DATA PROCESSING AGREEMENT
Last Updated: December 4, 2023
1. AGREEMENT
1.1. Subject Matter of the Agreement
This Data Processing Agreement is concluded between SE Ranking (hereinafter, the Processor) and an individual/legal entity that is using functional features of the Processor’s SEO tool (hereafter, the Services) and that is assigning the Processor to process personal data on his/her behalf (hereafter, the Controller).
The Processor shall be one of the following legal entities belonging to SE Ranking company group:
Seranking Ltd. with an address at 8 Gainsborough Road, Forest House Business Centre, Office 2, London, England E11 1HT (hereafter, the UK Branch);
OR
SER Acquisition with an address at PO Box 19801, C/O the Corporation Trust Company, 1209 Orange Street, City of Wilmington, County Of New Castle, Delaware, United States (hereafter, the US Branch).
The Processor under current Data Processing Agreement is defined under the following rules:
- If the Controller pays fees under the Processor’s Terms of Services in GBP and EUR, the Processor is the UK Branch;
- Starting from May 2023, if the Controller pays fees under the Processor’s Terms of Services in USD, the Processor is the US Branch;
- Starting from August 2023, if the Controller pays fees under the Processor’s Terms of Services in any other currency other than EUR and/or GBP, the Processor is the US Branch.
The Processor will process personal data on behalf of the Controller within all the services provided in the context of the Processor’s SEO tool functionality usage.
1.2. Term of this Agreement
The Agreement will be valid as long as the Controller is having a registered account in the Processor’s SEO tool.
1.3. Types of Personal Data processed
The processing activities in the context of the present agreement will affect the following personal data and its categories:
- SEO data: projects, user settings, back-links, editor content, researches, marketing details, lead generator details, report builder details, IP address;
- Analytics data: geolocation, IP address, browser details, operating system details, device details, user ID, URL access details, application interactions.
1.4. Data Processing Purposes
The Processor shall process personal data on behalf of the Controller only for the purposes of providing the Controller with the Services functionality. Any new purposes of the data processing activities shall be provided to the Processor in the form of respective written instructions.
1.5. Affected Data Subjects
The following groups of individuals will be affected by processing activities in the context of the present agreement:
- the Controller’s customers.
- any individual whose personal data are uploaded to the Processor’s SEO tool.
1.6. Technical and Organizational Measures
The Processor shall apply all necessary technical and organizational measures to protect personal data on behalf of the Controller. Such measures should be implemented taking into account the state of the art in the cybersecurity sphere as well as the costs of implementation of such measures. In any case the Processor guarantees the compliance of its technical and organizational measures with applicable privacy and data protection regulations.
2. CONTROLLER’S INSTRUCTIONS
2.1. The Processor processes personal data on behalf of the Controller. The Controller is responsible for maintaining compliance with data protection regulations.
2.2. During the processing of personal data, the Processor is obligated to follow only the instructions of the Controller. Such instructions must be given in writing or by electronic mail. Outside the scope of these instructions, the Processor may not use the data provided to it for processing either for its own purposes or for the purposes of third parties. The Processor shall adjust, delete or block the data processed in the order in accordance with the Controller's instructions. If the Processor is of the opinion that instructions of the Controller are in breach of the applicable data protection regulations, it must notify the Controller accordingly without delay.
3. PROCESSOR’S OBLIGATIONS
3.1. The Processor shall assist the Controller in satisfying the data subjects' rights to access, rectification, restriction of processing, objection, erasure, and data portability regarding their personal data. If a data subject contacts the Processor directly regarding the rights listed above, the Processor shall forward this request to the Controller without delay.
3.2. The Processor undertakes to provide data protection training for its employees entrusted with the processing of the data provided by the Controller, and to impose on such employees an obligation to observe data secrecy (compliance with the confidentiality of personal data).
3.3. The Processor shall provide the Controller with the contact details of the contact partners for data protection and information security. If the Processor is subject to a statutory obligation to appoint a data protection officer, it shall appoint such an officer in writing and shall send the Controller their name(s) and contact details.
3.4. Upon request, the Processor shall provide the Controller with the information necessary to enable the Controller to satisfy notification obligations, maintain records of processing activities, or perform a data protection impact assessment.
