Data Processing Agreement
Our comprehensive DPA ensures GDPR compliance and data protection for enterprise customers
DPA Overview
1. Definitions
For the purposes of this Data Processing Agreement (DPA):
- "Controller" means the entity that determines the purposes and means of processing Personal Data.
- "Processor" means OmniGanic AB, which processes Personal Data on behalf of the Controller.
- "Personal Data" has the meaning given in Article 4(1) of the GDPR.
- "Processing" has the meaning given in Article 4(2) of the GDPR.
- "Data Subject" has the meaning given in Article 4(1) of the GDPR.
- "Services" means OmniGanic's SEO and AEO optimization platform.
2. Data Processing Details
Categories of Data Subjects
- • Website visitors
- • Customer employees
- • End users of customer websites
- • Analytics data subjects
Categories of Personal Data
- • Website analytics data
- • IP addresses
- • User behavior metrics
- • Technical performance data
Purpose of Processing
Processing is limited to providing SEO and AEO optimization services, including website performance analysis, search engine optimization, and AI visibility enhancement as specified in the main service agreement.
Processing Duration
Processing will continue for the duration of the service agreement and up to 30 days after termination for backup and recovery purposes, unless longer retention is required by law or requested by the Controller.
3. Processor Obligations
Processing Instructions
OmniGanic will process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries or international organizations.
Personnel Obligations
OmniGanic ensures that persons authorized to process Personal Data have committed themselves to confidentiality and have received appropriate training on data protection requirements.
Technical and Organizational Measures
OmniGanic implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- • Encryption of Personal Data in transit and at rest
- • Regular security assessments and penetration testing
- • Access controls and authentication mechanisms
- • Data backup and disaster recovery procedures
- • Incident response and breach notification procedures
4. Sub-processors
The Controller provides general authorization for OmniGanic to engage sub-processors. Current sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Content delivery and security | USA (with Standard Contractual Clauses) |
| Google Cloud Platform | Infrastructure and analytics | EU (data residency controlled) |
| MongoDB Atlas | Database services | EU (Frankfurt region) |
Sub-processor Changes
OmniGanic will notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance.
5. Data Subject Rights
OmniGanic will assist the Controller in fulfilling its obligations to respond to requests for exercising data subject rights, including:
Access and Portability
Right to access and data portability requests
Rectification
Correction of inaccurate Personal Data
Erasure
Deletion of Personal Data when required
Restriction
Limitation of processing activities
6. Security Breach Notification
OmniGanic will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and in any event within 24 hours.
Breach notification will include:
- • Description of the nature of the breach
- • Categories and approximate number of data subjects concerned
- • Categories and approximate number of Personal Data records concerned
- • Likely consequences of the breach
- • Measures taken or proposed to address the breach
7. International Data Transfers
Any transfer of Personal Data to third countries or international organizations will only take place with appropriate safeguards in accordance with GDPR Articles 44-49.
Transfer mechanisms include:
- • European Commission adequacy decisions
- • Standard Contractual Clauses (SCCs)
- • Binding Corporate Rules where applicable
- • Certification mechanisms when available
8. Return and Deletion of Data
Upon termination of the services, OmniGanic will, at the choice of the Controller, return or delete all Personal Data and existing copies unless retention is required by applicable law.
Termination process:
- • 30-day notice period for data return/deletion
- • Secure data export options available
- • Certification of deletion upon request
- • Backup data deleted within 90 days
Contact Information
Data Protection Officer
Email: dpo@omniganic.ai
Response time: Within 72 hours
Legal Department
Email: legal@omniganic.ai
Phone: +46 8 123 456 789
This DPA is governed by Swedish law and forms an integral part of our service agreement.