Data Processing Agreement · Effective April 13, 2026

The DPA between Crawlux and you.

Standard processor obligations, complete subprocessor list, security measures, breach notification timelines and audit rights. Forms part of the terms of service automatically. No separate signature needed for standard tiers.

DPA key facts

10 · Disclosed subprocessors
72h · Breach notification SLA
30d · Subprocessor change notice
90d · Data export window
SCCs · For all third-country transfers
Section 01
// Defined terms

Definitions

Terms used throughout this DPA. The definitions align with the GDPR (Regulation 2016/679) and UK Data Protection Act 2018 where applicable. Where this DPA conflicts with general terms of service, this DPA governs.

Term: Meaning in this DPA

Controller: The customer. Determines what personal data is submitted for audit and the purposes for processing.
Processor: Crawlux. Processes personal data on the customer's behalf per documented audit instructions.
Subprocessor: Third parties engaged by Crawlux to support audit processing (data providers, infrastructure, AI models).
Personal data: Information identifying or relating to an identifiable natural person, as defined by GDPR Article 4.
Data subject: The natural person to whom personal data relates.
Processing: Any operation on personal data: collection, storage, modification, retrieval, transmission or deletion.
Personal data breach: A security incident leading to accidental or unlawful destruction, loss, alteration or disclosure of personal data.
SCCs: Standard Contractual Clauses adopted by EU Commission Decision 2021/914 for third-country data transfers.
Section 02
// Processing scope

What Crawlux processes and why

Audit processing is bounded by what the customer submits and by the documented audit purpose. Crawlux does not process personal data outside this scope without separate documented instructions.

01

Subject matter

Automated SEO and AEO audit of customer-submitted domains. Includes technical SEO analysis, schema validation, AI engine citation testing and authority signal measurement.

02

Duration

Processing continues for the term of the customer agreement plus 90 days for data export, then permanent deletion within 14 additional days. Backup retention up to 90 days post-deletion.

03

Categories of personal data

Account email and name. Audited domain content (which may incidentally contain personal data published by the customer). Author bylines. Public author profiles linked from audited content.

04

Categories of data subjects

Customer's own personnel (account holders). Authors named in the audited domain content. Public-facing professionals identified in author profiles. Crawlux does not process special category data per GDPR Article 9.

Lawful basis is the customer's responsibility

The customer (controller) determines the lawful basis for processing personal data submitted via audited domains. Crawlux processes that data on the customer's instructions. Customers must ensure they have a lawful basis under GDPR Article 6 before submitting.

Section 03
// Authorized subprocessors

Subprocessor list

Complete list of subprocessors engaged by Crawlux. Each entry shows purpose, region and the transfer mechanism for any third-country transfers. New subprocessors are announced 30 days before deployment via the changelog and email to active accounts.

Amazon Web Services

Primary infrastructure hosting (compute, storage, networking, KMS).

Region: EU Primary · Transfer mechanism: SCCs · Category: Infrastructure

Stripe

Payment processing for Pro and Team tier purchases. PCI DSS Level 1 certified.

Region: US · Transfer mechanism: SCCs · Category: Payments

DataForSEO

Backlink data, ranking data and SERP analysis used in audit modules.

Region: US · Transfer mechanism: SCCs · Category: Audit data

CoinGecko

Token market data (price, volume, market cap) for token schema validation.

Region: SG · Transfer mechanism: SCCs · Category: Market data

DefiLlama

TVL data and protocol metrics for DeFi-specific audit modules.

Region: Global API · Transfer mechanism: Public data · Category: On-chain data

Anthropic

Claude API for AI analysis components (intent classification, citation testing).

Region: US · Transfer mechanism: SCCs · Category: AI processing

OpenAI

ChatGPT API for AI engine citation testing component of AEO audit.

Region: US · Transfer mechanism: SCCs · Category: AI testing

Perplexity

Perplexity API for AI engine citation testing component of AEO audit.

Region: US · Transfer mechanism: SCCs · Category: AI testing

Google PageSpeed Insights

Page speed metrics and Core Web Vitals data for technical SEO module.

Region: US · Transfer mechanism: SCCs · Category: Performance

Brevo

Newsletter delivery, double opt-in confirmation emails and marketing email broadcasts to subscribers.

