Data processing addendum
Last updated 18 May 2026 · GDPR Art 28 · nFADP Art 9
1. Parties
This Data Processing Addendum (“DPA”) supplements the AuthorityOn AI Terms of Service (the “Agreement”) between you (the “Controller”) and Digital Brand Building Sàrl (Rue du 31 Décembre 21, 1207 Genève, Switzerland) acting as “Processor”.
To the extent we process personal data on your behalf in connection with the Service, this DPA applies. Where it conflicts with the Agreement, this DPA prevails for data-processing matters.
2. Subject matter, duration, nature, purpose
- Subject matter: processing personal data in the course of providing the AuthorityOn AI software service.
- Duration: for as long as the Agreement is in force, plus a 30-day retention window post-cancellation for export, after which data is deleted (see clause 11).
- Nature and purpose: running AI-visibility scans and audits against the entities the Controller configures; generating reports, recommendations, dashboards, and alerts.
3. Type of personal data and categories of data subjects
The Service is configured by the Controller and the data flowing through it is determined by that configuration. In typical use, the following categories of personal data and data subjects apply:
3.1 Personal data
- Account data of the Controller's users: name, email, role, session tokens, hashed passwords.
- Names and public identifiers of brand leaders, executives, or spokespeople the Controller tracks as “entities”.
- Usage logs: pages visited, features used, IP address (truncated to /24).
3.2 Categories of data subjects
- The Controller's own employees and authorised users.
- Public figures linked to the Controller's brand (CEOs, founders, named spokespeople) when configured as entities.
The Service is not designed for processing special-category data (Art 9 GDPR). The Controller agrees not to submit such data through the Service.
4. Controller and Processor roles
For the avoidance of doubt: the Controller decides which entities to track, which prompts to submit, whom to invite, and how to interpret the output. The Processor provides the platform and processes data only on the Controller's documented instructions.
The Controller represents and warrants that it has a valid lawful basis under GDPR Art 6 / nFADP Art 31 for every category of personal data submitted to the Service.
5. Processor obligations
- Process personal data only on the Controller's documented instructions, including instructions on international transfers (clause 9).
- Ensure personnel with access to personal data are bound by confidentiality.
- Apply appropriate technical and organisational measures (clause 6).
- Assist the Controller with data-subject requests, using commercially reasonable efforts.
- Notify the Controller of personal-data breaches without undue delay (clause 8).
- Make available all information necessary to demonstrate compliance with Art 28 and allow for audits as set out in clause 10.
6. Technical and organisational measures
The Processor maintains a layered set of security controls including but not limited to:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Authentication: bcrypt-hashed passwords (cost ≥ 10), rate-limited sign-in, magic-link option, server-side session tokens.
- Access controls: least-privilege role-based access for staff; production database accessible only via audited break-glass.
- Hosting in EU regions (Vercel + Supabase); Swiss data residency available under separate addendum.
- Logging and monitoring of administrative actions; regular vulnerability scanning; automated dependency-vulnerability alerts.
- Backups encrypted and retained for 30 days; tested restoration quarterly.
7. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed at /legal/sub-processors. That page also carries the change-log of additions and removals.
The Processor will give at least 14 days' notice before adding a new sub-processor. If the Controller objects on reasonable data-protection grounds, the Processor will offer a commercially reasonable alternative or, failing that, the Controller may terminate the Agreement without penalty for the affected service.
Each sub-processor is bound by data-protection terms no less protective than those in this DPA.
8. Personal data breach
The Processor will notify the Controller without undue delay (and in any event within 48 hours of becoming aware) of any personal-data breach affecting the Controller's data. The notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
The Processor will assist the Controller with its own breach notification obligations under Art 33-34 GDPR / Art 24 nFADP.
9. International transfers
Personal data is primarily hosted in EU regions. Where data is transferred outside the EEA or Switzerland, including to LLM providers in the US, the Processor relies on the EU Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the Swiss-US Data Privacy Framework. Supplementary measures limit transfer risk: encryption in transit, and prompt-only payloads that never include identifying account metadata.
10. Audits
The Controller may, no more than once per twelve-month period, request reasonable information to verify the Processor's compliance with this DPA. Where the Controller demonstrates regulatory necessity (e.g. a supervisory authority request), an on-site audit can be arranged with at least 30 days' notice, at a mutually agreed time, subject to the Processor's confidentiality and security requirements. Cost of the audit is borne by the Controller.
11. Return and deletion
On termination of the Agreement, the Controller may export its data as JSON or CSV from the in-product account-export tool for up to 30 days. After the 30-day window the Processor will delete the Controller's personal data within a further 30 days, except where retention is required by law (e.g. accounting records).
12. Liability and changes
The liability provisions of the Agreement apply equally to this DPA. The Processor may update this DPA from time to time to reflect changes in law, infrastructure, or sub-processor arrangements. Where a change materially reduces the Controller's protections, the Processor will give at least 30 days' notice and the Controller may terminate the affected service without penalty.
13. Counter-signature
This page is the public-facing template. To exchange a signed counterpart, email hello@authorityon.ai with your legal entity name, registered office, and the contracting contact. We'll send a PDF for counter-signature within five business days.
AuthorityOn AI · Data processing addendum v1 · 18 May 2026