This Data Processing Agreement (“DPA”) is incorporated into the Terms of Service between you (the “Customer”) and Semantyx. It governs the processing of Personal Data by Semantyx on the Customer's behalf in connection with the services.
If you require a signed copy on your company letterhead, email legal@semantyxintel.com and we'll send one within 3 business days.
1. Definitions
- Personal Data, Data Controller, and Data Processor have the meanings given in the EU General Data Protection Regulation (GDPR).
- Customer Data means Personal Data that the Customer submits to Semantyx (or that Semantyx collects on the Customer's instructions) through the service.
- Sub-processor means a third party engaged by Semantyx to process Customer Data.
2. Roles
The Customer is the Data Controller for Customer Data. Semantyx is the Data Processor — we process Customer Data only on the Customer's documented instructions.
3. Scope of processing
- Purpose: providing the Semantyx SEO audit, remediation, and reporting services described in the Terms.
- Duration: for the term of the Customer's subscription, plus the retention periods described in the Privacy Policy.
- Categories of data subjects: end users of the Customer's websites (where the crawled content includes personal data), the Customer's employees who use Semantyx, and affiliate participants if applicable.
- Categories of Personal Data: email addresses, names, IP addresses, browser data, content of crawled pages (which may incidentally include personal data published by the Customer), GitHub repository contents (when Apply Fix is used).
4. Our obligations
Semantyx will:
- Process Customer Data only on the Customer's documented instructions (the Terms, this DPA, and any written direction).
- Maintain appropriate technical and organizational measures to protect Customer Data — see Section 7.
- Ensure personnel with access to Customer Data are bound by confidentiality obligations.
- Assist the Customer in fulfilling its obligations to respond to data subject requests (access, deletion, portability, etc.).
- Notify the Customer without undue delay (and within 72 hours of discovery) of any Personal Data breach affecting Customer Data.
- On termination of the service, delete or return Customer Data per the Customer's instructions, subject to the retention periods in our Privacy Policy.
5. Sub-processors
The Customer authorizes Semantyx to engage the following sub-processors (current list — we may update it with notice):
- Clerk Inc. (authentication) — United States
- Stripe Inc. (payment processing) — United States, Ireland
- Anthropic PBC (AI generation) — United States
- Railway Corporation (hosting) — United States
- Cloudflare Inc. (DNS / CDN) — Global
- Resend Inc. (transactional email) — United States
We bind each sub-processor by written agreement to the same data protection obligations as those in this DPA. We'll notify the Customer of any new sub-processor at least 14 days before adding them. If the Customer objects on reasonable data protection grounds, the Customer may terminate the affected portion of the service.
6. International transfers
Where Customer Data is transferred outside the European Economic Area, United Kingdom, or other jurisdictions with data protection laws, the transfer is governed by the Standard Contractual Clauses (SCCs) issued by the European Commission, available at eur-lex.europa.eu. The Customer is the data exporter and Semantyx is the data importer.
7. Security measures
Semantyx implements:
- TLS 1.3 encryption for data in transit
- AES-256 encryption for data at rest in our managed database
- Role-based access control with the principle of least privilege
- Audit logs for administrative access to Customer Data
- Quarterly internal access reviews
- Vendor security assessments before adding new sub-processors
- Documented incident response process with 72-hour breach notification
- Automated backups with point-in-time restore
8. Audit rights
The Customer may audit Semantyx's compliance with this DPA once per calendar year, on at least 30 days' written notice, during normal business hours. The Customer bears the cost of the audit. We may satisfy this obligation by providing third-party attestations (e.g. SOC 2 reports) in lieu of an on-site audit.
9. Data subject requests
If we receive a data subject request directly that relates to Customer Data, we will promptly notify the Customer and, unless legally required to respond, will leave the response to the Customer.
10. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service.
11. Term and termination
This DPA is effective when the Customer accepts the Terms of Service and remains in effect for as long as Semantyx processes Customer Data.
12. Governing law
For Customers established in the EEA, UK, or Switzerland, this DPA is governed by the laws of Ireland. For all other Customers, this DPA is governed by the laws of the State of Delaware, United States.
Contact
For questions about this DPA or to request a signed copy: legal@semantyxintel.com.