3L3C

Data Processing Addendum (Controller→Processor)

Effective date: 01 January 2025 | Last updated: 16 September 2025

This Data Processing Addendum (“DPA”) forms part of and is subject to the Master Terms/Order or other agreement between:

Customer (the “Controller” or, where applicable, a processor acting on behalf of a third‑party controller): the legal entity identified in the Customer account or Order at the time of acceptance, with registered office and company/VAT registration details as provided therein; and

ELEC FLEET TECHNOLOGIES SRL (“3L3C”, the “Processor”), a company incorporated in Romania (Trade Registry no. J2020010598405; VAT RO42971823), with registered office at Sector 1, Str. CĂPRIORILOR, Nr. 5B, Et. 1, Ap. 12, București, Romania.

Capitalised terms not defined here have the meanings in the Agreement or in the GDPR. If there is a conflict between this DPA and the Agreement regarding processing of Personal Data, this DPA prevails.

1) Subject matter and duration

Subject matter. 3L3C will process Personal Data on behalf of Customer for the purpose of providing the 3L3C marketing automation platform and related services described in the Agreement.

Duration. This DPA applies for the term of the Agreement and until all Personal Data is deleted or returned in accordance with §10.

2) Roles and processing instructions

Roles. Customer is the Controller (or a processor acting on behalf of a controller); 3L3C is the Processor. Where Customer acts as a processor, 3L3C acts as Sub‑processor and Customer warrants it has authority to instruct 3L3C.

Instructions. 3L3C will process Personal Data only on documented instructions from Customer: the Agreement, this DPA, and Customer's in‑product settings and written instructions. 3L3C will promptly notify Customer if it cannot follow an instruction or believes it infringes GDPR or other applicable law.

Prohibited purposes. 3L3C shall not (i) sell or share Personal Data; (ii) use it for advertising or cross‑context behavioural profiling; or (iii) train foundation/ML models on Personal Data, unless Customer explicitly opts in or instructs otherwise in writing.

3) Nature and purpose; categories; data subjects

Nature/Purpose: hosting, storage, creation, scheduling, publishing, optimisation and analytics for campaigns; account administration; support; security; and other services described in the Agreement.

Categories of Personal Data: names, contact details, identifiers/handles, images/video within assets, online identifiers (e.g., IP, device IDs), role/permission data, campaign metadata and analytics, and any other personal data Customer includes in Customer Content. Special categories are not intended to be processed.

Data subjects: Customer's employees/contractors, customers/prospects, social media audience members, and other individuals whose data Customer includes.

4) Confidentiality and personnel

3L3C will ensure that persons authorised to process Personal Data are bound by confidentiality and receive appropriate data protection and security training.

5) Security

3L3C will implement and maintain appropriate technical and organisational measures (“TOMs”) described in Annex II to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. 3L3C may update the TOMs from time to time provided the overall level of protection is not materially diminished.

6) Sub‑processors

Authorisation. Customer authorises 3L3C to engage Sub‑processors to provide the Services. Current Sub‑processors are listed at the URL or page notified to Customer and in Annex III (if included).

New Sub‑processors. 3L3C will give prior notice (email or in‑app, at least 15 days in advance) of changes. Customer may object on reasonable, data‑protection grounds within that period. If the parties cannot resolve the objection, Customer may suspend the affected Service or terminate the relevant Order for convenience, with a pro‑rata refund of prepaid fees for the terminated portion.

Flow‑down. 3L3C will impose data protection obligations on Sub‑processors equivalent to those in this DPA and remains responsible for their performance.

7) Data subject requests; assistance

Taking into account the nature of processing, 3L3C will assist Customer with reasonable technical and organisational measures to respond to Data Subject Requests (access, rectification, erasure, restriction, portability, objection) and with DPIAs and prior consultations with supervisory authorities, as required by GDPR Articles 35–36. Requests received directly by 3L3C will be forwarded to Customer without undue delay.

8) Security incidents

3L3C will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably required for Customer to meet its notification obligations under Article 33 GDPR. 3L3C will take appropriate steps to remediate or mitigate the impact and will cooperate with Customer.

