Terms of Service
Last Updated: June 2026
This agreement consists of these Terms of Service together with Exhibit A — the Service Provider Addendum (Information Security and FTC Safeguards Rule), set out in full as Exhibit A below.
- 1. Definitions
- 2. Access and Use Rights
- 3. CRM and Communications Compliance
- 4. Fees and Payment
- 5. Data Ownership, Privacy, and Security
- 6. Confidentiality
- 7. Intellectual Property
- 8. Service Availability
- 9. Support and Onboarding
- 10. Electronic Records and Signatures
- 11. Beta Features
- 12. Marketing and Publicity
- 13. Representations and Warranties
- 14. Indemnification
- 15. Limitation of Liability
- 16. Term and Termination
- 17. General Provisions
- 1. Purpose and Service Provider Status
- 2. Information Security Program
- 3. Specific Security Controls
- 4. Subprocessors and Flow-Down
- 5. Security Incident Notification and Cooperation
- 6. Assurance
- 7. Return and Deletion of Customer Data
- 8. Customer Responsibilities
- S1. Schedule 1 — Subprocessor List
- S2. Schedule 2 — Security Overview
These Terms of Service (the “Terms”) govern the use of the WakeWorks dealership management platform (the “Platform”) provided by WakeWorks, LLC, a Florida limited liability company (“Provider”), to the customer identified in the applicable Order Form (“Customer”). By executing an Order Form that references these Terms, Customer agrees to be bound by these Terms.
Provider and Customer may each be referred to individually as a “Party” and collectively as the “Parties.”
1. Definitions
“Authorized Users” means the employees, contractors, and agents of Customer who are authorized by Customer to access and use the Platform under the rights granted pursuant to these Terms.
“Beta Features” means any Platform features, modules, integrations, or services designated by Provider as “beta,” “preview,” “early access,” or similar terminology.
“Customer Data” means all data, information, records, files, and content entered into or generated through the Platform by Customer or its Authorized Users, including but not limited to customer records, inventory data, deal records, service records, financial information, and communications.
“Order Form” means the executed ordering document between Provider and Customer specifying the subscription plan, pricing, term, and other deal-specific details, which incorporates these Terms by reference.
“Platform” means the WakeWorks cloud-based dealership management software application, including the web-based desktop application, the native mobile companion application for iOS and Android devices, all modules, features, updates, and enhancements made available to Customer during the Subscription Term.
“Security Incident” means a confirmed unauthorized access to, disclosure of, or loss of Customer Data.
“Subscription Term” means the initial term specified in the Order Form and any renewal periods thereafter.
“Subprocessor” means any third-party service provider engaged by Provider to process, store, or transmit Customer Data in connection with the delivery of the Platform.
2. Access and Use Rights
2.1 License Grant
Subject to Customer’s compliance with these Terms and timely payment of all applicable fees, Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Platform during the Subscription Term solely for Customer’s internal dealership management operations.
2.2 User Accounts
Customer is responsible for managing access credentials for its Authorized Users and ensuring that each user account is used only by the designated individual. Customer shall promptly notify Provider of any unauthorized access or security breach involving user accounts.
2.3 Acceptable Use
Customer shall not and shall not permit any Authorized User to: (a) reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Platform; (b) sublicense, resell, distribute, or make the Platform available to any third party; (c) use the Platform for any unlawful purpose or in violation of applicable law; (d) circumvent or disable any security, access control, or usage-limiting features of the Platform; (e) introduce malicious code, viruses, or other harmful materials into the Platform; (f) access or use the Platform in excess of the user licenses or store count specified in the Order Form; (g) use the Platform to develop a competing product or service; or (h) use any automated means, including bots, scrapers, or crawlers, to access the Platform except through Provider-authorized APIs.
2.4 Compliance with Laws
Customer is solely responsible for ensuring that its use of the Platform complies with all applicable federal, state, and local laws and regulations, including but not limited to consumer protection, data privacy, anti-spam, and motor vehicle dealer licensing requirements.
3. CRM and Communications Compliance
3.1 Customer Responsibility for Outbound Communications
The Platform includes customer relationship management features that enable Customer to send email and SMS communications to Customer’s contacts. Customer acknowledges and agrees that it is solely responsible for the content, timing, frequency, and legal compliance of all outbound communications sent through the Platform, including compliance with the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, and all other applicable federal, state, and local laws governing electronic communications.
3.2 Consent and Opt-In Requirements
Customer shall obtain and maintain all required consents, opt-ins, and authorizations from recipients before sending any communications through the Platform. Customer shall honor all unsubscribe and opt-out requests in accordance with applicable law and shall not use the Platform to send unsolicited communications to recipients who have not provided valid consent.
