. Return and Deletion of Personal Data
10.1 During the Term. During the term of the Agreement, Rinsed will retain Personal Data as reasonably necessary to provide the Services and as otherwise permitted by the Agreement. Rinsed will not retain Personal Data for purposes beyond those described in this DPA.
10.2 On Termination. Following termination or expiration of the Agreement, Rinsed will make Personal Data available to Customer for electronic retrieval for a period of thirty (30) days (the “Retrieval Period”). Following the Retrieval Period, Rinsed will delete Personal Data from its active production systems within ninety (90) days. During the Retrieval Period, Rinsed will make Customer’s Personal Data available for electronic retrieval in Rinsed’s standard export formats. To the extent Customer requests custom data formats, bulk data extraction assistance, or other services beyond Rinsed’s standard self-service export functionality, Rinsed may provide such assistance at its then-current professional services rates, with advance notice of costs to Customer.
10.3 Backups. Personal Data contained in Rinsed’s routine backups will expire in accordance with Rinsed’s standard backup retention schedule (typically within ninety (90) days). Backup copies remain subject to the protections of this DPA until they expire.
10.4 Delinquency. As set forth in the Enterprise Terms of Use (or equivalent provisions of the Agreement), Customer Data (including Personal Data) may be irretrievably deleted if Customer’s account is ninety (90) days or more delinquent on payment obligations.
10.5 Legal Retention. Notwithstanding the foregoing, Rinsed may retain Personal Data to the extent, and for the period, required by applicable law or for the establishment, exercise, or defense of legal claims. Any Personal Data retained under this Section 10.5 remains subject to the protections of this DPA.
10.6 Certification. On Customer’s written request, Rinsed will provide written confirmation that it has completed the deletion required under this Section 10.
10.7 Aggregated De-identified Data Retention. Notwithstanding the deletion obligations in this Section 10, Rinsed may retain data derived from Personal Data that has been de-identified in accordance with Section 3.4 and this Section 10.7 (collectively, “Aggregated De-identified Data”) indefinitely for product development, industry benchmarking, research, and improvement of the Services. Aggregated De-identified Data is not Personal Data and is not subject to the deletion obligations of this Section 10, provided that Rinsed: (a) has applied technical and organizational measures reasonably designed to prevent re-identification of any individual, household, or Customer; (b) maintains internal policies and processes that prohibit attempts to re-identify Aggregated De-identified Data; (c) contractually obligates any recipients of Aggregated De-identified Data to maintain equivalent restrictions; and (d) does not use Aggregated De-identified Data in a manner that identifies or could reasonably be used to identify Customer by name without Customer’s prior written consent. Upon written request at termination, Customer may elect either: (i) deletion of all data derived from Customer’s Personal Data, including Aggregated De-identified Data; or (ii) standard termination processing under Section 10.2, under which Personal Data is deleted and Aggregated De-identified Data is retained subject to this Section 10.7. If Customer makes no election, the standard process in clause (ii) applies. For clarity, Aggregated De-identified Data retained by Rinsed pursuant to this Section consists solely of aggregated, non-attributable data points such as wash frequency, plan type, transaction amounts, and market or regional data, stored without any identifier, token, or key that could be used to re-associate such data with any individual or Customer.
11. Audits and Demonstrated Compliance
11.1 Independent Assessments. Rinsed maintains a Payment Card Industry Data Security Standard (PCI DSS) compliance program appropriate to its role as a service provider and engages independent third-party assessors to conduct annual penetration testing of the Services and to evaluate the design and operation of its security controls.
11.2 Customer Access to Reports. Rinsed will make available to Customer, on reasonable written request and subject to confidentiality obligations, the most recent of the following: (a) Rinsed’s current PCI DSS attestation or self-assessment documentation; (b) summary results of Rinsed’s annual third-party penetration test; and (c) any other independent assessments or attestations Rinsed maintains with respect to the Services. The parties agree that Customer’s audit rights under Applicable Data Protection Laws are satisfied by Rinsed’s provision of these materials. Customer may request the materials described in this Section 11.2 no more than once per calendar year, unless Customer has reasonable grounds to believe that Rinsed is in material non-compliance with this DPA, in which case Customer may make an additional request with written explanation of the basis for such belief. Rinsed will respond to any such written request within thirty (30) business days.
11.3 Privacy Impact Assessments. Taking into account the nature of the Processing and the information available to Rinsed, Rinsed will reasonably assist Customer with privacy impact assessments and prior consultations to the extent required under Applicable Data Protection Laws, by providing the information Rinsed makes available under this Section 11.
12. U.S. State Privacy Laws
12.1 Service Provider Status. Where Customer is a Business and Rinsed is a Service Provider under the CCPA (or an equivalent role under another U.S. state privacy law), Rinsed will comply with the obligations of Service Providers under those laws.
12.2 Certification. Rinsed certifies that it understands and will comply with the restrictions in Section 3.3 of this DPA.