3.5. Each party to the present agreement shall be liable towards the other party for damage or losses incurred as a result of culpable violations of the present agreement or applicable data protection regulations. If both parties are at fault, they shall be liable according to their respective share of culpability.
3.6. The Controller may at any time instruct the immediate erasure of the data processed under the present agreement. Irrespective of this, the Processor is under obligation to surrender the data in a generally readable format at any time, at the request of the Controller. Once the term of the present agreement has ended, the Processor shall be obliged to surrender the data processed under the present agreement in a generally readable format or to delete it, at the Controller's discretion. In case of erasure, it must be ensured that the data cannot be reconstructed. The Processor shall prove to the Controller and confirm in writing, including in electronic form, that all of the data, copies and storage media have been returned and deleted. If binding legal requirements do not allow the erasure of certain data or categories of data, the Processor must inform the Controller about such requirements.
4. PROCESSOR’S SUB-PROCESSORS
4.1. If the Processor engages sub-contractors, it must first obtain the prior consent of the Controller in writing, including in electronic form. The contractual arrangements between the Processor and the subcontractor or freelancer must be structured in such a way that they correspond with the agreements concluded here between the Controller and the Processor. In particular, the Processor must ensure that the Controller can also perform checks relating to the subcontractors or freelancers in accordance with section 6 of the present agreement. The Controller is entitled to receive information from the Processor concerning the essential contractual provisions and the implementation of the obligations arising from the present agreement – if necessary also by inspecting the relevant contractual documents.
4.2. The Controller is deemed to have consented to the involvement of the subcontractors and functions listed in the Processor list. The Processor must ensure that the subcontractors comply with the technical and organizational requirements specified in the present agreement in the same way as the Processor itself.
4.3. If subcontractors are replaced or added during the term of the present agreement, the Processor must first obtain the consent of the Controller in writing, including in electronic form. If the Processor intends to involve subcontractors other than those agreed on, it shall notify the Controller via communication features of the Processor’s Services. If the Controller does not object within 10 calendar days after Processor’s notification, the new sub-processor is deemed to be agreed on by the Controller as prescribed by the current provisions.
5. SECURITY OF PROCESSING
5.1. The Processor undertakes to use state-of-the-art technology to safeguard all of the Controller's information and data at all times by implementing technical and organizational measures that are appropriate to the risk associated with the processing. This includes protection against unauthorized access, unauthorized or accidental modification, destruction or loss, unauthorized transfer, other unauthorized processing or any other form of misuse. Section 1.2 notwithstanding, the obligation to protect the information and data shall apply for as long as the Processor stores said data and information, or otherwise processes it or has it processed by subcontractors.
5.2. The Processor must establish an Information Security Management System. Considering the risks, the Processor must determine what measures it needs to implement, regularly review them, and amend them. The Processor must document and substantiate both the risks and the measures implemented.
5.3. Compliance with approved codes of conduct or an approved certification procedure may be included as factors for substantiating technical and organizational measures. Certifications of the information security management system may also be included as a factor for substantiating the use of technical and organizational measures. However, such substantiation does not replace examination in individual cases. If such substantiation is used as a factor it must be appended to the present agreement.
5.5. The Processor may only grant authorization to access the Controller's data to its own employees in accordance with the authorization concept, and to the extent required for the task in question in connection with the execution of the present agreement. The Processor undertakes not to disclose the access authorizations assigned to it for the use of the system to any unauthorized persons.
5.6. If the Processor is granted access to the IT systems of the Controller or its subcontractors, the Processor undertakes to only access the data and information required.
5.7. The Processor must notify the Controller's contract management function in writing, including in electronic form, about significant changes to the technical and organizational measures described in the current agreement via any prescribed communication channels. In the event of any foreseeable reduction in the effectiveness of the security, the consent of the controller must be obtained in writing before the change is carried out.
6. CHECKS
6.1. The Controller or its representative have the right to carry out checks on compliance with the requirements of the present agreement. The Processor shall provide the desired information and, at the request of the Controller and within a reasonable period, submit documentary evidence that it has met its obligations by completing a questionnaire supplied by the Controller or by confirming in writing that the measures agreed on in the current agreement are appropriate and up-to-date.