3.3 Prohibited Communications
Customer shall not use the Platform’s communication features to send communications that: (a) are deceptive, fraudulent, or misleading; (b) contain illegal content; (c) violate the intellectual property rights of any third party; (d) constitute harassment or threats; or (e) otherwise violate applicable law or these Terms.
3.4 Provider’s Right to Intervene
Provider reserves the right to suspend Customer’s access to CRM communication features if Provider reasonably believes Customer is using such features in violation of applicable law or these Terms. Provider shall provide notice of such suspension and an opportunity to cure where commercially practicable.
4. Fees and Payment
4.1 Subscription Fees
Customer shall pay the subscription fees specified in the Order Form. Unless otherwise stated in the Order Form, fees are invoiced monthly and due within fifteen (15) days of the invoice date.
4.2 Fee Adjustments
For renewal terms, Provider may adjust subscription fees upon at least sixty (60) days’ written notice prior to the start of the applicable renewal period.
4.3 Taxes
All fees are exclusive of applicable taxes. Customer is responsible for all sales, use, value-added, and similar taxes arising from this agreement, excluding taxes based on Provider’s net income.
4.4 Late Payments
Amounts not paid when due shall accrue interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by law. Provider reserves the right to suspend access to the Platform following fifteen (15) days’ written notice of non-payment.
4.5 Payment Processing
Certain payment processing features of the Platform are facilitated through third-party payment processors, including Stripe, Inc. Customer’s use of such features is subject to the applicable third-party terms and conditions. Provider is not liable for any acts or omissions of third-party payment processors.
5. Data Ownership, Privacy, and Security
5.1 Customer Ownership
Customer retains all right, title, and interest in and to Customer Data. Provider acquires no ownership rights in Customer Data by virtue of these Terms or Customer’s use of the Platform.
5.2 Limited License to Customer Data
Customer grants Provider a limited, non-exclusive license to access, use, process, and store Customer Data solely for purposes of providing, maintaining, and supporting the Platform for Customer’s internal dealership operations. Provider may use Customer Data to improve and develop the Platform only in de-identified or aggregated form in accordance with Section 5.3, and shall not use Customer Data in identifiable form to train, fine-tune, or develop any artificial-intelligence or machine-learning model. Provider shall not sell Customer Data, disclose Customer Data to competitors of Customer, or use Customer Data for any purpose unrelated to the services provided under these Terms.
5.3 Aggregated and Anonymized Data
Provider may collect and use aggregated and anonymized data derived from Customer’s use of the Platform solely for Provider’s internal purposes, including product development, performance optimization, and internal analytics. Such data shall not identify Customer, any individual, or any specific dealership, and shall not be published, disclosed, or made available to any third party. For purposes of this Section, “aggregated and anonymized data” means data that has been irreversibly de-identified so that it cannot reasonably be used, alone or in combination with other information, to re-identify Customer, any individual, or any specific dealership. Such data shall exclude, and Provider shall not derive such data from, any manufacturer or dealer cost, invoice, or wholesale pricing information or any personal information. Provider shall not use Customer Data to train, fine-tune, or develop any artificial-intelligence or machine-learning model.
5.4 Security Measures
Provider shall maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, disclosure, alteration, or destruction. These safeguards include, without limitation, encryption of data in transit and at rest and role-based access controls. Provider further requires multi-factor authentication for access to the Platform. Provider maintains a written information security program containing administrative, technical, and physical safeguards aligned to the Gramm-Leach-Bliley Act and the FTC Standards for Safeguarding Customer Information, 16 C.F.R. Part 314, as further described in the Service Provider Addendum, and maintains and periodically tests a documented incident response plan.
5.5 Data Breach Notification
In the event Provider becomes aware of a Security Incident, Provider shall: (a) notify Customer in writing within seventy-two (72) hours of confirming the Security Incident; (b) take reasonable steps to contain and remediate the Security Incident; and (c) cooperate with Customer in investigating and responding to the Security Incident.
5.6 Subprocessors
Customer acknowledges that Provider utilizes third-party Subprocessors to provide infrastructure, hosting, data storage, payment processing, email delivery, SMS delivery, and other services necessary to operate the Platform. Provider takes reasonable steps to select Subprocessors that are capable of maintaining safeguards appropriate to the Customer Data they process. Provider shall be liable for a Subprocessor’s processing of Customer Data only to the extent that Provider failed to meet its own obligations under these Terms with respect to the selection, oversight, or instruction of such Subprocessor. A list of the Subprocessors that process Customer Data as of the Effective Date is set forth in Schedule 1 to the Service Provider Addendum. Provider shall (i) process Customer Data with each Subprocessor under that Subprocessor’s applicable terms of service and data-processing terms, which obligate the Subprocessor to maintain safeguards for, and to notify Provider of security incidents affecting, the data it processes; (ii) remain responsible, as between the Parties, for its Subprocessors’ compliance with the data-protection and security obligations applicable to the Customer Data they process; and (iii) provide Customer with reasonable advance notice, including by updating a written or publicly posted list, before engaging a new Subprocessor to process Customer Data, during which Customer may object on reasonable data-protection grounds and, if the Parties are unable to resolve the objection, terminate the affected Order Form without penalty.
