Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Terms of Service between the Customer ("Controller") and GM Sunshine LLC, d/b/a SEOlvl ("Processor"), and applies where SEOlvl processes Personal Data on the Customer's behalf in the course of providing the Service. It is offered for business customers who require data-processing terms (e.g. under the EU GDPR or UK GDPR). Capitalized terms not defined here have the meaning given in the GDPR.

1. Roles and scope

The Customer is the Controller and SEOlvl is the Processor of Personal Data submitted to the Service. SEOlvl processes Personal Data only to provide and support the Service and on the Controller's documented instructions (including via use of the Service), unless required by law.

2. Nature of processing

• Subject matter: provision of the SEOlvl Service.
• Duration: the term of the subscription plus deletion period.
• Purpose: domain authority/SEO monitoring, auditing, alerting and account administration.
• Categories of data subjects: the Customer's authorized users.
• Categories of Personal Data: account identifiers (email, name), authentication data, and limited billing metadata. The Customer must not submit special-category data.

3. Processor obligations

• Process Personal Data only on documented instructions, including for international transfers, unless required by law (in which case it will inform the Controller unless legally prohibited).
• Ensure persons authorized to process Personal Data are bound by confidentiality.
• Implement appropriate technical and organizational security measures (Section 5).
• Assist the Controller, taking into account the nature of processing, with data-subject requests and with security, breach-notification and impact-assessment obligations.
• At the Controller's choice, delete or return Personal Data at the end of the services and delete existing copies unless storage is required by law.
• Make available information necessary to demonstrate compliance and allow for reasonable audits (Section 7).

4. Sub-processors

The Controller provides general authorization for SEOlvl to engage the sub-processors listed at Sub-processors. SEOlvl imposes data-protection obligations on each sub-processor that are no less protective than this DPA, and remains liable for their performance. SEOlvl will give notice of intended changes (by updating that page) and the Controller may object on reasonable data-protection grounds by contacting [email protected].

5. Security

SEOlvl maintains measures including encryption in transit, hashed credentials, access controls on a least-privilege basis, network protection, logging and regular patching, appropriate to the risk of the processing.

6. Personal data breach

SEOlvl will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's data, and will provide information reasonably available to assist the Controller's own notification obligations.

7. Audits

SEOlvl will respond to reasonable written audit requests by providing relevant documentation and answers. On-site audits, where required by law, will be at the Controller's expense, with reasonable prior notice, no more than once per year (absent a breach or regulator requirement), and conducted so as not to disrupt the Service or compromise other customers' data.

8. International transfers

Where SEOlvl transfers Personal Data outside the EEA/UK, it does so under an appropriate transfer mechanism such as the EU Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated by reference where required.

9. Liability and conflict

Liability under this DPA is subject to the limitations in the Terms of Service. In case of conflict between this DPA and the Terms regarding data protection, this DPA prevails for that subject matter.

10. Contact

Data protection contact: [email protected] — GM Sunshine LLC, 8 McCullough Dr, New Castle, DE 19720, USA.