Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SitePulsar ("we", "us", "our", the "Processor") and the customer ("you", the "Controller") and applies wherever we process personal data on your behalf in the course of providing our Agent Readiness audit services. It reflects the requirements of Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"). Where there is a conflict between this DPA and the Terms of Service in respect of data protection, this DPA prevails.

A countersigned copy of this DPA is available for your organisation on request at info@sitepulsar.ai.

2. Definitions

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-processor", and "Personal Data Breach" have the meanings given to them in the GDPR. "Applicable Data Protection Law" means the GDPR and any national implementing or supplementary legislation applicable to the processing under this DPA.

3. Roles & Scope

For personal data you submit or that is generated on your behalf through the services, you act as the Controller and SitePulsar acts as the Processor. SitePulsar processes such personal data only to provide the services and on your documented instructions, including as set out in this DPA and the Terms of Service. Where SitePulsar determines the purposes and means of processing for its own operational data (for example, account security and aggregate service analytics), it acts as an independent Controller, and that processing is governed by our Privacy Policy.

4. Subject Matter, Duration & Details of Processing

• Subject matter & duration — the provision of Agent Readiness / AEO audit services for the duration of your account, after which the terms of Section 10 apply.
• Nature & purpose — collection, storage, analysis, and generation of audit reports relating to the website(s) and brand(s) you submit.
• Types of personal data — account identifiers (such as your email address) and any personal data contained in the URLs, brand names, or publicly available website content you submit for analysis.
• Categories of data subjects — your authorised users, and any individuals whose personal data appears on the public web pages submitted for audit.

5. Processor Obligations

SitePulsar shall:

• process personal data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law (in which case we will inform you, unless legally prohibited);
• ensure that persons authorised to process the personal data are bound by an obligation of confidentiality;
• implement the technical and organisational security measures described in Section 8 (Article 32 GDPR);
• taking into account the nature of the processing, assist you by appropriate measures in fulfilling your obligation to respond to data subject requests and your obligations under Articles 32 to 36 GDPR;
• at your choice, delete or return all personal data on termination as set out in Section 10; and
• make available the information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits as set out in Section 9.

6. Sub-processors

You provide general authorisation for SitePulsar to engage sub-processors to support the services. Each sub-processor is bound by data protection obligations no less protective than those in this DPA. Current sub-processors include our infrastructure providers (Supabase for database and authentication; Vercel for hosting) and the AI model providers used to generate audits (including Anthropic and OpenAI, among others as described in our Privacy Policy). Data shared with AI model providers is limited to your audit inputs and publicly available website content. We will inform you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object on reasonable data-protection grounds.

7. International Transfers

SitePulsar is established in the European Union and processes personal data within the EU/EEA where practicable. Where a sub-processor processes personal data outside the EU/EEA, such transfers are made on the basis of an adequacy decision or appropriate safeguards under Chapter V GDPR, including the European Commission's Standard Contractual Clauses, together with any supplementary measures required.

8. Security Measures

Taking into account the state of the art and the risks of the processing, SitePulsar implements appropriate technical and organisational measures, including encryption of personal data in transit (TLS), access controls and authentication, row-level data isolation between accounts, the principle of least privilege for internal access, and logging and monitoring of access to production systems.

9. Personal Data Breach & Audits

SitePulsar shall notify you without undue delay after becoming aware of a Personal Data Breach affecting your personal data, and shall provide the information reasonably necessary for you to meet your notification obligations under Articles 33 and 34 GDPR. SitePulsar shall make available information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, and frequency limits.

10. Return & Deletion of Data

On termination of the services, and at your choice, SitePulsar shall delete or return all personal data processed on your behalf and delete existing copies, unless EU or Member State law requires continued storage. Unless you request return, personal data is deleted within 30 days of account closure, except where retention is required by law.

11. Contact

For any questions about this DPA, to exercise data-protection rights, or to request a countersigned copy, contact us at:

SitePulsar
Email: info@sitepulsar.ai

See also our Privacy Policy and Terms of Service.