Data Processing Agreement

Last Updated: January 10, 2026

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between xWisdoM ("Processor," "we," "our," or "us") and the customer ("Controller," "you," or "your") for the provision of the xWisdoM platform and services (the "Services").

This DPA applies to the extent that xWisdoM processes Personal Data on behalf of the Controller in the course of providing the Services. This DPA is designed to ensure compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

In the event of any conflict between this DPA and the main Agreement, the provisions of this DPA shall prevail with respect to data protection matters. Capitalized terms not defined herein shall have the meanings given to them in the Agreement.

2. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
  • "Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data, including GDPR, CCPA, and any other relevant privacy legislation.

3. Categories of Data and Processing Activities

3.1 Categories of Personal Data

The following categories of Personal Data may be Processed under this DPA:

  • Contact information (name, email address, phone number)
  • Account credentials and authentication data
  • Billing and payment information
  • Usage data and analytics
  • Device and browser information
  • IP addresses and geolocation data
  • Website content submitted for analysis
  • Communication records and support tickets
  • Any other data submitted by Controller through the Services

3.2 Categories of Data Subjects

Data Subjects may include:

  • Controller's employees, contractors, and representatives
  • Controller's customers and end users
  • Visitors to websites submitted for analysis
  • Any other individuals whose data is submitted through the Services

3.3 Nature and Purpose of Processing

Processing activities include:

  • Provision of AI visibility analysis and reporting services
  • Website crawling and content analysis
  • Answer Rate testing across AI models
  • Generation of optimization recommendations
  • Account management and customer support
  • Billing and payment processing
  • Service improvement and analytics
  • Security monitoring and fraud prevention

3.4 Duration of Processing

Processing shall continue for the duration of the Agreement and for such additional period as required by applicable law or as reasonably necessary to fulfill the purposes described herein. Upon termination, data shall be handled in accordance with Section 9 of this DPA.

4. Obligations of the Processor

xWisdoM, as Processor, agrees to:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to Process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Respect the conditions for engaging Sub-processors as set forth in this DPA
  • Assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws
  • Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations
  • Delete or return all Personal Data upon termination of the Agreement, unless retention is required by applicable law
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set forth herein
  • Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection laws

5. Obligations of the Controller

The Controller agrees to:

  • Ensure that the Processing of Personal Data has a valid legal basis under applicable data protection laws
  • Provide all required notices to and obtain all necessary consents from Data Subjects
  • Ensure that the Personal Data is accurate, complete, and up to date
  • Provide documented instructions to the Processor regarding the Processing of Personal Data
  • Comply with all applicable data protection laws in connection with the use of the Services
  • Not submit any special categories of Personal Data (sensitive data) unless expressly agreed in writing
  • Be responsible for the lawfulness of the Personal Data submitted to the Services
  • Promptly notify the Processor of any changes to applicable data protection laws that may affect the Processing

6. Security Measures

The Processor shall implement and maintain appropriate technical and organizational security measures, including but not limited to:

6.1 Technical Measures

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest using AES-256 or equivalent
  • Multi-factor authentication for system access
  • Firewalls and intrusion detection/prevention systems
  • Regular vulnerability assessments and penetration testing
  • Secure software development practices
  • Network segmentation and access controls
  • Automated monitoring and logging of system activities
  • Regular backup and disaster recovery procedures

6.2 Organizational Measures

  • Written security policies and procedures
  • Employee training on data protection and security
  • Background checks on personnel with access to Personal Data
  • Confidentiality agreements with all personnel
  • Role-based access controls and principle of least privilege
  • Incident response and management procedures
  • Regular security reviews and audits
  • Vendor management and due diligence programs

7. Sub-processors

7.1 Authorization

The Controller provides a general authorization for the Processor to engage Sub-processors for the Processing of Personal Data. The Processor shall maintain a list of current Sub-processors, which shall be made available to the Controller upon request.

7.2 Sub-processor Obligations

Before engaging any Sub-processor, the Processor shall:

  • Conduct due diligence to ensure the Sub-processor is capable of providing the level of data protection required
  • Enter into a written contract with the Sub-processor imposing data protection obligations substantially similar to those set forth in this DPA
  • Remain fully liable for the acts and omissions of its Sub-processors

7.3 Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors. The Controller may object to such changes within 14 days of notification. If no objection is received, the change shall be deemed approved.

7.4 Current Sub-processors

The Processor currently engages the following categories of Sub-processors:

  • Cloud infrastructure providers (hosting and data storage)
  • Payment processors (billing and subscription management)
  • Analytics providers (service improvement and usage analytics)
  • AI model providers (AI analysis and testing services)
  • Customer support tools (helpdesk and communication)
  • Email service providers (transactional and marketing emails)

8. Data Breach Notification

8.1 Notification to Controller

In the event of a Data Breach affecting Personal Data Processed under this DPA, the Processor shall notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach, including categories and approximate number of Data Subjects affected
  • The name and contact details of the Processor's data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

8.2 Cooperation

The Processor shall cooperate with the Controller in investigating, mitigating, and remediating any Data Breach. The Processor shall take reasonable steps to mitigate the effects of the breach and prevent further breaches.

