Data Processing Agreement (DPA)
Draft, 2026
This Data Processing Agreement applies when Citanto processes personal data on behalf of a customer in the course of providing the service, and supplements the Terms of Service. It is written to Article 28 GDPR.
1. Roles
The customer is the data controller of the personal data contained in their websites, content and accounts. [Legal entity] acts as data processor and processes such data only on the customer's documented instructions, which are, in the first place, the configuration and use of the service itself.
2. Subject matter, duration, nature and purpose
Processing covers the operation of the Citanto service: auditing the customer's website, generating and deploying content the customer controls, measuring AI-assistant citations, maintaining aggregate AI-traffic counters, and producing reports. Processing lasts for the duration of the subscription plus the deletion period below.
3. Categories of data and data subjects
Typically limited, by design, to:
- customer account data (name, email, organisation) — data subjects: the customer's users;
- personal data appearing in the customer's website content or business profile (for example a named owner, a business address) — data subjects: the customer's staff;
- site connection credentials the customer provides — treated as confidential secrets, see Security below.
- The service's AI-traffic counters contain NO personal data of the customer's website visitors: no IP addresses, no cookies, no identifiers (aggregate counts only).
4. Sub-processors
The customer authorises the following sub-processors, used to run the service. Citanto will inform customers of intended changes and give them the opportunity to object:
- Neon (database hosting);
- Railway (application hosting);
- Vercel (website hosting);
- Stripe (payments);
- WorkOS (authentication);
- Anthropic (content generation);
- OpenAI, Perplexity, Google (AI citation measurement, and generation where configured).
5. Security measures
Citanto implements, among others, the following technical measures:
- strict tenant isolation enforced at the database layer (row-level security, enabled and forced on every tenant table);
- site connection credentials encrypted at rest (AES-256-GCM) under keys derived per customer, never displayed back once stored, deletable at any time;
- least-privilege access to customer platforms (for example a dedicated low-privilege WordPress role that cannot publish or touch the customer's own content);
- encryption in transit (TLS) for all connections;
- no collection of the customer's website visitors' personal data (aggregate counters only);
- production boot checks that refuse to start with unsafe database roles or authentication configuration.
6. Confidentiality and personnel
Persons authorised to process personal data are bound by confidentiality obligations and access data only as needed to operate the service.
7. Assistance
Citanto assists the customer, insofar as possible, in responding to data subject requests (access, rectification, erasure, portability, objection) and in meeting the customer's obligations regarding security, breach notification and impact assessments.
8. Personal data breaches
Citanto notifies the customer without undue delay after becoming aware of a personal data breach affecting the customer's data, with the information reasonably available to help the customer meet their own notification duties.
9. Deletion and return
At the end of the subscription, Citanto deletes the customer's personal data within a reasonable period, unless law requires retention. On request before deletion, Citanto provides an export of the customer's service data.
10. Audits
Citanto makes available the information reasonably necessary to demonstrate compliance with this DPA, and allows for audits conducted in a manner proportionate to the service (documentation first, on reasonable notice, no more than once a year unless required by a supervisory authority).
11. International transfers
Where a sub-processor processes data outside the EEA, transfers rely on an adequacy decision or appropriate safeguards such as Standard Contractual Clauses.
12. Governing law and contact
This DPA is governed by the same law as the Terms of Service ([jurisdiction]). Questions: [contact email].
Bracketed details like [Legal entity], [registered address] and [contact email] must be completed by Citanto and reviewed by a qualified lawyer before this page is relied upon.