Data Processing Agreement

GDPR Article 28 — Data Processing Agreement (Norwegian: Databehandleravtale)

Last updated: April 4, 2026

⚠️ This document is a framework and should be reviewed by legal counsel before being considered final. This DPA applies automatically to all KodexR customers.

1. Parties

  • Data Controller ("Controller") — The customer subscribing to KodexR services.
  • Data Processor ("Processor") — Kodexr.com ("KodexR"), providing automated SEO services.

This DPA forms part of the Terms of Service between the Controller and KodexR, and applies from the date the Controller subscribes to the Service.

2. Definitions

Terms used in this DPA have the same meaning as in the General Data Protection Regulation (EU) 2016/679 ("GDPR"), including "personal data", "processing", "data subject", "supervisory authority", and "data breach".

3. Scope & Purpose

The Processor processes personal data on behalf of the Controller for the following purposes:

  • Performing technical SEO analysis of the Controller's website
  • Generating and publishing SEO-optimized content
  • Tracking keyword rankings and search visibility
  • Producing monthly SEO performance reports
  • Communicating with the Controller regarding the Service

Processing is carried out for the duration of the subscription agreement. The Processor shall not process data for any purpose other than those specified above.

4. Data Categories

Category          | Data Types
------------------|------------------------------------------------
Contact data      | Email, company name, domain
Website data      | Publicly accessible content, HTML, meta tags
SEO data          | Keywords, rankings, competitors, scores
Content data      | Generated articles, reports
Transaction data  | Subscription status, plan type (via Stripe)

Data subjects: The Controller's authorized contacts and, indirectly, visitors to the Controller's website (via publicly accessible SEO data only).

Sensitive data: The Processor does not process special categories of personal data (Art. 9 GDPR).

5. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries.
  • Ensure that persons authorized to process data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational measures to ensure security (see Section 8).
  • Not engage another processor without prior specific or general written authorization of the Controller (see Section 6).
  • Assist the Controller in fulfilling data subject rights requests (see Section 10).
  • Assist the Controller in ensuring compliance with GDPR obligations regarding security, breach notification, and impact assessments.
  • At the choice of the Controller, delete or return all personal data after the end of the provision of services (see Section 12).
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.

6. Sub-processors

The Controller grants general authorization for the Processor to engage the following sub-processors:

Sub-processor        | Purpose                | Location
---------------------|------------------------|----------------
Supabase Inc.        | Database hosting       | EU (Frankfurt)
Stripe Inc.          | Payment processing     | USA (SCCs)
OpenAI, Inc.         | AI content generation  | USA (SCCs)
Resend Inc.          | Email delivery         | USA (SCCs)
Hetzner Online GmbH  | Server hosting         | EU (Finland)

The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object within 14 days.

7. International Transfers

Where personal data is transferred outside the EU/EEA, the Processor ensures that appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where available.
  • Supplementary measures as needed based on transfer impact assessments.

8. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption: TLS/HTTPS for all data in transit. AES-256 encryption at rest (Supabase).
  • Access control: Row Level Security (RLS) in the database. API keys and service role tokens for server-to-server communication.
  • Authentication: Stripe-managed authentication for payment. CRON_SECRET for automated processes.
  • Logging: Server access logs retained for security monitoring.
  • Infrastructure: Dedicated server (Hetzner, EU) with SSH key-only access, firewall, and regular security updates.
  • Backups: Database backups via Supabase (point-in-time recovery).
  • Personnel: Access limited to authorized personnel on a need-to-know basis.

9. Data Breach Notification

  • The Processor shall notify the Controller of a personal data breach without undue delay, and in any case within 72 hours of becoming aware of the breach.
  • The notification shall include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • The Processor shall cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.

10. Data Subject Rights

The Processor shall assist the Controller in responding to data subject requests, including:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)

The Processor shall respond to Controller requests regarding data subject rights within 10 business days.

11. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and GDPR obligations.

  • The Controller may request an audit with 30 days' written notice.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt operations.
  • The Controller bears the cost of the audit unless the audit reveals material non-compliance.

12. Termination & Data Return

  • Upon termination of the Service, the Processor shall, at the Controller's choice, return or delete all personal data within 30 days.
  • The Controller may request data export in a machine-readable format (JSON or CSV) prior to termination.
  • Published content remains on the Controller's website and is not affected by data deletion.
  • Data required for legal obligations (e.g., invoicing) may be retained as required by law.

13. Contact

For questions about this DPA or to exercise your rights:

KodexR Data Protection Contact
Email: hello@kodexr.com
Website: kodexr.com