Last updated: 2026-04-15

Data Processing Addendum (DPA)

This addendum applies to engagements where ChainRank Pro processes personal data on behalf of a client — typically Growth or Authority retainers where we receive Search Console / GA4 access and editorial-pipeline data. The DPA forms part of the Master Services Agreement and is signed alongside the SOW.

Roles

Client is the controller of analytics and end-user data. ChainRank Pro is the processor. Client decides purpose; we follow documented instructions.

Sub-processors

Current sub-processors (as of 2026-05-08):

• Cloudflare (EU) — site hosting, CDN, edge compute, DNS
• Supabase (EU region) — analytics and lead-capture database
• Google (Search Console + GA4) — client-granted read access for ranking and traffic data
• Looker Studio / Metabase — dashboards built from the above sources
• Postmark / SES — transactional email

We notify clients in writing 30 days before adding a new sub-processor; you may object and we will propose alternatives or exit terms.

Security measures

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Role-based access control with audit logs
• Quarterly access review
• Incident response plan with 72-hour breach notification commitment
• Regular backups, tested restore procedure, EU-only backup storage

Data subject requests

If a data subject contacts us directly, we forward the request to the controller within 5 working days. If the controller asks us to act on a request, we do so without undue delay.

Termination

On termination of services, we return or delete all client personal data within 30 days, on written instruction. Backup retention follows agreed schedules and is documented in the SOW.

Sign and request

A counter-signable PDF version is available on request — write to [email protected].

Note: this DPA template references a draft sub-processor list and security baseline. The counter-signable version sent on request reflects the current production configuration.