DATA PROCESSING AGREEMENT
Last Updated: December 4, 2023
1. AGREEMENT
1.1. Subject Matter of the Agreement
This Data Processing Agreement is concluded between SE Ranking (hereinafter, the Processor) and an individual/legal entity that is using functional features of the Processor’s SEO tool (hereafter, the Services) and that is assigning the Processor to process personal data on his/her behalf (hereafter, the Controller).
The Processor shall be one of the following legal entities belonging to SE Ranking company group:
SERanking Ltd. with an address at Suite 209 15 Ingestre Place, London, England, W1F 0DU (hereafter, the UK Branch);
OR
SER Acquisition with an address at PO Box 19801, C/O the Corporation Trust Company, 1209 Orange Street, City of Wilmington, County Of New Castle, Delaware, United States (hereafter, the US Branch).
The Processor under current Data Processing Agreement is defined under the following rules:
- If the Controller pays fees under the Processor’s Terms of Services in GBP and EUR, the Processor is the UK Branch;
- Starting from May 2023, if the Controller pays fees under the Processor’s Terms of Services in USD, the Processor is the US Branch;
- Starting from August 2023, if the Controller pays fees under the Processor’s Terms of Services in any other currency other than EUR and/or GBP, the Processor is the US Branch.
The Processor will process personal data on behalf of the Controller within all the services provided in the context of the Processor’s SEO tool functionality usage.
1.2. Term of this Agreement
The Agreement will be valid as long as the Controller is having a registered account in the Processor’s SEO tool.
1.3. Types of Personal Data processed
The processing activities in the context of the present agreement will affect the following personal data and its categories:
- SEO data: projects, user settings, back-links, editor content, researches, marketing details, lead generator details, report builder details, IP address;
- Analytics data: geolocation, IP address, browser details, operating system details, device details, user ID, URL access details, application interactions.
1.4. Data Processing Purposes
The Processor shall process personal data on behalf of the Controller only for the purposes of providing the Controller with the Services functionality. Any new purposes of the data processing activities shall be provided to the Processor in the form of respective written instructions.
1.5. Affected Data Subjects
The following groups of individuals will be affected by processing activities in the context of the present agreement:
- the Controller’s customers.
- any individual whose personal data are uploaded to the Processor’s SEO tool.
1.6. Technical and Organizational Measures
The Processor shall apply all necessary technical and organizational measures to protect personal data on behalf of the Controller. Such measures should be implemented taking into account the state of the art in the cybersecurity sphere as well as the costs of implementation of such measures. In any case the Processor guarantees the compliance of its technical and organizational measures with applicable privacy and data protection regulations.
2. CONTROLLER’S INSTRUCTIONS
2.1. The Processor processes personal data on behalf of the Controller. The Controller is responsible for maintaining compliance with data protection regulations.
2.2. During the processing of personal data, the Processor is obligated to follow only the instructions of the Controller. Such instructions must be given in writing or by electronic mail. Outside the scope of these instructions, the Processor may not use the data provided to it for processing either for its own purposes or for the purposes of third parties. The Processor shall adjust, delete or block the data processed in the order in accordance with the Controller’s instructions. If the Processor is of the opinion that instructions of the Controller are in breach of the applicable data protection regulations, it must notify the Controller accordingly without delay.
3. PROCESSOR’S OBLIGATIONS
3.1. The Processor shall assist the Controller in satisfying the data subjects’ rights to access, rectification, restriction of processing, objection, erasure, and data portability regarding their personal data. If a data subject contacts the Processor directly regarding the rights listed above, the Processor shall forward this request to the Controller without delay.
3.2. The Processor undertakes to provide data protection training for its employees entrusted with the processing of the data provided by the Controller, and to impose on such employees an obligation to observe data secrecy (compliance with the confidentiality of personal data).
3.3. The Processor shall provide the Controller with the contact details of the contact partners for data protection and information security. If the Processor is subject to a statutory obligation to appoint a data protection officer, it shall appoint such an officer in writing and shall send the Controller their name(s) and contact details.
