Semly Pro

Data Processing Agreement (DPA)

Last updated: June 17, 2026

Effective date: June 17, 2026

Important: This Data Processing Agreement (DPA) applies to customers who subscribe to Semly Pro services and process personal data through our platform. It incorporates EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and UK International Data Transfer Agreement (IDTA A1.0) for international data transfers.

1. Definitions

In this DPA, capitalized terms have the following meanings:

2. Scope and Roles

2.1 Data Processing Relationship

When you use Semly Pro Services to process personal data (such as end-user analytics, SEO data, or content related to individuals), you act as the Controller and we act as your Processor. This DPA governs our processing of Personal Data on your behalf.

2.2 Subject Matter and Duration

This DPA applies to all Personal Data processed through the Services for the duration of your subscription and for the retention period specified in Section 7 below.

2.3 Nature and Purpose of Processing

We process Personal Data to provide you with:

2.4 Categories of Data Subjects

Data subjects may include:

2.5 Types of Personal Data

Personal Data processed may include:

3. Processor Obligations

3.1 Processing Instructions

We will process Personal Data only in accordance with your documented instructions through your use of the Services, unless required to do so by EU or Member State law. If we are required by law to process data beyond your instructions, we will inform you of that legal requirement before processing, unless prohibited by law.

3.2 Confidentiality

We ensure that all persons authorized to process Personal Data are subject to confidentiality obligations, whether by contract or statutory duty.

3.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

3.4 Sub-processors

You authorize us to engage Sub-processors to process Personal Data on your behalf, subject to the conditions in this Section 3.4 and our Sub-processors List.

Current Sub-processors: See our comprehensive Sub-processors List which includes infrastructure providers (Vercel, Supabase), AI providers (Anthropic, OpenAI, Azure, Google), analytics services (Google Analytics 4, Google Search Console), and monitoring tools (Sentry, Axiom).

Sub-processor Requirements: We ensure that:

Changes to Sub-processors: We will provide you with at least 30 calendar days advance notice before adding or replacing any Sub-processor. Notice will be sent to your registered email address and posted on our Sub-processors List page.

Objection Rights: If you have legitimate data protection concerns about a new Sub-processor, you may object in writing within 14 days of receiving notice. If we cannot accommodate your objection, you may terminate the affected Services without penalty.

3.5 Data Subject Rights

We will assist you in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing you with the necessary tools and documentation. You are responsible for responding to such requests within the timeframes required by Data Protection Laws.

Our platform provides self-service tools for common data subject requests. For complex requests, contact us at privacy@semlypro.com.

3.6 Data Protection Impact Assessments

We will provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent such assistance is required under Data Protection Laws and the information is available to us.

3.7 Personal Data Breach Notification

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data. The notification will include:

Breach notifications will be sent to your registered email address. You remain responsible for notifying affected data subjects and supervisory authorities as required by Data Protection Laws.

3.8 Deletion and Return of Data

Upon termination of the Services, we will delete or return all Personal Data at your choice, unless EU or Member State law requires continued storage. You may export your data at any time through the platform's export features.

3.9 Audit Rights

We will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable notice and confidentiality obligations.

In lieu of direct audits, we provide:

4. International Data Transfers

4.1 Data Storage Location

Personal Data is primarily stored in the Asia-Pacific South region (ap-south-1, Mumbai, India) on Supabase PostgreSQL infrastructure. Some Sub-processors may process or store data in other regions as detailed in our Sub-processors List.

4.2 Transfer Mechanisms

For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without an adequacy decision, we rely on the following mechanisms:

4.2.1 EU Standard Contractual Clauses (SCCs)

The EU Standard Contractual Clauses (Module 2: Controller-to-Processor) adopted by the European Commission Decision 2021/914 are hereby incorporated into this DPA by reference and apply to all transfers of Personal Data from the EEA to third countries.

The SCCs Module 2 terms are available at: EUR-Lex 2021/914

For the purposes of the SCCs Module 2:

4.2.2 UK International Data Transfer Agreement (IDTA)

The UK International Data Transfer Agreement (IDTA) version A1.0 issued by the UK Information Commissioner's Office on February 2, 2022, is hereby incorporated into this DPA by reference and applies to all transfers of Personal Data from the United Kingdom to third countries.

