Data Processing Agreement

This Data Processing Agreement applies when Rankpad processes personal data on behalf of a customer in connection with the Rankpad service and applicable data protection law requires a processor agreement.

The customer is the controller or business for customer personal data. Rankpad is the processor or service provider for that data. Each party will comply with the data protection laws that apply to it.

"Customer personal data" means personal data submitted to Rankpad by or for the customer and processed by Rankpad on the customer's behalf. "Personal data," "processing," "controller," "processor," "data subject," and "personal data breach" have the meanings given under applicable data protection law.

"Data protection law" includes the GDPR, UK GDPR, Swiss data protection law, US state privacy laws, and similar privacy laws to the extent they apply to the processing.

Rankpad will process customer personal data only on the customer's documented instructions, including the Terms, this DPA, product settings, support requests, and other written instructions accepted by Rankpad.

Rankpad may process customer personal data when required by law. If legally permitted, we will notify the customer before doing so. Rankpad will promptly inform the customer if we believe an instruction violates applicable data protection law.

The subject matter of processing is the provision, security, support, and improvement of Rankpad. The duration of processing is the term of the customer's account or subscription plus any retention period required for deletion, backup, legal, billing, or security purposes.

• Nature of processing: hosting, storing, retrieving, analyzing, transmitting, displaying, deleting, securing, and supporting customer personal data.
• Purpose of processing: providing AI visibility tracking, prompt analysis, citation tracking, competitor mention reporting, account administration, support, billing, and security.
• Data subject categories: customer users, workspace members, account administrators, support contacts, billing contacts, and individuals whose personal data is included in customer-submitted prompts or content.
• Personal data categories: names, email addresses, account identifiers, workspace data, prompt text, brand and competitor references, domains, usage events, support communications, billing references, and scan outputs.
• Sensitive data: not intended. Customers must not submit sensitive or special-category personal data unless Rankpad has agreed in writing.

The customer is responsible for determining whether and how to use Rankpad, choosing what data to submit, providing required notices, obtaining required consents, maintaining a lawful basis for processing, and ensuring instructions are lawful.

The customer must not use Rankpad to process data in a way that violates law, infringes rights, or exceeds the permitted scope of the service.

Rankpad will process customer personal data according to this DPA and will maintain reasonable technical and organizational measures designed to protect the confidentiality, integrity, availability, and resilience of the service.

• Ensure personnel authorized to process customer personal data are bound by confidentiality obligations.
• Limit access to customer personal data to personnel and providers with a legitimate need to provide or protect the service.
• Assist the customer with data subject requests when the customer cannot reasonably fulfill the request without Rankpad.
• Assist with security, breach, DPIA, and consultation obligations taking into account the nature of processing and information available to Rankpad.
• Delete or return customer personal data after the end of service according to this DPA, the Privacy Policy, and applicable law.
• Make information reasonably necessary to demonstrate compliance available to the customer as described in the audit section.

Rankpad's security program is designed for a SaaS product handling account, workspace, prompt, scan, and reporting data. Measures may evolve as the product and threat model change.

• Encryption in transit using HTTPS/TLS and provider-supported encryption at rest.
• Access controls, least-privilege practices, account authentication, and role-based workspace access where supported.
• Production access limited to authorized personnel with a business need.
• Provider-level database, hosting, backup, monitoring, and infrastructure protections.
• Logging, error monitoring, abuse monitoring, and incident response procedures.
• Reasonable vendor review before engaging subprocessors that process customer personal data.
• Data minimization and retention practices designed to avoid keeping data longer than needed.

The customer authorizes Rankpad to use subprocessors to provide the service. Rankpad will impose data protection obligations on subprocessors that are materially consistent with this DPA.

Current subprocessors may include hosting, database, payment, analytics, email, support, security, and AI processing providers, including Supabase, Vercel, Stripe, and AI model or AI infrastructure providers used to run scans.

Rankpad remains responsible for subprocessors' performance of their data protection obligations to the extent required by applicable law. We will provide reasonable notice of material subprocessor changes and allow customers to object where required by law.

Because Rankpad measures AI visibility, some customer inputs and scan context may be sent to AI providers to generate or analyze answers. This may include prompt text, brand names, competitor names, domains, and related context selected by the customer.

Rankpad will use AI providers only as needed to provide the service, protect the service, or follow customer instructions. Customers should avoid putting sensitive personal data or confidential third-party data into prompts.

If Rankpad receives a request from a data subject about customer personal data, we will either direct the requester to the customer or handle the request according to the customer's documented instructions where legally permitted.

Rankpad will provide reasonable assistance with access, correction, deletion, restriction, objection, and portability requests when the customer cannot fulfill them independently through the service.

Rankpad will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data. The notice will include information reasonably available to Rankpad, such as the nature of the incident, affected data, likely consequences, mitigation steps, and a contact point.

Rankpad's notice of a potential or confirmed breach is not an admission of fault or liability. The customer is responsible for determining whether any notification to regulators or individuals is required.

Customer personal data may be processed in countries outside the customer's jurisdiction. Where required, the parties will rely on lawful transfer mechanisms such as adequacy decisions, standard contractual clauses, UK transfer mechanisms, or other safeguards recognized by applicable law.

If standard contractual clauses are required, they are incorporated by reference to the extent needed, with the customer as exporter and Rankpad as importer unless the facts require a different module.

Rankpad will make available information reasonably necessary to demonstrate compliance with this DPA. Where required by law and not satisfied by documentation, the customer may request an audit no more than once per year unless a confirmed breach or regulator request requires otherwise.

Audits must be conducted with reasonable notice, during normal business hours, without disrupting Rankpad operations, and subject to confidentiality obligations. Rankpad may satisfy audit requests through security documentation, written responses, third-party reports, or a mutually agreed review process.

At the end of the service, Rankpad will delete or return customer personal data according to the customer's instructions, product functionality, this DPA, and applicable law.

Rankpad may retain limited copies where required for legal, billing, dispute, security, fraud-prevention, backup, or compliance purposes. Backup copies are deleted through normal backup lifecycle practices.

Where US state privacy laws apply, Rankpad acts as a service provider or processor for customer personal data. Rankpad will not sell or share customer personal data, retain, use, or disclose it outside the business purposes described in this DPA, or combine it with personal data from other sources except as permitted by applicable law.

Rankpad will notify the customer if we determine we can no longer meet our obligations under applicable US state privacy law.

If there is a conflict between this DPA and the Terms, this DPA controls only for the processing of customer personal data. If the parties sign a separate written data processing agreement, that signed agreement controls over this online DPA.

Questions about this DPA or data processing can be sent to privacy@rankpad.app.