SEOitis

Legal · DPA

Data Processing Addendum

Effective: 2026-05-16

This Data Processing Addendum ("DPA") supplements the SEOitis Terms of Service between SEOitis, Inc. ("Processor") and the customer ("Controller"). It governs how Processor processes Personal Data on behalf of Controller when Controller uses the Service, including the AI-search tracking subsystem ("Pulse").

1. Subject matter and duration

Processor processes Personal Data only to provide the Service to Controller, for the duration of the Terms.

2. Categories of data subjects

  • Controller's employees, contractors, and authorised users.
  • Visitors to Controller's websites (when Controller installs the Pulse referral pixel).

3. Categories of Personal Data

  • Account data: name, email, hashed password, role.
  • Usage data: hashed IPs, user-agent strings, audit log events.
  • AI-referral telemetry: landing URL, referrer URL, GA4 session/client IDs (if Controller integrates GA4).
  • AI bot visits: hashed IPs of AI crawlers (GPTBot, ClaudeBot, …) hitting Controller's site.

4. Special category data

Processor does not intentionally process special category data. Controller is responsible for ensuring its tracking prompts do not include sensitive Personal Data.

5. Sub-processors

See /legal/subprocessors. We give Controller 30 days' notice before adding a new sub-processor.

6. International transfers

EU/UK transfers rely on the European Commission's 2021 Standard Contractual Clauses (Modules 2 and 3), incorporated by reference into this DPA, plus supplementary measures (encryption in transit + at rest, minimisation, deletion windows).

7. Security measures

See /trust.

8. Data subject rights

Processor assists Controller in fulfilling data-subject access, rectification, deletion, restriction, and portability requests under Articles 15–22 GDPR.

9. Breach notification

Processor notifies Controller without undue delay (and in any case within 72 hours of discovery) of any Personal Data breach, with information sufficient to meet Controller's Article 33 GDPR obligations.

10. Audits

Once Processor completes its SOC 2 Type II audit (2026 Q4), the resulting report will be made available under NDA on request, in lieu of bespoke on-site audits.

11. Deletion and return

On termination Controller can export all data via the export endpoints; Processor deletes Personal Data within 30 days, except where required by law.

To execute this DPA on behalf of your organisation, email kalashvasaniya@gmail.comwith your DocuSign-eligible signatory.

Back to SEOitis home