1. Parties & scope
This Data Processing Agreement (“DPA”) forms part of the agreement between (a) the client entity that purchases services (“Customer” or “Controller”) and (b) GrowingAI (“Processor”). This DPA applies to the extent Processor processes Personal Data on behalf of Customer in connection with the services.
If your master services agreement or statement of work uses different entity names, those names control. If you require the parties’ legal addresses in the header, insert them in the signature block.
2. Definitions
Terms such as “Personal Data”, “Processing”, “Controller”, “Processor”, “Supervisory Authority” and “Personal Data Breach” have the meanings given in the GDPR (Regulation (EU) 2016/679) where applicable.
- Customer Data: Personal Data submitted to, made available to, or otherwise processed by Processor for the services.
- Services: The services described in the applicable order form, SOW, proposal, or contract.
- Subprocessor: A third party appointed by Processor to process Customer Data on behalf of Customer.
3. Roles, instructions, and responsibilities
3.1 Roles
Customer is the Controller of Customer Data (or acts on behalf of the Controller). Processor processes Customer Data only on documented instructions from Customer, unless required by applicable law.
3.2 Customer responsibilities
- Ensure it has a lawful basis to collect and share Customer Data with Processor.
- Provide clear instructions for the processing activities.
- Respond to end-user notices/consents where required and maintain privacy disclosures.
- Ensure the categories of Customer Data shared are appropriate and proportionate.
3.3 Processor responsibilities
- Process Customer Data only as needed to deliver the Services and in accordance with this DPA.
- Maintain appropriate technical and organizational measures described in Annex 2.
- Ensure personnel are bound by confidentiality obligations.
- Assist Customer with GDPR obligations as described in this DPA.
4. Confidentiality and security
4.1 Confidentiality
Processor ensures that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Security measures
Processor implements appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. See Annex 2 for an overview of controls.
4.3 Access control
- Access is limited to personnel who need it to deliver the Services.
- Where feasible: role-based access, strong authentication, and least-privilege access.
- Operational logging and change control for sensitive systems where applicable.
5. Subprocessors
Customer authorizes Processor to use Subprocessors to the extent required to provide the Services. Processor remains responsible for Subprocessors’ performance of their obligations relating to processing Customer Data.
- Processor will impose data protection obligations on Subprocessors that are no less protective than this DPA.
- Subprocessors may include hosting, analytics, email, collaboration, and infrastructure providers.
A representative list is available in Annex 3. Depending on your scope, we may use additional providers (e.g., for incident response, backups, or deliverability). If you require a fixed list, request a signed DPA and we’ll attach it.
6. International data transfers
Where GDPR applies and Customer Data is transferred outside the European Economic Area (“EEA”), the UK, or Switzerland, Processor will use appropriate safeguards. These may include (where applicable) Standard Contractual Clauses (“SCCs”) or equivalent mechanisms recognized under applicable data protection laws.
Note: Transfer mechanisms depend on the parties’ locations, the tools used, and the nature of the engagement. For procurement review, request a signed DPA with your preferred transfer addendum.
7. Data subject requests and assistance
7.1 Data subject requests
If Processor receives a request from a data subject to exercise rights under GDPR (or similar laws) relating to Customer Data, Processor will (to the extent legally permitted) direct the request to Customer. Processor will not respond directly unless authorized by Customer or required by applicable law.
7.2 Assistance
Taking into account the nature of processing and information available, Processor will assist Customer with:
- Access, deletion, correction, restriction, portability requests (as applicable to the Services and Customer instructions)
- Security and breach notifications
- Data protection impact assessments (DPIAs) and consultations when required and reasonable
8. Personal data breach
Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably required for Customer to meet breach reporting obligations.
- Nature of the breach (where known)
- Likely consequences
- Measures taken or proposed to address the breach
9. Return and deletion of data
Upon termination of the Services, Processor will, at Customer’s choice and where feasible: (a) return Customer Data, or (b) delete Customer Data, unless retention is required by applicable law.
Some data may remain in backups for a limited time according to backup retention cycles. Such data will remain protected and will be deleted in accordance with standard backup deletion schedules.
10. Audit and compliance
Processor will make available information reasonably necessary to demonstrate compliance with this DPA. Customer may request an audit of relevant controls where (i) required by applicable law, or (ii) materially necessary for compliance validation, subject to reasonable notice, confidentiality, and scope limitations to protect other clients’ data.
11. Term, liability, and order of precedence
11.1 Term
This DPA remains in effect for the duration of the Services where Processor processes Customer Data on behalf of Customer.
11.2 Liability
Liability under this DPA follows the liability limitations in the parties’ main agreement, unless prohibited by applicable law.
11.3 Order of precedence
If there is a conflict between this DPA and the main agreement regarding data protection terms, this DPA controls for processing of Customer Data. For all other terms, the main agreement controls.
11.4 Contact
For DPA/GDPR questions, use our contact page: /contact/.
Annex 1: Details of processing
A. Subject matter
Processing of Customer Data to provide the Services (e.g., SEO, content systems, conversion UX, analytics/tracking, automation support).
B. Duration
For the term of the Services, plus any limited post-termination retention required for legal/backup purposes.
C. Nature and purpose
- Website/marketing analytics and reporting
- Conversion tracking setup and optimization
- SEO and content analysis, planning, and implementation support
- Lead routing and basic automation setup (when requested)
D. Categories of data subjects
- Customer’s end users/website visitors
- Customer’s leads and prospective customers
- Customer’s employees/contractors (limited: account access, communications)
E. Categories of personal data (depending on scope)
- Identifiers (name, email, phone) provided via forms/CRM
- Online identifiers (IP address, cookie IDs, device IDs) where collected by Customer’s tools
- Usage and event data (page views, clicks, form submits)
- Business contact details and communications
F. Special categories of data
Unless explicitly agreed in writing, Customer will not provide special category data (GDPR Art. 9) or sensitive data to Processor.
Annex 2: Security measures (overview)
- Access control: least privilege, account-based access, periodic access review where feasible
- Authentication: strong passwords, MFA where supported by the platform/tools
- Encryption: encryption in transit (TLS) where supported; encryption at rest by vendors where applicable
- Operational safeguards: change control, limited admin access, secure device practices
- Vendor management: use reputable providers for hosting, analytics, and communications
- Incident response: documented breach handling and notification workflow
- Backups: backups handled by infrastructure/tools where applicable; retention aligned to service needs
Exact controls depend on engagement scope and tools used. If you require a detailed security addendum, request the enterprise appendix.
Annex 3: Subprocessors (representative)
This list may change based on your project tools and stack. For a fixed/approved list, request a signed DPA with an attached subprocessor schedule.
- Hosting/CDN (site delivery, performance, security)
- Analytics (traffic and conversion measurement tools configured by Customer)
- Email/communication (support and project communications)
- Collaboration & storage (documents, reporting dashboards, deliverables)
- Automation tools (only when requested by Customer for workflow/lead routing)
© 2026 GrowingAI. This page is provided for informational and contracting purposes and may be updated over time.