DATA PROCESSING AGREEMENT (DPA)

Between:

G.M. POWERSOFT COMPUTER SOLUTIONS LIMITED

Leoforos Larnakos 39-41, 1046 Nicosia, Cyprus
Reg. No. 84900
(“Processor” or “We/Us/Our”)

The Customer using AI-SEOGen

(“Controller” or “You/Your”)

Last Updated: 01/12/2025

This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions governing your use of the AI-SEOGen service (“Service”) and reflects the parties’ agreement regarding the processing of personal data in accordance with Article 28 of the General Data Protection Regulation (EU 2016/679) (“GDPR”).

1. Subject Matter and Duration

This DPA governs the processing of personal data by the Processor on behalf of the Controller when the Controller uses the Service.

The DPA remains in effect for the duration of your use of the Service.

2. Nature and Purpose of Processing

Processing is carried out for the following purposes:

User account creation and authentication
Token purchases and billing
Communication and support
Security, fraud detection, and abuse prevention
Service operation, analytics, logs, and performance monitoring
Delivery of requested AI-based features (SEO text generation, image discovery)

Important: Product catalog data uploaded via CSV never leaves the user’s browser and is not processed or stored by the Processor.

3. Types of Personal Data Processed

Name, email, contact details
Company and billing data
IP addresses and device identifiers
Log data
Usage analytics
Support communication
Authentication tokens
Optional marketing preferences

Excluded: Product catalog data and CSV uploads (processed entirely client-side).

4. Categories of Data Subjects

Users of the Service
Employees or representatives of customer organizations
Billing contacts

5. Obligations of the Processor

We shall:

Process personal data only on documented instructions from the Controller, including use of the Service according to your account settings and user actions.
Ensure staff confidentiality through binding agreements.
Implement appropriate technical and organizational measures including:
- Encryption
- Access controls
- Secure hosting
- Monitoring and intrusion detection
- Regular security audits
- Data minimization practices
Engage sub-processors only as allowed under this DPA.
Assist the Controller in fulfilling GDPR obligations, including responding to data subject rights, security notifications, and impact assessments (if required).
Notify the Controller of personal data breaches without undue delay.

6. Obligations of the Controller

Ensure the legality of personal data provided
Maintain proper user authorizations
Not upload unlawful or special-category data
Secure your own systems, credentials, and access
Respond to data subject requests for your own data

7. Sub-Processing

We may use carefully selected sub-processors for:

Hosting
Analytics
Error tracking
Payment processing
Security services

All sub-processors operate under GDPR-compliant agreements.
A current list of sub-processors will be made available upon request.

8. International Transfers

We process personal data primarily within the EU/EEA.

Where transfers outside the EEA occur, they will be protected by:

EU adequacy decisions
Standard Contractual Clauses (SCCs)
Binding legal safeguards
Explicit consent where applicable

9. Security Measures

TLS encryption
Access control and role-based permissions
Logging and monitoring
Firewalls and DDoS protection
Secure development practices
Staff confidentiality training
Regular audits

10. Data Breach Notification

In the event of a confirmed data breach affecting your personal data, we will:

Notify you without undue delay
Provide known details
Assist with mitigation steps

11. Data Subject Rights

We assist the Controller in responding to:

Access requests
Deletion requests
Objections
Corrections
Portability

We will not respond directly to data subjects without your authorization unless required by law.

12. Return and Deletion of Data

Upon termination of the Service:
We delete or anonymize all personal data we process unless required by law to retain them.

13. Audit Rights

The Controller has the right to:

Request information necessary to demonstrate compliance
Perform audits (remotely and subject to reasonable limitations)

14. Liability

Liability under this DPA follows the limitations set forth in the Service Terms & Conditions.

15. Governing Law

This DPA is governed by the laws of Cyprus.
Disputes shall be resolved exclusively in Cypriot courts.

16. Incorporation Into Terms

This DPA is automatically incorporated into the Terms & Conditions.
Use of the Service constitutes acceptance of this DPA.

DATA PROCESSING AGREEMENT (DPA)

Between:

G.M. POWERSOFT COMPUTER SOLUTIONS LIMITED

Leoforos Larnakos 39-41, 1046 Nicosia, Cyprus
Reg. No. 84900
(“Processor” or “We/Us/Our”)

The Customer using AI-SEOGen

(“Controller” or “You/Your”)

Last Updated: 01/12/2025

2. Nature and Purpose of Processing

Processing is carried out for the following purposes:

User account creation and authentication

Token purchases and billing

Communication and support

Security, fraud detection, and abuse prevention

Service operation, analytics, logs, and performance monitoring

Delivery of requested AI-based features (SEO text generation, image discovery)

Important: Product catalog data uploaded via CSV never leaves the user’s browser and is not processed or stored by the Processor.

5. Obligations of the Processor

We shall:

Process personal data only on documented instructions from the Controller, including use of the Service according to your account settings and user actions.

Ensure staff confidentiality through binding agreements.

Implement appropriate technical and organizational measures including:

Encryption
Access controls
Secure hosting
Monitoring and intrusion detection
Regular security audits
Data minimization practices

Engage sub-processors only as allowed under this DPA.

Assist the Controller in fulfilling GDPR obligations, including responding to data subject rights, security notifications, and impact assessments (if required).

Notify the Controller of personal data breaches without undue delay.