Sign in

Data Processing Agreement

Last updated: 2026-04-30

Template — review required before publishing

This document is a working template provided as a starting point. It is not legal advice. Replace bracketed placeholders, adapt clauses to your specific operations, and have qualified legal counsel review before publishing or relying on it.

This Data Processing Agreement ("DPA") supplements the EdgeRank Terms of Servicebetween Triangle Technology ("Processor") and the customer ("Controller"). It applies whenever the Processor processes Personal Data on behalf of the Controller in connection with the Service.

By using the Service, the Controller agrees to this DPA. Where required, an executable copy is available on request from legal@edgerank.app.

1. Definitions

Terms not defined here have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the UK GDPR. In particular:

  • Controller — the customer who determines the purposes and means of processing.
  • Processor— Triangle Technology, processing on the Controller's behalf.
  • Subprocessor — a third party engaged by the Processor to assist with processing.
  • Personal Data — any information relating to an identified or identifiable natural person processed under this DPA.

2. Subject matter and duration

The Processor will process Personal Data on behalf of the Controller for the duration of the Controller's subscription to the Service, plus any post-termination retention period required by the Terms or applicable law.

3. Categories of data and data subjects

Categories of data subjects may include:

  • The Controller's end users and website visitors
  • The Controller's employees and contractors who use the Service

Categories of Personal Data may include:

  • Identifiers (name, email, hashed credentials)
  • Technical data (IP address, browser, device, timestamps)
  • Usage and analytics data from the Controller's connected properties
  • Page content and metadata from sites the Controller adds

4. Processor obligations

The Processor will:

  • Process Personal Data only on documented instructions from the Controller, including those given via the Service's configuration UI and API
  • Ensure persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 7)
  • Engage Subprocessors only as permitted by Section 8
  • Assist the Controller in responding to data subject requests
  • Notify the Controller of Personal Data breaches without undue delay (see Section 9)
  • Make information available to demonstrate compliance and allow for audits as described in Section 10
  • Delete or return Personal Data after the end of the Service (see Section 11)

5. Controller obligations

The Controller represents and warrants that:

  • It has the lawful basis to process the Personal Data and to instruct the Processor
  • It has provided required notices to data subjects
  • It will not transmit Personal Data to the Processor in violation of applicable law
  • It owns or is authorized to manage the websites it adds to the Service

6. International transfers

Where transfer of Personal Data outside the EEA, UK, or Switzerland occurs, the parties rely on the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) and, where applicable, the UK International Data Transfer Addendum or the Swiss Federal Data Protection Act equivalents. These clauses are deemed incorporated into this DPA by reference.

7. Security measures

The Processor implements technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encryption in transit and at rest, access controls, audit logging, and incident response procedures. Full details are described on our Security page, which is incorporated into this DPA by reference.

8. Subprocessors

The Controller authorizes the Processor to engage the Subprocessors listed below for the activities described:

  • Cloudflare — edge worker, CDN, DNS
  • Vercel — application hosting
  • Supabase — database, authentication, storage
  • Stripe — payment processing
  • Anthropic — AI-generated SEO recommendations
  • Google — Search Console / Analytics integrations (only when the Controller authorizes a connection)

The Processor will provide at least [30] days' notice of any intended addition or replacement of Subprocessors. The Controller may object on reasonable grounds related to data protection; if the objection cannot be resolved, the Controller may terminate the affected portion of the Service.

9. Personal Data breaches

The Processor will notify the Controller without undue delay (and in any case within [72 hours] of discovery) of any confirmed Personal Data breach affecting the Controller's data. The notification will include the nature of the breach, categories and approximate volume of data subjects and records, likely consequences, and measures taken or proposed.

10. Audits and information

The Processor will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA. The Controller may, no more than once per twelve (12) month period and on at least [30] days' written notice, conduct an audit (directly or via an independent third-party auditor bound by confidentiality). The Processor may charge reasonable costs.

11. Return or deletion of data

Upon termination of the Service, the Processor will, at the Controller's choice, delete or return all Personal Data within [30] days, except to the extent retention is required by applicable law. Backup copies will be deleted in the ordinary course within [90] days.

12. Liability

Each party's liability under this DPA is governed by the limitation-of-liability provisions of the Terms of Service.

13. Governing law

This DPA is governed by the same law as the Terms of Service unless a mandatory provision of EU or UK data protection law requires otherwise.

14. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. The Standard Contractual Clauses prevail over both with respect to international data transfers.

15. Contact

Questions about this DPA, requests to execute a signed copy, or Subprocessor objections should be addressed to legal@edgerank.app.