5.7 Data Portability
Upon written request following termination or expiration of the Subscription Term, Provider shall make Customer Data available for export in a commercially reasonable, machine-readable format within thirty (30) days. Following successful delivery and Customer’s written confirmation of receipt, Provider shall delete Customer Data from active production systems within sixty (60) days and, upon Customer’s request, provide written certification of such deletion. Any Customer Data remaining in Provider’s routine, encrypted backups shall be retained only for Provider’s standard backup-retention period, not to exceed [thirty (30)] days, after which it is automatically overwritten or expired, except as otherwise required by applicable law.
5.8 GLBA / FTC Safeguards Rule; Service Provider
The Parties acknowledge that Customer may be a “financial institution” subject to the Gramm-Leach-Bliley Act and the FTC Standards for Safeguarding Customer Information, 16 C.F.R. Part 314 (the “Safeguards Rule”), and that Provider acts as a service provider to Customer with respect to Customer Data. Provider shall maintain a written information security program that contains administrative, technical, and physical safeguards appropriate to the sensitivity of the Customer Data and consistent with the Safeguards Rule, including a designated qualified individual responsible for the program, periodic risk assessments, the security safeguards described in Section 5.4, workforce security training, oversight of Subprocessors, a written incident response plan, and periodic testing and monitoring. The specific obligations of Provider as a service provider are further set forth in the Service Provider Addendum, which is incorporated into these Terms by reference.
6. Confidentiality
6.1 Confidential Information
“Confidential Information” means any non-public information disclosed by one Party to the other in connection with these Terms, including business plans, financial information, technical information, customer lists, pricing structures, and proprietary operational processes. Customer Data is deemed Confidential Information of Customer.
6.2 Obligations
Each Party agrees to: (a) hold the other Party’s Confidential Information in confidence using the same degree of care it uses to protect its own confidential information, but in no event less than reasonable care; (b) not disclose Confidential Information to any third party except as necessary to perform its obligations under these Terms and subject to confidentiality obligations no less restrictive than those set forth herein; and (c) not use Confidential Information for any purpose outside the scope of these Terms.
6.3 Exceptions
Confidentiality obligations do not apply to information that: (a) is or becomes publicly available without breach of these Terms; (b) was known to the receiving Party prior to disclosure; (c) is received from a third party without restriction; or (d) is independently developed without use of or reference to the disclosing Party’s Confidential Information.
6.4 Competitive Protection
Provider agrees that Customer-specific operational information, pricing structures, customer lists, sales performance data, and other proprietary dealership information obtained through use of the Platform shall not be intentionally disclosed to or used for the benefit of competing dealerships.
7. Intellectual Property
7.1 Provider Ownership
Provider retains all right, title, and interest in and to the Platform, including all software, source code, object code, documentation, designs, workflows, trade secrets, trademarks, and other intellectual property associated with the Platform. Nothing in these Terms transfers or assigns any intellectual property rights to Customer except the limited access rights expressly granted herein.
7.2 Feedback
If Customer provides suggestions, enhancement requests, recommendations, or other feedback regarding the Platform (“Feedback”), Provider shall have a royalty-free, worldwide, irrevocable, perpetual license to use, modify, and incorporate such Feedback into the Platform without obligation or compensation to Customer.
8. Service Availability
8.1 Availability
The Platform is hosted on enterprise-grade cloud infrastructure provided by Cloudflare, Inc. (NYSE: NET), a global network and edge computing provider operating across hundreds of cities worldwide, and Supabase, Inc., a managed database and serverless platform built on Amazon Web Services (AWS) and PostgreSQL. Both providers maintain their own high-availability architectures, geographic redundancy, automated backups, and published service level agreements, which are available on their respective websites along with real-time public status pages. Provider shall use commercially reasonable efforts to maintain the availability of the Platform, leveraging the reliability and scale of its underlying infrastructure providers. Provider does not guarantee uninterrupted or error-free operation and shall not be liable for any downtime, interruptions, or performance degradation, including outages attributable to third-party infrastructure providers.
8.2 Scheduled Maintenance
Provider may perform scheduled maintenance on the Platform and will use commercially reasonable efforts to provide advance notice of planned maintenance windows that may affect availability.
