Data Processing Addendum

AutoChain ↔ Garages / Third-Party Garage Management Systems

Effective Date: 21 January 2026

Important Legal Notice

This Data Processing Addendum (DPA) applies only when incorporated by reference into a binding agreement with AutoChain Limited. This template is provided for informational purposes and becomes legally binding only upon execution of a commercial services agreement.

This Data Processing Addendum ("DPA") forms part of the agreement between AutoChain Limited ("Processor") and the garage, service provider, or third-party system provider ("Controller") that uploads or transfers personal data to the AutoChain platform.

This DPA is entered into in accordance with:

  • UK GDPR
  • EU GDPR
  • Data Protection Act 2018

1. Roles of the Parties

1.1 The Controller determines the purposes and means of processing personal data.

1.2 AutoChain acts as a Data Processor when importing, storing, and managing personal data on behalf of the Controller.

1.3 In limited circumstances (e.g. where AutoChain provides consumer-facing services), AutoChain may act as an independent Data Controller, as described in its Privacy Policy.

2. Scope of Processing

AutoChain processes personal data solely to:

  • Import customer, vehicle, and service data from third-party garage systems
  • Store and maintain vehicle service records
  • Provide access to authorised vehicle owners
  • Prevent fraud and preserve service history integrity
  • Comply with legal and regulatory obligations

3. Categories of Data Subjects

  • Vehicle owners
  • Drivers
  • Garage customers
  • Fleet operators
  • Authorised representatives

4. Categories of Personal Data

  • Identity data (name, contact details)
  • Vehicle identifiers (registration, VIN)
  • Service and repair records
  • Invoices, receipts, and images
  • Garage and technician identifiers
  • Metadata related to service history

Special category data is not intentionally processed.

5. Processor Obligations

AutoChain shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure staff are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without appropriate safeguards
  • Assist the Controller with data subject rights requests
  • Assist with DPIAs and regulatory inquiries where required
  • Delete or return personal data upon termination, unless legally required to retain it

6. Sub-Processors

AutoChain may engage sub-processors for:

  • Cloud infrastructure
  • Secure storage
  • Analytics and monitoring
  • Customer support tooling

A current list of sub-processors is available upon request at www.autochain.co.uk/sub-processors. All sub-processors are subject to equivalent data protection obligations.

7. International Transfers

Where personal data is transferred outside the UK or EEA, AutoChain ensures:

  • Adequacy regulations apply, or
  • Standard Contractual Clauses are in place, or
  • Equivalent lawful transfer mechanisms are used

8. Security Measures

Measures include:

  • Encryption at rest and in transit
  • Role-based access controls
  • Audit logging
  • Incident detection and response procedures
  • Regular security reviews

9. Personal Data Breaches

AutoChain will notify the Controller without undue delay upon becoming aware of a personal data breach and will provide reasonable assistance.

10. Audits

Upon reasonable notice, the Controller may request documentation demonstrating compliance with this DPA.

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the main agreement, except where prohibited by law.

Contact Information

For questions regarding this Data Processing Addendum or data protection matters:

Email: privacy@autochain.co.uk

Address: AutoChain Limited, Gladstone Place, Brighton, BN2 3QE, United Kingdom

About Data Protection at AutoChain

AutoChain is committed to processing personal data lawfully, fairly, and transparently in accordance with UK GDPR and the Data Protection Act 2018. As a platform handling both driver personal data (including vehicle registration numbers and service history) and business data from automotive service providers, we operate as a data controller for our own processing activities and as a data processor where we process data on behalf of our service provider customers.

All personal data collected and processed by AutoChain is stored in UK-based cloud infrastructure. Data is encrypted in transit using TLS and at rest using AES-256 encryption. Access to personal data is restricted to AutoChain employees and contractors who require it for their specific role, and is governed by internal data access policies and non-disclosure agreements.

AutoChain retains personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Driver account data is retained for the duration of the account and for a reasonable period thereafter to facilitate data access requests. Service history records are retained for the lifetime of the platform as they represent the permanent historical record of work carried out on a vehicle, which may be accessed by future vehicle owners.

AutoChain does not sell personal data to third parties and does not use personal data for purposes beyond those described in our Privacy Policy. We review our data protection practices annually and following any significant change in data processing activities. Questions about our data protection practices can be directed to privacy@autochain.co.uk.

Platform Logic

Why Clearer Infrastructure Matters to Both Drivers and Garages

Most problems in vehicle ownership are not caused by a lack of effort. They come from fragmented information. AutoChain is designed to close those gaps by giving both sides a clearer way to keep the history of the vehicle usable after the job is finished.

What better infrastructure fixes

A driver can care about the car and still lose track of service dates if reminders, invoices, MOT history, and approvals all live in different places. A garage can carry out good work and still struggle to retain customers if the record of that work is hard to retrieve later.

Better infrastructure matters because it makes the history usable again. It gives the owner and the workshop a stronger basis for the next decision instead of forcing both sides to reconstruct what happened from memory.

Why it matters in practice

Trust is built when the customer can see what happened, the garage can prove what was done, and the next decision starts with better context than the last one.

Trust improves

Customers can see what happened, garages can prove what was done, and the next decision starts with better context.

Economics improve

On-time reminders protect repeat business, cleaner records support price, and better visibility reduces wasted diagnosis.

Handovers improve

Approvals, complaints, resale discussions, and ownership transfers become easier to manage with a stronger evidence trail.

The market improves

Independent garages and informed drivers both benefit when the ownership story becomes easier to follow.

AutoChain combines driver tools, provider workflows, reminder systems, digital service history, and educational content because each part becomes more useful when it strengthens the same central outcome: a clearer, more credible, and more transferable record of what has happened to the vehicle and why it matters.