Data Processing Agreement and Subprocessors

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller", or "you") and Saaslinks ("we", "us", "Processor") governing your use of the Saaslinks marketplace and related services (the "Services"). It applies where, in the course of using the Services, we process personal data on your behalf. By creating an account, funding a wallet, or otherwise using the Services, you agree to the terms of this DPA. If you require a countersigned copy for your own records, contact us through the Contact and Support page and we will provide one.

This DPA supplements and is incorporated into our Terms of Service and should be read alongside our Privacy Policy. Where this DPA conflicts with the Terms of Service on matters of personal data processing, this DPA controls.

1. Definitions

Terms used but not defined here have the meaning given in applicable data protection law.

• "Applicable Data Protection Law" means all laws and regulations relating to the processing of personal data that apply to a party, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended ("CCPA/CPRA").
• "Personal Data" means any information relating to an identified or identifiable natural person that we process on your behalf under the Services.
• "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the GDPR.
• "Subprocessor" means any third party engaged by us to process Personal Data in connection with the Services.
• "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for the transfer of personal data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.

2. Roles of the parties

For Personal Data you submit to the Services (for example, the contact and billing details of your colleagues, or end-customer data you choose to include in order notes), you act as the Controller and we act as the Processor. For data we collect for our own purposes (such as account security, billing, fraud prevention, and product analytics), we act as an independent Controller, and that processing is governed by our Privacy Policy rather than this DPA.

3. Scope and details of processing

• Subject matter: Provision of the Saaslinks link-building marketplace, including account management, wallet funding, order placement and fulfillment, and order tracking through to indexation.
• Duration: For the term of your account, plus any retention period required by law or described in our Privacy Policy.
• Nature and purpose: Hosting, storing, transmitting, and otherwise processing Personal Data as necessary to operate the Services and provide support.
• Types of Personal Data: Names, business email addresses, account credentials, billing identifiers (we do not store full card numbers; see Section 8 on payments), IP addresses, and any data you voluntarily include in order details or support tickets.
• Categories of Data Subjects: Your authorized users and personnel, and any individuals whose data you choose to submit. The Services are not designed to process special categories of data, and you agree not to submit them.

4. Our obligations as Processor

We will:

1. Process Personal Data only on your documented instructions, including your use of the Services and any written instructions you provide, unless required to act otherwise by law (in which case we will inform you, unless legally prohibited).
2. Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
3. Implement and maintain appropriate technical and organizational measures as described in Section 6.
4. Engage Subprocessors only in accordance with Section 5.
5. Taking into account the nature of processing, assist you by appropriate measures, insofar as possible, in fulfilling your obligation to respond to Data Subject requests under Applicable Data Protection Law.
6. Assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the information available to us.
7. At your choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless storage is required by law. See our Refund and Wallet Policy for how wallet balances and order records are handled on account closure.
8. Make available to you the information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits as set out in Section 9.

5. Subprocessors

You provide general authorization for us to engage the Subprocessors listed in the table below to process Personal Data in connection with the Services. We impose data protection obligations on each Subprocessor that are no less protective than those in this DPA, and we remain responsible for the performance of each Subprocessor's obligations.

We will inform you of any intended addition or replacement of a Subprocessor, giving you a reasonable opportunity to object on legitimate data-protection grounds. If you object and we cannot reasonably accommodate the objection, you may terminate the Services in accordance with the Terms of Service. To receive notice of changes to our Subprocessor list, contact us through the Contact and Support page.

The current list of Subprocessors and the role each performs is set out in the section below.

6. Security measures

We maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include, as appropriate to the risk:

• Encryption of Personal Data in transit using TLS, and at rest where supported by our hosting provider.
• Role-based access controls and the principle of least privilege for personnel.
• Multi-factor authentication for administrative access to production systems.
• Logging and monitoring of access to systems that store Personal Data.
• Regular review of our security practices and those of our Subprocessors.

These measures may be updated over time provided that the level of protection is not materially decreased.

7. Personal data breaches

We will notify you without undue delay after becoming aware of a Personal Data breach affecting Personal Data we process on your behalf. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. We will cooperate with you and take reasonable steps to assist in your investigation and any notifications you are required to make.

8. Payments

Payment card processing is handled by our payment Subprocessor (Stripe). We do not store complete payment card numbers on our systems. The processing of cardholder data by the payment Subprocessor is governed by that provider's own terms and PCI DSS obligations. For how wallet balances, charges, and refunds are handled, see our Refund and Wallet Policy.

9. Audits

We will, on reasonable prior written request and no more than once per twelve-month period (unless required more frequently by a Supervisory Authority or following a Personal Data breach), make available information reasonably necessary to demonstrate compliance with this DPA. Where an on-site audit is required by Applicable Data Protection Law, the parties will agree in advance on its scope, timing, and reasonable cost allocation, conducted so as to minimize disruption to our business and to protect the confidentiality and security of other customers' data.

10. International data transfers

Where processing of Personal Data involves a transfer outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the transfer is governed by the Standard Contractual Clauses adopted by the European Commission, incorporated into this DPA by reference, together with the UK International Data Transfer Addendum where the UK GDPR applies. We and our Subprocessors apply supplementary measures where appropriate to ensure an essentially equivalent level of protection. The SCCs prevail over any conflicting term in this DPA in respect of such transfers.

11. CCPA/CPRA

Where we process personal information of California residents on your behalf, we act as a "service provider" as defined under the CCPA/CPRA. We will not sell or share such personal information, will not retain, use, or disclose it for any purpose other than performing the Services or as otherwise permitted by the CCPA/CPRA, and will not combine it with personal information from other sources except as permitted. We certify that we understand and will comply with these restrictions. California residents can review their available options on our Your Privacy Choices page.

12. Liability and term

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA takes effect when you begin using the Services and continues for as long as we process Personal Data on your behalf. Sections relating to confidentiality, deletion, audits, and liability survive termination as necessary to give them effect.

13. Contact

Questions about this DPA, requests for a countersigned copy, or data protection inquiries can be directed to us through the Contact and Support page. We respond to data protection requests within a reasonable time and in accordance with Applicable Data Protection Law.