Data Processing Agreement

Last updated: {lastUpdated}

This Data Processing Agreement ("DPA") forms part of the Terms of Service between {appName} ("Processor") and the customer ("Controller") who has entered into a subscription agreement for the Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
"Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Service as described in the Terms of Service. Processing activities include:

Account management (name, email address)
Google Search Console data synchronisation and analysis
WordPress content inventory and publishing
AI-assisted content generation (using Controller-provided API keys)
SEO analysis, recommendations, and reporting
Audit logging for security and compliance

3. Obligations of the Processor

The Processor shall:

Process Personal Data only on documented instructions from the Controller (GDPR Art. 28(3)(a))
Ensure that persons authorised to process Personal Data are bound by confidentiality obligations (GDPR Art. 28(3)(b))
Implement appropriate technical and organisational security measures (GDPR Art. 32), including encryption at rest (AES-256) for sensitive data, HTTPS with HSTS, and rate limiting
Not engage another processor without prior written authorisation of the Controller (GDPR Art. 28(2))
Assist the Controller in responding to data subject requests (GDPR Art. 28(3)(e))
Notify the Controller without undue delay upon becoming aware of a Personal Data breach (GDPR Art. 33)
Delete or return all Personal Data upon termination of the Service, unless retention is required by law (GDPR Art. 28(3)(g))
Make available all information necessary to demonstrate compliance and allow for audits (GDPR Art. 28(3)(h))

4. Sub-processors

The Controller authorises the use of the sub-processors listed on our{' '} Sub-Processors page . The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

5. International Data Transfers

Where Personal Data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, or reliance on the EU-US Data Privacy Framework where applicable. Transfer details are documented in our{' '} Privacy Policy .

6. Data Retention

The Processor retains Personal Data in accordance with the retention schedule published in the Privacy Policy. Upon account deletion, all Personal Data is permanently removed, with audit logs anonymised (PII stripped) as permitted under GDPR for compliance purposes.

7. Security Measures

The Processor implements the following technical and organisational measures:

Encryption at rest (AES-256) for API keys, OAuth tokens, and HMAC secrets
HTTPS with HSTS enforcement for all connections
Secure, HTTP-only, SameSite session cookies
Content Security Policy headers
Rate limiting on authentication and API endpoints
Structured audit logging with PII sanitisation
Automated data retention enforcement via scheduled jobs

8. Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

9. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per calendar year, with 30 days prior written notice. The Processor will cooperate with reasonable audit requests and provide access to relevant documentation and systems.

10. Term and Termination

This DPA remains in effect for the duration of the Service agreement. Upon termination, the Processor will delete all Personal Data within 30 days, unless retention is required by applicable law.

11. Governing Law

This DPA is governed by the laws applicable to the Terms of Service. For data protection matters, the provisions of the GDPR take precedence where there is a conflict.

12. Contact

To request a signed copy of this DPA or discuss data processing terms, please contact our Data Protection Officer at{' '} dpo@{new URL(app_url).hostname} .