SEORav · Legal
Data Processing Agreement
This DPA forms part of the Terms of Service between SKB Business Service Ltd, trading as SEORav (Processor), and the customer (Controller). It applies whenever SEORav processes personal data on behalf of the Controller.
- Effective: 2026-05-08
- Last updated: 2026-05-08
- Version: 1.1
7.1 Definitions
Terms used in this DPA have the meanings given to them in the UK GDPR and EU GDPR (Regulation (EU) 2016/679). Specifically:
- Controller — The customer, who determines the purposes and means of processing personal data.
- Processor — SEORav, who processes personal data on behalf of the Controller.
- Data Subject — An identifiable natural person whose personal data is processed.
- Personal Data — Information relating to an identified or identifiable natural person.
- Processing — Any operation performed on personal data (collection, storage, transmission, deletion, etc.).
- Sub-processor — A third party engaged by SEORav to process personal data — listed at /legal/sub-processors.
7.2 Subject matter and duration
- Subject matter: The processing of personal data necessary to provide the Services to the Controller.
- Duration: For the term of the Controller’s subscription, plus the retention periods set out in our Privacy Policy.
- Nature and purpose: Hosting, storing, transmitting, analyzing, and processing personal data to provide content generation, optimization, publishing, and citation tracking services.
- Type of personal data: Account data (names, emails, OAuth identifiers), Customer Content (which may incidentally contain personal data submitted by the Controller), usage data including session recordings, and authentication credentials.
- Categories of data subjects: The Controller’s employees, contractors, and end-users whose data the Controller submits to the Services.
7.3 Processor obligations
SEORav agrees to:
- Process personal data only on documented instructions from the Controller, including with regard to international transfers.
- Ensure that personnel authorized to process personal data are committed to confidentiality.
- Implement appropriate technical and organizational security measures (described in Section 7.6 below).
- Respect conditions for engaging sub-processors (Section 7.4 below).
- Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, etc.).
- Assist the Controller with data protection impact assessments and consultations with supervisory authorities, where required.
- Notify the Controller without undue delay of any personal data breach that is likely to result in a risk to data subjects’ rights and freedoms (within 72 hours of awareness, in accordance with Article 33 UK GDPR).
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
- Allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (subject to reasonable notice and confidentiality terms).
- Delete or return all personal data to the Controller after the end of the provision of services, unless retention is required by law.
7.4 Sub-processors
- The Controller authorizes SEORav to engage the sub-processors listed at /legal/sub-processors.
- SEORav will notify the Controller of any intended changes (additions, replacements) at least 30 days in advance, giving the Controller the opportunity to object.
- If the Controller objects to a new sub-processor on reasonable grounds, the Controller may terminate the affected Services with a pro-rata refund for the unused portion.
- SEORav imposes the same data-protection obligations on each sub-processor by contract, and remains fully liable for the sub-processor’s performance.
7.5 International transfers
- SEORav transfers personal data outside the UK / EEA only where adequate protection is in place: through Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), an adequacy decision, or another lawful transfer mechanism.
- The Controller authorizes these transfers as part of accepting this DPA.
- A list of transfer mechanisms in place is available on request.
7.6 Security measures
SEORav implements the following technical and organizational measures:
Encryption
- TLS 1.3 for all data in transit
- Encryption at rest for all Supabase Postgres data and Storage objects
- CMS credentials encrypted with AES-256-GCM authenticated encryption using customer-isolated encryption keys — no shared key material between customers
Access controls
- Postgres Row-Level Security (RLS) policies enforce multi-tenant data isolation; RLS coverage is reviewed and hardened on every schema change as part of our standard migration process.
- Service-role database access restricted to the Python API server (never exposed to customer browsers)
- Role-based access control (RBAC) for SEORav staff
- Principle of least privilege for staff access
- Quarterly access reviews
Operational security
- Automated dependency vulnerability scanning
- Sentry-based error tracking with PII scrubbing
- OpenTelemetry distributed tracing
- Documented incident response plan with 72-hour assessment process for personal data breaches
Data segregation
- Multi-tenant architecture with row-level security (RLS) preventing cross-tenant data access
- Logical separation of customer data via Postgres schemas (`contentos.*` and `blog.*`) and policies
- Service-role bypasses RLS only inside the Python API server, with code-level access controls
Backup & recovery
- Supabase-managed daily encrypted backups
- Point-in-time recovery available
- Disaster recovery testing as part of normal operational cadence
7.7 Data subject rights
SEORav assists the Controller in responding to data subject requests by:
- Providing self-service tools where possible (e.g., account deletion in the dashboard, Markdown export of articles)
- Responding to Controller-forwarded requests within 14 days
- Forwarding direct data subject requests received by SEORav to the Controller without undue delay (subject to verifying the requester’s identity)
7.8 Breach notification
- SEORav will notify the Controller of any personal data breach that is likely to result in a risk to data subjects’ rights and freedoms, within 72 hours of becoming aware.
- The notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
- SEORav will cooperate with the Controller’s investigation and remediation.
7.9 Audits
- The Controller may conduct an audit (or appoint a qualified third-party auditor) to verify SEORav’s compliance with this DPA, with at least 30 days’ written notice.
- Audits will be conducted during business hours, will not unreasonably disrupt SEORav’s operations, and will be subject to a mutual confidentiality agreement.
- The Controller bears the cost of audits, except where the audit reveals a material breach by SEORav.
- For most audit needs, SEORav’s published security documentation and sub-processor list are intended to be sufficient.
7.10 Liability
The liability provisions in the Terms of Service apply to this DPA. Neither party limits liability beyond what is permitted by applicable data protection law.
7.11 Termination
- This DPA terminates automatically when the underlying subscription terminates.
- Upon termination, SEORav will, at the Controller’s choice, delete or return all personal data within 30 days, except where retention is required by law (e.g., billing records for tax purposes).
7.12 Governing law
This DPA is governed by the laws of England & Wales. Disputes will be resolved in the courts of England & Wales.
7.13 Contact
| Channel | Address |
|---|---|
| Legal & DPA matters | legal@seorav.com |
| Data Protection Officer | dpo@seorav.com |
| Privacy enquiries | privacy@seorav.com |