6.2. Subject to advance notice, the Controller or its representative shall be granted access to the offices and IT systems in/on which the Controller's data is processed so that the implementation of the present agreement and the appropriateness of the technical and organizational security measures can be verified.
6.3. The Processor must inform the Controller without delay of any control procedures by supervisory authorities, which take place in its company or the IT infrastructure used by it, and which involve the processing of the Controller's personal data. In the event of impending access to data of the Controller in the context of seizure, confiscation, judicial inquiries or other official measures, which are carried out at the Processor, or in the context of insolvency proceedings or other measures of third parties, the Processor shall inform the Controller accordingly without delay.
6.4. In the context of section 6.3, the Processor shall inform all parties involved in any such action without delay that the power of disposal over the data subject to the present agreement lies with the Controller, and shall not transfer any data to third parties or allow third parties to access the data without the Controller's consent. If the Processor is sworn to secrecy in the event of a check, access or other measure in relation to the Controller's data by a party authorized to access the data, it must exercise due diligence on behalf of the Controller and will take any opportunity to take action against the measures and the confidentiality obligations.
7. REPORTING OF DATA BREACHES
7.1. The Processor must report any data protection security breaches (unintentional or unauthorized destruction, loss, amendment, disclosure or access involving personal data processed under the present agreement) or violation of client confidentiality to the Controller without delay in order to give the Controller the opportunity to report the incident to the relevant authorities within 72 hours.
7.2. In consultation with the Controller, the Processor shall initiate all steps necessary to clarify the matter and remedy the security incident without delay, and provide the Controller all information necessary to document the event and potentially submit a report to the relevant supervisory authority.
8. NON-DISCLOSURE
8.1. The Processor undertakes to treat as confidential all information - including but not limited to technical and commercial information, plans, findings, intelligence, designs, and documents - that becomes known to it or that it receives from the Controller in connection with the present agreement. That includes, not to disclose this information to third parties, to protect it from third-party access, to use it only for the purposes of the present agreement, and to disclose it only to employees who are themselves under an obligation to observe confidentiality, unless otherwise agreed in writing between the parties.
8.2. This confidentiality obligation shall not apply in respect of information
- That can be proven to have been known to the Processor before the present agreement came into effect
- That can be proven to have been lawfully obtained by the Processor from a third party without being subject to a confidentiality obligation
- That is already in the public domain or that enters into the public domain without any infringement of the obligations contained in the present agreement
- That can be proven to have been developed by the Processor during the course of its own independent work.
8.3. If the Controller is a financial services company that is subject to bank/client confidentiality requirements, the Processor undertakes to comply with the same requirements.
8.4. The Processor undertakes to impose on its employees to whom this information is disclosed the same obligations that it entered into above unless said employees are already subject to an equivalent confidentiality obligation by virtue of their employment contracts.
8.5. If any development results that are capable of being protected by intellectual property rights are reported, the parties reserve all rights in respect of any such property rights subsequently applied for or granted.
8.6. The confidentiality obligations in respect of information that has been made available during the term of the present agreement shall continue to apply for a period of five years after the present agreement has ended.
9. DATA PROCESSING IN A THIRD COUNTRY
9.1. If the Processor or its subcontractor process personal data emanating from the EU outside the European Economic Area (EU member states plus Iceland, Liechtenstein and Norway) or outside a country recognized by the European Commission as having an adequate level of data protection, or if the Processor or its subcontractor access EU-sourced personal data from outside the countries specified above, additional legal safeguards ensuring adequate level of data protection shall be applied.
9.2. The adequate level of data protection with respect to processing in third countries can be ensured by the application of the EU's standard contractual clauses (Annex A) or any other additional legal safeguard available on the basis of applicable privacy and data protection laws.
9.3. Provisions of section 9 also apply to the situations where personal data emanating from countries not included to European Economic Area (EU member states plus Iceland, Liechtenstein and Norway) or from a country recognized by the European Commission as having an adequate level of data protection are transferred to the Processor located in European Economic Area or in a country recognized by the European Commission as having an adequate level of data protection.