9) Audits and information

3L3C will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, and will allow and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, no more than once in any 12‑month period (unless required by a competent authority or following a confirmed Personal Data Breach), with reasonable advance notice and during normal business hours. Before on‑site audits, the parties will first endeavour to satisfy Customer's audit needs through independent third‑party reports (e.g., penetration test summaries) or questionnaires. Audits must not unreasonably interfere with 3L3C's operations, and auditors will sign confidentiality undertakings. Customer bears its own costs and reasonable time/materials costs of 3L3C for on‑site audits.

10) Return and deletion

Upon termination/expiry of the Services, Customer may use self‑service export tools to retrieve Personal Data. Upon Customer's written instruction, 3L3C will delete or return all Personal Data (and delete existing copies) within 30 days, unless retention is required by law or for the establishment, exercise, or defence of legal claims. Backups will be overwritten in accordance with 3L3C's standard retention cycles (typically within 90 days).

11) International transfers

Location. 3L3C primarily processes and stores Personal Data in the EEA.

Transfers. Where Personal Data is transferred outside the EEA/UK/Switzerland to a recipient in a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) apply and are incorporated by reference as set out in Annex IV (Module Two: Controller→Processor; and Module Three: Processor→Processor for onward transfers).

For UK transfers, the UK IDTA/Addendum applies; for Swiss transfers, the SCCs apply as adapted for Swiss law.

3L3C will conduct transfer impact assessments where appropriate and implement supplementary measures where needed.

12) Cooperation with authorities

3L3C will cooperate with competent data protection authorities regarding matters within its control and, where permitted, will notify Customer of any legally binding request for disclosure by a public authority unless prohibited by law.

13) Liability; indemnity

The parties' liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except to the extent prohibited by law. Nothing in this DPA limits a party's liability for breach of confidentiality or intentional or grossly negligent breaches of data protection obligations.

14) Miscellaneous

Order of precedence. In case of conflict: SCCs (Annex IV) → this DPA → Agreement.

Severability. If any provision is invalid, the remainder remains effective.

Governing law & forum. This DPA is governed by Romanian law. Any disputes are subject to the exclusive jurisdiction of the courts of Bucharest, Romania, without prejudice to the SCCs' governing law for data transfer provisions.

Updates. 3L3C may update this DPA to reflect changes in law or Services. Material changes will be notified in advance; continued use constitutes acceptance.

Annex I — Description of Processing

A. List of Parties

Data exporter (Controller/Customer): As set out above. Contact: [contact email].

Data importer (Processor/3L3C): ELEC FLEET TECHNOLOGIES SRL, legal@3l3c.ai.

B. Description

Categories of data subjects: Customer personnel; contractors; customers and prospects; social media audience members; other individuals included by Customer.

Categories of personal data: Names; email addresses; phone numbers; role/permission data; online identifiers (IP, device IDs, cookie IDs); social handles; content in assets (text/images/video) that may contain personal data; analytics/engagement metrics; support correspondence.

Sensitive data: Not intended. Customer will not intentionally submit special category data or children's data.

Frequency & duration: Continuous for the term of the Agreement and as needed for deletion/return per §10.

Nature & purpose of processing: Hosting; storage; creation; scheduling; publishing; optimisation; analytics; support; security operations.

Retention & deletion: As set out in §10.

Sub‑processors: See Annex III / public sub‑processor list.

C. Competent supervisory authority

ANSPDCP (Romania), or where applicable under the SCCs, the authority determined by Article 56 GDPR.

Annex II — Technical and Organisational Measures (TOMs)

Information security management

Security governance, policies, and dedicated roles; employee background checks where permitted; mandatory confidentiality and security training.

Access control & authentication

Role‑based access; least privilege; MFA for privileged access; SSO options for customers; session management; timely de‑provisioning.

Encryption

Encryption in transit (TLS 1.2+) and at rest (industry‑standard AES‑256 or equivalent).

Segregation & isolation

Logical tenant separation; environment separation (production vs. non‑production).

Vulnerability & patch management

Secure SDLC; code review; dependency scanning; regular patching; vulnerability scanning; periodic third‑party penetration testing.

Logging & monitoring

Centralised logging; security event monitoring; alerting; protective controls against brute force and common web attacks.

Backups & continuity

Regular encrypted backups; tested restoration; disaster recovery procedures with defined RPO/RTO targets.

Physical security

Data centres with industry‑standard physical safeguards (badges, CCTV, mantraps) provided by cloud providers.

Incident response

Documented IR plan; 24/7 on‑call; breach assessment and notification workflows.