12.3 Compliance Notice. Rinsed will notify Customer if Rinsed determines that it can no longer meet its obligations under Applicable Data Protection Laws. Following notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized Processing.
12.4 Sensitive Personal Information. Customer will not provide, and will not direct Rinsed to Process, Sensitive Personal Information (as defined under the CCPA) unless expressly agreed in writing. If Customer provides Sensitive Personal Information, Rinsed will treat it as Personal Data subject to this DPA.
12.5 No Sale of Personal Data. The parties acknowledge and agree that Customer’s disclosure of Personal Data to Rinsed in connection with the Services does not constitute a “sale” of Personal Data within the meaning of the CCPA or any other Applicable Data Protection Law, and does not form part of any monetary or other valuable consideration exchanged between the parties. Rinsed does not receive Personal Data as consideration for the Services.
13. Canadian Privacy Laws
13.1 Applicability. This Section 13 applies where Customer collects, uses, or discloses personal information subject to PIPEDA, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (as amended by Law 25), or another Canadian privacy law (collectively, “Canadian Privacy Laws”).
13.2 Comparable Protection. Rinsed will use contractual and technical measures consistent with this DPA to provide a comparable level of protection for personal information transferred to Rinsed by Customer, as required under PIPEDA.
13.3 Customer Notices and Assessments. Customer is responsible for (a) notifying individuals that their personal information may be transferred outside of Canada (or outside of Quebec, as applicable) for Processing and that the information may be subject to the laws of the jurisdiction where Rinsed Processes it; and (b) conducting any privacy impact assessment required by Applicable Data Protection Laws, including under Quebec Law 25, prior to transferring personal information to Rinsed. Rinsed will reasonably cooperate with Customer in connection with any such assessment.
13.4 Breach Reporting. Rinsed’s notification obligations under Section 9 apply to Security Incidents involving personal information subject to Canadian Privacy Laws and are intended to enable Customer to meet its breach reporting obligations to the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, and affected individuals where applicable.
14. Liability
Each party’s liability arising under or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set forth in the Agreement. Any reference to the liability of a party in the Agreement means the aggregate liability of that party under the Agreement and this DPA together.
15. Term and Termination
This DPA becomes effective on the effective date of the Agreement and continues until the Agreement terminates or expires. Rinsed’s obligations under this DPA survive the termination or expiration of the Agreement for so long as Rinsed Processes Personal Data.
16. General
16.1 Order of Precedence. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data, except that Sections 4.6 (AI Outputs; Disclaimers) and 14 (Liability) preserve the applicable provisions of the Agreement and do not modify them.
16.2 Amendment. Rinsed may update this DPA from time to time by posting a revised version and providing reasonable notice to Customer, provided that no such update will materially reduce the protections afforded to Personal Data under this DPA.
16.3 Privacy Contact. Customer may direct privacy and security inquiries to privacy@rinsed.co.
16.4 Governing Law. This DPA is governed by the laws of the State of New York without regard to its conflict of laws provisions. The parties consent to exclusive jurisdiction and venue in the state and federal courts located in New York County, New York.
16.5 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.
16.6 No Third-Party Beneficiaries. Except as expressly provided, this DPA does not confer any rights or remedies on any person other than the parties.
16.7 Entire Addendum. This DPA is the entire agreement of the parties with respect to the subject matter and supersedes all prior or contemporaneous communications and agreements with respect to that subject matter.
Annex A – Details of Processing
A.1 Subject Matter, Duration, Nature, and Purpose
The subject matter of the Processing is the provision of the Services to Customer under the Agreement. Processing continues for the term of the Agreement and any additional period during which Rinsed retains Personal Data in accordance with Section 10. Rinsed Processes Personal Data to provide the Services, which include customer relationship management, membership management, marketing and communications, payment facilitation, sales enablement (including SalesPath), AI-assisted customer support (including Support Agent), analytics, and related functions for car wash operators. Processing is continuous for the term of the Agreement.
A.2 Categories of Data Subjects
• End customers and members of Customer’s car wash business
• Prospective customers and leads
• Customer’s employees, contractors, and other authorized users of the Services
A.3 Categories of Personal Data
• Contact information (name, email, phone number, mailing address)
• Vehicle information (license plate, vehicle make/model, RFID identifiers)
• Membership and transaction data (plan, sign-up date, wash history, billing history)
• Marketing engagement data (email and SMS opens, clicks, opt-outs)
• Audio recordings and transcripts of phone interactions handled by Support Agent, where applicable
• Account credentials for authorized users of the Services
• Limited payment-related data, handled in accordance with the Services architecture (cardholder data is routed through tokenization providers and is not stored in Rinsed’s application database)
A.4 Excluded Data Categories
As stated in Rinsed’s publicly posted terms, the Services are not intended for the Processing of Protected Health Information (as defined under HIPAA) or Nonpublic Personal Information (as defined under GLBA), and Customer will not provide such data to Rinsed. Rinsed does not require Sensitive Personal Information (as defined under the CCPA) to provide the Services and does not intend to Process it unless expressly agreed in writing with Customer.