8.3 Updates and Modifications
Provider may modify, enhance, or update the Platform from time to time in the ordinary course of business and product development. Provider shall use commercially reasonable efforts to ensure that material changes do not materially diminish the core functionality of the Platform during the Subscription Term.
8.4 Suspension for Cause
In addition to suspension for non-payment as described in Section 4.4, Provider reserves the right to suspend Customer’s access to the Platform, in whole or in part, if: (a) Customer’s use of the Platform violates the acceptable use provisions of Section 2.3; (b) Customer’s use poses a security risk to the Platform or other customers; (c) Customer’s use is causing material harm to the performance, integrity, or availability of the Platform for other tenants; or (d) suspension is required to comply with applicable law or a valid legal order. Provider shall provide reasonable advance notice of any suspension and an opportunity to cure where commercially practicable, except where immediate suspension is necessary to prevent harm or comply with legal requirements.
9. Support and Onboarding
9.1 Support Services
Provider shall provide reasonable technical support to Customer during normal business hours via email and in-app communication channels. Provider shall use commercially reasonable efforts to respond to support inquiries within one (1) business day.
9.2 Onboarding and Implementation
Provider shall provide initial configuration, onboarding assistance, and staff training as described in the Order Form. Customer agrees to provide all reasonably necessary access, information, and cooperation required for successful implementation.
9.3 Customer Responsibilities
Customer shall: (a) designate at least one primary internal contact for Platform-related communications; (b) maintain the accuracy and integrity of Customer Data entered into the Platform; (c) ensure that Authorized Users are properly trained and comply with these Terms; and (d) maintain adequate internet connectivity and compatible devices required to access the Platform.
10. Electronic Records and Signatures
10.1 Validity of Electronic Records
The Platform may generate, transmit, and store electronic records, including but not limited to invoices, buyer’s orders, purchase orders, repair orders, and other transactional documents. Customer acknowledges and agrees that electronic records generated through the Platform shall have the same legal validity, enforceability, and admissibility as their paper equivalents to the fullest extent permitted by the federal Electronic Signatures in Global and National Commerce Act (ESIGN), the Florida Uniform Electronic Transaction Act (UETA), and other applicable law.
10.2 Electronic Signatures
The Platform may facilitate the collection of electronic signatures on documents. Customer acknowledges and agrees that: (a) electronic signatures collected through the Platform constitute valid and binding signatures under applicable law; (b) Customer is responsible for ensuring that its use of electronic signatures complies with all applicable legal requirements, including any industry-specific or transaction-specific requirements for wet signatures; and (c) Provider does not warrant that electronic signatures are legally sufficient for all document types or jurisdictions.
11. Beta Features
11.1 Availability and Designation
Provider may, from time to time, make Beta Features available to Customer. Beta Features will be clearly designated as such within the Platform or in written communications to Customer. Customer’s use of Beta Features is voluntary.
11.2 No Warranty; As-Is
BETA FEATURES ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. PROVIDER MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE RELIABILITY, AVAILABILITY, ACCURACY, OR COMPLETENESS OF BETA FEATURES. BETA FEATURES MAY CONTAIN BUGS, ERRORS, OR OTHER DEFECTS.
11.3 Modification and Discontinuation
Provider may modify, suspend, or discontinue any Beta Feature at any time without prior notice or liability. Beta Features may be promoted to generally available features, modified, or removed entirely at Provider’s sole discretion. Provider has no obligation to make any Beta Feature generally available.
11.4 Feedback on Beta Features
Provider may request and Customer may voluntarily provide feedback on Beta Features. Any such feedback shall be subject to the feedback provisions of Section 7.2.
11.5 Limitation of Liability for Beta Features
Provider shall have no liability arising out of or relating to Customer’s use of Beta Features, including but not limited to data loss, service interruptions, or inaccuracies in Beta Feature output. Customer uses Beta Features at its own risk.
12. Marketing and Publicity
12.1 Customer Reference
Provider may request permission to reference Customer as a user of the Platform in marketing materials, case studies, testimonials, press releases, and on Provider’s website. Any such use shall be subject to Customer’s prior written approval, which may be granted or withheld in Customer’s sole discretion.
12.2 Trademark Usage
Neither Party shall use the other Party’s name, logo, or trademarks without prior written consent, except as expressly permitted under this Section or as otherwise agreed in the Order Form.
13. Representations and Warranties
13.1 Mutual Representations
Each Party represents and warrants that: (a) it has the legal power and authority to enter into these Terms; (b) the execution and performance of these Terms does not conflict with any other agreement to which it is a party; and (c) it will comply with all applicable laws in connection with these Terms.
