Data Processing Addendum

Effective Date: Mar 24, 2026

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions or any applicable Master Service Agreement ("Agreement") between:

  • SpyderBot Inc., a Delaware corporation ("Processor")
  • The entity or organization using the Services ("Controller")

This DPA governs the processing of Personal Data by SpyderBot on behalf of the Controller.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Controller" means the entity determining the purposes and means of processing.
  • "Processor" means SpyderBot Inc.
  • "Subprocessor" means any third party engaged by the Processor.
  • "Applicable Data Protection Law" means all applicable laws including GDPR, CCPA/CPRA, and similar regulations.
  • "EEA" means the European Economic Area.
  • "SCCs" means the European Commission Standard Contractual Clauses.

2. Roles and Scope of Processing

The Controller determines the purposes and means of processing Personal Data. SpyderBot acts solely as a Processor.

SpyderBot shall process Personal Data only:

  • On documented instructions from the Controller
  • As necessary to provide the Services

3. Nature, Purpose, and Duration of Processing

3.1 Nature and Purpose

Processing activities include:

  • LLM output analysis (e.g., mentions, citations, sentiment)
  • GEO (Generative Engine Optimization) analytics
  • Website and behavioral tracking analysis
  • Attribution and conversion behavior modeling
  • Platform operation and performance monitoring

3.2 Duration

Processing shall continue for the duration of the Agreement, unless otherwise required by law.

3.3 Categories of Data Subjects

  • Users of the Controller
  • Employees and representatives of the Controller
  • Website visitors (as provided by Controller)

3.4 Categories of Personal Data

May include:

  • Account data (name, email, company)
  • Usage data (logs, interactions)
  • Device and technical data (IP address, browser)
  • Analytics and behavioral data
  • Optional integration data (e.g., GA4, GTM)

3.5 Third-Party and AI-Generated Data

SpyderBot may process:

  • Outputs generated by third-party LLM systems
  • Analytics data provided or integrated by the Controller

SpyderBot does not independently collect such data without explicit customer authorization.

4. Processor Obligations

SpyderBot shall:

  • Process Personal Data only on documented instructions
  • Ensure personnel are subject to confidentiality obligations
  • Implement appropriate technical and organizational measures (TOMs)
  • Assist Controller in compliance with applicable laws
  • Not sell or misuse Personal Data

5. Security and Compliance Program

SpyderBot maintains a comprehensive information security and risk management program designed to protect Personal Data. This program is aligned with:

  • SOC 2 Trust Services Criteria (Security, Availability, Confidentiality)
  • ISO/IEC 27001 principles

5.1 Organizational Security

  • Security governance and policies
  • Risk assessments
  • Vendor risk management

5.2 Access Control

  • Role-based access control (RBAC)
  • Least privilege access
  • Multi-factor authentication (MFA)
  • Access reviews

5.3 Data Protection

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (AES-256 or equivalent)
  • Data minimization
  • Logical separation of customer data

5.4 Infrastructure Security

  • Secure cloud infrastructure (e.g., AWS, GCP)
  • Network security controls
  • Continuous monitoring and logging

5.5 Application Security

  • Secure SDLC practices
  • Code reviews and testing
  • Vulnerability management

5.6 Monitoring and Incident Response

  • Logging and alerting
  • Incident response procedures
  • Post-incident remediation

5.7 Business Continuity

  • Backup and recovery
  • Disaster recovery planning

5.8 Continuous Improvement

SpyderBot continuously improves its security program and may pursue certifications such as SOC 2 Type II and ISO/IEC 27001. No certification is claimed unless formally obtained.

6. Subprocessors

SpyderBot may engage Subprocessors.

6.1 Obligations

  • Subprocessors are bound by written agreements
  • Equivalent data protection obligations apply

6.2 List and Transparency

  • A current list of subprocessors will be made available
  • Controller may object on reasonable grounds

7. International Data Transfers

Where Personal Data is transferred outside the EEA, SpyderBot relies on:

  • Standard Contractual Clauses (SCCs)
  • Other lawful mechanisms

8. Data Subject Rights

SpyderBot shall assist Controller in responding to data subject requests and provide reasonable support. Controller remains responsible for handling requests.

9. Personal Data Breach

In the event of a Personal Data breach, SpyderBot shall:

  • Notify Controller without undue delay
  • Provide nature of breach, affected data, and mitigation steps
  • Assist in remediation

10. Data Retention and Deletion

Upon termination:

  • Personal Data shall be deleted or returned
  • Unless retention is required by law

Backup copies may be retained temporarily.

11. Audit and Compliance

Audits are subject to reasonable notice, limited in scope, and subject to confidentiality. SpyderBot may satisfy audits via documentation, security reports, or questionnaires.

12. Controller Responsibilities

Controller agrees to:

  • Ensure lawful basis for processing
  • Provide required notices
  • Configure Services appropriately
  • Not submit unlawful or sensitive data without safeguards

13. Liability

Liability is subject to the limitations in the Agreement.

14. Order of Precedence

In case of conflict:

  1. SCCs
  2. This DPA
  3. The Agreement

15. Governing Law

As specified in the Agreement, or as required under SCCs.

16. Contact

SpyderBot Inc.

Email: [email protected]