Data Processing Agreement (DPA)
Last updated: June 17, 2026
Effective date: June 17, 2026
Important: This Data Processing Agreement (DPA) applies to customers who subscribe to Semly Pro services and process personal data through our platform. It incorporates EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and UK International Data Transfer Agreement (IDTA A1.0) for international data transfers.
1. Definitions
In this DPA, capitalized terms have the following meanings:
- "Agreement" means the Semly Pro Terms of Service together with this DPA.
- "Controller" means the Customer (you), who determines the purposes and means of processing Personal Data.
- "Customer Data" means all data, including Personal Data, that Customer submits, uploads, or generates through the Services.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), UK GDPR, and the Dutch Implementation Act (UAVG).
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in applicable Data Protection Laws.
- "Processor" means Semly Pro (we/us), who processes Personal Data on behalf of the Controller.
- "Services" means the Semly Pro platform, including Content Gap Pro, Content Creation Pro, SEO Checklist Pro, AI Tracking Pro, CMS integrations, MCP server, and all related features.
- "Sub-processor" means any third party engaged by Semly Pro to process Personal Data on behalf of the Customer.
2. Scope and Roles
2.1 Data Processing Relationship
When you use Semly Pro Services to process personal data (such as end-user analytics, SEO data, or content related to individuals), you act as the Controller and we act as your Processor. This DPA governs our processing of Personal Data on your behalf.
2.2 Subject Matter and Duration
This DPA applies to all Personal Data processed through the Services for the duration of your subscription and for the retention period specified in Section 7 below.
2.3 Nature and Purpose of Processing
We process Personal Data to provide you with:
- SEO analytics and reporting (including Google Analytics 4 and Search Console data)
- AI-powered content generation based on your instructions
- Website crawling and content gap analysis
- CMS integration and publishing services
- AI visibility tracking across ChatGPT, Claude, Perplexity, and Google Gemini
- Customer support and service optimization
2.4 Categories of Data Subjects
Data subjects may include:
- Your website visitors and end-users
- Your customers or clients (if processing their data through our Services)
- Your employees or team members
- Any other individuals whose data you process through the Services
2.5 Types of Personal Data
Personal Data processed may include:
- Website analytics data (IP addresses, user behavior, session data)
- Search console data (search queries, click data, impressions)
- Content data (articles, blog posts, marketing materials)
- CMS account credentials (encrypted)
- OAuth tokens for third-party integrations
- Any personal data you include in content, prompts, or uploaded files
3. Processor Obligations
3.1 Processing Instructions
We will process Personal Data only in accordance with your documented instructions through your use of the Services, unless required to do so by EU or Member State law. If we are required by law to process data beyond your instructions, we will inform you of that legal requirement before processing, unless prohibited by law.
3.2 Confidentiality
We ensure that all persons authorized to process Personal Data are subject to confidentiality obligations, whether by contract or statutory duty.
3.3 Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: AES-256-GCM encryption for sensitive credentials (CMS tokens, API keys) at rest
- Authentication: Argon2 password hashing, JWT-based session management, multi-factor authentication support
- Access controls: Role-based access control (RBAC), organization-scoped data isolation, least-privilege principles
- Network security: HTTPS-only connections, TLS 1.3 for data in transit
- Infrastructure: Hosting on Vercel with SOC 2 Type II certified infrastructure
- Database security: Supabase PostgreSQL with encryption at rest, automated backups, connection pooling
- Monitoring: Sentry for error tracking, Axiom for security logs, automated threat detection
- Incident response: 72-hour breach notification procedures per GDPR Article 33
3.4 Sub-processors
You authorize us to engage Sub-processors to process Personal Data on your behalf, subject to the conditions in this Section 3.4 and our Sub-processors List.
Current Sub-processors: See our comprehensive Sub-processors List which includes infrastructure providers (Vercel, Supabase), AI providers (Anthropic, OpenAI, Azure, Google), analytics services (Google Analytics 4, Google Search Console), and monitoring tools (Sentry, Axiom).
Sub-processor Requirements: We ensure that:
- Each Sub-processor is bound by written contractual obligations at least as protective as this DPA
- Sub-processors comply with GDPR Article 28(3) and (4) requirements
- We remain fully liable to you for Sub-processor performance
Changes to Sub-processors: We will provide you with at least 30 calendar days advance notice before adding or replacing any Sub-processor. Notice will be sent to your registered email address and posted on our Sub-processors List page.
