PL Run free audit

Legal

Data Processing Addendum

Effective date: [To be set on launch] · Last updated: June 2026

TEMPLATE — DRAFT pending review by licensed counsel before launch. Not legal advice. This document is a working draft prepared to reduce the time a qualified lawyer needs to finalize it. It is not final, does not constitute legal advice, and must not be relied upon until reviewed and approved.

1. Scope and roles

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and GeoAI Solutions LLC (trading as GeoFlow) ("Processor", "CitePulse") and applies where CitePulse processes personal data on the Controller's behalf in the course of providing the Service. Where CitePulse determines purposes and means of processing (for example, its own account and billing records), it acts as an independent controller as described in the Privacy Policy.

2. Subject matter and duration

The subject matter is the provision of AI citation audit and monitoring services. The duration is the term of the agreement plus any retention period required by law. The nature and purpose of processing is the performance of audits, generation of reports, communication and monitoring.

3. Categories of data and data subjects

  • Data subjects: the Controller's authorized users and contacts.
  • Personal data: business contact email addresses, account and subscription metadata, and technical/usage logs.
  • Audit data: domains and publicly available website content submitted for audit (which may incidentally contain personal data published by the Controller).

4. Processor obligations

  • Process personal data only on documented instructions from the Controller, including for transfers, unless required by law.
  • Ensure persons authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see our Security page).
  • Assist the Controller with data-subject requests and with security, breach-notification and impact-assessment obligations.
  • Delete or return personal data at the end of the engagement, subject to legal retention.
  • Make available information necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality and security controls.

5. Sub-processors

The Controller authorizes CitePulse to engage the sub-processors listed below. We will inform the Controller of intended changes (addition or replacement) giving the opportunity to object on reasonable data-protection grounds. Each sub-processor is bound by data-protection obligations consistent with this DPA.

Sub-processorPurposeProcessing location
Cloudflare, Inc.Hosting, CDN, edge compute, DDoS protection, data storageUSA / global edge
Resend (Plus Five Five, Inc.)Transactional email deliveryUSA
Stripe, Inc.Payment processing and subscription billingUSA / EU
OpenAI, L.L.C.AI model queries (GPT) for citation testingUSA
Anthropic, PBCAI model queries (Claude) for citation testingUSA
Google LLCAI model queries (Gemini) for citation testingUSA / EU
Perplexity AI, Inc.AI model queries (Perplexity) for citation testingUSA

The current authoritative sub-processor list is maintained on this page. Audit query content concerns the audited business and market and is not intended to include the Controller's personal contact data.

6. International transfers

Where personal data of EU/UK data subjects is transferred outside the EEA/UK, the parties rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum, together with supplementary measures as needed.

7. Security

CitePulse maintains technical and organizational measures appropriate to the risk, including encryption of data in transit, access controls, and data minimization. Further detail is provided on our Security page.

8. Personal data breaches

CitePulse will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and will provide information reasonably necessary for the Controller to meet its notification obligations.

9. Liability and precedence

This DPA is subject to the limitations of liability in the Terms of Service. In the event of conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.

10. Contact

GeoAI Solutions LLC, 30 N Gould St Ste N, Sheridan, WY 82801, USA. Data-protection contact: [email protected].