
Data Processing Agreement

The DPA between you and us, required for GDPR compliance when we process personal data on your behalf.

Effective: 3 May 2026
Last updated: 3 May 2026
Entity: AISEOLab
Jurisdiction: United Kingdom

Working draft — under legal review.

This document reflects how we currently operate. It is shared in good faith but has not yet been reviewed by qualified counsel. If anything here is inaccurate or ambiguous, please email privacy@aiseolab.ai.

This Data Processing Agreement (the “DPA”) supplements our Terms of Service and Privacy Policy. It applies whenever we process personal data on your behalf in connection with your use of the Service. By accepting our Terms, you accept this DPA as part of the same Agreement.

If your organization requires a signed DPA on letterhead, email dpo@aiseolab.ai. We send out a counter-signed PDF within five business days.

1. Parties and scope

The parties to this DPA are: (a) the customer that has agreed to our Terms of Service (“Customer”) and (b) AISEOLab (“Provider”).

This DPA applies to the processing of Customer Personal Data by Provider as part of providing the Service.

2. Definitions

Terms not defined here have the meaning given in UK/EU GDPR.

  • Customer Personal Data — personal data within content Customer or its end users provide to the Service.
  • Sub-processor — any third party engaged by Provider to process Customer Personal Data on Provider’s behalf.
  • Personal Data Breach — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

3. Roles

For Customer Personal Data, Customer is the “controller” and Provider is the “processor” under UK/EU GDPR.

Provider also processes some data as an independent controller — for example, Customer’s billing information, signup metadata, and server logs (which we use to operate and improve the Service). That processing is governed by our Privacy Policy, not this DPA.

4. Processing instructions

Provider will process Customer Personal Data only on Customer’s documented instructions, which include the Terms of Service, the configuration choices Customer makes inside the Service, and any additional written instructions reasonable for the Service.

Provider will tell Customer if a Customer instruction infringes GDPR or another applicable data protection law, before complying.

5. Sub-processors

Customer authorises Provider to engage the sub-processors listed in our Privacy Policy to process Customer Personal Data. The current list is:

  • Supabase — Database, authentication, file storage (European Union (eu-central-1)).
  • Vercel — Application hosting and edge runtime (Global edge network).
  • Stripe — Payment processing and tax calculation (Global).
  • Resend — Transactional and product emails (United States).
  • Inngest — Background job orchestration (scanning, alerts) (United States).
  • Upstash — Rate limiting and ephemeral cache (Redis) (European Union).
  • Cloudflare — DDoS protection, bot challenge (Turnstile) (Global edge network).
  • Brave Search API — Citation rank tracking (Pro tier only) (United States).

Provider will give at least 30 days’ written notice (by email to billing contacts and a notice on this page) before adding or replacing a sub-processor that processes Customer Personal Data. Customer may object to a new sub-processor on reasonable grounds; if the parties cannot agree, Customer may terminate the affected parts of the Service for a pro-rata refund.

Provider remains liable to Customer for the acts and omissions of its sub-processors as if those acts and omissions were its own.

6. Security measures

Provider maintains appropriate technical and organizational measures to protect Customer Personal Data, including:

  • TLS 1.3 encryption in transit; encryption at rest.
  • Postgres row-level security on every multi-tenant table.
  • Principle-of-least-privilege on service credentials, scoped per sub-processor.
  • Audit logging of administrative actions for 2 years.
  • Annual review of access controls and rotation of keys.
  • Background-checked engineering team; access to production restricted to named individuals.

7. Personal data breach

On becoming aware of a Personal Data Breach affecting Customer Personal Data, Provider will notify Customer without undue delay (and within 72 hours) at the technical contact email on file. The notification will describe (so far as Provider knows): the nature of the breach, categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.

8. Data subject rights

Provider will help Customer respond to data subject requests (access, rectification, erasure, portability, etc.). Where a data subject contacts Provider directly with a request relating to Customer Personal Data, Provider will promptly forward the request to Customer rather than respond.

9. International data transfers

Where transfer of Customer Personal Data outside the UK or EEA is required, Provider relies on appropriate safeguards: UK International Data Transfer Agreements, EU Standard Contractual Clauses (2021/914), or transfer to countries with adequacy decisions.

The SCCs are deemed incorporated into this DPA by reference, with Provider acting as data importer and Customer as data exporter, where required.

10. Audits

Provider will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including by responding to Customer security questionnaires within 30 days. Provider will permit on-site audits at Customer’s expense on at least 30 days’ written notice, conducted no more than once per year, except where required by a supervisory authority.

11. Return and deletion

On termination of the Service, Customer may export Customer Personal Data in JSON or CSV from the dashboard for up to 30 days. After 30 days, Provider will permanently delete Customer Personal Data from its systems within 30 days of account closure, unless retention is required by law.

12. Liability

Each party’s liability under this DPA is subject to the limitation of liability set out in the Terms of Service.

13. Governing law

This DPA is governed by the laws of the United Kingdom and forms part of the Agreement between the parties.
