Data Processing Agreement (DPA)

Last updated: April 14, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between GROW IT, SASU registered in France (SIRET: 984 879 932 00015), located at 3 impasse du parc, 14610 Cairon, France ("Processor", "we", "us") and the Customer ("Controller", "you") for the use of the ChatSEO service ("Service"), pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

By using the Service, you agree to this DPA, which supplements our Terms of Service, Terms of Sale, and Privacy Policy.

1. Definitions

The following terms have the meanings set out below. Capitalized terms not defined herein shall have the meaning given to them in the GDPR.

  • "Controller": The Customer, who determines the purposes and means of the processing of Personal Data.
  • "Processor": GROW IT, which processes Personal Data on behalf of the Controller.
  • "Personal Data": Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing": Any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • "Data Subject": An identified or identifiable natural person whose Personal Data is processed.
  • "Sub-processor": A third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "SCCs": Standard Contractual Clauses adopted by the European Commission for international data transfers.
  • "DPF": The EU-US Data Privacy Framework.

2. Scope and Roles

2.1 Roles

GROW IT acts as Processor on behalf of the Customer, who acts as Controller for their data processed through the Service.

2.2 Categories of Data Subjects

  • Employees and representatives of the Controller
  • End users of the Controller's websites (via Google Search Console data, processed transiently)

2.3 Types of Personal Data Processed

  • Account data: Name, email address, profile image
  • Conversation data: Messages exchanged with the AI assistant, SEO analysis results
  • Google Search Console data: Search queries, impressions, clicks, rankings, page performance data (processed transiently, never stored)
  • Payment data: Billing details (processed by Stripe, not stored by the Processor)
  • Usage data: Feature interactions, session data, IP address

2.4 Duration

This DPA is effective for the duration of the service agreement between the Controller and the Processor, and shall remain in effect until all Personal Data has been deleted or returned as described in Section 8.

3. Processing Purpose and Scope

The Processor processes Personal Data solely for the following purposes:

  • Providing AI-powered SEO analysis through the ChatSEO Service
  • Processing Google Search Console data via the Google API in real-time (transient processing, no storage)
  • Generating AI-powered insights using Anthropic and Voyage AI APIs (real-time inference, no training)
  • Sending transactional emails and service communications
  • Processing payments and managing subscriptions
  • Technical infrastructure operation, monitoring, and customer support
  • Product analytics and improvement (subject to user consent)

The Processor shall not process Personal Data for any purpose other than those described above, unless required to do so by applicable law.

4. Obligations of the Processor

4.1 Processing Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by Union or Member State law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection provisions.

4.2 Confidentiality

The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures (Article 32 GDPR)

The Processor implements the following technical and organizational measures to ensure the security of Personal Data:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest
  • Access controls: Role-based access with per-user authentication
  • Infrastructure: All primary data hosted on Hetzner Online GmbH in Germany (EU), with physical and network security
  • Monitoring: Continuous error monitoring and alerting via Sentry
  • Incident response: Documented procedures for security incident detection, containment, and resolution
  • Employee training: Data protection awareness and best practices
  • Regular assessments: Security audits and vulnerability testing

4.4 Assistance to the Controller

The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligations to respond to Data Subject requests (Articles 15-22 GDPR).

The Processor shall also assist the Controller in ensuring compliance with obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.

5. Data Breach Notification

In the event of a Data Breach, the Processor shall:

  • Notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of the breach, so that the Controller can meet its own notification obligations under Articles 33 and 34 GDPR
  • Provide the following information:
    • A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
    • The name and contact details of the Processor's contact point
    • A description of the likely consequences of the breach
    • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

6. Sub-processors

6.1 Current Sub-processors

The Controller grants the Processor general authorization to engage sub-processors. The complete and up-to-date list of sub-processors is maintained at /sub-processors.

6.2 Notification of Changes

The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor, by:

  • Updating the sub-processors page with the change and date
  • Sending an email notification to Controllers who have subscribed to sub-processor change notifications

6.3 Right to Object

The Controller may object to a new or replacement sub-processor within 15 days of being notified. The objection must be based on reasonable grounds relating to data protection. If the Processor cannot reasonably accommodate the Controller's objection, the Controller may terminate the service agreement.