Data minimisation & retention

Pseudonymisation where feasible; least data collection necessary; defined retention schedules and secure disposal.

Supplier risk management

Security and privacy due diligence for Sub‑processors; contractual TOMs; ongoing monitoring.

Customer controls

Features to support customer approvals, audit trails, and role segregation; export tools for data portability.

Annex III — Approved Sub‑processors

Maintain a live link/list; update with prior notice per §6 of this DPA.

| Vendor | Purpose | Location | Safeguard |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud hosting, storage, backups, CDN | Primary: EEA; Secondary: global as needed | SCCs / DPA |
| Microsoft Ireland Operations Ltd. (Azure) | Cloud hosting & compute; optional AI services as configured | Primary: EEA; Secondary: global as needed | SCCs / DPA |
| Composio, Inc. | Integrations/orchestration layer to connect external tools/APIs at Customer's direction | EU/US | SCCs / DPA |

Third‑Party Platforms Connected at Customer's Direction (independent controllers, not 3L3C sub‑processors)

The platforms below are connected by Customer and process personal data under their own terms and privacy policies. 3L3C discloses data to them only at Customer's instruction to publish content, run ads, or read analytics.

| Platform | Services | Role | Typical data shared | Location | Legal basis/safeguard |
|---|---|---|---|---|---|
| Meta Platforms (Facebook, Instagram, Meta Ads) | Social publishing, advertising (Meta Ads), analytics/insights | Independent controller | Page/account IDs, content/creatives, campaign settings, performance metrics | EEA/US | Customer direction; platform terms; SCCs where applicable |
| Google (YouTube, Google Ads, Google Analytics) | Video publishing, advertising, and analytics | Independent controller | Channel/account IDs, content/creatives, campaign settings, event/traffic data | EEA/US | Customer direction; platform terms; SCCs; Consent Mode where applicable |
| TikTok (TikTok Technology Ltd. / TikTok Inc.) | Social publishing & ads | Independent controller | Account IDs, creatives, campaign settings, metrics | EEA/US | Customer direction; platform terms; SCCs where applicable |
| X Corp. (X) | Social publishing & analytics | Independent controller | Account IDs, content, scheduling, metrics | US | Customer direction; platform terms; SCCs where applicable |

Annex IV — International Transfers (EU SCCs 2021/914)

The parties agree the EU Standard Contractual Clauses are incorporated as follows:

  • Module Two (Controller→Processor) and, where Customer acts as a processor and engages 3L3C as a sub‑processor, Module Three (Processor→Processor).
  • Clause 7 (Docking clause): Applies.
  • Clause 9 (Use of sub‑processors): Option 2 (General authorisation) with 15‑day notice.
  • Clause 11 (Redress): Not applicable to 3L3C unless required by law.
  • Clause 13 (Supervisory authority): As per Annex I(C).
  • Clause 17 (Governing law): Romanian law.
  • Clause 18 (Forum): Bucharest, Romania.
  • Annex I(A–C), II, III: As set out above.

UK Addendum / Swiss Addendum. For UK or Swiss transfers, the parties incorporate the UK IDTA/Addendum and Swiss‑adapted SCCs, respectively, with the selections mirroring the above.

Annex V — CCPA/US State Privacy (Service Provider terms) [Optional]

Where applicable, 3L3C acts as a Service Provider/Processor with respect to Customer Personal Data under US state privacy laws (e.g., California, Virginia, Colorado, Connecticut, Utah). 3L3C shall: (i) process Personal Data solely for the Business Purpose of providing the Services; (ii) not sell or share Personal Data; (iii) not retain, use, or disclose Personal Data outside the Business Purpose; (iv) not combine Personal Data with data received from another source except as permitted by law; and (v) enable audits/assessments as required by such laws. Customer certifies that it will provide all required notices and obtain necessary consents.

15) Electronic execution; click‑wrap

The parties agree this DPA (including the SCCs and Annexes incorporated by reference) may be executed electronically, including via click‑through acceptance in the Services. Upon Customer's acceptance in the Services, this DPA is deemed executed by both parties as of the recorded acceptance timestamp. 3L3C's electronic records (including acceptance logs identifying account/entity, signatory, timestamp, IP, user agent, and the version/hash of this DPA, plus a stored copy) constitute prima facie evidence of execution and agreed terms. 3L3C will provide a countersigned PDF upon request.