Data Processing Agreement

Last updated: April 27, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Customer”) and MI INNOVATIONS LLC (“Tendwa” or “Processor”) and applies whenever Tendwa processes personal data on the Customer’s behalf.

1. Definitions

  • Customer Data means any data, including personal data, that the Customer or its end users submit to Tendwa.
  • Personal Data has the meaning given in applicable data protection law (e.g., GDPR Art. 4, CPRA).
  • Sub-processor means any third party engaged by Tendwa to process Personal Data.
  • Data Subject means an identified or identifiable natural person whose Personal Data is processed.

2. Roles and responsibilities

For the purposes of this DPA, the Customer is the “Controller” and Tendwa is the “Processor” of Personal Data contained in Customer Data. Tendwa processes Personal Data only on the Customer’s documented instructions, including with respect to international transfers, unless otherwise required by law.

3. Scope and purpose of processing

  • Subject matter: provision of the Tendwa service.
  • Duration: for the term of the Customer’s subscription, plus any post-termination retention required by law.
  • Nature: hosting, storage, retrieval, organisation, and transmission of Customer Data.
  • Purpose: to deliver the contracted Service.
  • Categories of Data Subjects: Customer’s end users, employees, and customers (e.g., shop staff and shop customers).
  • Categories of Personal Data: contact details, account credentials, vehicle information, transactional data.

4. Confidentiality

Tendwa ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or under applicable law.

5. Security measures

Tendwa implements appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption in transit (TLS) and at rest.
  • Role-based access control with audit logging.
  • Regular backups with documented restore procedures.
  • JWT-based API authentication.
  • Vendor security review for sub-processors.

Full details are in our Security Policy.

6. Sub-processors

The Customer authorises Tendwa to engage Sub-processors to assist with the Service. Tendwa maintains a current list of Sub-processors and provides 30 days’ notice of any new or replacement Sub-processor. Current Sub-processors include:

  • Microsoft Azure — hosting and Azure Communication Services email delivery.
  • Stripe — payment processing.
  • NHTSA, Wheel-Size, PlateToVin — vehicle data lookups.
  • OpenAI — oil-spec parsing from OEM service data.

To object to a new Sub-processor, email privacy@tendwa.com within the notice period.

7. International transfers

Tendwa is based in the United States. Where Personal Data is transferred from the EEA, UK, or Switzerland, the parties rely on the Standard Contractual Clauses adopted by the European Commission, or equivalent safeguards.

8. Data Subject rights

Tendwa provides reasonable assistance to the Customer in responding to Data Subject requests for access, rectification, erasure, restriction, portability, or objection. Where a request is received directly by Tendwa, it will be promptly forwarded to the Customer.

9. Personal data breach

Tendwa notifies the Customer without undue delay (and in any event within 72 hours where reasonably possible) after becoming aware of a Personal Data breach affecting Customer Data, providing the information required for the Customer to fulfil its own notification obligations.

10. Audits

Upon written request, Tendwa provides the Customer with relevant certifications, summaries of audit reports, or written responses to a reasonable security questionnaire, no more than once per year. On-site audits are available to Enterprise customers under reasonable prior arrangement.

11. Return or deletion of data

Upon termination of the Service and at the Customer’s choice, Tendwa returns or deletes all Customer Data within 30 days, except where retention is required by applicable law.

12. Liability and term

Liability under this DPA is governed by the limitations in the Terms of Service. This DPA is effective for the duration of the Customer’s subscription.

13. Contact

For DPA inquiries or to request an executed copy, email privacy@tendwa.com.