13.2 Provider Warranty
Provider warrants that the core functionality of the Platform (excluding Beta Features) will perform materially in accordance with its documentation during the Subscription Term. Customer’s sole remedy and Provider’s sole obligation for breach of this warranty shall be for Provider to use commercially reasonable efforts to correct the non-conformity. If Provider is unable to correct a material non-conformity in core Platform functionality within ninety (90) days of written notice, Customer may terminate the affected Order Form and receive a pro-rata refund of prepaid fees for the unused portion of the Subscription Term. For purposes of this Section, “core functionality” means the primary operational modules described in the Order Form, and does not include ancillary features, integrations, cosmetic issues, or functionality not materially affecting Customer’s dealership operations.
13.3 Disclaimer
EXCEPT AS EXPRESSLY SET FORTH IN SECTION 13.2, THE PLATFORM IS PROVIDED “AS IS” AND “AS AVAILABLE.” PROVIDER DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.
14. Indemnification
14.1 Provider Indemnification
Provider shall defend, indemnify, and hold harmless Customer from and against any third-party claims, damages, losses, liabilities, and expenses (including reasonable attorneys’ fees) arising from allegations that the Platform, as provided by Provider, infringes or misappropriates a third party’s intellectual property rights, provided that Customer: (a) promptly notifies Provider of the claim; (b) grants Provider sole control of the defense and settlement; and (c) provides reasonable cooperation at Provider’s expense.
14.2 Customer Indemnification
Customer shall defend, indemnify, and hold harmless Provider from and against any third-party claims, damages, losses, liabilities, and expenses (including reasonable attorneys’ fees) arising from: (a) Customer Data or Customer’s use of the Platform in violation of these Terms or applicable law; (b) Customer’s breach of its representations or warranties; (c) Customer’s outbound communications sent through the Platform, including any claims arising under the TCPA, CAN-SPAM Act, or similar laws; or (d) any dispute between Customer and its own customers or vendors unrelated to the Platform’s functionality.
15. Limitation of Liability
15.1 Exclusion of Damages
IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS, LOST REVENUE, LOSS OF DATA, OR BUSINESS INTERRUPTION, REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
15.2 Liability Cap
EACH PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS SHALL NOT EXCEED THE TOTAL AMOUNTS ACTUALLY PAID OR PAYABLE BY CUSTOMER TO PROVIDER DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM. Notwithstanding the foregoing, Provider shall be liable for damages arising out of a Security Incident that results from Provider’s failure to maintain the safeguards set forth in Section 5.4 of these Terms and Section 3 of the Service Provider Addendum. Provider’s aggregate liability for such a Security Incident shall not exceed the greater of (a) the total amounts paid or payable by Customer to Provider during the twelve (12) months immediately preceding the event giving rise to the claim or (b) [three (3) times] that amount. For a Security Incident, this Section 15.2 governs notwithstanding Section 15.3(b).
15.3 Exceptions
The limitations in Sections 15.1 and 15.2 shall not apply to: (a) either Party’s indemnification obligations; (b) either Party’s breach of confidentiality obligations, provided that except as provided in Section 15.2 for a Security Incident, liability for breach of confidentiality obligations shall not exceed three (3) times the amounts actually paid or payable by Customer during the twelve (12) months preceding the event giving rise to the claim; (c) Customer’s payment obligations; or (d) liability arising from a Party’s gross negligence or willful misconduct.
16. Term and Termination
16.1 Term
The Subscription Term shall commence on the Effective Date specified in the Order Form and continue for the initial period stated therein. Upon expiration of the initial term, the subscription shall automatically renew on a month-to-month basis at Provider’s then-current pricing unless either Party provides written notice of non-renewal at least thirty (30) days prior to the end of the then-current term.
16.2 Termination for Cause
Either Party may terminate the affected Order Form upon: (a) a material breach by the other Party that remains uncured for thirty (30) days following written notice specifying the nature of the breach; or (b) the other Party’s insolvency, bankruptcy filing, or cessation of business operations.
16.3 Termination for Convenience
Customer may terminate for convenience upon sixty (60) days’ written notice, effective at the end of the then-current billing period. No refund shall be due for prepaid fees covering the period following the effective date of termination for convenience unless otherwise specified in the Order Form.
16.4 Effect of Termination
Upon termination or expiration: (a) Customer’s access rights shall immediately cease; (b) Customer shall pay all fees accrued through the effective date of termination; (c) each Party shall return or destroy the other Party’s Confidential Information upon request; and (d) Provider shall make Customer Data available for export in accordance with Section 5.7.
16.5 Survival
Sections 5 (Data Ownership), 6 (Confidentiality), 7 (Intellectual Property), 10 (Electronic Records), 14 (Indemnification), 15 (Limitation of Liability), and 17 (General Provisions) shall survive any termination or expiration of these Terms.
