CiteRank AI
Legal · DPA

Data Processing Addendum

This Data Processing Addendum ('DPA') forms part of the Terms of Service between CiteRank AI ('Processor') and the customer ('Controller') and applies to the extent CiteRank AI processes personal data on behalf of the Controller. Last updated: May 26, 2026.

1. Definitions

Terms not defined here have the meaning given in the GDPR or India's Digital Personal Data Protection Act 2023 ('DPDP'), as applicable.

2. Roles

  • The Controller (or 'Data Fiduciary' under DPDP) determines the purposes and means of processing.
  • The Processor (or 'Data Processor' under DPDP) processes personal data only on documented instructions from the Controller.

3. Scope and duration

This DPA applies for as long as CiteRank AI processes personal data on behalf of the Controller under the Terms of Service. The subject matter is the provision of the CiteRank AI service. Categories of data subjects include Controller's employees, prospects and customers. Categories of personal data include identifiers, contact data, and any data submitted within prompts.

4. Processor obligations

  • Process personal data only on Controller's documented instructions.
  • Ensure persons authorised to process data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (see Security).
  • Assist Controller in responding to data subject requests.
  • Notify Controller of a personal-data breach without undue delay, and in any case within 72 hours of becoming aware.
  • Delete or return personal data at the end of the engagement, except where retention is required by law.

5. Sub-processors

The Controller authorises the following sub-processors:

  • Supabase Inc. — managed Postgres and authentication (EU).
  • Resend Inc. — transactional email (EU/US).
  • PostHog Inc. — product analytics (EU, self-hosted).
  • Stripe Inc. — payment processing (EU/US).
  • Cloudflare Inc. — edge runtime and DDoS protection (global).
  • Vercel Inc. — application hosting (EU/US).

We will give 30 days' notice before adding or replacing a sub-processor. Controller may object on reasonable grounds, in which case the parties will negotiate in good faith.

6. International transfers

Where personal data is transferred outside the EEA or India, the parties rely on the EU Standard Contractual Clauses (Module Two, 2021) and the UK International Data Transfer Addendum where applicable. For transfers from India, the parties comply with the cross-border transfer rules under s.16 DPDP.

7. Data subject rights

Processor will, where technically feasible, assist Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, objection, restriction).

8. Audits

Once per year, Controller may audit Processor's compliance with this DPA. Processor will make available the SOC 2 report (once available) and answer reasonable written questions in lieu of on-site audits.

9. Liability

Liability under this DPA is subject to the limitations of liability in the Terms of Service.

10. Contact

For DPA requests, write to legal@citerank.ai.

← Back to home