6.4 Sub-processor Obligations

The Processor shall:

  • Impose the same data protection obligations as set out in this DPA on each sub-processor by way of a contract
  • Remain fully liable to the Controller for the performance of each sub-processor's obligations

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

The Processor shall respond to the Controller's assistance requests within 30 days.

8. Data Deletion and Return

Upon termination of the service agreement:

  • The Processor shall delete all Personal Data within 30 days of termination, unless Union or Member State law requires further storage
  • The Controller may export their data before termination via the Service interface
  • The Processor shall certify the deletion of Personal Data upon written request from the Controller
  • Backups containing Personal Data shall be overwritten within the normal backup rotation cycle, not exceeding 90 days

9. Audits and Inspections

The Processor shall:

  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and the obligations laid down in Article 28 GDPR
  • Allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller

On-site audits require reasonable prior notice of at least 30 days, shall be conducted during normal business hours, and shall not unreasonably disrupt the Processor's operations.

10. International Data Transfers

10.1 Primary Hosting

All primary data is hosted on Hetzner Online GmbH servers located in Germany (European Union). No primary data storage occurs outside the EU.

10.2 Transfers to the United States

Certain sub-processors are located in the United States. These transfers are governed by:

  • EU-US Data Privacy Framework (DPF): For sub-processors certified under the DPF (Anthropic, Stripe, Mixpanel, Customer.io, Sentry, Google, Meta)
  • Standard Contractual Clauses (SCCs): As a supplementary transfer mechanism, adopted by the European Commission pursuant to Article 46(2)(c) GDPR

The complete list of sub-processors with their applicable transfer mechanisms is available at /sub-processors.

10.3 EU-based Sub-processors

The following sub-processors process data exclusively within the EU and require no international transfer mechanism:

  • Hetzner Online GmbH (Germany)
  • Crisp IM SAS (France)
  • Firecrawl (self-hosted on Hetzner, Germany)
  • Flagsmith (EU)

11. Specific Data Handling Practices

11.1 Google Search Console Data

ChatSEO accesses Google Search Console data via the Google API using the read-only OAuth scope (https://www.googleapis.com/auth/webmasters.readonly), so the Service can only read Search Console data and cannot modify the Controller's properties. This data is:

  • Fetched in real-time from Google's API upon user request
  • Returned directly to the user's browser session
  • Never stored in the Processor's database
  • Never cached in Redis or any other data store
  • Never persisted in any form

Only the OAuth credentials (access token, refresh token, expiry date) are stored in the database, encrypted at rest as described in Section 4.3, in order to authenticate API requests. Users can revoke the Service's access at any time through their Google account security settings; once revoked, the stored refresh token is no longer valid and no further Search Console data can be fetched.

11.2 AI Processing

ChatSEO uses the following AI services:

  • Anthropic Claude API (Claude Sonnet 4, Claude Haiku): For real-time SEO analysis and conversation. Under Anthropic's commercial API terms of service, data submitted via the API is not used for model training.
  • Voyage AI: For vector embedding generation in the memory system. Data is processed for embedding generation only, with no retention beyond the API request.

No user data is used to train, fine-tune, or improve any AI model. AI processing is performed per request: data is sent for inference and the result is returned to the Service. Any retention by an AI provider is limited to what its commercial API terms permit and is never used for training.

12. Liability

The liability of the Processor under this DPA shall be subject to the limitations set out in the main service agreement (Terms of Sale, Article 3.3), except where such limitation is not permitted by the GDPR.

13. Term and Termination

  • This DPA is effective for the duration of the service agreement between the Controller and the Processor
  • This DPA shall automatically terminate upon the termination of the service agreement
  • The obligations regarding data deletion (Section 8), confidentiality (Section 4.2), and audit rights (Section 9) shall survive termination

14. Governing Law and Jurisdiction

  • This DPA is governed by French law
  • The GDPR applies regardless of the governing law
  • For professional Customers (B2B): any dispute shall be subject to the exclusive jurisdiction of the Commercial Court of Caen
  • For consumer Customers (B2C): as provided by applicable consumer protection law

15. Contact

For any questions regarding this DPA or data protection matters:

Data Processor: GROW IT
SIRET: 984 879 932 00015
3 impasse du parc
14610 Cairon, France
Email: [email protected]