A.5 Retention and Data Location
During the Agreement, Personal Data is retained as reasonably necessary to provide the Services. After termination, Customer has a 30-day retrieval window, followed by deletion from active production systems within ninety (90) days; backup copies expire within approximately ninety (90) days of termination. Personal Data may be irretrievably deleted if Customer’s account is ninety (90) days or more delinquent on payment obligations. Rinsed may retain Personal Data to the extent and for the period required by applicable law or for the establishment, exercise, or defense of legal claims. Personal Data is Processed in the United States. Aggregated De-identified Data derived from Personal Data and retained pursuant to Section 10.7 is not subject to the deletion timeline above and may be retained indefinitely subject to the conditions of that section. Such retained Aggregated De-identified Data is limited to aggregated service usage patterns, plan categories, transaction values, and geographic market data, and does not include any direct or indirect identifiers.
Annex B – Technical and Organizational Measures
Rinsed maintains the following technical and organizational measures to protect Personal Data. These measures are reviewed regularly and updated to reflect evolving threats and business needs. They support Rinsed’s Payment Card Industry Data Security Standard (PCI DSS) compliance program and other applicable compliance obligations.
B.1 Governance and Compliance Program
• Documented information security policies and procedures covering the security, privacy, and operational resilience of the Services, with periodic review and approval, and designated executive ownership.
• Payment Card Industry Data Security Standard (PCI DSS) compliance program appropriate to Rinsed’s role as a service provider.
• Independent third-party assessments of security controls.
• Compliance program management supported by a third-party compliance platform.
B.2 Personnel
• Background checks for employees and contractors with access to Personal Data, to the extent permitted by law.
• Written confidentiality obligations applicable to all personnel.
• Security and privacy awareness training at onboarding and at least annually thereafter, with role-based training for personnel with elevated access.
• Documented onboarding and offboarding procedures, including timely revocation of access on separation.
B.3 Identity and Access Management
• Centralized identity management with single sign-on (SSO) and multi-factor authentication for production and administrative interfaces.
• Role-based access control with least-privilege defaults; access reviews conducted at least quarterly for production systems.
• Separation of production and non-production environments.
B.4 Data Protection
• Encryption in transit using TLS 1.2 or higher for all connections to the Services.
• Encryption at rest for databases, object storage, and backups using industry-standard algorithms (AES-256 or equivalent).
• Cardholder data handled through tokenization providers and not stored in Rinsed’s application database.
• Centralized management of encryption keys through the cloud provider’s key management service.
B.5 Infrastructure, Network, and Endpoint Security
• Production workloads deployed on a major hyperscale cloud platform with managed container orchestration; network segmentation and restricted ingress and egress at the cloud and cluster level.
• DDoS protection and a web application firewall at the edge; network monitoring and alerting.
• Centralized mobile device management for company-managed endpoints, with enforced disk encryption, screen lock, OS patching baselines, and endpoint detection and response controls.
• Production systems hosted in third-party cloud data centers operated by a major hyperscale cloud provider, which maintain industry-standard physical security controls; office and facility security controls for Rinsed-controlled premises.
B.6 Application Security and Vulnerability Management
• Secure development lifecycle including peer code review, automated testing, and dependency scanning.
• Change management controls and separation of duties between development and production deployment; secrets managed through a centralized vault and not committed to source control.
• Annual third-party penetration testing of the Services with remediation tracked to closure; regular automated vulnerability scanning of infrastructure and application dependencies; documented remediation service levels based on severity.
B.7 Logging, Monitoring, and Incident Response
• Centralized collection of security-relevant logs from production systems, with alerting on anomalous authentication and access events; log retention consistent with applicable compliance requirements.
• Documented incident response procedures and runbooks; defined roles, responsibilities, and communication channels for incident handling.
• Post-incident review and remediation tracking.
B.8 Operational Resilience, Vendor, and AI Subprocessor Management
• Documented business continuity and disaster recovery procedures; automated backups of production databases with defined recovery point and recovery time objectives.
• Documented vendor management procedures covering risk review, due diligence, and ongoing oversight; written contractual commitments with Subprocessors containing data protection terms appropriate to the Processing they perform; ongoing review of Subprocessors’ security posture.
• Access to AI-related data (including prompts, retrieval indexes, and model outputs) restricted to authorized personnel and governed by the access controls in B.3; inference activities occur within Rinsed’s controlled environments or with AI Subprocessors subject to the requirements of Section 4 and Section 7; logging and monitoring of AI Subprocessor activity consistent with B.7.
Annex C – Subprocessors
The current, authoritative list of Subprocessors engaged by Rinsed to Process Personal Data on behalf of Customer is maintained at https://trust.rinsed.com/?tab=subprocessors. Rinsed updates the list as new Subprocessors are engaged and provides notice in accordance with Section 7 of this DPA. Customers should consult that URL for the current list.