SEO Gets Data Processing Agreement

Thank you for using SEO Gets.

SEO Gets turns the Google Search Console and Google Analytics 4 data you connect into prioritization, tracking, and reporting for your SEO work. We take the trust you place in us with that data seriously, and we process it securely and transparently.

This Data Processing Agreement (“DPA”) is an addendum to the SEO Gets Terms of Service available at https://seogets.com/terms (the “Agreement”) between SEO Gets LLC (“SEO Gets,” “we,” “us”) and the customer (“you,” “Customer”). It applies to Customer Data processed by SEO Gets on your behalf in connection with your use of the service.

If you are accepting this DPA on behalf of an organization, you warrant that: (a) you have full legal authority to bind that organization to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of that organization, to this DPA.

1. DEFINITIONS

“Data Protection Laws” means all laws and regulations applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR and the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, and the California Consumer Privacy Act as amended (“CCPA”), in each case as amended or replaced from time to time.

“Customer Data” means the personal data contained in the Google Search Console and Google Analytics 4 data that you connect to, and authorize SEO Gets to access through, the service, and which SEO Gets processes on your behalf. Customer Data does not include the account, contact, and billing information you provide to set up and pay for your SEO Gets account, which we process as a controller under our Privacy Policy (https://seogets.com/privacy).

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914.

“Subprocessor” means any third party engaged by SEO Gets to process Customer Data in connection with the service.

The terms “controller,” “processor,” “data subject,” “personal data,” “processing,” and “personal data breach” have the meanings given in the GDPR.

2. ROLES OF THE PARTIES

For Customer Data, you are the controller (or a processor acting on behalf of your own customer) and SEO Gets is the processor (or, where you are a processor, the subprocessor). Each party will comply with its obligations under Data Protection Laws.

You are responsible for determining that you have a lawful basis to connect the relevant Google Search Console and GA4 properties to the service and to have SEO Gets process the associated Customer Data, for providing any required privacy notices to data subjects, and for responding to data subjects exercising their rights.

3. SCOPE AND PURPOSE OF PROCESSING

SEO Gets processes Customer Data only:

• to provide, maintain, secure, and support the service;
• in accordance with your documented instructions, which include this DPA, the Agreement, and your configuration and use of the service (for example, which properties you connect, the reports and content groups you create, and the recipients you share reports with); and
• as required by applicable law, in which case we will inform you of that requirement before processing unless the law prohibits it.

SEO Gets will not process Customer Data for any other purpose, and in particular will not sell Customer Data or “share” it for cross-context behavioral advertising (as those terms are defined under the CCPA). We will notify you without undue delay if we believe an instruction infringes Data Protection Laws.

By default, SEO Gets accesses your Google Search Console data on demand and does not retain it; if you revoke SEO Gets’ access, we no longer hold data about your connected sites. SEO Gets retains connected data beyond an active session only where you enable the optional, paid Extended Storage add-on, for as long as that subscription is active. From Google Analytics 4, SEO Gets retrieves aggregated reporting metrics through the GA4 Data API and does not ingest user-level session data or Client IDs.

The details of processing — categories of data subjects, categories of personal data, nature and purpose of processing, and duration — are set out in Annex 1.

4. CONFIDENTIALITY

SEO Gets ensures that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations and access Customer Data only where necessary to provide, maintain, secure, or support the service.

5. SECURITY

SEO Gets implements and maintains appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing. These measures are described in Annex 2 and may be updated over time provided the level of protection is not materially reduced.

6. PERSONAL DATA BREACHES

SEO Gets will notify you without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Data. The notification will describe, to the extent known, the nature of the breach, its likely consequences, and the measures taken or proposed to address it. SEO Gets will take reasonable steps to mitigate the breach and cooperate with you in your own notification obligations.

7. SUBPROCESSORS

You provide a general authorization for SEO Gets to engage Subprocessors to process Customer Data. The current Subprocessors are listed in Annex 3. Each Subprocessor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA, and SEO Gets remains responsible for its Subprocessors’ performance.

SEO Gets will notify you of any intended addition or replacement of a Subprocessor by email or in-app notification at least thirty (30) days before the change takes effect, giving you the opportunity to object on reasonable data protection grounds. If you object and the parties cannot agree on a resolution, you may terminate the affected portion of the service.

8. INTERNATIONAL DATA TRANSFERS

SEO Gets processes and stores Customer Data in the United States. Where Customer Data is subject to the GDPR, UK GDPR, or Swiss data protection law and is transferred to SEO Gets in the United States, the transfer is governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference and completed as follows:

• Module Two (controller to processor) applies where you are a controller; Module Three (processor to subprocessor) applies where you act as a processor for your own customer.
• In Clause 7, the optional docking clause applies.
• In Clause 9, Option 2 (general written authorization) applies, with the notice period in Section 7 of this DPA.
• In Clause 11, the optional language is deleted.
• In Clause 17, the SCCs are governed by the law of the Republic of Ireland; in Clause 18(b), disputes are resolved before the courts of Ireland.
• The Annexes of the SCCs are populated with the information in Annexes 1–3 of this DPA.

For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs applies and is incorporated by reference; Table 4 is completed as “neither party.” For transfers subject to Swiss law, references in the SCCs to the GDPR are read as references to the Swiss FADP, references to EU member state law are read as Swiss law, and the competent authority is the Swiss Federal Data Protection and Information Commissioner.

