Data Processing Agreement

Last Updated: January 24, 2025

1. Introduction and Scope

This Data Processing Agreement ("DPA" or "Agreement") forms part of the Terms of Service between PageRoast ("Processor," "we," "us," or "our") and the customer ("Controller," "you," or "your") who has agreed to our Terms of Service (the "Principal Agreement").

This DPA applies to the processing of Personal Data by PageRoast on behalf of the Controller in connection with the provision of our AI-powered landing page audit services (the "Services").

This DPA is designed to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and other applicable data protection laws (collectively, "Data Protection Laws").

In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

  • "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For purposes of this DPA, you are the Controller.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For purposes of this DPA, PageRoast is the Processor.
  • "Services" means the AI-powered landing page audit services provided by PageRoast under the Principal Agreement.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as may be amended, replaced, or superseded from time to time.
  • "Sub-processor" means any Processor engaged by PageRoast or by any other Sub-processor of PageRoast who agrees to receive from PageRoast or from any other Sub-processor of PageRoast Personal Data exclusively intended for processing activities to be carried out on behalf of the Controller.
  • "Supervisory Authority" means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR, or any equivalent authority under applicable Data Protection Laws.

3. Subject Matter and Duration of Processing

3.1 Subject Matter

The subject matter of this DPA is the processing of Personal Data by PageRoast on behalf of the Controller in connection with the provision of the Services as described in the Principal Agreement.

3.2 Duration

This DPA shall remain in effect for the duration of the Principal Agreement and for as long as PageRoast processes Personal Data on behalf of the Controller. Upon termination of the Principal Agreement, PageRoast shall, at the Controller's election, delete or return all Personal Data to the Controller, except to the extent that PageRoast is required by applicable law to retain some or all of the Personal Data.

3.3 Nature and Purpose of Processing

PageRoast processes Personal Data for the purpose of providing the Services, which includes:

  • Capturing screenshots of landing pages submitted by the Controller.
  • Analyzing landing page content using AI technology.
  • Generating audit reports containing findings and recommendations.
  • Storing screenshots and reports for access by the Controller.
  • Processing payments and managing account information.
  • Providing customer support and communicating with the Controller.

3.4 Types of Personal Data

The types of Personal Data processed under this DPA may include:

  • Account information: Name, email address, company name, job title.
  • Payment information: Billing address, payment card details (processed by Stripe).
  • Technical data: IP address, browser type, device information.
  • Usage data: Pages visited, features used, audit history.
  • Content data: URLs submitted for analysis, screenshots of landing pages.
  • Communication data: Support tickets, emails, feedback.

3.5 Categories of Data Subjects

The categories of Data Subjects whose Personal Data may be processed include:

  • The Controller's employees and authorized users.
  • Individuals whose Personal Data may appear on landing pages submitted for analysis.
  • The Controller's customers or website visitors (to the extent their data appears on landing pages).

4. Obligations of the Processor

PageRoast, as the Processor, agrees to:

4.1 Processing Instructions

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  • Immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws. In such case, the Processor shall be entitled to suspend performance of the relevant instruction until the Controller confirms or modifies the instruction.

4.2 Confidentiality

  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Treat all Personal Data as confidential information and not disclose Personal Data to any third party except as permitted or required by this DPA, the Principal Agreement, or applicable law.

4.3 Security Measures

  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
    • The pseudonymization and encryption of Personal Data.
    • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
    • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
    • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

4.4 Sub-processing

  • Not engage another processor without prior specific or general written authorization of the Controller.
  • In the case of general written authorization, inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.
  • Where the Processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract.
  • Remain fully liable to the Controller for the performance of that other processor's obligations.

4.5 Assistance with Data Subject Rights

  • Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights, including rights of access, rectification, erasure, restriction, data portability, and objection.
  • Promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data, and shall not respond to that request except on the documented instructions of the Controller or as required by applicable law.