3.4. Upon request, the Processor shall provide the Controller with the information necessary to enable the Controller to satisfy notification obligations, maintain records of processing activities, or perform a data protection impact assessment.
3.5. Each party to the present agreement shall be liable towards the other party for damage or losses incurred as a result of culpable violations of the present agreement or applicable data protection regulations. If both parties are at fault, they shall be liable according to their respective share of culpability.
3.6. The Controller may at any time instruct the immediate erasure of the data processed under the present agreement. Irrespective of this, the Processor is under obligation to surrender the data in a generally readable format at any time, at the request of the Controller. Once the term of the present agreement has ended, the Processor shall be obliged to surrender the data processed under the present agreement in a generally readable format or to delete it, at the Controller’s discretion. In case of erasure, it must be ensured that the data cannot be reconstructed. The Processor shall prove to the Controller and confirm in writing, including in electronic form, that all of the data, copies and storage media have been returned and deleted. If binding legal requirements do not allow the erasure of certain data or categories of data, the Processor must inform the Controller about such requirements.
4. PROCESSOR’S SUB-PROCESSORS
4.1. If the Processor engages sub-contractors, it must first obtain the prior consent of the Controller in writing, including in electronic form. The contractual arrangements between the Processor and the subcontractor or freelancer must be structured in such a way that they correspond with the agreements concluded here between the Controller and the Processor. In particular, the Processor must ensure that the Controller can also perform checks relating to the subcontractors or freelancers in accordance with section 6 of the present agreement. The Controller is entitled to receive information from the Processor concerning the essential contractual provisions and the implementation of the obligations arising from the present agreement – if necessary also by inspecting the relevant contractual documents.
4.2. The Controller is deemed to have consented to the involvement of the subcontractors and functions listed in the Processor list. The Processor must ensure that the subcontractors comply with the technical and organizational requirements specified in the present agreement in the same way as the Processor itself.
4.3. If subcontractors are replaced or added during the term of the present agreement, the Processor must first obtain the consent of the Controller in writing, including in electronic form. If the Processor intends to involve subcontractors other than those agreed on, it shall notify the Controller via communication features of the Processor’s Services. If the Controller does not object within 10 calendar days after Processor’s notification, the new sub-processor is deemed to be agreed on by the Controller as prescribed by the current provisions.
5. SECURITY OF PROCESSING
5.1. The Processor undertakes to use state-of-the-art technology to safeguard all of the Controller’s information and data at all times by implementing technical and organizational measures that are appropriate to the risk associated with the processing. This includes protection against unauthorized access, unauthorized or accidental modification, destruction or loss, unauthorized transfer, other unauthorized processing or any other form of misuse. Section 1.2 notwithstanding, the obligation to protect the information and data shall apply for as long as the Processor stores said data and information, or otherwise processes it or has it processed by subcontractors.
5.2. The Processor must establish an Information Security Management System. Considering the risks, the Processor must determine what measures it needs to implement, regularly review them, and amend them. The Processor must document and substantiate both the risks and the measures implemented.
5.3. Compliance with approved codes of conduct or an approved certification procedure may be included as factors for substantiating technical and organizational measures. Certifications of the information security management system may also be included as a factor for substantiating the use of technical and organizational measures. However, such substantiation does not replace examination in individual cases. If such substantiation is used as a factor it must be appended to the present agreement.
5.5. The Processor may only grant authorization to access the Controller’s data to its own employees in accordance with the authorization concept, and to the extent required for the task in question in connection with the execution of the present agreement. The Processor undertakes not to disclose the access authorizations assigned to it for the use of the system to any unauthorized persons.
5.6. If the Processor is granted access to the IT systems of the Controller or its subcontractors, the Processor undertakes to only access the data and information required.
5.7. The Processor must notify the Controller’s contract management function in writing, including in electronic form, about significant changes to the technical and organizational measures described in the current agreement via any prescribed communication channels. In the event of any foreseeable reduction in the effectiveness of the security, the consent of the controller must be obtained in writing before the change is carried out.
