Data Processing Agreement
Last updated: June 17, 2026
This Data Processing Agreement ("DPA") forms part of and is incorporated into the AskRank Terms of Service between you (the "Customer" or "Controller") and Supafast Tech ("AskRank", "Processor"). It governs the processing of personal data by AskRank on behalf of the Customer, as required by the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
This DPA applies automatically to all Customer accounts. By using AskRank, you agree to this DPA on behalf of yourself and, where applicable, your organization.
1. Definitions
- "Personal Data" - any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Processing" - any operation performed on Personal Data, as defined in Article 4(2) GDPR.
- "Controller" - the entity that determines the purposes and means of processing Personal Data (the Customer).
- "Processor" - the entity that processes Personal Data on behalf of the Controller (AskRank).
- "Sub-processor" - a third party engaged by the Processor to assist in processing Personal Data.
- "Data Subject" - an identified or identifiable natural person whose Personal Data is processed.
2. Subject matter and duration
AskRank processes Personal Data on behalf of the Customer for the purpose of providing the AskRank AI visibility tracking service, as described in the Terms of Service. This DPA is effective for the duration of the Customer's use of the Service and terminates upon account deletion or termination of the Terms of Service.
3. Nature and purpose of processing
3.1 Categories of Personal Data processed
- Account identifiers: email address, name (if provided).
- Brand and domain data entered by the Customer.
- Usage data: dashboard actions, feature usage, session identifiers.
- Technical data: IP addresses, browser type (in logs and error reports).
- Billing data: Stripe customer ID, subscription status (no card data stored).
3.2 Categories of Data Subjects
- Customer employees and users who access the AskRank dashboard.
- End users whose data may be incidentally included in brand monitoring queries.
3.3 Purpose of processing
Processing is carried out solely to: (a) provide and maintain the Service, (b) send product alerts and notifications, (c) process billing, (d) monitor for errors and security incidents, and (e) comply with legal obligations. AskRank does not process Personal Data for its own commercial purposes beyond this scope.
4. Obligations of AskRank as Processor
AskRank agrees to:
- Process Personal Data only on documented instructions from the Customer (as expressed in the Terms of Service and this DPA), unless required by applicable law.
- Ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in Section 7.
- Not engage Sub-processors without Customer authorization (see Section 6 for the pre-authorized list).
- Assist the Customer in responding to Data Subject requests to exercise their GDPR rights, to the extent technically feasible.
- Notify the Customer without undue delay (and within 72 hours where feasible) after becoming aware of a Personal Data breach.
- At the Customer's choice, delete or return all Personal Data upon termination of the Service.
- Make available to the Customer all information necessary to demonstrate compliance with GDPR obligations and allow for audits, subject to reasonable confidentiality protections.
5. Obligations of the Customer as Controller
The Customer agrees to:
- Ensure there is a lawful basis for any Personal Data shared with or processed via AskRank.
- Provide necessary privacy notices to Data Subjects whose data may be processed through the Service.
- Not instruct AskRank to process Personal Data in a way that violates applicable law.
- Promptly notify AskRank of any Data Subject requests or regulatory inquiries that relate to the Service.
6. Sub-processors
The Customer grants AskRank general authorization to engage the following sub-processors. AskRank will notify the Customer of any intended changes (additions or replacements) with at least 14 days notice, giving the Customer the opportunity to object.
| Sub-processor | Location | Purpose |
|---|---|---|
| Stripe, Inc. | USA | Payment processing |
| OpenAI, L.L.C. | USA | LLM API for ChatGPT queries |
| Anthropic, PBC | USA | LLM API for Claude queries |
| Perplexity AI, Inc. | USA | LLM API for Perplexity queries and citation tracking |
| Google LLC | USA / EEA | LLM API for Gemini queries |
| ActiveCampaign, LLC (Postmark) | USA | Transactional email delivery |
| Sentry, Inc. | USA | Error monitoring and crash reporting |
| PostHog, Inc. | Self-hosted (EU) | Product analytics |
| Amazon Web Services | EU (eu-central-1) | Archive storage (S3) |
AskRank ensures each sub-processor is bound by data protection obligations substantially equivalent to those in this DPA, via written agreements including Standard Contractual Clauses where required for international data transfers.
7. Security measures
AskRank implements the following technical and organizational measures to protect Personal Data:
- Encryption in transit (TLS 1.2 or higher) for all data transferred to and from the Service.
- Encryption at rest for databases and archive storage.
- Role-based access controls limiting employee access to Personal Data on a need-to-know basis.
- Regular security reviews and dependency auditing.
- Intrusion detection and error monitoring via Sentry.
- Automated database backups with encryption.
- Password policies and multi-factor authentication for internal systems.
8. Data subject rights
Where AskRank receives a request directly from a Data Subject exercising their GDPR rights (access, rectification, erasure, portability, restriction, objection), AskRank will forward the request to the Customer without undue delay if the Customer is the appropriate Controller. AskRank will provide reasonable technical assistance to enable the Customer to fulfill such requests.
9. Data transfers
Where Personal Data is transferred to countries outside the EEA that do not provide an adequate level of protection under GDPR, such transfers are made subject to the EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), incorporated herein by reference, or another valid transfer mechanism approved by the relevant supervisory authority.
10. Breach notification
AskRank will notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of a Personal Data breach affecting data processed under this DPA. The notification will include all information required by Article 33(3) GDPR that is available at the time. AskRank will cooperate with the Customer in investigating and mitigating the breach.
11. Audit rights
The Customer may, upon reasonable notice (not less than 30 days) and at most once per calendar year, request an audit of AskRank's data processing practices. AskRank may satisfy this obligation by providing relevant third-party certifications, audit reports, or other documentation demonstrating compliance. Audits shall be conducted at the Customer's expense and subject to reasonable confidentiality protections.
12. Return and deletion of data
Upon termination of the Service or upon request, AskRank will delete or return all Personal Data processed under this DPA within 30 days, except where retention is required by applicable law. AskRank will provide written confirmation of deletion upon request.
13. Governing law
This DPA is governed by the same law as the AskRank Terms of Service, supplemented by GDPR obligations to the extent they apply. The parties submit to the jurisdiction of the competent courts specified in the Terms of Service for any disputes arising from this DPA.
14. Contact and requests
For DPA-related inquiries, Data Subject requests forwarded to us, or to request a signed copy of this DPA, contact:
Email: privacy@askairank.com
Website: askairank.com