Data Processing Agreement (DPA)

Draft, 2026

Draft template, pending legal review. This page is a starting point, not legal advice. Bracketed details and the governing terms must be completed and reviewed by a qualified lawyer before this is relied upon.

This Data Processing Agreement applies when Citanto processes personal data on behalf of a customer in the course of providing the service, and supplements the Terms of Service. It is written to Article 28 GDPR.

1. Roles

The customer is the data controller of the personal data contained in their websites, content and accounts. [Legal entity] acts as data processor and processes such data only on the customer's documented instructions, which are, in the first place, the configuration and use of the service itself.

2. Subject matter, duration, nature and purpose

Processing covers the operation of the Citanto service: auditing the customer's website, generating and deploying content the customer controls, measuring AI-assistant citations, maintaining aggregate AI-traffic counters, and producing reports. Processing lasts for the duration of the subscription plus the deletion period below.

3. Categories of data and data subjects

Typically limited, by design, to:

  • customer account data (name, email, organisation) — data subjects: the customer's users;
  • personal data appearing in the customer's website content or business profile (for example a named owner, a business address) — data subjects: the customer's staff;
  • site connection credentials the customer provides — treated as confidential secrets, see Security below.
  • The service's AI-traffic counters contain NO personal data of the customer's website visitors: no IP addresses, no cookies, no identifiers (aggregate counts only).

4. Sub-processors

The customer authorises the following sub-processors, used to run the service. Citanto will inform customers of intended changes and give them the opportunity to object:

  • Neon (database hosting);
  • Railway (application hosting);
  • Vercel (website hosting);
  • Stripe (payments);
  • WorkOS (authentication);
  • Anthropic (content generation);
  • OpenAI, Perplexity, Google (AI citation measurement, and generation where configured).

5. Security measures

Citanto implements, among others, the following technical measures:

  • strict tenant isolation enforced at the database layer (row-level security, enabled and forced on every tenant table);
  • site connection credentials encrypted at rest (AES-256-GCM) under keys derived per customer, never displayed back once stored, deletable at any time;
  • least-privilege access to customer platforms (for example a dedicated low-privilege WordPress role that cannot publish or touch the customer's own content);
  • encryption in transit (TLS) for all connections;
  • no collection of the customer's website visitors' personal data (aggregate counters only);
  • production boot checks that refuse to start with unsafe database roles or authentication configuration.

6. Confidentiality and personnel

Persons authorised to process personal data are bound by confidentiality obligations and access data only as needed to operate the service.

7. Assistance

Citanto assists the customer, insofar as possible, in responding to data subject requests (access, rectification, erasure, portability, objection) and in meeting the customer's obligations regarding security, breach notification and impact assessments.

8. Personal data breaches

Citanto notifies the customer without undue delay after becoming aware of a personal data breach affecting the customer's data, with the information reasonably available to help the customer meet their own notification duties.

9. Deletion and return

At the end of the subscription, Citanto deletes the customer's personal data within a reasonable period, unless law requires retention. On request before deletion, Citanto provides an export of the customer's service data.

10. Audits

Citanto makes available the information reasonably necessary to demonstrate compliance with this DPA, and allows for audits conducted in a manner proportionate to the service (documentation first, on reasonable notice, no more than once a year unless required by a supervisory authority).

11. International transfers

Where a sub-processor processes data outside the EEA, transfers rely on an adequacy decision or appropriate safeguards such as Standard Contractual Clauses.

12. Governing law and contact

This DPA is governed by the same law as the Terms of Service ([jurisdiction]). Questions: [contact email].

Bracketed details like [Legal entity], [registered address] and [contact email] must be completed by Citanto and reviewed by a qualified lawyer before this page is relied upon.