17. General Provisions
17.1 Governing Law and Venue
These Terms shall be governed by and construed in accordance with the laws of the State of Florida, without regard to conflicts of law principles. Any legal action arising under these Terms shall be brought exclusively in the state or federal courts located in Pinellas County, Florida, and each Party consents to the personal jurisdiction of such courts.
17.2 Dispute Resolution
Prior to initiating any legal proceeding, the Parties agree to attempt in good faith to resolve any dispute through informal negotiation for a period of not less than thirty (30) days following written notice of the dispute. If the dispute cannot be resolved informally, either Party may pursue available legal remedies.
17.3 Force Majeure
Neither Party shall be liable for any delay or failure in performance resulting from causes beyond its reasonable control, including but not limited to acts of God, natural disasters, pandemics, government actions, internet or utility outages, cyberattacks, or labor disputes, provided that the affected Party promptly notifies the other Party and uses commercially reasonable efforts to mitigate the impact.
17.4 Assignment
Neither Party may assign or transfer this agreement without the prior written consent of the other Party, except that either Party may assign this agreement in connection with a merger, acquisition, or sale of substantially all of its assets, provided the assignee assumes all obligations under these Terms.
17.5 Notices
All notices required or permitted under these Terms shall be in writing and shall be deemed given when: (a) delivered personally; (b) sent by email with confirmation of receipt; or (c) sent by nationally recognized overnight courier, addressed to the contact information specified in the Order Form or such other address as a Party may designate in writing.
17.6 Severability
If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the Parties’ original intent.
17.7 Waiver
The failure of either Party to enforce any provision of these Terms shall not constitute a waiver of such provision or the right to enforce it at a later time.
17.8 Entire Agreement
These Terms, together with the applicable Order Form and any exhibits or schedules attached thereto, constitute the entire agreement between the Parties with respect to the subject matter hereof and supersede all prior and contemporaneous negotiations, discussions, and agreements, whether oral or written.
17.9 Amendments
Provider may update these Terms from time to time. Provider shall provide Customer with at least thirty (30) days’ written notice of material changes. Customer’s continued use of the Platform following the effective date of such changes constitutes acceptance of the updated Terms. If Customer does not agree to the updated Terms, Customer may terminate in accordance with Section 16.3.
17.10 Relationship of the Parties
The Parties are independent contractors. Nothing in these Terms shall be construed to create a partnership, joint venture, agency, or employment relationship between the Parties. Individuals associated with Provider may separately maintain employment, advisory, ownership, or investment relationships with Customer independent of these Terms, and such relationships shall not affect the validity, enforceability, or operation of these Terms or the Platform.
17.11 Third-Party Services
The Platform may integrate with or facilitate access to third-party services, including but not limited to payment processors, communication providers, and data services. Customer’s use of such third-party services is subject to the applicable third-party terms and conditions. Provider makes no warranties regarding third-party services and is not liable for any acts or omissions of third-party providers.
End of Terms of Service
Service Provider Addendum
Information Security and FTC Safeguards Rule
This Service Provider Addendum (the “Addendum”) supplements and is incorporated into the WakeWorks Terms of Service and the applicable Order Form (together, the “Agreement”) between WakeWorks, LLC (“Provider”) and the customer identified in the Order Form (“Customer”). Capitalized terms not defined in this Addendum have the meanings given in the Agreement. In the event of a conflict between this Addendum and the Terms of Service with respect to information security or the handling of Customer Data, this Addendum controls.
1. Purpose and Service Provider Status
Customer may be a “financial institution” subject to the Gramm-Leach-Bliley Act (“GLBA”) and the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 C.F.R. Part 314 (the “Safeguards Rule”). With respect to Customer Data that constitutes “customer information” under the Safeguards Rule, Provider acts as a service provider to Customer. Provider shall maintain safeguards designed to protect such information in a manner consistent with the Safeguards Rule and this Addendum.
2. Information Security Program
Provider maintains a written information security program (the “Security Program”) that contains administrative, technical, and physical safeguards appropriate to Provider’s size and complexity, the nature and scope of its activities, and the sensitivity of the Customer Data it processes. The Security Program includes, at a minimum, the following elements:
- Designated Qualified Individual. Provider designates a qualified individual responsible for overseeing, implementing, and enforcing the Security Program.
- Risk Assessment. Provider performs periodic risk assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Customer Data, and to evaluate the sufficiency of safeguards in place to control those risks.
- Safeguards. Provider implements technical safeguards including access controls based on least privilege, encryption of Customer Data in transit and at rest, multi-factor authentication for access to the Platform, secure software development practices, change management, and logging and monitoring of activity within the Platform.