Objection Rights: If you have legitimate data protection concerns about a new Sub-processor, you may object in writing within 14 days of receiving notice. If we cannot accommodate your objection, you may terminate the affected Services without penalty.
3.5 Data Subject Rights
We will assist you in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing you with the necessary tools and documentation. You are responsible for responding to such requests within the timeframes required by Data Protection Laws.
Our platform provides self-service tools for common data subject requests. For complex requests, contact us at privacy@semlypro.com.
3.6 Data Protection Impact Assessments
We will provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent such assistance is required under Data Protection Laws and the information is available to us.
3.7 Personal Data Breach Notification
We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
Breach notifications will be sent to your registered email address. You remain responsible for notifying affected data subjects and supervisory authorities as required by Data Protection Laws.
3.8 Deletion and Return of Data
Upon termination of the Services, we will delete or return all Personal Data at your choice, unless EU or Member State law requires continued storage. You may export your data at any time through the platform's export features.
3.9 Audit Rights
We will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable notice and confidentiality obligations.
In lieu of direct audits, we provide:
- Annual SOC 2 Type II reports (from our infrastructure provider Vercel)
- Security questionnaires and documentation upon request
- Third-party penetration test results (subject to NDA)
4. International Data Transfers
4.1 Data Storage Location
Personal Data is primarily stored in the Asia-Pacific South region (ap-south-1, Mumbai, India) on Supabase PostgreSQL infrastructure. Some Sub-processors may process or store data in other regions as detailed in our Sub-processors List.
4.2 Transfer Mechanisms
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without an adequacy decision, we rely on the following mechanisms:
4.2.1 EU Standard Contractual Clauses (SCCs)
The EU Standard Contractual Clauses (Module 2: Controller-to-Processor) adopted by the European Commission Decision 2021/914 are hereby incorporated into this DPA by reference and apply to all transfers of Personal Data from the EEA to third countries.
The SCCs Module 2 terms are available at: EUR-Lex 2021/914
For the purposes of the SCCs Module 2:
- Data exporter: You (the Customer), as the Controller
- Data importer: Semly Pro, as the Processor
- Clause 7 (Docking Clause): Applies; parties not signatory to the SCCs may accede to them
- Clause 9 (Sub-processing): Option 2 (general written authorization) applies with 30 days advance notice
- Clause 11 (Redress): Data subjects may lodge complaints with competent supervisory authorities
- Clause 17 (Governing law): The laws of the Netherlands apply
- Clause 18 (Dispute resolution): Courts of Amsterdam, Netherlands have jurisdiction
- Annex I: See Sections 2.3-2.5 above for processing details
- Annex II: See Section 3.3 above for technical and organizational measures
- Annex III: See our Sub-processors List
4.2.2 UK International Data Transfer Agreement (IDTA)
The UK International Data Transfer Agreement (IDTA) version A1.0 issued by the UK Information Commissioner's Office on February 2, 2022, is hereby incorporated into this DPA by reference and applies to all transfers of Personal Data from the United Kingdom to third countries.
The UK IDTA A1.0 terms are available at: ICO IDTA Guidance
For the purposes of the UK IDTA:
- Exporter: You (the Customer)
- Importer: Semly Pro
- Selected modules: Table 2 and Table 3 apply
- Governing law: The laws of England and Wales apply to the UK IDTA
- Tables 1-4: See corresponding sections in this DPA and the EU SCCs annexes
4.2.3 Automatic Updates
If the European Commission, UK ICO, or Swiss FDPIC adopt new or revised standard contractual clauses, data transfer agreements, or adequacy decisions, those mechanisms will automatically apply to this DPA 30 days after adoption, unless you object in writing within that period.
4.3 Transfer Impact Assessment
We have conducted a Transfer Impact Assessment (TIA) for data transfers to third countries in accordance with EDPB Recommendations 01/2020. Based on this assessment:
- Our primary infrastructure providers (Vercel, Supabase) are certified under recognized privacy frameworks
- We have implemented supplementary measures including encryption, access controls, and contractual protections
- We have assessed the laws of recipient countries and determined that they do not impinge on the effectiveness of appropriate safeguards
A summary of our TIA is available upon request to enterprise customers.
5. Liability and Indemnification
5.1 Processor Liability
We are fully liable for the performance of our Sub-processors as if it were our own performance under this DPA.
5.2 Limitation of Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the Semly Pro Terms of Service, except that liability for data breaches caused by our gross negligence or willful misconduct is not limited.
