RankNowSign in

Legal · Art. 28 DSGVO

Data processing agreement.

Last updated · 2026-04-29

1. Scope

This DPA applies when you (controller) use RankNow (processor) to process personal data of your end customers — for example when running agents against websites that collect visitor data, or when the platform receives client emails for outreach replies.

2. Subject matter & duration

Subject matter: provision of the RankNow agentic SEO platform. Duration: matches the underlying service agreement; survives termination only for legally required retention periods.

3. Nature & purpose of processing

Storing and analyzing your project data (domain, keywords, content briefs, drafts). Forwarding extracts of your content to AI sub-processors for the strict purpose of producing the agent outputs you request. Logging actions for billing, debugging, and regulatory audit trails.

4. Categories of data

Account data of your team members (name, email). Project data you upload. Outputs the platform produces on your behalf. Visitor analytics from connected GSC/GA properties.

5. Sub-processors

Listed in the Privacy policy. We will give you reasonable notice before adding a new sub-processor and you may object on documented data-protection grounds.

6. Technical & organizational measures

Encryption in transit (TLS 1.3) and at rest (AES-256 on Hetzner volumes). Access controls per role. Audit-trail (Phase 7) with hash-chain tamper evidence. Backups in EU region only. Personnel under written confidentiality obligations.

7. Data subject requests

Where data subjects exercise rights under Articles 15–22 DSGVO, you (controller) handle the request. We provide reasonable assistance — including export of all data we process on your behalf.

8. Audit rights

We will provide on request the documentation needed to demonstrate compliance with this DPA — including SOC2 reports if and when obtained, our list of sub-processors, and our TOM specification.

9. International transfers

Where sub-processors are outside the EU/EEA, transfers use the EU Standard Contractual Clauses (Decision 2021/914/EU) plus supplementary measures where required by Schrems II.

10. Returning or deleting data

On termination, we return or delete all personal data within 30 days unless EU or member-state law requires further storage.

Placeholder. Final legal copy will be supplied by counsel before public launch. Treat the text on this page as a structural draft only.