Data Processing Agreement

1. Roles and scope

For personal data contained in the Customer's own website, audit and integration data, the Customer is the Controller and Vantacron is the Processor. This DPA forms part of the Terms of Service and lasts for the duration of the subscription.

2. Nature and purpose of processing

Providing the Vantacron SEO intelligence service: crawling and analyzing the Customer's nominated websites, generating audits, reports and action plans, and processing connected integration data (e.g., Google Search Console, Google Analytics).

3. Data subjects and categories

As determined by the Customer's use of the Service — typically the Customer's website visitors and contacts, and any personal data incidentally present in crawled pages or connected analytics.

4. Processor obligations

• Process personal data only on the Customer's documented instructions.
• Ensure persons authorized to process the data are bound by confidentiality.
• Implement appropriate technical and organizational security measures (Art. 32).
• Engage sub-processors only under a general written authorization (the Sub-processors list), with prior notice of changes and a 30-day objection right.
• Assist the Customer with data-subject requests and with obligations under Arts. 32–36.
• Delete or return personal data at the end of the engagement, subject to legal retention.
• Make available information needed to demonstrate compliance and allow for audits.

5. International transfers

Where sub-processors are outside the EEA, transfers rely on the EU–US Data Privacy Framework (where certified) or EU Standard Contractual Clauses with supplementary safeguards, incorporated into this DPA by reference.

6. Annexes

Annex I (parties and processing details), Annex II (technical and organizational measures) and Annex III (approved sub-processors, equal to our Sub-processors list) are provided with the executable copy on request.