Data Processing Agreement
Last updated: April 23, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Top Viso INC ("Data Processor," "we," "us," or "our") and the entity or individual agreeing to these terms ("Data Controller," "you," or "your"). This DPA applies to the extent that we process Personal Data on your behalf in connection with providing our Services, as defined in the Agreement.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by us on your behalf in connection with the Services.
- "Processing" means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- "Data Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
- "Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller.
- "Sub-processor" means any third party engaged by the Data Processor to Process Personal Data on behalf of the Data Controller.
- "Data Protection Laws" means all applicable legislation relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable national or state data protection laws.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
2. Scope and Purpose
This DPA applies to the Processing of Personal Data by us on your behalf in the context of providing the Services. We will Process Personal Data only as necessary to perform the Services described in the Agreement and in accordance with your documented instructions.
The purpose of Processing is to provide app store optimization analytics, keyword tracking, review monitoring, AI visibility tracking, and related services as described in the Agreement. We will not Process Personal Data for any purpose other than those set out in this DPA and the Agreement, unless required by applicable law.
3. Data Processing Details
The following details describe the nature and scope of data Processing under this DPA:
Categories of Data Subjects
End users of the Data Controller's applications, employees and authorized users of the Data Controller's account, and app store reviewers whose publicly available review data is analyzed.
Categories of Personal Data
Account registration data (name, email, company), billing information, usage and analytics data, app metadata and performance metrics, and publicly available app store review data (reviewer display names and review content).
Duration of Processing
Processing will continue for the duration of the Agreement and for such additional period as necessary to fulfill our obligations under this DPA, including data deletion or return upon termination.
4. Security Measures
We implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures include, but are not limited to:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3).
- SOC 2 Type II certified infrastructure and operational controls.
- Role-based access controls with multi-factor authentication.
- Regular penetration testing and vulnerability assessments by independent third parties.
- Comprehensive audit logging and monitoring of all access to Personal Data.
- Business continuity and disaster recovery procedures with regular testing.
We regularly review and update these measures to ensure they remain appropriate in light of the nature, scope, context, and purposes of Processing, as well as the risks to the rights and freedoms of Data Subjects.
5. Sub-processors
You provide general authorization for us to engage Sub-processors to assist in providing the Services, subject to the following conditions:
- We will maintain an up-to-date list of Sub-processors, which is available upon request.
- We will notify you at least 30 days in advance of engaging any new Sub-processor, giving you the opportunity to object.
- We will impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA.
- We remain fully liable for the acts and omissions of our Sub-processors with respect to the Processing of Personal Data.
If you object to a new Sub-processor on reasonable data protection grounds, we will make reasonable efforts to make available an alternative arrangement. If no alternative is feasible, either party may terminate the affected portion of the Services.
6. Data Subject Rights
We will assist you in fulfilling your obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws. These rights may include:
- Right of access to their Personal Data.
- Right to rectification of inaccurate Personal Data.
- Right to erasure ("right to be forgotten").
- Right to restrict Processing.
- Right to data portability.
- Right to object to Processing.
If we receive a request directly from a Data Subject, we will promptly notify you and will not respond to the request without your prior authorization, unless required to do so by applicable law.
7. Data Breach Notification
In the event of a Data Breach affecting Personal Data Processed under this DPA, we will:
- Notify you without undue delay and in any event within 48 hours of becoming aware of the Data Breach.
- Provide you with sufficient information to enable you to meet your obligations to report the breach to supervisory authorities and affected Data Subjects.
- Take immediate steps to contain and mitigate the effects of the Data Breach.
- Cooperate with you and provide reasonable assistance in investigating the breach and in any regulatory notifications or communications.
The notification will include, to the extent available: the nature of the Data Breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. Audit Rights
We will make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable Data Protection Laws. You have the right to conduct audits, including inspections, to verify our compliance, subject to the following conditions:
- You must provide at least 30 days' written notice before conducting an audit.
- Audits must be conducted during normal business hours and shall not unreasonably disrupt our operations.
- You may engage a qualified, independent third-party auditor, subject to reasonable confidentiality obligations.
- Audit frequency shall be limited to once per calendar year, unless a Data Breach or regulatory requirement necessitates additional audits.
We will also provide copies of relevant third-party audit reports (such as SOC 2 Type II reports) upon request, subject to confidentiality obligations.
9. International Data Transfers
We will not transfer Personal Data to a country or territory outside the European Economic Area (EEA) or the United Kingdom unless appropriate safeguards are in place, as required by applicable Data Protection Laws. Such safeguards may include Standard Contractual Clauses (SCCs) approved by the European Commission, binding corporate rules, or an adequacy decision by the relevant supervisory authority. Upon request, we will provide details of the safeguards in place for any international transfer of Personal Data.
10. Term and Termination
This DPA shall remain in effect for the duration of the Agreement and for as long as we Process Personal Data on your behalf. Upon termination of the Agreement, we will, at your election:
- Return all Personal Data to you in a commonly used, machine-readable format; or
- Securely delete all Personal Data within 30 days and provide written certification of deletion upon request.
We may retain Personal Data to the extent required by applicable law, provided that such data remains subject to the protections of this DPA. Provisions of this DPA that by their nature should survive termination -- including confidentiality, security obligations, and liability -- shall survive.
11. Contact
For questions about this Data Processing Agreement or to exercise any rights under this DPA, please contact us at:
Top Viso INC -- Data Protection
Email: info@donkeyideas.com
Please include "DPA Inquiry" in the subject line for prompt routing to our data protection team.