Data Processing Addendum
Effective: March 5, 2026 · Last updated: March 5, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and DekAI ("Processor") for the processing of personal data in connection with the DekAI platform. This DPA is designed to comply with GDPR Article 28.
1. Definitions
- Personal Data: As defined in Article 4(1) of the GDPR.
- Processing: As defined in Article 4(2) of the GDPR.
- Data Subject: The identified or identifiable natural person to whom the Personal Data relates.
- Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope of Processing
2.1 Subject Matter
The Processor processes Personal Data to provide AI visibility intelligence services, including: querying AI models with business information, generating visibility reports, computing scores, and delivering recommendations.
2.2 Categories of Data Subjects
- Business owners and authorized account users
- Business employees with account access
2.3 Types of Personal Data
- Account data: email address, name
- Business data: business name, address, phone, website, vertical category
- Billing data: Stripe customer ID, subscription status
- Usage data: consent records, login timestamps
2.4 Duration
Processing continues for the duration of the service agreement plus the data retention periods specified in our Privacy Policy.
3. Obligations of the Processor
- Process Personal Data only on documented instructions from the Controller, including transfers to third countries.
- Ensure that persons authorized to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organizational security measures (see Section 5).
- Engage sub-processors only under the Controller's written authorization, which is given as a general authorization subject to the notice and objection procedure in Section 4.
- Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, portability).
- Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, impact assessments).
- Delete or return all Personal Data upon termination, at the Controller's choice, subject to legal retention obligations.
- Make available all information necessary to demonstrate compliance and allow for audits.
4. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. The current list of sub-processors is maintained at /subprocessors.
The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to a new sub-processor within 14 days of notification. If the Processor cannot reasonably accommodate the objection, either party may terminate the affected service.
5. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption in transit: TLS 1.2 or later for all connections; HSTS enforced on HTTPS responses so browsers do not fall back to plaintext HTTP
- Encryption at rest: Database encryption via managed PostgreSQL provider
- Authentication: Passwordless magic-link authentication with session token management
- Access control: Role-based access (Admin, Client Owner, Client Member)
- Data minimization: Only the business name and public geography are sent to AI models; account data, billing data and usage data are never sent (see Section 9)
- IP pseudonymization: IP addresses are hashed (SHA-256) before storage in consent records; a hashed address remains pseudonymous personal data under GDPR Article 4(5) rather than anonymous data
- Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
- Monitoring: Server logs retained for 90 days for security incident detection
- Incident response: notification to the Controller without undue delay and no later than 72 hours after becoming aware of a breach (see Section 6; GDPR Article 33(2))
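The IP hashing measure above, as an added example rather than DekAI's own code: an unkeyed SHA-256 of an address can be resolved back to the address by hashing every candidate address and comparing against the stored digest, whereas an HMAC under a secret key cannot be resolved without the key while still letting equal addresses be matched across records. The sample address (RFC 5737 documentation range), the /24 candidate space searched, and the assumption that the hash is computed over the textual address are constructed for this illustration; the DPA does not state whether a key is used.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed sample values (IPv4 documentation range, RFC 5737); not real consent records.
SAMPLE_IP = "203.0.113.57"
# Candidate space the attacker enumerates. A /24 keeps the demo fast; the whole
# IPv4 space is only 2**32 addresses, so the same attack covers all of it offline.
SAMPLE_NETWORK = "203.0.113.0/24"


def hash_ip_unkeyed(ip: str) -> str:
    """Plain SHA-256 over the textual address (assumed reading of the measure in
    Section 5; the DPA does not say whether a key is involved)."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def hash_ip_keyed(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. Equal addresses still give equal tags
    (so consent records stay linkable), but reversal needs the key, not just the digest."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def recover_ip(target_hex: str, candidates: str,
               hash_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: hash every address in `candidates` with `hash_fn` and
    compare against the stored digest. Returns the address on a match, else None."""
    for host in ipaddress.ip_network(candidates):
        if hmac.compare_digest(hash_fn(str(host)), target_hex):
            return str(host)
    return None


def demo(ip: str = SAMPLE_IP, network: str = SAMPLE_NETWORK) -> dict:
    """Runs both variants against an attacker who holds the stored digest and knows
    the public hash function but not the key."""
    key = secrets.token_bytes(32)  # would live in a secrets manager, never beside the records
    unkeyed_digest = hash_ip_unkeyed(ip)
    keyed_digest = hash_ip_keyed(ip, key)
    return {
        # Unkeyed: the attacker recovers the address from the digest alone.
        "unkeyed_recovered": recover_ip(unkeyed_digest, network, hash_ip_unkeyed),
        # Keyed: the same enumeration without the key finds nothing.
        "keyed_recovered_without_key": recover_ip(keyed_digest, network, hash_ip_unkeyed),
        # Keyed: only a party holding the key can resolve it.
        "keyed_recovered_with_key": recover_ip(
            keyed_digest, network, lambda h: hash_ip_keyed(h, key)),
        # Keyed tags are deterministic, so repeat visits from one address still match.
        "keyed_is_linkable": hash_ip_keyed(ip, key) == keyed_digest,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Whether a party holding the consent records can resolve a stored tag back to an address therefore depends on whether a secret key enters the computation and on where that key is kept, which is worth stating explicitly alongside the hash algorithm.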
6. Breach Notification
The Processor will notify the Controller without undue delay (and no later than 72 hours) after becoming aware of a personal data breach. Notification will include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
7. Data Deletion
Upon termination of the service agreement, the Processor will:
- Provide 30 days for the Controller to export data via the data export API
- Soft-delete all account data (anonymize email, set deletion flag)
- After a 30-day grace period, permanently hard-delete all Personal Data
- Delete or anonymize associated probe results, reports, and recommendations
- Retain consent records for up to 5 years as required for regulatory compliance
8. Audit Rights
The Controller may audit the Processor's compliance with this DPA by providing 30 days' written notice. Audits shall be conducted during normal business hours, no more than once per year, and at the Controller's expense. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or detailed responses to written questionnaires.
9. AI Governance Addendum
In alignment with the EU AI Act, the Processor:
- Maintains a registry of AI models used in the Service (see the sub-processor list at /subprocessors)
- Marks all AI-generated content with disclosure labels in reports
- Includes AI metadata in PDF report files (creator, generation date)
- Does not use AI for automated decision-making that produces legal effects on Data Subjects
- Sends only non-personal business information to AI models
10. Governing Law
This DPA is governed by the same law as the underlying service agreement. For EEA-based Controllers, the provisions of the GDPR take precedence in case of conflict. Where the Controller is established in the EEA, the courts of the EU Member State in which the Controller is established shall have jurisdiction.
11. Contact
For questions about this DPA, contact our Privacy Officer at privacy@dekai.ai.