4.6 Personal Data Breaches

  • Notify the Controller without undue delay after becoming aware of a Personal Data Breach.
  • Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws.
  • Cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

4.7 Data Protection Impact Assessments

  • Taking into account the nature of the processing and the information available to the Processor, assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.

4.8 Deletion or Return of Personal Data

  • At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

4.9 Audits and Inspections

  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
  • Such audits shall be subject to reasonable notice, conducted during normal business hours, and shall not unreasonably interfere with the Processor's business activities. The Controller shall bear its own costs related to any audit.

5. Obligations of the Controller

The Controller agrees to:

  • Lawful Basis: Ensure that it has obtained all necessary consents and has a lawful basis for the processing of Personal Data and for the transfer of Personal Data to the Processor.
  • Instructions: Provide the Processor with documented instructions for processing Personal Data. The Controller warrants that its instructions will comply with applicable Data Protection Laws.
  • Data Subject Information: Ensure that Data Subjects have been informed of the processing of their Personal Data by the Processor, including by providing appropriate privacy notices.
  • Data Quality: Ensure the accuracy and quality of Personal Data provided to the Processor.
  • Compliance: Comply with all applicable Data Protection Laws in relation to the processing of Personal Data and the exercise of its rights and performance of its obligations under this DPA.
  • Authorization: When submitting URLs for analysis, ensure that it has the authority to process any Personal Data that may appear on those landing pages, including Personal Data of third parties.

6. Sub-processors

6.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-processors for the processing of Personal Data, subject to the requirements of this Section.

6.2 Current Sub-processors

The Controller acknowledges and agrees that the following Sub-processors are authorized as of the Effective Date of this DPA:

Sub-processor            Processing Activities              Location
Supabase, Inc.           Database hosting, authentication   United States
Google LLC (Gemini AI)   AI analysis of landing pages       United States
ScreenshotAPI.net        Screenshot capture                 Various
Cloudflare, Inc.         File storage (R2), CDN             United States
Stripe, Inc.             Payment processing                 United States
Railway Corporation      Application hosting                United States

6.3 Notification of Changes

The Processor shall provide the Controller with notice of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days prior to the change. Such notice shall be provided via email to the address associated with the Controller's account.

6.4 Objection to Sub-processors

If the Controller has a legitimate reason to object to the use of a new Sub-processor, the Controller shall notify the Processor in writing within fifteen (15) days of receiving notice. The Processor and Controller shall work together in good faith to resolve the Controller's concerns. If the parties cannot reach a resolution, the Controller may terminate the affected Services without penalty.

6.5 Sub-processor Agreements

The Processor shall ensure that each Sub-processor is bound by data protection obligations at least as protective as those in this DPA. The Processor shall remain fully liable for the acts and omissions of its Sub-processors.

7. International Data Transfers

7.1 Transfers from the EEA, UK, and Switzerland

Where Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, such transfers shall be subject to appropriate safeguards as required by applicable Data Protection Laws.

7.2 Standard Contractual Clauses

For transfers of Personal Data from the EEA to countries outside the EEA that have not received an adequacy decision, the parties agree that the Standard Contractual Clauses approved by the European Commission (Module Two: Controller to Processor) shall apply. The SCCs are hereby incorporated by reference into this DPA.

For purposes of the SCCs:

  • The Controller is the "data exporter" and PageRoast is the "data importer."
  • The optional docking clause (Clause 7) applies.
  • Option 2 of Clause 9(a) applies, and the time period for prior notice of Sub-processor changes shall be 30 days.
  • The optional redress clause (Clause 11) does not apply.
  • Option 1 of Clause 17 applies, and the governing law shall be the law of Ireland.
  • Clause 18(b) applies, and disputes shall be resolved by the courts of Ireland.
  • Annexes I, II, and III shall be completed with the information set out in this DPA.

7.3 UK Transfers

For transfers of Personal Data from the United Kingdom, the UK Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) shall apply and is hereby incorporated by reference.