- Workforce Training. Provider provides security awareness training to personnel with access to Customer Data and maintains personnel practices designed to support the Security Program.
- Service Provider Oversight. Provider oversees its Subprocessors as described in Section 4, selecting Subprocessors capable of maintaining appropriate safeguards and relying on each Subprocessor’s own data-processing terms, which obligate it to maintain such safeguards.
- Incident Response. Provider maintains and periodically tests a written incident response plan addressing the detection of, response to, and recovery from a Security Incident.
- Testing and Monitoring. Provider periodically monitors and tests the effectiveness of its safeguards through continuous monitoring or periodic assessments such as vulnerability scanning and penetration testing.
- Reporting. Provider periodically reports to its management on the overall status of the Security Program and material risks.
3. Specific Security Controls
Without limiting Section 2, Provider represents that the following specific controls (the “Specific Security Controls”) are in effect for the Platform, each implementing the corresponding requirement of 16 C.F.R. § 314.4(c):
- (a) Access control and least privilege. Role-based access control with granular, configurable permissions; access is limited to what each user’s role requires (§ 314.4(c)(1)).
- (b) Tenant isolation. Each Customer’s data is logically isolated from every other Customer’s through row-level security enforced at the database layer on all tables containing Customer Data, so that no Customer user can access another Customer’s data (Provider administrative access is addressed in subsection (f)).
- (c) Multi-factor authentication. Access to the Platform requires multi-factor authentication (§ 314.4(c)(5)).
- (d) Encryption in transit. All connections to the Platform and its application programming interfaces are encrypted using current Transport Layer Security (§ 314.4(c)(3)).
- (e) Encryption at rest. The production database and file storage are encrypted at rest; integration and AI-provider credentials are additionally encrypted using authenticated encryption bound to the owning Customer (§ 314.4(c)(3)).
- (f) Administrative access. Administrative access by Provider personnel to Customer Data is restricted, role-gated, time-boxed, and logged (§ 314.4(c)(8)).
- (g) Secure development and change management. Provider follows secure software-development and change-management practices, including access-controlled source control and code review (§ 314.4(c)(4), (c)(7)).
- (h) Logging and monitoring. Activity within the Platform is logged, and Provider monitors for and is alerted to errors and anomalous conditions (§ 314.4(c)(8)).
- (i) Data minimization. Provider does not store government identification numbers (such as Social Security numbers), and payment-card data is tokenized by Provider’s payment processor such that full card numbers are not stored on the Platform.
- (j) Non-production data. Provider’s development and test environments use synthetic, non-production data and do not contain Customer’s production Customer Data.
The Specific Security Controls constitute the safeguards referenced in the limitation-of-liability provisions of the Terms of Service. A summary description of how Provider implements these controls is set forth in Schedule 2 (Security Overview).
4. Subprocessors and Flow-Down
Provider may engage Subprocessors to process Customer Data in connection with the Platform. With respect to such Subprocessors, Provider shall (a) take reasonable steps to select and retain Subprocessors that are capable of maintaining safeguards appropriate to the Customer Data they process, taking into account each Subprocessor’s published security and data-processing commitments and any third-party certifications or audit reports (such as SOC 2 or ISO 27001) where available; (b) process Customer Data with each Subprocessor under that Subprocessor’s applicable terms of service and data-processing terms, which obligate the Subprocessor to maintain safeguards for, and to notify Provider of security incidents affecting, the data it processes; (c) remain responsible, as between the Parties, for its Subprocessors’ compliance with the data-protection and security obligations applicable to the Customer Data they process; and (d) provide Customer with reasonable advance notice, including by updating the list in Schedule 1 or a publicly posted list, before engaging a new Subprocessor that will process Customer Data, during which Customer may object on reasonable data-protection grounds. A list of Provider’s current Subprocessors is set forth in Schedule 1 to this Addendum. Certain third-party services—including Customer’s AI provider, payment processor, and SMS provider—are connected and maintained under Customer’s own accounts and are not Provider’s Subprocessors.
5. Security Incident Notification and Cooperation
In the event of a Security Incident, Provider shall: (a) notify Customer in writing without undue delay and in any event within seventy-two (72) hours of confirming the Security Incident; (b) take reasonable steps to contain and remediate the Security Incident; (c) provide Customer with information reasonably available to Provider regarding the nature and scope of the Security Incident; and (d) reasonably cooperate with Customer in connection with Customer’s investigation of, response to, and notification obligations arising from the Security Incident. Provider’s notification of, or response to, a Security Incident is not an acknowledgment by Provider of any fault or liability.
