Data Processing Agreement

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following definitions apply:

Controller

The Customer, who determines the purposes and means of the processing of Personal Data.

Processor

Geo Attribution Limited, who processes Personal Data on behalf of the Controller.

Personal Data

Any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.

Data Subjects

Individuals whose Personal Data is processed under this DPA.

Sub-processors

Third-party processors engaged by Geo Attribution to process Personal Data on behalf of the Customer.

Data Protection Laws

All applicable data protection and privacy laws, including but not limited to the UK GDPR, EU GDPR, and other relevant national legislation.

2. Roles and Responsibilities

Under this DPA:

• Customer acts as the Data Controller, determining the purposes and means of processing Personal Data.
• Geo Attribution acts as the Data Processor, processing Personal Data solely on documented instructions from the Customer.
• Customer remains responsible for complying with applicable Data Protection Laws in its role as Controller.
• Geo Attribution will assist Customer in meeting its compliance obligations as detailed in this DPA.

3. Scope of Processing

Geo Attribution processes the following categories of Personal Data on behalf of Customer:

• User account information (name, email address, company details)
• Usage data and analytics relating to the Geo Attribution platform
• Domain and website content submitted for LLM citation tracking
• Scan results and attribution data generated by the platform
• Communication data between Customer and Geo Attribution support

The processing is for the following purposes:

• Providing the Geo Attribution platform services
• Generating LLM citation reports and analytics
• Platform maintenance, support, and improvement
• Billing and account management

4. Customer Instructions

Geo Attribution will process Personal Data only on documented instructions from the Customer, including:

• The initial instructions set out in the main service agreement
• Subsequent written instructions agreed by both parties
• Instructions given through the platform's user interface and API
• Instructions related to data deletion, correction, or export requests

Geo Attribution will immediately notify Customer if any instruction appears to violate applicable Data Protection Laws.

5. Confidentiality

Geo Attribution ensures that all personnel with access to Personal Data:

• Are bound by contractual confidentiality obligations
• Receive appropriate data protection training
• Access Personal Data only on a need-to-know basis
• Are subject to background checks where legally permissible

6. Security Measures

Geo Attribution implements appropriate technical and organisational security measures, including:

• Encryption of Personal Data in transit using TLS 1.3
• Data stored on encrypted infrastructure provided by our hosting provider; database replicas encrypted at rest by Tigris server-side encryption
• Token-based authentication (JWT) with bcrypt password hashing and automatic refresh-token rotation
• Periodic security assessments appropriate to platform maturity
• Audit logging of administrative operations and webhook events
• Secure data centres with physical access controls
• Business continuity and disaster recovery procedures
• Regular security training for all personnel

7. Sub-processors

Customer authorises Geo Attribution to engage the following sub-processors:

• Stripe, Inc. (payment processing)
• Resend (email delivery services)
• Fly.io (cloud hosting infrastructure)
• Tigris Data (database backup and storage)
• OpenAI, Anthropic, Google, Perplexity (LLM API services for citation analysis)

Customer has the right to object to any new sub-processor. Geo Attribution will provide 30 days' notice before engaging new sub-processors. If Customer objects, both parties will work together to find an alternative solution or terminate the relevant service.

8. International Transfers

Personal Data may be transferred outside the European Economic Area (EEA) to:

• United States (for LLM API services and some infrastructure providers)
• Other countries where our sub-processors operate

All international transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Appropriate additional safeguards where required
• Data is primarily hosted in London, UK to minimise international transfers

9. Data Subject Rights

Geo Attribution will assist Customer in responding to data subject requests by:

• Providing technical and organisational measures to enable Customer to respond to requests
• Promptly forwarding any data subject requests received directly to Customer
• Implementing data portability features within the platform
• Providing data deletion capabilities within 30 days of request
• Maintaining audit logs to demonstrate compliance

10. Data Breach Notification

In the event of a Personal Data breach, Geo Attribution will:

• Notify Customer within 72 hours of becoming aware of the breach
• Provide details of the nature of the breach and data affected
• Identify likely consequences and mitigation measures
• Assist Customer in notifying relevant supervisory authorities
• Cooperate in any investigation or remediation efforts
• Document all breaches and response measures

11. Audits and Inspections

Customer has the right to audit Geo Attribution's compliance with this DPA by:

• Requesting and reviewing SOC 2 Type II reports (when available)
• Conducting on-site inspections with reasonable notice
• Reviewing security documentation and certificates
• Engaging third-party auditors (at Customer's expense)
• Participating in Geo Attribution's annual compliance review process

All audit activities will be conducted during business hours and will not unreasonably interfere with Geo Attribution's operations.

12. Return and Deletion of Data

Upon termination of the service agreement, Geo Attribution will:

• Return or delete all Personal Data within 90 days
• Provide Customer with confirmation of deletion
• Retain Personal Data only if required by applicable law
• Ensure sub-processors also delete or return Personal Data
• Provide data export capabilities before termination

13. Liability and Indemnification

Liability for data protection compliance is governed by the main service agreement. Each party will:

• Be liable for its own breaches of Data Protection Laws
• Indemnify the other party for losses caused by its own non-compliance
• Cooperate in defending against any regulatory actions
• Maintain appropriate insurance coverage
• Limit liability as set out in the main service agreement