6. CHECKS
6.1. The Controller or its representative have the right to carry out checks on compliance with the requirements of the present agreement. The Processor shall provide the desired information and, at the request of the Controller and within a reasonable period, submit documentary evidence that it has met its obligations by completing a questionnaire supplied by the Controller or by confirming in writing that the measures agreed on in the current agreement are appropriate and up-to-date.
6.2. Subject to advance notice, the Controller or its representative shall be granted access to the offices and IT systems in/on which the Controller’s data is processed so that the implementation of the present agreement and the appropriateness of the technical and organizational security measures can be verified.
6.3. The Processor must inform the Controller without delay of any control procedures by supervisory authorities, which take place in its company or the IT infrastructure used by it, and which involve the processing of the Controller’s personal data. In the event of impending access to data of the Controller in the context of seizure, confiscation, judicial inquiries or other official measures, which are carried out at the Processor, or in the context of insolvency proceedings or other measures of third parties, the Processor shall inform the Controller accordingly without delay.
6.4. In the context of section 6.3, the Processor shall inform all parties involved in any such action without delay that the power of disposal over the data subject to the present agreement lies with the Controller, and shall not transfer any data to third parties or allow third parties to access the data without the Controller’s consent. If the Processor is sworn to secrecy in the event of a check, access or other measure in relation to the Controller’s data by a party authorized to access the data, it must exercise due diligence on behalf of the Controller and will take any opportunity to take action against the measures and the confidentiality obligations.
7. REPORTING OF DATA BREACHES
7.1. The Processor must report any data protection security breaches (unintentional or unauthorized destruction, loss, amendment, disclosure or access involving personal data processed under the present agreement) or violation of client confidentiality to the Controller without delay in order to give the Controller the opportunity to report the incident to the relevant authorities within 72 hours.
7.2. In consultation with the Controller, the Processor shall initiate all steps necessary to clarify the matter and remedy the security incident without delay, and provide the Controller all information necessary to document the event and potentially submit a report to the relevant supervisory authority.
8. NON-DISCLOSURE
8.1. The Processor undertakes to treat as confidential all information – including but not limited to technical and commercial information, plans, findings, intelligence, designs, and documents – that becomes known to it or that it receives from the Controller in connection with the present agreement. That includes, not to disclose this information to third parties, to protect it from third-party access, to use it only for the purposes of the present agreement, and to disclose it only to employees who are themselves under an obligation to observe confidentiality, unless otherwise agreed in writing between the parties.
8.2. This confidentiality obligation shall not apply in respect of information
- That can be proven to have been known to the Processor before the present agreement came into effect
- That can be proven to have been lawfully obtained by the Processor from a third party without being subject to a confidentiality obligation
- That is already in the public domain or that enters into the public domain without any infringement of the obligations contained in the present agreement
- That can be proven to have been developed by the Processor during the course of its own independent work.
8.3. If the Controller is a financial services company that is subject to bank/client confidentiality requirements, the Processor undertakes to comply with the same requirements.
8.4. The Processor undertakes to impose on its employees to whom this information is disclosed the same obligations that it entered into above unless said employees are already subject to an equivalent confidentiality obligation by virtue of their employment contracts.
8.5. If any development results that are capable of being protected by intellectual property rights are reported, the parties reserve all rights in respect of any such property rights subsequently applied for or granted.
8.6. The confidentiality obligations in respect of information that has been made available during the term of the present agreement shall continue to apply for a period of five years after the present agreement has ended.
9. DATA PROCESSING IN A THIRD COUNTRY
9.1. If the Processor or its subcontractor process personal data emanating from the EU outside the European Economic Area (EU member states plus Iceland, Liechtenstein and Norway) or outside a country recognized by the European Commission as having an adequate level of data protection, or if the Processor or its subcontractor access EU-sourced personal data from outside the countries specified above, additional legal safeguards ensuring adequate level of data protection shall be applied.
