Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Terms of Service and applies when AgentSEO processes personal data on your behalf as a processor or service provider.

This DPA is intended to address the controller-processor contract requirements in Article 28 of the GDPR and UK GDPR, together with related obligations that commonly apply when a customer uses a SaaS API provider to process personal data. If you need a signed copy for procurement or compliance review, contact daniel@joytecnologies.com.

1. Parties, Scope, and Order of Precedence

This DPA forms part of the agreement between you and AgentSEO for the provision of the Service. It applies only to the extent AgentSEO processes personal data for you as a processor or service provider in connection with the Service.
If there is a conflict between this DPA and the general commercial terms of the Terms of Service, this DPA controls with respect to the processing of customer personal data.

2. Roles

You are the controller or business for customer personal data you submit to AgentSEO. AgentSEO acts as your processor or service provider for that data, except where AgentSEO acts as an independent controller for account, billing, security, and legal-compliance data described in the Privacy Policy.

3. Processing Details

Subject matter: provision of the AgentSEO platform, including API request handling, dashboard features, hosted MCP access, support, and related operational services.
Duration: for the term of the services, plus limited retention as required for security, billing, and legal obligations.
Nature and purpose: hosting, storage, authentication, request processing, job orchestration, analytics, support, abuse prevention, and operational monitoring.
Types of personal data: account identifiers, contact details, usage metadata, business and location inputs, request content, webhook configuration data, support submissions, and other personal data you submit or instruct us to process through the Service.
Categories of data subjects: your end users, employees, contractors, prospects, customers, and other individuals whose data you choose to submit through the Service.

4. Customer Instructions

AgentSEO will process customer personal data only on your documented instructions, including as reflected in your use of the Service, API calls, account settings, support requests, and configuration choices, unless otherwise required by applicable law. If AgentSEO believes an instruction infringes applicable data protection law, AgentSEO may inform you and suspend the affected processing until the issue is resolved.

5. Confidentiality

AgentSEO will ensure that persons authorized to process customer personal data are subject to appropriate confidentiality obligations, whether by contract, professional duty, or statutory obligation.

6. Security Measures

AgentSEO maintains technical and organizational safeguards designed to protect customer personal data, including access controls, encrypted transport, environment-scoped secrets, least-privilege access, logging, monitoring, backup practices, and incident-response procedures. As with any online service, no method of transmission or storage is completely secure, but AgentSEO will maintain measures appropriate to the risk presented by the processing and the nature of the data involved.

7. Subprocessors

AgentSEO may use subprocessors that support identity, hosting, storage, payments, monitoring, and analytics. Current material subprocessors include Clerk, Supabase, Stripe, PostHog, Sentry, and Vercel, together with other providers used for email and upstream request processing. AgentSEO remains responsible for its subprocessors to the extent required by law.
By using the Service, you authorize AgentSEO to use subprocessors in accordance with this DPA. AgentSEO will require subprocessors to protect customer personal data under written terms that provide a level of protection materially consistent with this DPA for the processing they perform.

8. Assistance with Data Subject Requests and Compliance

Taking into account the nature of the processing and the information available to AgentSEO, AgentSEO will provide reasonable assistance to help you respond to data subject requests and meet applicable obligations relating to security, breach notification, impact assessments, and prior consultation with supervisory authorities, where such assistance is legally required and commercially reasonable.

9. Security Incident Notification

If AgentSEO becomes aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, customer personal data, AgentSEO will notify you without undue delay and provide information reasonably available to AgentSEO to help you understand the nature of the incident and meet applicable legal obligations.

10. Audits and Information Rights

AgentSEO will make available information reasonably necessary to demonstrate compliance with this DPA. Where required by applicable law, AgentSEO will allow for and contribute to reasonable audits or inspections by you or an auditor appointed by you, subject to appropriate confidentiality protections, reasonable advance notice, proportional scope, security safeguards, and no more than commercially reasonable frequency unless a security incident or regulatory requirement justifies more.

11. Deletion and Return

Upon termination or expiration of the relevant services, AgentSEO will delete or return customer personal data in accordance with the Service functionality, your documented instructions, and applicable law. AgentSEO may retain limited copies where required by law or reasonably necessary for security, fraud prevention, dispute resolution, tax, accounting, or backup integrity purposes, subject to continued protection of the retained data.

12. International Transfers

Where customer personal data is transferred across borders in a way that requires a recognized transfer mechanism, the parties will rely on an appropriate safeguard supported by applicable law, such as the European Commission’s standard contractual clauses, the UK International Data Transfer Addendum, the UK IDTA, an adequacy decision, or another lawful transfer mechanism.

13. Liability

This DPA does not independently expand either party’s liability beyond the liability allocation and limitations set out in the Terms of Service, except to the extent such a limitation is prohibited by applicable data protection law.

14. Contact

For DPA requests, procurement review, or signed enterprise copies, contact daniel@joytecnologies.com.