Region: EU (France) · Transfer mechanism: EU primary · Category: Marketing email

Postmark

Transactional email delivery (account verification, audit completion, receipts).

Region: EU Region · Transfer mechanism: EU-resident · Category: Email delivery

Right to object to subprocessor changes

Customers have 30 days to object to new subprocessors before they are deployed. Unresolved objections give the customer the right to terminate with a pro-rated refund. Subprocessor changes are announced via changelog and email to active accounts.

Section 04
// Article 32 measures

Technical and organizational security measures

The processor maintains technical and organizational measures appropriate to the risk per GDPR Article 32. Full details are in the security policy. The summary below maps each Article 32 element to the implementation.

Art. 32(1)(a)

Pseudonymization and encryption

AES-256 at rest, TLS 1.3 in transit. AWS KMS managed keys. Customer-isolated envelope encryption for API keys and webhook secrets. Implemented across all data tiers.

Art. 32(1)(b)

Confidentiality and integrity

VPC isolation. WAF and DDoS protection. Authenticated routes with session tokens. CSRF tokens for state-changing operations. Input validation at every API boundary.

Art. 32(1)(c)

Availability and resilience

Cross-region backup replication (eu-west-1 primary, eu-central-1 backup). Documented incident response process. RTO 4 hours for critical services. RPO 24 hours for production data.

Art. 32(1)(d)

Regular testing

Quarterly internal security reviews. Annual external penetration testing. Vulnerability disclosure program with severity-tied response targets. Detection rules updated post-incident.

Art. 32(2)

Risk assessment

Annual risk assessment covering threat landscape, breach probability and potential impact. Mitigations prioritized by combined likelihood-and-impact score. Reviewed quarterly between full assessments.

Art. 32(4)

Personnel obligations

All personnel processing personal data sign confidentiality agreements. Background checks for production access roles. Documented onboarding and offboarding procedures with access review at each step.

Section 05
// Article 33 obligations

Breach notification timeline

If Crawlux confirms a personal data breach affecting customer data, notification follows the timeline below. The 72-hour clock starts when Crawlux confirms the breach, not when it is first detected. Initial notifications may be incomplete; detailed reports follow.

T+0 · Detection: Automated monitoring or external report flags a potential incident. Investigation begins immediately.
T+1h · Containment: Affected systems isolated. Compromised credentials revoked. Forensic state preserved.
T+4h · Confirmation: Investigation determines whether a personal data breach actually occurred. 72-hour clock starts here.
T+72h · Customer notification: Initial notification to affected customers via account email and any DPA-specified addresses.
T+14d · Detailed report: Full incident report with timeline, scope, root cause, remediation steps and recommendations.
T+30d · Closure report: Post-incident review with implemented changes and verification of remediation effectiveness.

Customer obligations under Article 33

As controller, the customer is responsible for notifying the supervisory authority within 72 hours of becoming aware of a breach. Crawlux notification triggers the customer's clock. Customers should have a documented incident response procedure and regulator contact ready.

Section 06
// Article 28(3)(h) audit rights

Audit rights

Customers have the right to verify Crawlux compliance with this DPA. Two paths are available: the standard option (annual attestation reports) and the negotiated option (customer-initiated audits for Enterprise contracts).

Standard

Annual attestation reports

Available now: AWS SOC 2 Type II, ISO 27001 attestations covering inherited infrastructure controls. In progress: Crawlux SOC 2 Type II target Q4 2026. Reports requested via [email protected] under NDA.

Enterprise

Customer-initiated audits

Negotiable for Enterprise tier contracts. Requirements: 30 days advance notice, NDA in place, audit at customer cost, scoped to compliance with this DPA. Cannot disrupt service operations.

The following are not subject to customer audit because doing so would compromise other customers' security or expose proprietary methodology:

  • Other customers' data, infrastructure or audit configurations
  • Proprietary methodology calibration data and weight tables
  • Internal personnel records beyond what is needed to verify the audit role
  • Source code outside of components specifically relevant to the DPA
  • Third-party subprocessor infrastructure (audit those providers separately)

Section 07
// Article 28(3)(e)

Data subject requests

The customer is the controller and is responsible for responding to data subject requests. Crawlux supports the customer in fulfilling these requests as the processor.

