Data Processing Addendum

Last updated: May 2026

This document is a draft. Material terms — in particular liability allocation, sub-processor lists, audit rights, and the SCC annex — must be reviewed and tailored with qualified counsel before being executed against any specific customer engagement.

1. Definitions and Roles

This Data Processing Addendum ("DPA") supplements the SiteProof AI Terms of Service and applies whenever SiteProof AI ("Processor") processes Personal Data on behalf of the customer ("Controller") in connection with the Service. "Personal Data", "Processing", "Controller", and "Processor" have the meanings given to them in Regulation (EU) 2016/679 (the "GDPR") and equivalent local laws.

2. Scope and Purpose of Processing

  • Nature of processing: Automated analysis of publicly available web content, storage of scan results and findings, generation of compliance reports.
  • Categories of data subjects: Customer employees who hold a SiteProof AI account; visitors to the Controller's scanned websites only to the extent their personal data is publicly published on those pages.
  • Categories of personal data: Account email, name (optional), site URLs, IP addresses logged for security and rate-limit purposes, scan results and findings.
  • Duration of processing: For the duration of the Controller's subscription plus the retention periods set out in our Privacy Policy.

3. Processor Obligations

SiteProof AI will:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country or international organization.
  • Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures, including encryption in transit (TLS 1.2+), encryption at rest, access controls, and the security practices described in our Privacy Policy.
  • Assist the Controller in fulfilling its obligations to respond to data-subject requests under Chapter III of the GDPR.
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, unless EU or member-state law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with Art. 28 and allow for reasonable audits, subject to confidentiality and security obligations.

4. Sub-processors

SiteProof AI uses the sub-processors listed at /subprocessors. We will provide at least 30 days' prior notice of any intended additions or replacements of sub-processors via that page. The Controller may object to the change in writing within that period; in such case the parties will work in good faith to address the objection, and the Controller may terminate the affected portion of the Service if no reasonable resolution can be reached.

5. International Transfers

Where Personal Data of EU/UK data subjects is transferred to a country that does not benefit from an adequacy decision, the parties agree to rely on the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) and, for UK transfers, the UK Addendum issued by the ICO. The applicable Modules and docking clauses are listed in Annex II of this DPA.

6. Personal Data Breach

SiteProof AI will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's data, and will provide the information reasonably necessary for the Controller to comply with its obligations under Art. 33 and 34 of the GDPR.

7. Liability

Each party's liability under or in connection with this DPA is subject to the exclusions and limits of liability set out in the SiteProof AI Terms of Service, except that nothing in the Terms or this DPA limits either party's liability where such limitation is not permitted by applicable data-protection law.

8. Term and Termination

This DPA is effective for as long as SiteProof AI processes Personal Data on behalf of the Controller. Upon termination of the underlying agreement, SiteProof AI will delete or return Personal Data in accordance with section 3 above and our Privacy Policy.

9. Contact

Requests under this DPA — including data-subject assistance requests, sub-processor objections, and breach notifications — should be sent to:

support@siteproofai.com

A counter-signed copy of this DPA is available on request for customers who require one for their own records.