Notice.
This document is plain-English, industry-standard SaaS language adapted for Aeoniti's product. It is binding once you sign up. It is not a substitute for independent legal advice. Enterprise customers signing contracts above $50K/yr should have their own counsel review this and may negotiate amendments — email [email protected].
How to execute this DPA. This DPA is effective without a signature for Team+ tier customers — your continued use of the service constitutes acceptance, and this published version is binding on us as the data processor. Enterprise customers requiring a counter-signed copy on letterhead can request one at [email protected] — we'll return signed within 5 business days. Negotiated amendments for contracts above $50K/yr are accommodated.
1. Parties & scope
Processor: Aeoniti, operated by Networkers Home, Mumbai, India ("we", "us"). Controller: the customer organization holding the account ("you"). This DPA applies whenever you process personal data of identifiable individuals through the Aeoniti service.
For most Aeoniti use (tracking your own brand mentions in AI search), little personal data is involved beyond your own account credentials. The DPA matters most when you connect Google Search Console (which exposes search-query data) or upload customer/competitor data into onboarding.
2. Subject matter, duration, nature, purpose
| Item | Detail |
| --- | --- |
| Subject matter | Personal data you submit to or generate via the Aeoniti service (account info, integration tokens, scraped page contents, LLM probe responses) |
| Duration | For the term of your subscription, plus 30 days for export, plus 90 days backup expiry |
| Nature of processing | Storage, retrieval, analysis, transmission to sub-processors as listed in §6 of the Privacy Policy |
| Purpose | To provide the SEO + AEO + AI-citation tracking service you contracted for |
| Categories of data subjects | Your employees who use the dashboard; users whose search-query data appears in Google Search Console exports you upload; individuals whose names appear in scraped public web pages |
| Categories of personal data | Names, email addresses, IP addresses, search queries, OAuth tokens (encrypted), publicly-scraped page content. No special-category data (no health, biometric, criminal-record, etc.) is intentionally processed. |
3. Our obligations as processor
We will:
- Process personal data only on your documented instructions (the subscription itself + any feature configuration you set + any specific written instructions to [email protected])
- Ensure persons authorized to process the data are bound by confidentiality (employment contracts + sub-processor agreements)
- Implement the technical + organizational security measures listed in §10 of the Privacy Policy + Annex A below
- Engage sub-processors only with general written authorization (the list in §6 of the Privacy Policy is your authorization for the named sub-processors)
- Notify you 30 days in advance of any new material sub-processor (via the in-product changelog + an email to your account contact)
- Assist you in fulfilling data-subject rights requests within reasonable timelines
- Assist you with your own DPIA, security investigations, and regulatory inquiries on request
- On termination of your subscription, return your data via the export API or delete it as you instruct
- Make available all information necessary to demonstrate compliance with this DPA + allow audits as defined in §6
4. Personal data breach notification
If we become aware of a personal data breach affecting your data, we'll notify you without undue delay and in any case within 72 hours of confirmation. The notification will include:
- Description of the breach (categories + approximate number of data subjects affected)
- Likely consequences
- Measures we've taken or propose to take to address it + mitigate adverse effects
- Contact point for further information ([email protected])
Notification will go to the email on file for your account's billing contact. Maintain that contact accurately.
5. International data transfers
Some sub-processors are based in the United States (full list in §6 of the Privacy Policy). For transfers from EU/UK/Switzerland to the US, we rely on:
- Standard Contractual Clauses (SCCs) — module 3 (processor to sub-processor)
- Where applicable, the EU-US Data Privacy Framework (DPF) for sub-processors that have certified to it
- UK International Data Transfer Addendum + Swiss FDPIC equivalents as appropriate
The SCCs are incorporated by reference into this DPA. Module 3 (processor-to-processor) applies between Aeoniti and our sub-processors.
6. Audit rights
Once per 12-month period, you may audit our compliance with this DPA, by either:
- Reviewing our SOC 2 Type II report — once issued (Q1 2027), this will satisfy audit obligations for most customers
- Submitting a security questionnaire — we respond to all reasonable industry-standard questionnaires (CAIQ, SIG Lite, custom) within 14 days
- On-site audit — by mutual agreement, with 30 days' notice, at your cost. Limited to 2 working days. Conducted under NDA. The auditor must be a neutral third party, not a competitor of Aeoniti.
For more frequent audits or audits triggered by a regulator, we work with you in good faith to accommodate.
7. Data subject rights
You are responsible for fulfilling data subject rights as the controller. We'll assist by:
- Providing technical means for data export (the API at any tier)
- Deleting on request via the dashboard or via written request to [email protected]
- Forwarding rights requests we receive directly from your end-users to your account contact within 5 business days, so you can respond as the controller
If a data subject contacts us directly we'll route them to you and acknowledge to them that you are the controller.
8. Term & termination
This DPA remains in force as long as we process your personal data — that is, for the term of your subscription + the deletion/export periods in §2.
9. Liability & remedies
Each party's liability for breach of this DPA is governed by the liability cap in the Terms of Service. The exception: liability for unlawful processing under GDPR Article 82 cannot be capped below the statutory minimum.
10. Conflict
If this DPA conflicts with the Terms of Service, this DPA prevails for matters of personal data processing.
Annex A — Technical & organizational security measures (TOMs)
Access control:
- Argon2id password hashing for customer accounts
- JWT session cookies (HttpOnly, Secure, SameSite=Lax)
- CSRF tokens on every state-changing request
- Production secrets stored in environment files with 0600 permissions, never committed to git
- SSH access to production VMs limited to a small founder/operator list, key-based only, fail2ban'd
Data isolation:
- Postgres row-level security (RLS) policies on every multi-tenant table — enforced at the database engine, not application layer
- Per-tenant agency_id session variable set at every transaction; impossible to query across tenants without admin sentinel
- Sub-processor data never crosses tenants: each customer's keywords go to their own DataForSEO/spider request, never batched across customers
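The engine-enforced isolation pattern described above, as an added illustration rather than Aeoniti's actual schema: the table name `keywords`, the role `app_user` and the session-variable name `app.agency_id` are assumptions, and the page's "admin sentinel" is not modelled here.

```sql
-- Added example (not Aeoniti's code): Postgres RLS keyed on a per-transaction
-- tenant variable. Table, role and variable names are assumed for illustration.
CREATE TABLE keywords (
    id        bigserial PRIMARY KEY,
    agency_id bigint NOT NULL,
    keyword   text   NOT NULL
);

-- Turn RLS on, and FORCE it so even the table owner is subject to the policy.
ALTER TABLE keywords ENABLE ROW LEVEL SECURITY;
ALTER TABLE keywords FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK): a row is visible or
-- writable only when its agency_id matches the tenant set on this transaction.
CREATE POLICY tenant_isolation ON keywords
    USING      (agency_id = current_setting('app.agency_id', true)::bigint)
    WITH CHECK (agency_id = current_setting('app.agency_id', true)::bigint);

-- The application connects as a role with no BYPASSRLS privilege (assumed name).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON keywords TO app_user;

-- Per transaction: pin the tenant with SET LOCAL so it cannot leak past COMMIT.
BEGIN;
SET LOCAL app.agency_id = '42';
INSERT INTO keywords (agency_id, keyword) VALUES (42, 'ai search visibility');
SELECT * FROM keywords;          -- returns only agency 42's rows
COMMIT;

-- Fail-closed check: with no tenant set, current_setting(..., true) yields NULL,
-- the comparison is NULL (treated as false), and the SELECT returns zero rows
-- instead of every tenant's data.
BEGIN;
SELECT count(*) FROM keywords;   -- 0 for app_user when app.agency_id is unset
COMMIT;
```

A superuser or a role created with BYPASSRLS is not subject to the policy, so the application role must hold neither; that is what "enforced at the database engine, not application layer" depends on.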
Encryption:
- TLS 1.3 for all client-server traffic; HSTS preload-listed
- TLS for all sub-processor connections
- AES-256-GCM at rest for sensitive tokens (Google Search Console OAuth refresh tokens)
- Daily encrypted backups to a separate region (Frankfurt as of 2026-05-10)
Operational security:
- Rate limiting + WAF at Cloudflare edge
- Cost cap circuit breakers on all paid third-party APIs (cost > cap = service degrades to honest "pending" rather than runaway billing)
- Daily backups, retained 90 days
- Documented incident-recovery runbook (RECOVERY.md on production VM)
- Mean time to recovery target: 15 minutes for known failure modes; 60 minutes for unknown
Personnel:
- All personnel with production access bound by confidentiality clauses in employment contracts
- Access removed within 24 hours of role change or termination
Sub-processor management:
- Each sub-processor has SOC 2 Type II or equivalent certification
- Each sub-processor has its own DPA with us, including SCCs where data crosses jurisdictions
- Annual review of sub-processor security posture; documented in our internal compliance log