Legal

Data Processing Agreement

Last updated:

1. Introduction and Definitions

This Data Processing Agreement ("DPA") is entered into between Nukes AI & Software Solution("Processor") and the customer ("Controller") and forms part of the Terms of Service. It ensures compliance with Article 28 of the GDPR and equivalent data protection laws.

Controller: The Citora customer who determines the purposes and means of processing personal data.

Processor: Nukes AI & Software Solution, the entity that processes personal data on behalf of the Controller.

Data Subject: An identified or identifiable natural person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable natural person, including names, email addresses, and usage data.

2. Details of Processing

Subject matterProvision of GEO analytics services, including AI citation tracking, competitor intelligence, and content recommendations.
DurationFor the term of the subscription agreement, plus 30 days post-termination for data deletion.
Nature and purposeCollection, storage, analysis, and reporting of brand visibility data in AI search engines. Automated querying of AI engines, extraction of citations, and generation of analytics dashboards.
Types of dataAccount data (name, email, company), brand data (brand names, domains, prompts), usage analytics, and AI engine response data.
Categories of subjectsCitora account holders, their team members, and end-users whose brands are being tracked.

3. Processor Obligations

  • Process personal data only on documented instructions from the Controller, including with regard to transfers.
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational measures to ensure security of processing, including:
    • TLS encryption for data in transit
    • Encryption at rest provided by managed database and hosting infrastructure
    • Row-level security and multi-tenant isolation
    • Regular access reviews and least-privilege access controls
  • Notify the Controller without undue delay and within 24 hours of becoming aware of a personal data breach.
  • Assist the Controller in ensuring compliance with data subject rights requests (access, rectification, erasure, portability).
  • Delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless storage is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR.

4. Subprocessors

The Controller hereby grants general authorization for the Processor to engage the following subprocessors:

SubprocessorFunctionLocation
Razorpay Software Pvt. Ltd.Payment processing & billingIndia
better-authAuthentication & user management (incl. Google / Microsoft OAuth)Self-hosted
PostgreSQL (managed provider)Primary databaseUnited States / EU
Upstash, Inc.Caching & rate limiting (Redis)United States / EU
Inngest, Inc.Background job processingUnited States
Vercel, Inc.Application hosting & CDNUnited States / EU
Google Workspace (Gmail)Transactional email (SMTP)United States
PostHog, Inc.Product analyticsUnited States / EU
Sentry (Functional Software, Inc.)Error monitoringUnited States
OpenAI, Anthropic, Google, Perplexity, xAI (via OpenRouter)AI scan & citation extractionUnited States

We will notify the Controller of any intended changes concerning the addition or replacement of subprocessors at least 30 days in advance, giving the Controller the opportunity to object.

5. Controller Obligations

  • Ensure that instructions to the Processor comply with applicable data protection law.
  • Obtain all necessary consents from Data Subjects and provide required privacy notices.
  • Promptly notify the Processor of any data subject rights requests or regulatory inquiries.
  • Maintain accurate records of processing activities as required by Article 30 GDPR.

6. Data Subject Rights

The Processor shall promptly notify the Controller of any request received from a Data Subject and shall not respond directly unless authorized in writing by the Controller. The Processor shall provide reasonable assistance to the Controller in fulfilling data subject rights requests.

7. Security Measures

The Processor maintains the following security measures:

  • Automated vulnerability scanning and dependency updates
  • Multi-factor authentication for all production access
  • Encrypted backups with point-in-time recovery (provided by managed infrastructure)
  • Incident response plan with prompt breach notification
  • Regular security awareness practices for personnel

8. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA once per calendar year, or more frequently if required by a supervisory authority. Audits must be conducted with 30 days' notice during normal business hours. The Processor shall provide reasonable cooperation and make available relevant records.

As an alternative to on-site audits, the Processor may provide available security documentation or attestations upon written request. Formal third-party audit certifications are in progress.

9. Data Transfers

Personal data may be transferred to and processed in countries outside the EEA. The Processor ensures that such transfers are subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Term and Termination

This DPA is effective as of the date the Controller first uses the Service and continues until all processing of personal data under the Service has ceased. Upon termination, the Processor shall, at the Controller's choice, return or delete all personal data, except where storage is required by applicable law.

11. Execution

To execute this DPA or request a signed copy, please email us at legal@citorahq.com. Upon sending this email, this DPA is incorporated into and forms part of your Terms of Service agreement.

Processor

Nukes AI & Software Solution

Greater Noida, Uttar Pradesh, India

By: ___________________

Date: ___________________

Controller

[Customer legal entity]

[Customer address]

By: ___________________

Date: ___________________