8.3 Record Keeping

The Processor shall maintain a record of all Data Breaches, including the facts surrounding the breach, its effects, and the remedial action taken.

9. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to restriction of Processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making and profiling

The Processor shall promptly notify the Controller of any request received directly from a Data Subject and shall not respond to such requests directly except as instructed by the Controller.

10. International Data Transfers

The Processor may transfer Personal Data to countries outside the European Economic Area (EEA) or other jurisdictions with data transfer restrictions. Such transfers shall only occur:

  • To countries with an adequacy decision from the relevant supervisory authority
  • Subject to appropriate safeguards, such as standard contractual clauses approved by the European Commission
  • Where the Data Subject has provided explicit consent
  • Where the transfer is necessary for the performance of a contract
  • Where other legal grounds for transfer exist under applicable law

By entering into this DPA, the parties agree that transfers may occur as described herein and that the Standard Contractual Clauses (where applicable) are incorporated by reference.

11. Data Retention and Deletion

Upon termination of the Agreement or upon the Controller's written request, the Processor shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a commonly used format; or
  • Delete all Personal Data and certify such deletion in writing

The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor ensures the confidentiality of such data and Processes it only as necessary for compliance purposes.

The Controller acknowledges that deletion of data from backup systems may occur in accordance with the Processor's standard backup retention schedules.

12. Audits and Compliance

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  • The Controller shall provide reasonable advance notice of any audit (at least 30 days)
  • Audits shall be conducted during normal business hours and in a manner that minimizes disruption
  • The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance
  • Audit reports and findings shall be treated as confidential information
  • The Processor may require the Controller or auditor to execute a non-disclosure agreement

The Processor may satisfy audit requirements by providing third-party audit reports, certifications (such as SOC 2), or other documentation demonstrating compliance.

13. AI-Specific Processing Provisions

In connection with the AI-powered features of the Services, the following additional provisions apply:

13.1 AI Model Providers

The Services may utilize third-party AI models (such as GPT-4, Claude, Gemini, Perplexity) for analysis and testing. The Controller acknowledges that:

  • Data submitted for AI analysis may be processed by these third-party providers
  • Such providers act as Sub-processors and are bound by appropriate data protection terms
  • The Processor does not control how AI models generate outputs
  • AI-generated content may not be accurate or complete

13.2 Training Data

The Processor may use aggregated and anonymized data derived from the Services to improve AI models and algorithms. The Controller may opt out of such usage by providing written notice.

13.3 Automated Decision-Making

The Services do not engage in automated decision-making that produces legal effects or similarly significantly affects Data Subjects. All AI-generated outputs are advisory in nature and subject to human review.

14. CCPA Specific Provisions

To the extent that the California Consumer Privacy Act (CCPA) applies to the Processing of Personal Data under this DPA:

  • The Processor acts as a "Service Provider" as defined under the CCPA
  • The Processor shall not sell Personal Data or use it for any purpose other than providing the Services
  • The Processor shall not combine Personal Data with data from other sources except as permitted by the CCPA
  • The Processor shall assist the Controller in responding to consumer requests under the CCPA
  • The Processor certifies that it understands and will comply with the restrictions and obligations set forth herein

15. Liability and Indemnification

Each party shall be liable for damages caused by Processing that infringes applicable data protection laws or this DPA, subject to the limitations of liability set forth in the Agreement.

Where one party has paid compensation for damages resulting from the other party's non-compliance with applicable data protection laws or this DPA, the paying party shall be entitled to claim back from the other party the portion of compensation corresponding to the other party's part of responsibility for the damage.

The Controller shall indemnify the Processor for any damages, claims, or expenses arising from the Controller's breach of this DPA, its obligations under applicable data protection laws, or its instructions to the Processor that violate applicable law.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws determined at xWisdoM's sole discretion, without regard to conflict of law principles.

Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts in a venue selected solely by xWisdoM, regardless of your country of residence or where you access our Services. xWisdoM reserves the right to select the jurisdiction and venue for any disputes or legal proceedings at its sole discretion.

17. Amendments and Modifications

xWisdoM may update this DPA from time to time to reflect changes in our practices, applicable laws, or regulatory guidance. We will notify the Controller of any material changes and provide an opportunity to review before such changes become effective.

Continued use of the Services after any such changes constitutes acceptance of the modified DPA. If the Controller does not agree to the modified DPA, it may terminate the Agreement in accordance with its terms.

18. Contact Information

For questions or concerns regarding this Data Processing Agreement, please contact:

xWisdoM Data Protection Team

Email: dpa@xwisdom.ai

Data Protection Officer: dpo@xwisdom.ai

Legal Inquiries: legal@xwisdom.ai