Where SEO Gets is certified under the EU-US Data Privacy Framework (and its UK and Swiss extensions), that certification applies to the relevant transfers; in all cases the Standard Contractual Clauses apply as described above.

9. ASSISTANCE WITH YOUR OBLIGATIONS

Taking into account the nature of the processing and the information available to it, SEO Gets will provide reasonable assistance to help you:

• respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). If a data subject contacts SEO Gets directly regarding Customer Data, we will forward the request to you without undue delay; and
• meet your obligations to keep Customer Data secure, notify breaches, and carry out data protection impact assessments and prior consultations under Articles 32–36 GDPR.

10. DELETION AND RETURN OF DATA

You can delete connected properties, reports, and your account at any time through the service. On termination of the Agreement, or on your written instruction, SEO Gets will delete or return Customer Data within a reasonable period and delete existing copies, except where retention is required by applicable law. Deletion through the service is permanent and irreversible.

11. AUDIT

SEO Gets will make available to you the information reasonably necessary to demonstrate compliance with this DPA, including summaries of our security measures and responses to reasonable security questionnaires from Enterprise customers (contact security@seogets.com). SEO Gets does not currently hold ISO 27001 or SOC 2 certification. Where the information we provide is not sufficient, you may request an audit no more than once in any twelve (12) month period, on reasonable prior written notice, conducted during business hours, subject to confidentiality obligations, and in a manner that does not unduly disrupt the service. SEO Gets may charge a reasonable fee for assistance with audits that go beyond providing existing documentation.

12. LIABILITY

Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Each party indemnifies the other against third-party claims to the extent arising from that party’s breach of this DPA. Nothing in this DPA limits any liability that cannot be limited under applicable law.

13. TERM, GOVERNING LAW, AND CHANGES

This DPA takes effect when you accept the Agreement or begin using the service, and remains in effect for as long as SEO Gets processes Customer Data on your behalf. Confidentiality obligations survive termination. This DPA is governed by the laws of the State of Delaware, United States, except that the SCCs are governed as stated in Section 8. We may update this DPA from time to time; material changes will be notified through the service or by email, and your continued use after the effective date constitutes acceptance.

14. ACCEPTANCE

Use of the service constitutes acceptance of this DPA. No separate signature is required. If your organization requires a counter-signed copy, contact us at the address below.

15. CONTACT

Questions about this DPA can be sent to privacy@seogets.com. Security questionnaires and reviews: security@seogets.com.

ANNEX 1 — DETAILS OF PROCESSING

Subject matter: Provision of the SEO Gets analytics and reporting service.

Duration: Google Search Console data is processed on demand and, by default, is not retained beyond the active session; it is retained only where the Extended Storage add-on is enabled, for the duration of that subscription. Google Analytics 4 data is processed for the term of the Agreement. In all cases, Customer Data is deleted or returned in accordance with Section 10.

Nature and purpose of processing: Accessing, organizing, analyzing, and presenting the Google Search Console and Google Analytics 4 data you connect, in order to surface SEO priorities, track performance and content groups, generate alerts, and produce reports that you and the recipients you designate can view. SEO Gets retrieves aggregated reporting metrics from the GA4 Data API and does not ingest user-level session data or Client IDs.

Categories of data subjects: Visitors to, and users of, the websites and properties you connect to the service, whose interactions are reflected in the connected Google Search Console and GA4 data.

Categories of personal data: SEO Gets processes the aggregated and dimensioned analytics data made available through the Google Search Console and Google Analytics 4 APIs. This may include, to the extent present in that data:

• online and pseudonymous identifiers and event/measurement data;
• approximate geographic location (e.g., country, region, city) derived by Google;
• device, browser, operating system, and other technical information;
• page URLs, landing pages, referral and traffic-source data; and
• search queries, which Google generally anonymizes but which may in limited cases contain personal data entered by a data subject.

SEO Gets does not request or process special categories of personal data, and asks that you do not connect properties whose data is intended to include them.

ANNEX 2 — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

• Hosting and storage. Customer Data is stored using Google Cloud (infrastructure and managed database). Data is stored in the United States.
• Data minimization and retention. By default, SEO Gets does not store Google Search Console site data; it is accessed on demand and is no longer held once access is revoked. GSC data is retained only where the customer enables the optional Extended Storage add-on. From GA4, only aggregated reporting metrics are retrieved — not user-level session data or Client IDs.
• Encryption. Sensitive data is encrypted in transit and at rest. SEO Gets accesses connected Google Search Console and GA4 properties via Google OAuth scopes granted by the customer and never receives the customer’s Google account password.
• Access control. Access to production systems and Customer Data is limited to SEO Gets’ two principals on a need-to-know basis. Accounts are protected with Single Sign-On (SSO) and Multi-Factor Authentication (MFA).
• Segregation. Customer Data is logically segregated by account so that each customer can access only its own data.
• Backups. Database backups are maintained at the managed-database provider level to support recovery.
• Vendor management. Subprocessors are bound by data protection terms no less protective than this DPA (see Annex 3).
• Certifications. SEO Gets does not currently hold ISO 27001 or SOC 2 certification. SEO Gets will respond to reasonable security questionnaires from Enterprise customers on request (security@seogets.com).

ANNEX 3 — LIST OF SUBPROCESSORS

Last updated: June 2026

SEO Gets LLC, Delaware, USA