Loading...
Last updated: March 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement between SEO RITE Inc. ("SEO RITE," "Processor," "we," "us," or "our") and the customer ("Controller," "you," or "your") that governs your use of the SEO RITE platform and related services (the "Services").
This DPA applies where and to the extent that SEO RITE processes Personal Data on behalf of the Controller in the course of providing the Services. This DPA is designed to ensure compliance with the requirements of the European Union General Data Protection Regulation (EU 2016/679) ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), and other applicable data protection laws.
This DPA shall take precedence over any conflicting terms in the Terms of Service to the extent that such conflict relates to the processing of Personal Data. By using the Services, the Controller agrees to be bound by the terms of this DPA.
For the purposes of this DPA, the following definitions apply in addition to any definitions provided in the GDPR or our Terms of Service:
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
The subject matter, duration, nature, and purpose of the processing, as well as the types of Personal Data processed and the categories of Data Subjects, are described in the Terms of Service and the Privacy Policy. The Processor shall process Personal Data solely for the purposes of providing the Services as described in the service agreement, including website crawling, SEO auditing, keyword tracking, content analysis, rank monitoring, report generation, and related analytical functions.
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions. The Processor shall not be required to assess the legality of the Controller's instructions but shall act in good faith to flag concerns.
The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of their engagement with the Processor.
The Processor shall not disclose Personal Data to any third party except as expressly permitted by this DPA, required by applicable law, or with the prior written consent of the Controller. Access to Personal Data within the Processor's organization shall be limited to personnel who require such access for the performance of the Services.
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. These measures include, but are not limited to:
The Processor shall regularly evaluate the effectiveness of these measures and make improvements as necessary to maintain an appropriate level of security.
The Controller provides general written authorization for the Processor to engage Sub-processors to assist in the provision of the Services, subject to the conditions set forth in this section. The Processor shall maintain a current list of Sub-processors, which is available on our GDPR Compliance page.
Notification of changes. The Processor shall notify the Controller at least 30 days prior to the addition or replacement of any Sub-processor, providing the Controller with the opportunity to object to such changes. Notifications shall be sent to the email address associated with the Controller's account. If the Controller objects to a new Sub-processor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected Services without penalty.
Sub-processor obligations. The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.
The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) or the United Kingdom unless appropriate safeguards are in place as required by the GDPR.
Where Personal Data is transferred to countries that have not received an adequacy decision from the European Commission, the Processor shall rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism. The applicable SCCs are incorporated into this DPA by reference. Where required, the Processor shall implement supplementary technical and organizational measures to ensure that the transferred data is afforded a level of protection essentially equivalent to that guaranteed within the EEA.
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under the GDPR, including rights of access, rectification, erasure, data portability, restriction of processing, and objection. The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such request independently unless authorized by the Controller or required by applicable law.
The Processor shall implement appropriate technical and organizational measures to assist the Controller in responding to Data Subject requests, including the ability to search, export, rectify, and delete Personal Data within the Services. Where technically feasible, self-service tools shall be made available to the Controller through the platform to facilitate the exercise of Data Subject rights without requiring manual intervention by the Processor.
The Processor shall notify the Controller of any Personal Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include, to the extent available at the time of notification:
Where it is not possible to provide all information at the time of the initial notification, information may be provided in phases without undue further delay. The Processor shall cooperate fully with the Controller in the investigation and remediation of any Personal Data Breach and shall take all reasonable steps to mitigate the effects and minimize any damage resulting from the breach.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a qualified auditor mandated by the Controller.
Audits shall be conducted with reasonable prior written notice of at least 30 days, during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor. The Processor may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 Type II reports), or other evidence of compliance from qualified third-party auditors, provided such documentation reasonably addresses the Controller's audit objectives.
This DPA shall remain in effect for the duration of the service agreement between the Controller and the Processor and shall automatically terminate upon the expiration or termination of the service agreement. The obligations of confidentiality and data protection set forth in this DPA shall survive termination for as long as the Processor retains any Personal Data processed on behalf of the Controller.
Either party may terminate this DPA immediately upon written notice if the other party materially breaches this DPA and fails to cure such breach within 30 days of receiving written notice of the breach.
Upon termination of the service agreement or upon the Controller's written request, the Processor shall, at the Controller's election, return all Personal Data to the Controller in a structured, commonly used, and machine-readable format, or securely delete all Personal Data and existing copies, unless applicable law requires continued storage of the Personal Data.
The Processor shall provide the Controller with a data export period of 30 days following termination, during which the Controller may retrieve its data through the platform's export functionality. After expiration of this period, the Processor shall delete all Personal Data from its active systems within 30 additional days. Personal Data contained in backup systems shall be deleted in accordance with the Processor's backup retention schedule, which shall not exceed 90 days.
Upon request, the Processor shall provide written certification that all Personal Data has been deleted in accordance with this section.
For questions, requests, or concerns regarding this Data Processing Agreement, please contact:
SEO RITE Inc.
Legal inquiries: legal@seorite.com
Data Protection Officer: dpo@seorite.com
General support: support@seorite.com
Website: seorite.com
Enterprise customers may request a customized DPA or negotiate specific data processing terms by contacting our legal team at legal@seorite.com. Custom DPA negotiations are available for all Enterprise plan subscribers.