BenchKey — Data Processing Addendum (DPA)
Effective date: July 4, 2026 · Version: 2026-07-04
This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between MDrepairs, LLC, a New Jersey limited liability company doing business as BenchKey ("BenchKey," "Processor"), and the customer that accepts the Agreement ("Customer," "Controller"). It governs BenchKey's processing of Personal Data on Customer's behalf when Customer uses the Service. It applies automatically to every Customer — no signature is required beyond acceptance of the Agreement. If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls.
1. Definitions
Capitalized terms not defined here have the meaning in the Agreement. "Data Protection Laws" means all privacy and data‑protection laws applicable to a party's processing, including U.S. state privacy laws (such as the California Consumer Privacy Act as amended by the CPRA, "CCPA"), the EU General Data Protection Regulation 2016/679 ("GDPR"), and the UK GDPR. "Personal Data," "Controller," "Processor," "Service Provider," "Business," "Data Subject," "Processing," and "Personal Data Breach" have the meanings given in the applicable Data Protection Laws. "Customer Personal Data" means Personal Data within Customer Data that BenchKey processes on Customer's behalf. "Subprocessor" means a third party engaged by BenchKey to process Customer Personal Data.
2. Roles of the parties
The parties agree that, for Customer Personal Data, Customer is the Controller (or "Business") and BenchKey is the Processor (or "Service Provider"). Where Customer is itself a processor acting on behalf of a third‑party controller, BenchKey is a subprocessor and Customer warrants it has the authority to engage BenchKey on those terms. Each party will comply with its obligations under Data Protection Laws.
3. Scope and instructions
3.1 BenchKey will process Customer Personal Data only (a) to provide, secure, and support the Service in accordance with the Agreement; (b) as further documented in Customer's use of the Service and its configuration; and (c) as otherwise instructed by Customer in writing, unless required by law (in which case BenchKey will, where lawful, inform Customer first).
3.2 Customer's instructions are set out in the Agreement, this DPA, and Annex A. Customer is responsible for the accuracy and lawfulness of its instructions and for having a lawful basis and all necessary notices/consents for the processing (including consent for messaging Data Subjects through the Service).
3.3 BenchKey will notify Customer if, in its reasonable opinion, an instruction infringes Data Protection Laws (without obligation to provide legal advice).
3.4 BenchKey does not use Customer Personal Data to train artificial‑intelligence models. Inputs to AI features are processed only to generate the requested output (see the Agreement, "AI features").
4. Service‑provider / CCPA terms
BenchKey acts as a Service Provider under the CCPA. BenchKey will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement, or outside the direct business relationship, or as otherwise permitted by the CCPA; or (c) combine it with personal information from other sources except as permitted by the CCPA. BenchKey certifies it understands and will comply with these restrictions, and will notify Customer if it can no longer meet them, in which case Customer may take reasonable steps to stop or remediate unauthorized use.
5. Confidentiality
BenchKey will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and are trained on their responsibilities, and will limit access to those who need it to provide the Service.
6. Security
BenchKey will implement and maintain the technical and organizational measures set out in Annex C, designed to protect Customer Personal Data against a Personal Data Breach, appropriate to the risk. BenchKey may update its measures provided they do not materially reduce the overall level of protection.
7. Subprocessors
7.1 General authorization. Customer provides general authorization for BenchKey to engage Subprocessors to process Customer Personal Data. The current list is published at app.benchkey.com/legal/subprocessors.
7.2 Obligations. BenchKey will impose data‑protection obligations on each Subprocessor that are, in substance, no less protective than those in this DPA, and remains responsible for its Subprocessors' performance.
7.3 Changes and objection. BenchKey will update the subprocessor page at least 30 days before a new Subprocessor begins processing Customer Personal Data (except for emergency replacements needed to maintain the Service, in which case BenchKey will update the page as soon as practicable). Customer may object on reasonable data‑protection grounds within that period by emailing support@benchkey.com; the parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected part of the Service (or the Agreement, if the affected part is central to the Service) as its remedy.
