Data Processing Addendum
Last updated:
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”, the controller) and FixAEO (the processor; see the Imprint). It applies where FixAEO processes personal data on the Customer's behalf — most notably visitor data collected by the FixAEO analytics tag installed on the Customer's website. For data where FixAEO decides the purposes (e.g. your own account), FixAEO is the controller and the Privacy Policy governs.
1. Roles & scope
The Customer is the controller and FixAEO is the processor for “Customer Personal Data” processed to provide the Service. FixAEO processes Customer Personal Data only on the Customer's documented instructions, including those expressed through use of the Service, unless required by law (in which case we'll inform you where permitted).
2. Nature, purpose & duration
- Subject matter / purpose: providing AI-visibility analytics, including classifying AI-bot and AI-referred traffic to the Customer's site.
- Duration: for the term of the Customer's subscription, then deletion/return per section 8.
- Data subjects: visitors to the Customer's website.
- Categories of data: hashed/salted IP address, user agent, referrer, page path, and derived bot/engine classification. We do not require or request special-category data.
3. Confidentiality
FixAEO ensures that persons authorized to process Customer Personal Data are bound by confidentiality and process it only as needed to provide the Service.
4. Security
FixAEO maintains appropriate technical and organizational measures, including encryption in transit (TLS), encryption of sensitive stored tokens, access controls and least-privilege admin gating, IP hashing, and network/DDoS protection via our CDN. Measures may evolve provided protection is not materially reduced.
5. Subprocessors
The Customer authorizes FixAEO to engage the subprocessors listed on our Subprocessors page (hosting/CDN, email, payments, AI providers, etc.). FixAEO imposes data-protection obligations on subprocessors no less protective than this DPA and remains responsible for their performance. We'll give notice of intended changes so you can object on reasonable data-protection grounds.
6. Data-subject requests
Taking into account the nature of the processing, FixAEO assists the Customer with appropriate measures to respond to data-subject requests (access, deletion, correction, objection). If a data subject contacts FixAEO directly, we'll refer them to the Customer where the Customer is the controller.
7. Personal-data breaches
FixAEO notifies the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and provides information reasonably available to help the Customer meet its own notification obligations.
8. Deletion & return
On termination, FixAEO deletes Customer Personal Data within a reasonable period, except where retention is required by law. Account-level export and deletion are available self-serve in Settings.
9. Audits
FixAEO makes available information reasonably necessary to demonstrate compliance with this DPA and contributes to audits, including by providing relevant documentation, subject to reasonable confidentiality and frequency limits.
10. International transfers
Where Customer Personal Data is transferred outside the EEA/UK (e.g. to US-based subprocessors), the transfer relies on an appropriate safeguard such as the EU Standard Contractual Clauses (and the UK Addendum), which are incorporated by reference.
11. How to put this in place
For most customers, accepting the Terms incorporates this DPA. If your procurement process needs a counter-signed copy, email hello@fixaeo.com and we'll arrange it.