BenchKey

BenchKey — Data Processing Addendum (DPA)

Effective date: July 4, 2026 · Version: 2026-07-04

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between MDrepairs, LLC, a New Jersey limited liability company doing business as BenchKey ("BenchKey," "Processor"), and the customer that accepts the Agreement ("Customer," "Controller"). It governs BenchKey's processing of Personal Data on Customer's behalf when Customer uses the Service. It applies automatically to every Customer — no signature is required beyond acceptance of the Agreement. If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls.

1. Definitions

Capitalized terms not defined here have the meaning in the Agreement. "Data Protection Laws" means all privacy and data‑protection laws applicable to a party's processing, including U.S. state privacy laws (such as the California Consumer Privacy Act as amended by the CPRA, "CCPA"), the EU General Data Protection Regulation 2016/679 ("GDPR"), and the UK GDPR. "Personal Data," "Controller," "Processor," "Service Provider," "Business," "Data Subject," "Processing," and "Personal Data Breach" have the meanings given in the applicable Data Protection Laws. "Customer Personal Data" means Personal Data within Customer Data that BenchKey processes on Customer's behalf. "Subprocessor" means a third party engaged by BenchKey to process Customer Personal Data.

2. Roles of the parties

The parties agree that, for Customer Personal Data, Customer is the Controller (or "Business") and BenchKey is the Processor (or "Service Provider"). Where Customer is itself a processor acting on behalf of a third‑party controller, BenchKey is a subprocessor and Customer warrants it has the authority to engage BenchKey on those terms. Each party will comply with its obligations under Data Protection Laws.

3. Scope and instructions

3.1 BenchKey will process Customer Personal Data only (a) to provide, secure, and support the Service in accordance with the Agreement; (b) as further documented in Customer's use of the Service and its configuration; and (c) as otherwise instructed by Customer in writing, unless required by law (in which case BenchKey will, where lawful, inform Customer first).

3.2 Customer's instructions are set out in the Agreement, this DPA, and Annex A. Customer is responsible for the accuracy and lawfulness of its instructions and for having a lawful basis and all necessary notices/consents for the processing (including consent for messaging Data Subjects through the Service).

3.3 BenchKey will notify Customer if, in its reasonable opinion, an instruction infringes Data Protection Laws (without obligation to provide legal advice).

3.4 BenchKey does not use Customer Personal Data to train artificial‑intelligence models. Inputs to AI features are processed only to generate the requested output (see the Agreement, "AI features").

4. Service‑provider / CCPA terms

BenchKey acts as a Service Provider under the CCPA. BenchKey will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement, or outside the direct business relationship, or as otherwise permitted by the CCPA; or (c) combine it with personal information from other sources except as permitted by the CCPA. BenchKey certifies it understands and will comply with these restrictions, and will notify Customer if it can no longer meet them, in which case Customer may take reasonable steps to stop or remediate unauthorized use.

5. Confidentiality

BenchKey will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and are trained on their responsibilities, and will limit access to those who need it to provide the Service.

6. Security

BenchKey will implement and maintain the technical and organizational measures set out in Annex C, designed to protect Customer Personal Data against a Personal Data Breach, appropriate to the risk. BenchKey may update its measures provided they do not materially reduce the overall level of protection.

7. Subprocessors

7.1 General authorization. Customer provides general authorization for BenchKey to engage Subprocessors to process Customer Personal Data. The current list is published at app.benchkey.com/legal/subprocessors.

7.2 Obligations. BenchKey will impose data‑protection obligations on each Subprocessor that are, in substance, no less protective than those in this DPA, and remains responsible for its Subprocessors' performance.

7.3 Changes and objection. BenchKey will update the subprocessor page at least 30 days before a new Subprocessor begins processing Customer Personal Data (except for emergency replacements needed to maintain the Service, in which case BenchKey will update the page as soon as practicable). Customer may object on reasonable data‑protection grounds within that period by emailing support@benchkey.com; the parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected part of the Service (or the Agreement, if the affected part is central to the Service) as its remedy.

8. Assistance to Customer

8.1 Data‑subject requests. Taking into account the nature of the processing, BenchKey will assist Customer, by appropriate technical and organizational measures (including the Service's built‑in search, export, correction, and deletion features) and insofar as possible, to respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection). If BenchKey receives such a request directly, it will, where lawful, promptly forward it to Customer and not respond except on Customer's instructions.

8.2 Compliance assistance. Taking into account the nature of processing and information available to it, BenchKey will assist Customer with data‑protection impact assessments, prior consultations, and its security and breach‑notification obligations under Articles 32–36 GDPR (and equivalents).

9. Personal Data Breach notification

BenchKey will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it (the nature of the breach, categories and approximate volumes affected, likely consequences, and measures taken or proposed) to help Customer meet its own notification obligations, supplementing the notice as more information becomes available. BenchKey will take reasonable steps to mitigate and remediate. A notice is not an acknowledgment of fault or liability.

10. Deletion or return

On termination or expiry of the Agreement, and at Customer's choice, BenchKey will delete or return Customer Personal Data within a commercially reasonable period (see the Agreement's 30‑day post‑termination export window), and delete existing copies unless retention is required by law. Residual copies in routine backups will be deleted in the ordinary course of backup rotation and remain protected by this DPA until deleted.

11. Audits

BenchKey will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, subject to reasonable notice, confidentiality, frequency limits (no more than once per year absent a Personal Data Breach or regulator requirement), and not disrupting BenchKey's operations. BenchKey may satisfy audit requests by providing then‑current third‑party reports or security documentation where available.

12. International transfers

Where BenchKey processes Customer Personal Data subject to GDPR/UK GDPR and transfers it to a country without an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses (Module 2, controller‑to‑processor) (and the UK Addendum, where applicable) are incorporated by reference and completed with the information in Annexes A–C, with BenchKey as "data importer" and Customer as "data exporter."

13. Liability and precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. This DPA does not create rights beyond those in Data Protection Laws. Except as amended here, the Agreement remains in effect.


Annex A — Details of processing

Annex B — Subprocessors

The current list at app.benchkey.com/legal/subprocessors is incorporated by reference.

Annex C — Technical and organizational security measures

BenchKey maintains measures including, as applicable:

BenchKey may update these measures as its security program evolves, provided the overall level of protection is not materially reduced.