Data Processing Addendum
Citations.io is a trading style of NE26 Limited, a company registered in England and Wales (company number 16030871) with its registered office at First Floor Office, 3 Hornton Place, London, W8 4LZ, United Kingdom.
1. Scope and incorporation
This Data Processing Addendum (the "DPA") supplements the agreement between NE26 Limited (trading as Citations.io, "Processor") and the customer identified in that agreement ("Controller") for the provision of the Citations.io services (the "Principal Agreement"). It applies where Processor processes Personal Data on behalf of Controller in connection with the Principal Agreement. In the event of conflict, this DPA prevails over the Principal Agreement with respect to Personal Data.
2. Definitions
- "Applicable Data Protection Law" means the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act (as amended by the CPRA), and any other privacy or data protection law applicable to a party's processing of Personal Data.
- "Controller", "Processor", "Personal Data", "Processing", "Sub-processor" and "Data Subject" have the meanings given in the UK GDPR / EU GDPR.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the Module 2 (Controller-to-Processor) clauses approved by the European Commission in Decision 2021/914.
- "UK Addendum" means the UK International Data Transfer Addendum to the SCCs issued by the Information Commissioner.
3. Roles and processing instructions
Controller is the Controller and Processor is the Processor of Personal Data processed under the Principal Agreement. Processor will process Personal Data only on documented instructions from Controller, including the Principal Agreement, this DPA and Controller's use of the Service. Processor will inform Controller if it considers any instruction infringes Applicable Data Protection Law.
4. Details of processing (Annex I)
Subject matter and duration
Provision of the Citations.io service for the term of the Principal Agreement and any post-termination period required to return or delete Personal Data.
Nature and purpose
Hosting, processing and analysing Personal Data to enable Controller to monitor brand visibility across AI search engines, manage prompts, citations, competitors, integrations, reports and related workflows.
Categories of Data Subjects
Controller's authorised users; Controller's customers, prospects or contacts (where Controller imports such data into the Service); individuals named in publicly available AI-generated outputs analysed by the Service.
Categories of Personal Data
Identifiers (name, email, role), professional information, account credentials (hashed), usage logs, content of prompts and reports, and any other Personal Data Controller chooses to submit. No special-category data is required by the Service; Controller must not submit special-category or criminal-offence data.
5. Confidentiality of personnel
Processor will ensure that personnel authorised to process Personal Data are bound by confidentiality obligations and have received appropriate training on data protection and information security.
6. Security measures (Annex II)
Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- encryption in transit (TLS 1.2+) and at rest (AES-256);
- role-based access control and least-privilege access management;
- multi-factor authentication for administrative access;
- network segmentation and managed cloud infrastructure;
- centralised logging and audit trails;
- regular vulnerability scanning and patch management;
- secure development lifecycle including code review and dependency scanning;
- documented incident response and business continuity plans;
- annual security reviews and personnel training.
Full details are at /security.
7. Sub-processors (Annex III)
Controller authorises Processor to engage the Sub-processors listed at /subprocessors. Processor will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA. Processor will give Controller at least 30 days' notice of any intended addition or replacement of a Sub-processor (via email to subscribers and via the Sub-processors page). Controller may object on reasonable data-protection grounds within that notice period, in which case the parties will work in good faith to resolve the objection and, failing resolution, Controller may terminate the affected portion of the Service for convenience. Processor remains liable for the acts and omissions of its Sub-processors.
8. Assistance with Data Subject rights
Taking into account the nature of the processing, Processor will provide reasonable assistance to Controller through appropriate technical and organisational measures, insofar as possible, to enable Controller to respond to Data Subject requests. The Service provides self-service tools to access, export and delete Personal Data; further assistance is available at privacy@citations.io.
9. Personal Data Breach notification
Processor will notify Controller without undue delay, and in any case within 72 hours of becoming aware of a Personal Data Breach affecting Controller's Personal Data. The notification will include, to the extent known, the nature of the breach, categories and approximate numbers of Data Subjects and records affected, likely consequences, and measures taken or proposed.
10. DPIAs and prior consultation
Processor will provide reasonable assistance to Controller with data protection impact assessments and prior consultations with supervisory authorities required under Articles 35 and 36 GDPR, in each case solely in relation to the processing of Personal Data by Processor.
11. International data transfers
Where Processor transfers Personal Data from the UK or EEA to a country not subject to an adequacy decision, the parties agree that the SCCs (Module 2, with Clause 7 docking, Clause 9(a) Option 2 with 30 days' notice, Clause 11 without independent dispute resolution, Clause 17 Option 1 governed by the law of Ireland, Clause 18(b) jurisdiction of the courts of Ireland) are incorporated by reference. For UK transfers, the UK Addendum is incorporated and the SCCs are amended accordingly. Annexes I-III to the SCCs are those described in this DPA.
12. Audits and information
Processor will make available to Controller information necessary to demonstrate compliance with this DPA. Controller may, no more than once per year and at its own expense, conduct an audit on at least 30 days' written notice, during business hours and subject to confidentiality obligations. In lieu of an on-site audit, Processor may provide Controller with third-party audit reports (e.g. SOC 2, ISO 27001 once available) and answers to a security questionnaire. On-site audits in response to a Personal Data Breach are not subject to the once-per-year limit.
13. Return and deletion
On termination of the Principal Agreement, Processor will, at Controller's choice, delete or return all Personal Data within 30 days, and will delete existing copies unless retention is required by law. Backup copies will be overwritten or deleted in line with Processor's backup-retention cycle, during which they will remain subject to the security and confidentiality obligations of this DPA.
14. CCPA Service Provider terms
With respect to Personal Data subject to the CCPA, Processor is a "Service Provider" and Controller is a "Business". Processor will not (a) sell or share Personal Data; (b) retain, use or disclose Personal Data for any purpose other than the specific business purpose of providing the Service; (c) retain, use or disclose Personal Data outside the direct business relationship between the parties; or (d) combine Personal Data received from Controller with Personal Data from other sources except as permitted by CCPA regulations. Processor will notify Controller if it can no longer meet its CCPA obligations.
15. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Principal Agreement, except where applicable law does not permit such limitation.
Write to privacy@citations.io and we will respond within 30 days, or sooner where required by law.