The UK IDTA A1.0 terms are available at: ICO IDTA Guidance

For the purposes of the UK IDTA:

4.2.3 Automatic Updates

If the European Commission, UK ICO, or Swiss FDPIC adopt new or revised standard contractual clauses, data transfer agreements, or adequacy decisions, those mechanisms will automatically apply to this DPA 30 days after adoption, unless you object in writing within that period.

4.3 Transfer Impact Assessment

We have conducted a Transfer Impact Assessment (TIA) for data transfers to third countries in accordance with EDPB Recommendations 01/2020. Based on this assessment:

A summary of our TIA is available upon request to enterprise customers.

5. Liability and Indemnification

5.1 Processor Liability

We are fully liable for the performance of our Sub-processors as if it were our own performance under this DPA.

5.2 Limitation of Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Semly Pro Terms of Service, except that liability for data breaches caused by our gross negligence or willful misconduct is not limited.

5.3 Indemnification

You agree to indemnify us against claims arising from your processing instructions that violate Data Protection Laws or third-party rights.

6. Customer Responsibilities

As the Controller, you are responsible for:

7. Data Retention and Deletion

7.1 Retention Period

We retain Personal Data for the duration of your subscription plus 90 days thereafter to allow for account recovery and billing reconciliation, unless you request earlier deletion or unless a longer retention period is required by law.

7.2 Deletion Procedures

You may delete your data at any time through the platform's deletion features. Upon account termination, we will:

7.3 Legal Holds

We may retain Personal Data longer if required by legal hold, litigation, investigation, or regulatory requirement. We will notify you if such retention is necessary.

8. Specific Processing Activities

8.1 AI Content Generation

When you use our AI-powered content generation features, we process your prompts and instructions through third-party AI providers (Anthropic Claude, OpenAI GPT, Azure OpenAI, Google Gemini) acting as our Sub-processors.

Important: Do not include sensitive personal data (special categories under GDPR Article 9) in AI prompts unless you have obtained explicit consent from data subjects. We are not liable for Personal Data you choose to include in AI prompts.

Our AI providers have committed not to use your data for model training. See our Sub-processors List for their data processing terms.

8.2 Google Analytics Integration

When you connect Google Analytics 4 to the Services, we process analytics data (including IP addresses and user behavior) on your behalf. We have enabled IP anonymization and restricted data sharing settings in accordance with GDPR requirements.

You remain responsible for:

8.3 CMS Integrations

When you integrate third-party CMS platforms (WordPress, Sanity, Contentful, etc.), we store your encrypted credentials and process content data as your Processor. The CMS providers act as independent controllers or processors depending on your relationship with them.

You are responsible for ensuring that your CMS provider agreements include appropriate data protection terms.

9. Supervisory Authority and Data Subject Rights

9.1 Supervisory Authority

For EU/EEA customers, the competent supervisory authority is the data protection authority in your Member State. For Netherlands-based customers, this is the Autoriteit Persoonsgegevens (Dutch DPA).

For UK customers, the competent supervisory authority is the UK Information Commissioner's Office (ICO).

9.2 Data Subject Rights Assistance

We provide the following tools and assistance for data subject rights:

For requests we cannot fulfill through self-service tools, contact us at privacy@semlypro.com. We will respond within 30 days as required by GDPR Article 12(3).

10. Changes to this DPA

We may update this DPA from time to time to reflect changes in Data Protection Laws, Sub-processors, or our data processing practices. We will notify you of material changes at least 30 days in advance by email and by posting a notice on our platform.

Your continued use of the Services after the effective date of changes constitutes acceptance of the updated DPA. If you do not agree to the changes, you may terminate your subscription without penalty within 30 days of receiving notice.

11. Contact and DPO

For questions about this DPA or to exercise your data protection rights, contact:

Semly Pro Data Protection

Email: privacy@semlypro.com

DPO Email: dpo@semlypro.com

Address: Amsterdam, Netherlands

Note: This DPA is effective immediately for all existing and new customers. By continuing to use Semly Pro Services, you agree to the terms of this DPA. If you have questions or need a signed copy for your records, please contact legal@semlypro.com.


Related legal documents:
Privacy Policy | Terms of Service | Sub-processors List | Security Practices