This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between you ("Customer", acting as data controller) and Your Company ("Processor", "we"). It applies to the processing of personal data on your behalf when you use Baaed FREE SEO Suite.
1. Definitions
Capitalised terms have the meanings given in the GDPR (Regulation (EU) 2016/679) and the UK GDPR. "Applicable Data Protection Law" includes the GDPR, the UK GDPR, the Swiss FADP, and equivalent laws in jurisdictions where you operate. "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses set out in Implementing Decision (EU) 2021/914, in the modules and forms applicable to the transfer.
2. Roles and Subject-Matter
Customer is the controller of the Customer Personal Data; we are the processor (and, where Customer is itself a processor, we are the sub-processor of Customer's controller). The subject-matter of the processing is the operation of the Service for Customer; the duration is the term of the Agreement plus the retention periods set out in our Privacy Policy § 7.
3. Categories of Data and Data Subjects
The categories of data subjects and personal data depend on Customer's use of the Service. Typically:
- Data subjects: Customer's users, employees, contractors, and any natural persons identifiable from inputs Customer submits to our tools.
- Categories of data: contact details (email, name); content data (URLs, text, images, files Customer submits); usage data (timestamps, request types, results returned); billing data (handled by our payment processors).
Customer must not submit through the Service special categories of personal data (Art. 9 GDPR), criminal-conviction data (Art. 10 GDPR), or the categories of sensitive data prohibited in our AI Policy § 4. If Customer does so anyway, Customer remains the controller of that data and bears responsibility for the additional obligations that apply.
4. Processor Obligations
We will:
- Process Customer Personal Data only on documented instructions from Customer (these instructions are deemed given when Customer uses the Service or its API), and as required by applicable law (in which case we will inform Customer of that requirement before processing, unless prohibited by law on important grounds of public interest).
- Ensure that persons authorised to process Customer Personal Data are bound by confidentiality.
- Take appropriate technical and organisational measures (Section 7) to ensure security.
- Engage sub-processors only in accordance with Section 5.
- Taking into account the nature of the processing, assist Customer, by appropriate technical and organisational measures, in fulfilling its obligation to respond to data-subject rights requests (Art. 12–23 GDPR).
- Assist Customer in ensuring compliance with Articles 32 to 36 of the GDPR (security, breach notification, data-protection impact assessment, prior consultation), taking into account the nature of the processing and the information available to us.
- At Customer's choice, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies, unless retention is required by law.
- Make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
5. Sub-processors
Customer authorises us to engage the sub-processors listed on our Sub-processors page, as updated from time to time. We will notify Customer of any intended addition or replacement of a sub-processor at least 30 days in advance. Customer may object on reasonable grounds. If we cannot accommodate the objection, Customer may terminate the affected portion of the Service per the cancellation procedure in our Refund Policy.
We impose data-protection obligations on sub-processors that are no less protective than those in this DPA, by written contract.
6. International Transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country not subject to an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses set out in Implementing Decision (EU) 2021/914:
- Module Two (controller-to-processor) where Customer is a controller and we are a processor.
- Module Three (processor-to-processor) where Customer is a processor and we are a sub-processor.
The optional clauses are selected as follows: Clause 7 (docking) not incorporated; Clause 11 (independent dispute resolution) not incorporated; Clause 17 governing law: Ireland (Module 2) or the law of an EU Member State that allows third-party-beneficiary rights (Module 3); Clause 18 forum: courts of Ireland.
For UK transfers, the parties incorporate by reference the UK International Data Transfer Addendum (Version B1.0, in force 21 March 2022) issued under Section 119A of the Data Protection Act 2018.
For Swiss transfers, the SCCs are interpreted in light of the FADP (FDPIC's general guidance applies).
The Annexes to the SCCs are completed as follows:
- Annex I.A (Parties): Customer (the entity identified in the Agreement) and Your Company.
- Annex I.B (Description of Transfer): as set out in Sections 2 and 3 of this DPA.
- Annex I.C (Competent Supervisory Authority): the Irish Data Protection Commission for Module 2 transfers from the EEA.
- Annex II (Technical and Organisational Measures): as set out in Section 7 of this DPA.
- Annex III (Sub-processors): as listed on our Sub-processors page.
7. Technical and Organisational Measures
We maintain the following measures, which Customer accepts as appropriate to the risk:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 for object storage; database TDE).
- Access controls: role-based access; principle of least privilege; named access for staff; mandatory two-factor authentication on all administrative interfaces.
- Authentication: bcrypt password hashing for end-user accounts; signed session tokens; HttpOnly, SameSite=Lax session cookies.
- Network security: WAF and DDoS protection at the edge; private networking between application and database; periodic security testing.
- Logging and monitoring: security and audit logs retained for 12 months in restricted-access storage.
- Incident response: documented runbook; 72-hour controller-notification commitment per Section 8.
- Backup and restore: encrypted nightly backups; quarterly restore tests; offsite copy retained 90 days.
- Personnel: confidentiality undertakings; security training; background checks where lawful.
- Supplier management: sub-processors contractually bound to equivalent measures.
8. Personal Data Breach
We will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe (a) the nature of the breach, (b) the likely consequences, (c) the categories and approximate number of data subjects and records concerned, (d) the measures taken or proposed to address the breach, and (e) the contact point for further information. Where the information is not all available within 72 hours, we will provide it in phases without further undue delay.
9. Audits
To the extent required by Article 28(3)(h) GDPR, we will provide Customer with audit information necessary to demonstrate compliance:
- Standard: annual security questionnaire response and copies of any third-party attestations or certifications we hold (e.g. SOC 2 Type II, ISO/IEC 27001) when available.
- On-site or active audits: by mutual agreement, with reasonable advance notice (minimum 30 days), at Customer's expense, conducted no more than once every 12 months unless a regulator requires more, scoped to the processing of Customer Personal Data, and subject to confidentiality undertakings.
10. Data-Subject Requests
Where we receive a data-subject request relating to Customer Personal Data, we will, where lawful, redirect the data subject to Customer and notify Customer without undue delay. We will assist Customer in responding to such requests, including by providing tooling for self-service access, rectification, and erasure where available.
11. Liability
Each party's liability for breach of this DPA is subject to the limitation-of-liability provisions of the Agreement (Section 13 of our Terms of Service). Nothing in this DPA limits a data subject's rights against the parties under Applicable Data Protection Law.
12. Term and Termination
This DPA takes effect when Customer first uses the Service to process Customer Personal Data after publication of this version, and continues until the termination of the Agreement. Sections 7 (security), 8 (breach), and 11 (liability) survive termination as necessary to give them effect.
13. Governing Law
This DPA is governed by the law specified in our Terms of Service § 16, except that the SCCs and the UK Addendum are governed by the law specified in their own terms.
14. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails on data-protection matters. In the event of a conflict between this DPA and the SCCs, the SCCs prevail. In the event of a conflict between the SCCs and the UK Addendum on UK transfers, the UK Addendum prevails.
15. Counter-Signed Copy
To request a counter-signed PDF copy of this DPA on your letterhead, email info@baaed.com with subject "DPA Request", providing your full legal entity name and business address. We respond to DPA requests within 10 business days.