7.4 Swiss Transfers

For transfers of Personal Data from Switzerland, the SCCs shall apply with the modifications necessary to comply with the Swiss Federal Act on Data Protection.

7.5 Data Privacy Framework

To the extent applicable, the Processor may also rely on certifications under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework as a lawful mechanism for data transfers.

8. Data Subject Requests

The Processor shall:

  • Promptly notify the Controller if it receives a request from a Data Subject to exercise any of their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction of processing, data portability, or objection.
  • Unless otherwise required by applicable law, not respond directly to any such request except to confirm receipt and inform the Data Subject that the request has been forwarded to the Controller.
  • Upon the Controller's request, provide reasonable assistance in responding to Data Subject requests, taking into account the nature of the processing and the information available to the Processor.
  • Where technically feasible, provide self-service tools that allow the Controller to access, correct, or delete Personal Data directly.

9. Personal Data Breach Notification

9.1 Notification Timing

The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

9.2 Notification Contents

Such notification shall include, to the extent known:

  • A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
  • The name and contact details of the Processor's data protection officer or other contact from whom more information can be obtained.
  • A description of the likely consequences of the Personal Data Breach.
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 Cooperation

The Processor shall cooperate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each Personal Data Breach. The Processor shall not inform any third party of any Personal Data Breach without first obtaining the Controller's prior written consent, except as required by applicable law.

10. Audit Rights

10.1 Information and Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

10.2 Audit Procedures

Any audit shall be conducted:

  • With at least thirty (30) days' prior written notice.
  • During normal business hours.
  • In a manner that does not unreasonably disrupt the Processor's business operations.
  • Subject to the auditor entering into appropriate confidentiality undertakings.
  • No more than once per twelve (12) month period, unless required by a Supervisory Authority or following a Personal Data Breach.

10.3 Certifications and Reports

The Processor may satisfy audit requirements by providing the Controller with:

  • Relevant certifications (such as ISO 27001 or SOC 2 Type II reports).
  • Summaries of third-party audit reports.
  • Responses to reasonable security questionnaires.

10.4 Costs

The Controller shall bear its own costs related to any audit. If an audit reveals material non-compliance by the Processor, the Processor shall bear the reasonable costs of the audit.

11. Liability

Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set forth in the Principal Agreement. Nothing in this DPA shall limit either party's liability for:

  • Death or personal injury caused by negligence.
  • Fraud or fraudulent misrepresentation.
  • Any liability that cannot be limited or excluded by applicable law.

12. Term and Termination

12.1 Term

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Principal Agreement.

12.2 Survival

The obligations of the Processor under this DPA shall survive the termination or expiration of the Principal Agreement to the extent necessary to continue to protect Personal Data.

12.3 Data Return or Deletion

Upon termination of the Principal Agreement, the Processor shall, at the Controller's written request:

  • Return all Personal Data to the Controller in a commonly used format; and/or
  • Delete all Personal Data in its possession or control, including all copies.

The Processor shall certify in writing that it has complied with this requirement upon the Controller's request. The Processor may retain Personal Data to the extent required by applicable law, subject to appropriate security measures and the ongoing obligations of this DPA.

13. General Provisions

13.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws provisions, except that the Standard Contractual Clauses shall be governed as specified therein.

13.2 Amendments

This DPA may only be amended by a written agreement signed by both parties. However, PageRoast may update this DPA unilaterally to reflect changes in applicable Data Protection Laws, provided that such updates do not materially reduce the protections afforded to Personal Data.

13.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.4 Entire Agreement

This DPA, together with the Principal Agreement and any schedules or annexes hereto, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings.

14. Contact Information

For questions about this Data Processing Agreement, please contact:

PageRoast
Data Protection Officer: contact@pageroast.io
Legal Inquiries: contact@pageroast.io
General Support: contact@pageroast.io
Website: https://pageroast.io