Document
Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Voyarank ("Voyarank," "we," "Processor") and the business that has accepted the Terms of Service ("Customer," "you," "Controller") (together, the "Parties"). The DPA applies to the extent that, in providing the Service, we process personal data on your behalf, where you are the controller and we are the processor under applicable data protection law (including the General Data Protection Regulation, the UK General Data Protection Regulation, the California Consumer Privacy Act, and analogous laws).
If there is a conflict between the Terms of Service and this DPA with respect to the processing of personal data, this DPA controls.
1. Definitions
Capitalized terms used but not defined in this DPA have the meaning given in the Terms of Service or in applicable data protection law. "Personal Data" means any information relating to an identified or identifiable natural person processed by Voyarank on Customer's behalf under the Terms. "Processing" has the meaning given in Article 4 of the GDPR. "Sub-processor" means any third party engaged by Voyarank that processes Personal Data in connection with the Service.
2. Roles and Responsibilities
The Parties acknowledge that Customer is the controller (and, where applicable, a "business" under the CCPA) of Personal Data submitted to the Service or generated through Customer's use of the Service in connection with Customer's end users. Voyarank is the processor (and, where applicable, a "service provider" under the CCPA) of such Personal Data and processes Personal Data only on Customer's documented instructions, except where applicable law requires otherwise.
In respect of Personal Data of Customer's own users (the individuals who log into voyarank.tech on Customer's behalf), Voyarank acts as an independent controller. The processing of that data is governed by Voyarank's Privacy Policy, not by this DPA.
3. Subject Matter, Nature, Purpose, and Duration
Subject matter and nature. Voyarank processes Personal Data to provide the Service to Customer, including search engine ranking measurement, AI visibility tracking, structured data generation, and content brief authoring.
Purpose. To deliver the Service as described in the Terms of Service, to maintain and improve the Service, to ensure security and availability, and to comply with applicable law.
Duration. Processing continues for the duration of Customer's subscription, plus the post-termination period during which data is retained as set out in the Privacy Policy and Section 12 of this DPA.
Categories of data subjects. Customer's end users (such as visitors to Customer's websites whose behavior or attributes are tracked through configurations Customer establishes in the Service).
Categories of Personal Data. As determined by Customer's configuration of the Service. Voyarank does not require Customer to submit special categories of Personal Data under Art. 9 GDPR or sensitive personal information under the CCPA, and Customer agrees not to do so without prior written agreement.
4. Customer Instructions
Voyarank processes Personal Data only on Customer's documented instructions, which include (a) the Terms of Service and this DPA, (b) Customer's configuration of the Service, and (c) any further written instructions Customer provides. If Voyarank believes an instruction violates applicable data protection law, Voyarank will inform Customer.
5. Confidentiality
Voyarank ensures that personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality, whether contractual or statutory.
6. Security Measures
Voyarank implements appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, taking into account the state of the art, the nature of the processing, and the risks to data subjects. Current measures include encryption of data in transit (TLS), hashing of authentication credentials, scoped access control to production systems, monitoring of access logs, regular security review of dependencies and infrastructure, and vendor due diligence for sub-processors. Specific measures may be updated from time to time consistent with industry practice.
7. Sub-processors
Customer authorizes Voyarank to engage the sub-processors listed in our Privacy Policy ("Sub-processors") to assist in providing the Service. Voyarank will impose data protection obligations on each Sub-processor that are no less protective than this DPA. Voyarank remains responsible to Customer for the acts and omissions of its Sub-processors.
Voyarank will notify Customer at least thirty days before adding or replacing a Sub-processor. Customer may object on reasonable data protection grounds within fifteen days of notice. If the objection cannot be resolved, Customer may terminate the Service with respect to the affected processing without penalty for the unused portion of the current billing period.
8. Data Subject Requests
Voyarank will, taking into account the nature of the processing, assist Customer through appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests from data subjects exercising their rights under applicable data protection law. If Voyarank receives a request directly from a data subject regarding Personal Data processed on Customer's behalf, Voyarank will, unless legally prohibited, promptly inform the data subject that the request should be directed to Customer and notify Customer of the request without undue delay.
9. Personal Data Breach Notification
Voyarank will notify Customer without undue delay, and in any event within seventy-two hours, after becoming aware of a Personal Data breach affecting Personal Data processed under this DPA. The notification will include the information reasonably available to Voyarank at the time, with updates provided as additional information becomes available. Voyarank will cooperate with Customer in good faith in connection with the breach, including providing reasonably requested information to allow Customer to fulfill its own breach notification obligations.
10. International Transfers
Voyarank and its Sub-processors are located in the United States. Voyarank does not currently offer the Service to users in the European Economic Area, Switzerland, or the United Kingdom. To the extent Customer (as the controller) routes Personal Data of data subjects in those regions through the Service in the course of Customer's own processing — for example, where Customer is a US-based business whose own end users include EEA or UK residents — the Parties will, at Customer's reasonable request, execute the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor, Commission Decision 2021/914) and the United Kingdom Information Commissioner's International Data Transfer Addendum to the extent required for Customer's specific use case, together with any Transfer Impact Assessment Customer requests Voyarank to support.
11. Audit Rights
Voyarank will make available to Customer, on reasonable written request and not more than once per calendar year except where required by applicable law or following a Personal Data breach, the information necessary to demonstrate compliance with this DPA. Information will be provided in the form of documentation, including (where available) third-party audit reports, security certifications, and policy summaries. Onsite audits are not contemplated at Voyarank's current scale; Voyarank will reasonably cooperate with documentation-based reviews instead.
12. Return and Deletion
On termination of the Terms of Service, Customer may export Personal Data through the in-product export functionality during the post-termination grace period described in the Privacy Policy. Following the grace period, Voyarank will delete or return Personal Data, except to the extent that retention is required by applicable law or to defend against legal claims. Retention of backups is on the regular backup rotation cycle.
13. Liability
The liability of each Party under this DPA is subject to the limitation of liability set out in the Terms of Service. Nothing in this DPA is intended to limit either Party's liability where such limitation is prohibited by applicable law.
14. Term and Termination
This DPA takes effect when Customer accepts the Terms of Service or signs a separate version of this DPA, and continues for the duration of the Terms. On termination, sections that by their nature should survive (including Sections 9, 12, and 13) survive.
15. Governing Law
This DPA is governed by the laws of Georgia, United States, consistent with the Terms of Service.
16. Order of Precedence
In the event of a conflict between this DPA, the Terms of Service, and any other agreement between the Parties: with respect to the processing of Personal Data, this DPA controls; with respect to all other matters, the Terms of Service control.
Contact
Privacy questions and DPA-specific correspondence: privacy@voyarank.tech.
Customer signature is not required for this DPA when accepted electronically through the Terms of Service. A countersigned version is available on request for procurement records.
End of document — Data Processing Addendum