5d

Forwarding window

If a data subject contacts Crawlux directly with a request that should be handled by the customer, we forward it to the customer within 5 business days and notify the data subject of the forward.

10d

Processor support window

When the customer needs Crawlux help to fulfill a data subject request (data export, deletion, rectification), we respond within 10 business days. Standard requests are typically handled faster; complex ones may require an extension.

$0

Reasonable support included

Reasonable support is included in standard subscription pricing. Excessive or repetitive requests may incur per-request fees disclosed in advance. Bad-faith requests may be declined per GDPR Article 12(5).

Section 08
// Article 28(3)(g)

Return and deletion on termination

On termination of the customer agreement, customer personal data is deleted according to the timeline below. A deletion certification can be requested in writing.

T+0 · Termination: Subscription ends. Account moves to read-only mode for data export.
T+90d · Export window ends: Customer must export data via API or dashboard within 90 days. Read-only access removed.
T+104d · Production deletion: All customer personal data deleted from production systems within 14 days after the export window.
T+194d · Backup deletion: Backup copies aged out within 90 days of production deletion. No residual customer data remains.
On request · Deletion certification: Written certification of deletion provided on request via [email protected] after T+194d.

Section 09
// Chapter V transfers

International data transfers

Some subprocessors are located outside the EEA and UK. Transfers to those providers are governed by Standard Contractual Clauses incorporated by reference into this DPA.

SCCs

Standard Contractual Clauses

EU Commission Decision 2021/914 SCCs apply to all transfers from the EEA to third countries. UK Addendum applies to transfers from the UK. SCCs incorporated by reference and binding without separate signature.

TIA

Transfer impact assessments

For each third-country subprocessor, Crawlux conducts a transfer impact assessment evaluating local law impact on the protections offered by SCCs. Supplementary measures applied where TIA identifies gaps.

// DPA FAQ

Common DPA questions

Six questions covering DPA acceptance, controller and processor roles, subprocessor objections, breach handling, audit rights and termination data handling.

Do I need a separate DPA with Crawlux?

No. By accepting the Crawlux terms of service, you accept the DPA as an integrated part of the service agreement. The DPA forms part of the contract automatically. Enterprise customers requiring a signed standalone DPA can request one via [email protected].

Who is the controller and who is the processor?

The customer is the data controller and determines what personal data is submitted for audit. Crawlux is the data processor and processes the submitted data on the customer's instructions per the audit purpose. This applies to all standard tier customers including Free, Pro, Team and Enterprise.

Can I object to a subprocessor?

Yes. New subprocessors are announced 30 days before deployment. During the 30-day window, you can object via [email protected]. If your objection cannot be resolved, you have the right to terminate your subscription with a pro-rated refund. Active subscriptions can review the current subprocessor list at any time.

How do you handle data breach notifications?

Confirmed breaches affecting customer personal data trigger notification within 72 hours of confirmation. Initial notification covers what we know, what we are doing and what customers should do. A detailed report follows within 14 days. Notification goes to the contact email on the account plus any DPA-specified addresses.

Can I audit Crawlux as a processor?

Yes. The standard option is the annual SOC 2 Type II attestation report (target completion Q4 2026, AWS attestation available now). Enterprise contracts can negotiate customer-initiated audits. Customer-initiated audits require an NDA, occur at customer cost and are scheduled with 30 days notice. We do not permit unannounced audits.

What happens to my data if I terminate?

On termination, you have 90 days to export your data via the API or dashboard. After 90 days, all customer personal data is permanently deleted from production systems within 14 additional days. Backup copies are deleted within 90 days of production deletion. A deletion certification can be requested via [email protected].

DPA inquiries
// Contact

Contact for DPA matters

Standalone signed DPAs, subprocessor objections, audit requests, breach notifications and any DPA-specific questions go to the legal team.

For privacy-specific matters, see the privacy policy. For security details, see the security policy. For service terms, see the terms of service.

Read the GDPR Addendum next

The GDPR Addendum covers GDPR-specific commitments that supplement this DPA. Lawful basis matrix, data subject rights, supervisory authority and ePrivacy alignment.

DPA v1.0 · Effective April 13, 2026 · 10 disclosed subprocessors · 72h breach SLA