8. Assistance to Customer
8.1 Data‑subject requests. Taking into account the nature of the processing, BenchKey will assist Customer, by appropriate technical and organizational measures (including the Service's built‑in search, export, correction, and deletion features) and insofar as possible, to respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection). If BenchKey receives such a request directly, it will, where lawful, promptly forward it to Customer and not respond except on Customer's instructions.
8.2 Compliance assistance. Taking into account the nature of processing and information available to it, BenchKey will assist Customer with data‑protection impact assessments, prior consultations, and its security and breach‑notification obligations under Articles 32–36 GDPR (and equivalents).
9. Personal Data Breach notification
BenchKey will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it (the nature of the breach, categories and approximate volumes affected, likely consequences, and measures taken or proposed) to help Customer meet its own notification obligations, supplementing the notice as more information becomes available. BenchKey will take reasonable steps to mitigate and remediate. A notice is not an acknowledgment of fault or liability.
10. Deletion or return
On termination or expiry of the Agreement, and at Customer's choice, BenchKey will delete or return Customer Personal Data within a commercially reasonable period (see the Agreement's 30‑day post‑termination export window), and delete existing copies unless retention is required by law. Residual copies in routine backups will be deleted in the ordinary course of backup rotation and remain protected by this DPA until deleted.
11. Audits
BenchKey will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, subject to reasonable notice, confidentiality, frequency limits (no more than once per year absent a Personal Data Breach or regulator requirement), and not disrupting BenchKey's operations. BenchKey may satisfy audit requests by providing then‑current third‑party reports or security documentation where available.
12. International transfers
Where BenchKey processes Customer Personal Data subject to GDPR/UK GDPR and transfers it to a country without an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses (Module 2, controller‑to‑processor) (and the UK Addendum, where applicable) are incorporated by reference and completed with the information in Annexes A–C, with BenchKey as "data importer" and Customer as "data exporter."
13. Liability and precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. This DPA does not create rights beyond those in Data Protection Laws. Except as amended here, the Agreement remains in effect.
Annex A — Details of processing
- Subject matter: provision of the BenchKey repair‑shop management Service.
- Duration: the term of the Agreement plus the post‑termination deletion/return period.
- Nature and purpose: hosting, storing, organizing, transmitting, and otherwise processing Customer Personal Data to provide repair‑shop management functionality (tickets, estimates/invoices, payments, inventory, messaging, shipping labels and tracking, lead capture, customer portal, reporting, and related features) on Customer's instructions.
- Categories of Data Subjects: Customer's End Customers; Customer's Authorized Users and staff.
- Categories of Personal Data: identifiers and contact details (name, email, phone, address); device and repair/service information; transaction, invoice, and payment‑related metadata; shipping and tracking information; communications content (email/SMS/notes); and usage information.
- Special categories: none intended to be processed. Customer agrees not to submit special‑category data (or payment card numbers outside the supported payment integrations) unless separately agreed in writing.
- Frequency: continuous, as directed by Customer's use of the Service.
Annex B — Subprocessors
The current list at app.benchkey.com/legal/subprocessors is incorporated by reference.
Annex C — Technical and organizational security measures
BenchKey maintains measures including, as applicable:
- Encryption: encryption of data in transit (TLS); encryption of designated sensitive credentials at rest.
- Access control: authentication through a managed identity provider; role‑based access controls; least‑privilege internal access; unique accounts.
- Tenant isolation: logical separation of each Customer's data in a dedicated per‑tenant database, so one Customer cannot access another's data.
- Network and application security: secured hosting environment, input validation, and protection against common web vulnerabilities.
- Logging and monitoring: audit logging of key actions and monitoring for anomalies.
- Resilience and backup: regular backups and documented restore procedures.
- Vulnerability management: dependency and code review, recurring security review, and remediation of identified issues.
- Personnel: confidentiality obligations and security awareness.
- Incident response: documented procedures to detect, respond to, and notify of Personal Data Breaches.
BenchKey may update these measures as its security program evolves, provided the overall level of protection is not materially reduced.