Data processing addendum

This Data Processing Addendum (the “DPA”) supplements the AskRanker Terms of Service (the “Agreement”) between the individual sole proprietor based in the United States doing business as AskRanker (“AskRanker”, “Processor”) and the customer identified in the Agreement (“Customer”, “Controller”). It applies to the extent AskRanker processes Personal Data on behalf of Customer in the course of providing the Service.

Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act (“CCPA”), or similar applicable law.

For Personal Data submitted by Customer to the Service or generated through Customer's use of the Service, Customer is the Controller and AskRanker is a Processor.

For Personal Data of visitors to the AskRanker marketing site (askranker.com), AskRanker is an independent Controller and this DPA does not apply. The AskRanker Privacy Policy applies instead.

AskRanker will process Personal Data only on Customer's documented instructions. The Agreement, including this DPA and the configuration choices Customer makes within the Service, constitutes those instructions.

AskRanker will inform Customer if, in its opinion, an instruction infringes applicable data protection law, unless prohibited from doing so by that law.

Subject matter: the provision of the AskRanker Service.

Duration: the term of the Agreement, plus any retention period in Section 12.

Nature and purpose: hosting Customer Content, sampling AI assistants on Customer's behalf, generating mention rate reports and predictions, and any other features Customer enables.

Categories of Data Subjects: Customer's authorized users (e.g. workspace members), and any individuals identified within buyer questions or scan results.

Categories of Personal Data: contact details (name, email), authentication metadata, organization configuration, buyer questions, and AI responses that may contain incidental references to identifiable individuals. Customer should not submit special category data (Article 9 GDPR) through the Service.

AskRanker will, taking into account the nature of the processing, assist Customer through appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligations to respond to data subject requests under applicable law. Where AskRanker receives a data subject request directly, it will, unless legally prohibited, refer the request to Customer.

AskRanker will ensure that any person it authorises to process Personal Data is bound by appropriate obligations of confidentiality.

Customer authorises AskRanker to engage the sub-processors listed below to provide the Service. The current list at the effective date of this DPA is:

• Vercel Inc. — application hosting (United States).
• Convex, Inc. — primary database (United States).
• Amazon Web Services, Inc. — email (SES), object storage (S3), DNS (Route 53), Lambda functions (United States).
• Stripe, Inc. — payment processing (United States).
• Google LLC — Workspace, Analytics (United States).
• Cloudflare, Inc. — Browser Run for crawling on Customer's behalf (United States, with global edge).
• OpenAI OpCo, LLC, Anthropic PBC, Google LLC (Gemini), Perplexity AI, Inc., and other AI providers — execute model queries that produce scan results.

AskRanker will give at least 30 days' prior notice of any new sub-processor and any change of an existing sub-processor. Customer may object to such a change on reasonable data-protection grounds within that period; if the parties cannot agree on a resolution, Customer may terminate the affected portion of the Service.

AskRanker remains responsible for the acts and omissions of its sub-processors to the same extent as for its own.

AskRanker will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where applicable:

• Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest.
• Logical access controls, including the principle of least privilege and separation of admin and end-user sessions.
• Secure software development practices, including code review and dependency monitoring.
• Logging and monitoring of access and key operations.
• Documented incident response and business continuity plans.
• Regular review and improvement of security measures.

A current overview of AskRanker's security measures is available on request.

AskRanker will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.

To the extent AskRanker processes Personal Data of EU, UK, or Swiss data subjects in a country that is not subject to an adequacy decision, the EU Standard Contractual Clauses (Module Two, Controller to Processor) are incorporated into this DPA by reference, completed as follows:

• Annex I.A (Parties): Customer is the data exporter; AskRanker is the data importer.
• Annex I.B: as set out in Section 4 of this DPA.
• Annex I.C (Competent supervisory authority): the supervisory authority of the EU member state in which Customer is established, or as otherwise required by Clause 13 of the SCCs.
• Annex II: as set out in Section 8.
• Annex III: the sub-processor list in Section 7.
• Optional Clause 7 (docking): not adopted.
• Optional Clause 11 (independent body): not adopted.
• Clause 17 governing law: the law of Ireland (the default for Module Two SCCs where the data importer is outside the EU).
• Clause 18 forum: the courts of Ireland.

For UK data subjects, the UK International Data Transfer Addendum (the “IDTA”) is incorporated and forms part of the SCCs as required.

AskRanker will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer. To minimise disruption, audits will be conducted no more than once per twelve-month period (except where required by a supervisory authority or following a Personal Data Breach), on at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality undertakings.

On termination or expiry of the Agreement, AskRanker will, at Customer's choice, delete or return Personal Data, and delete existing copies, unless retention is required by applicable law. Customer may export Personal Data through the Service at any time prior to termination. Backups containing Personal Data are deleted on the rolling schedule set out in the Privacy Policy.

Each party's liability under or in connection with this DPA is subject to the limitations of liability in the Agreement. The SCCs and any local-law liability provisions prevail over this Section to the extent required.

In the event of a conflict between (a) the SCCs, (b) this DPA, and (c) the rest of the Agreement, the order of precedence is (a), (b), (c). Otherwise this DPA prevails over the rest of the Agreement on data-protection matters.

Questions about this DPA, or to request a counter-signed copy, email hello@askranker.com.