9.2. The adequate level of data protection with respect to processing in third countries can be ensured by the application of the EU’s standard contractual clauses (Annex A) or any other additional legal safeguard available on the basis of applicable privacy and data protection laws.
9.3. Provisions of section 9 also apply to the situations where personal data emanating from countries not included to European Economic Area (EU member states plus Iceland, Liechtenstein and Norway) or from a country recognized by the European Commission as having an adequate level of data protection are transferred to the Processor located in European Economic Area or in a country recognized by the European Commission as having an adequate level of data protection.
4.2
4.8
4.7
4.6
The choice of SEO tools is huge and the range of services and prices is also wide. We were looking for a tool that supports us in our daily work in the best possible way, offers a high usability, extensive functionality and a fair price at the same time. SE Ranking meets these requirements perfectly and we do not want to miss this tool anymore in order to push the rankings of our customers.
Clear view of rankings and positions, site audit tool for quick scan and backlink checker are very useful. I use it a lot and also use the lead generator to get a free scan for potential clients which runs automated when they fill in the form. The dashboard gives you a good view of changes in traffic and positions. The marketing plan is a bit simple but it gives you some direction of what to do first on the website and you can also check the boxes when you finished a task which works very well
SE Ranking is the best seo platform our company has used so far. The interface of the platform is great & user-friendly. The available options are many. From tracking rankings, monitoring backlinks, keyword research to competitor analysis and website audit, everything we need to optimize our sites is just one click away. Also, for any questions or anything else we needed, the live support team replied & helped me with straight away.
I like the automatic reports best. They are very much customisable until customer level and of course have the ability to style it to your own. This makes it easier for us, as we don’t have to make them manually anymore. Apart from that the tools inside SE Ranking are great for a quick analyses or where you want, go in to the dept.
I was used to work with Tools like Sistrix, Ahrefs or Searchmetrics and did not know about SE Ranking before. But those tools were too cost-intensive for a small and quick start into SEO so I tried it out and I am quite satisfied with it. I like the ability to pay for certain services with credits, as I am not using them on a very frequent level, so it actually gives me greater flexibility to only use them when needed and not paying for them even when not using them.
The tool is very complete: keywords planning and tracking, backlinks analysis, competitions research… A very few SEO software provides all those features in this price range. Although, the customer experience is optimal: the UI is clear and intuitive and SE Ranking’s people are very kind, empathic and helpful.
I also loved that, before ever reaching out to ask for a trial account or set up a sales call, they have a demo account where you can actually play with the tool and see what the features look like beyond just a screenshot.
I like the competition analysis tools, it provides paid and organic data, which gives me an idea on how to catch up and outrank the immediate competition for my clients. It also provides data for the potential traffic, which helps show clients the potential gains of the campaign. And with the marketing plan, I know what needs to be improved in order to get results for my clients.
After trying a lot (10+ years of experience) SE ranking stands out on top of others because it combines everything we need for our clients. We do only provide the client with rankings, but also with the potential traffic (and revenue) of those ranking when they hit top 3 in Google. The tool let us provide the client with in depth analysis of the technical stuff ánd a marketing plan tool, so we can set goals and follow a checklist of monthly activities. And to top it all off it’s fully whitelabel.
We’ve used other tools in the past, but SE Ranking offers more up-to-date data and information, which benefits our agency and clients. SE Ranking allows us to access historical data with just a few clicks without ever having to leave the interface. From daily ranking updates to current search volume trends, there are numerous aspects that are essential when formulating client strategies, and with SE Ranking’s continuously updated system we are able to use this data to help our clients succeed.
It does all the important jobs incredibly well and reliably with no fuss. Site audit, Google rank tracking, traffic analysis, competitive analysis… Every step of the setup and the reporting is intuitive, and is accompanied by clear and helpful advice. And the rare times I have had the slightest problem, their client support is quick, helpful and efficient (best in the market!). All of which adds to a no-fuss, high performance platform for an expert like myself, and also the perfect tool for anyone still getting up to speed on SEO. 100% recommended.