6. Assurance
Upon Customer’s reasonable written request, and no more than once per twelve (12) month period unless required by a regulator or following a Security Incident, Provider shall make available a summary of its Security Program and, if and when available, relevant third-party audit reports or certifications (such as a SOC 2 report), and shall respond to reasonable security questionnaires, subject to appropriate confidentiality obligations.
7. Return and Deletion of Customer Data
Upon termination or expiration of the Agreement, Provider shall make Customer Data available for export and shall delete Customer Data in accordance with Section 5.7 of the Terms of Service, including the applicable backup-retention period specified therein.
8. Customer Responsibilities
Customer remains responsible for its own compliance with the Safeguards Rule and applicable law, including: (a) managing and promptly deprovisioning its Authorized Users’ access; (b) requiring its Authorized Users to enroll in and use multi-factor authentication; (c) configuring its own connected third-party accounts (including its AI provider, payment processor, and SMS provider); and (d) ensuring it has the necessary rights and consents for the Customer Data it enters into the Platform.
Schedule 1 — Subprocessor List
The following list identifies Provider’s Subprocessors that process Customer Data on Provider’s behalf as of the Effective Date. This list is subject to update in accordance with Section 4.
Provider’s Subprocessors are among the most widely relied-upon infrastructure providers in the world — including Cloudflare, which powers a significant portion of global internet traffic, and Amazon Web Services, the world’s largest cloud platform, on which the Platform’s database and storage are hosted. Each maintains its own recognized information-security program and independent third-party certifications (such as SOC 2 and/or ISO 27001).
| Subprocessor | Function |
|---|---|
| Cloudflare, Inc. | Application hosting, edge network, and content delivery |
| Supabase, Inc. (on Amazon Web Services) | Managed database, authentication, storage, and serverless compute |
| Resend (email delivery) | Transactional and campaign email delivery on Provider’s behalf |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance telemetry |
| [Additional Subprocessors] | [To be confirmed — e.g., any analytics, logging, or support tooling that processes Customer Data] |
Customer-connected services (under Customer’s own accounts, not Provider Subprocessors): Customer’s selected AI provider (e.g., Anthropic, OpenAI, Google, OpenRouter, or self-hosted); Stripe, Inc. (payment processing); Twilio Inc. (SMS); and any optional integrations Customer elects to connect (e.g., QuickBooks, Xero, Boat Trader, Google Calendar).
Schedule 2 — Security Overview
This Schedule describes, in summary form, how Provider implements the Specific Security Controls in Section 3. It is provided for Customer’s understanding and diligence and does not expand or limit Provider’s obligations under the Agreement.
- Architecture and hosting. The Platform runs on Cloudflare (application and edge network) and Supabase on Amazon Web Services (managed PostgreSQL database, authentication, file storage, and serverless functions), hosted in the United States.
- Multi-tenant isolation. Every table containing Customer Data is protected by PostgreSQL row-level security. Access is mediated by store- and organization-scoped authorization functions, so a Customer user can reach only the data belonging to their own dealership and has no path to another Customer’s data; Provider personnel access is described under “Administrative access” below.
- Authentication and access. Users authenticate through Supabase Auth, and access to the Platform requires multi-factor authentication. Within a dealership, a role-based permission model with granular, configurable permissions limits each user to the functions their role requires.
- Administrative access. Provider does not maintain standing access to Customer Data. Privileged access by Provider personnel is obtained through a logged, time-boxed elevation that records which Provider individual accessed which Customer’s environment, when, and why.
- Encryption. All traffic to the Platform and its APIs is encrypted in transit using current TLS. The database and file storage are encrypted at rest on the managed infrastructure. Sensitive integration secrets — including Customer’s AI-provider and other API credentials — are additionally encrypted in the database using authenticated encryption (libsodium) bound to the owning dealership, so a credential cannot be used outside its Customer context.
- AI processing. AI-powered features run through Customer’s own AI-provider account; Customer Data processed by those features is sent only to Customer’s chosen provider. Provider does not route Customer Data through any Provider-owned AI account and does not use Customer Data to train or fine-tune any model.
- Data handling and minimization. The Platform does not store government identification numbers such as Social Security numbers. Payment-card data is tokenized by Stripe, and full card numbers are not stored on the Platform. Provider’s development and test environments use synthetic, non-production data.
- Logging, monitoring, and incident response. Application activity and administrative actions are logged. Provider monitors for errors and anomalies and maintains a documented incident-response plan; Provider notifies Customer of a confirmed Security Incident as set out in Section 5.
- Backups and deletion. Customer Data is included in routine encrypted backups. On termination, Customer Data is exported and deleted in accordance with Section 5.7 of the Terms of Service, including the stated backup-retention window.
End of Exhibit A
WakeWorks, LLC • 7901 4th St N, Ste 300, St. Petersburg, FL 33702 • wakeworks.io