Data Processing Agreement

Last updated: May 13, 2026

This DPA is incorporated into and forms part of the ShopCommand Terms of Service.

1. Parties and Purpose

This Data Processing Agreement ("DPA") is entered into between ShopCommand, Inc. ("ShopCommand" or "Data Processor") and the business entity subscribing to the ShopCommand Service ("Customer" or "Data Controller"). This DPA governs ShopCommand's processing of personal data on behalf of the Customer in connection with the delivery of the ShopCommand platform and associated services.

For the purposes of applicable data protection law, including the General Data Protection Regulation (GDPR) where applicable, the Customer acts as the Data Controller and ShopCommand acts as the Data Processor. ShopCommand processes personal data only as directed by the Customer and only for the purposes set out in this DPA and the main Terms of Service.

By subscribing to the Service, the Customer agrees to the terms of this DPA. This DPA does not replace or supersede any other data processing agreement separately negotiated and executed between the parties; if such an agreement exists, it takes precedence.

2. Data We Process on Your Behalf

In the course of providing the Service, ShopCommand processes the following categories of personal data on behalf of the Customer:

Customer (End-Customer) Data

Names, phone numbers, email addresses, and vehicle information belonging to the auto shop's customers. This data is entered by the shop operator or collected via customer-facing status pages.

Technician Data

Names, clock-in and clock-out timestamps, work records, efficiency metrics, and repair assignments for employees of the auto shop.

Repair Order Data

Repair order content, service histories, technician assignments, parts used, status updates, and associated communications including SMS messages sent to end-customers.

The data subjects are the Customer's own customers and employees. The Customer, as Data Controller, is responsible for ensuring there is a lawful basis for collecting and sharing this personal data with ShopCommand for processing.

3. How We Process Data

ShopCommand processes personal data only on documented instructions from the Data Controller. In practice, those instructions are provided through your configuration and use of the ShopCommand platform — for example, entering a repair order, assigning a technician, or triggering an SMS notification. ShopCommand will not process personal data for its own independent purposes without the Controller's explicit instruction, except where required to do so by applicable law, in which case ShopCommand will notify the Controller before processing unless prohibited by law.

ShopCommand ensures that all personnel with access to Customer personal data are bound by appropriate confidentiality obligations, whether contractual or statutory.

4. Sub-processors

The Customer grants ShopCommand general authorization to engage sub-processors to assist in delivering the Service. ShopCommand's current sub-processors are:

  • Twilio Inc. (San Francisco, CA, USA): SMS delivery. Receives end-customer phone numbers and message content to transmit repair order notifications.
  • Vercel Inc. (San Francisco, CA, USA): Cloud hosting and infrastructure. Stores and processes all Customer Data on ShopCommand's behalf.
  • Stripe Inc. (San Francisco, CA, USA): Payment processing. Handles subscription billing. Processes account holder name, email, and payment card data.

ShopCommand will notify the Customer at least 14 days before adding any new sub-processor that will process Customer personal data. This notification will be sent via email to the address on file for your account. The Customer may object to the appointment of a new sub-processor within that 14-day window by contacting dpa@shopcommand.io. If no objection is received, the Customer is deemed to have accepted the new sub-processor.

5. Security Measures

ShopCommand implements and maintains appropriate technical and organizational measures to protect Customer personal data against unauthorized access, disclosure, loss, destruction, or alteration. These measures include, but are not limited to:

  • Encryption in transit: All data transmitted between users and the Service is encrypted using TLS (Transport Layer Security).
  • Encryption at rest: Customer Data stored in ShopCommand's systems is encrypted using AES-256.
  • Access controls: Access to production systems and Customer Data is restricted to authorized ShopCommand personnel on a need-to-know basis, enforced through role-based access controls and multi-factor authentication.
  • Regular audits: ShopCommand conducts regular internal security reviews and vulnerability assessments of its systems and infrastructure.
  • Employee training: All personnel with access to Customer Data receive appropriate data protection and security training.

ShopCommand will review and update these measures as necessary to maintain an appropriate level of security given the nature of the data processed and evolving threats.

6. Data Subject Requests

ShopCommand will provide commercially reasonable assistance to the Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.

If ShopCommand receives a data subject request directly that relates to Customer Data, ShopCommand will promptly forward that request to the Customer and will not respond to the data subject directly except as instructed by the Customer or required by law. ShopCommand will make relevant data available to the Customer within 5 business days of a Customer request to facilitate the Customer's response.

7. Data Breach Notification

In the event that ShopCommand becomes aware of a security breach involving Customer personal data, ShopCommand will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach.

Breach notifications will include, to the extent known at the time of notification: a description of the nature of the breach; the categories and approximate number of data subjects affected; the categories and approximate number of personal data records affected; the likely consequences of the breach; and the measures ShopCommand has taken or proposes to take to address the breach and mitigate its effects.

The Customer is responsible for determining whether the breach triggers any notification obligations to data subjects or regulatory authorities under applicable law and for fulfilling those obligations.

8. Data Deletion

Upon termination or expiration of the Customer's subscription, the Customer's personal data will be handled as follows:

  • Customer Data remains accessible within the platform for 30 days following the subscription end date, during which the Customer may export their data using the platform's export tools.
  • After the 30-day export window, ShopCommand will permanently delete Customer Data from its production systems within 90 days.
  • Backups containing Customer Data may persist for a short additional period consistent with ShopCommand's backup rotation schedule, after which they will also be deleted.

Upon the Customer's written request, ShopCommand will provide written confirmation of data deletion. ShopCommand may retain anonymized or aggregated data derived from Customer Data that does not identify any individual data subject.

9. Governing Law

This DPA shall be governed by the laws of the State of Texas, consistent with the governing law provision of the ShopCommand Terms of Service. Any disputes arising under this DPA shall be resolved in the courts of Houston, Texas.

Where applicable data protection law requires specific contractual provisions (such as EU Standard Contractual Clauses), the parties agree to execute any additional documentation necessary to ensure compliance with those requirements upon request.

10. Contact

For questions about this DPA, to exercise data subject rights, or to request additional information about ShopCommand's data processing practices, contact:

dpa@shopcommand.io
ShopCommand, Inc.
Houston, Texas