5.3 Indemnification
You agree to indemnify us against claims arising from your processing instructions that violate Data Protection Laws or third-party rights.
6. Customer Responsibilities
As the Controller, you are responsible for:
- Determining the lawful basis for processing Personal Data under Data Protection Laws
- Obtaining necessary consents from data subjects where required
- Providing privacy notices to data subjects as required by Data Protection Laws
- Ensuring the accuracy of Personal Data you submit to the Services
- Responding to data subject requests within required timeframes
- Notifying supervisory authorities and data subjects of breaches as required by Data Protection Laws
- Configuring the Services in accordance with Data Protection Laws (e.g., cookie consent settings, data retention policies)
- Reviewing and approving AI-generated content before publishing to ensure compliance with privacy and accuracy obligations
7. Data Retention and Deletion
7.1 Retention Period
We retain Personal Data for the duration of your subscription plus 90 days thereafter to allow for account recovery and billing reconciliation, unless you request earlier deletion or unless a longer retention period is required by law.
7.2 Deletion Procedures
You may delete your data at any time through the platform's deletion features. Upon account termination, we will:
- Delete all Personal Data from production databases within 30 days
- Delete all backup copies within 90 days
- Retain only anonymized, aggregated data for analytics and service improvement
7.3 Legal Holds
We may retain Personal Data longer if required by legal hold, litigation, investigation, or regulatory requirement. We will notify you if such retention is necessary.
8. Specific Processing Activities
8.1 AI Content Generation
When you use our AI-powered content generation features, we process your prompts and instructions through third-party AI providers (Anthropic Claude, OpenAI GPT, Azure OpenAI, Google Gemini) acting as our Sub-processors.
Important: Do not include sensitive personal data (special categories under GDPR Article 9) in AI prompts unless you have obtained explicit consent from data subjects. We are not liable for Personal Data you choose to include in AI prompts.
Our AI providers have committed not to use your data for model training. See our Sub-processors List for their data processing terms.
8.2 Google Analytics Integration
When you connect Google Analytics 4 to the Services, we process analytics data (including IP addresses and user behavior) on your behalf. We have enabled IP anonymization and restricted data sharing settings in accordance with GDPR requirements.
You remain responsible for:
- Obtaining consent from website visitors for analytics cookies where required
- Providing privacy notices that disclose Google Analytics usage
- Executing a Data Processing Amendment with Google if required by your data protection authority
8.3 CMS Integrations
When you integrate third-party CMS platforms (WordPress, Sanity, Contentful, etc.), we store your encrypted credentials and process content data as your Processor. The CMS providers act as independent controllers or processors depending on your relationship with them.
You are responsible for ensuring that your CMS provider agreements include appropriate data protection terms.
9. Supervisory Authority and Data Subject Rights
9.1 Supervisory Authority
For EU/EEA customers, the competent supervisory authority is the data protection authority in your Member State. For Netherlands-based customers, this is the Autoriteit Persoonsgegevens (Dutch DPA).
For UK customers, the competent supervisory authority is the UK Information Commissioner's Office (ICO).
9.2 Data Subject Rights Assistance
We provide the following tools and assistance for data subject rights:
- Access: Self-service data export in JSON, CSV, and PDF formats
- Rectification: Edit features for all user-editable data
- Erasure: Account deletion and data purge features
- Restriction: Data retention policy configuration
- Portability: Machine-readable export in JSON format
- Objection: Opt-out features for marketing and non-essential processing
For requests we cannot fulfill through self-service tools, contact us at privacy@semlypro.com. We will respond within 30 days as required by GDPR Article 12(3).
10. Changes to this DPA
We may update this DPA from time to time to reflect changes in Data Protection Laws, Sub-processors, or our data processing practices. We will notify you of material changes at least 30 days in advance by email and by posting a notice on our platform.
Your continued use of the Services after the effective date of changes constitutes acceptance of the updated DPA. If you do not agree to the changes, you may terminate your subscription without penalty within 30 days of receiving notice.
11. Contact and DPO
For questions about this DPA or to exercise your data protection rights, contact:
Semly Pro Data Protection
Email: privacy@semlypro.com
DPO Email: dpo@semlypro.com
Address: Amsterdam, Netherlands
Note: This DPA is effective immediately for all existing and new customers. By continuing to use Semly Pro Services, you agree to the terms of this DPA. If you have questions or need a signed copy for your records, please contact legal@semlypro.com.
Related legal documents:
Privacy Policy | Terms of Service | Sub-processors List | Security Practices