Data Processing Agreement (GDPR)
Last updated: 1 June 2025
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and ManufactureSEO ("Processor") for the provision of the ManufactureSEO platform. This DPA sets out the terms under which the Processor processes personal data on behalf of the Controller in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
- Personal Data means any information relating to an identified or identifiable natural person that is processed under this DPA.
- Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Sub-processor means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Data Subject means the individual to whom Personal Data relates.
2. Scope & Purpose
The Processor processes Personal Data solely to provide the ManufactureSEO platform as described in the Terms of Service. The categories of data processed include account information (name, email, company), usage data, and content data provided by the Controller.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security testing.
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
- Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.
- Delete or return all Personal Data upon termination of the agreement, at the Controller's choice, unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA.
4. Sub-processors
The Controller provides general authorisation for the Processor to engage Sub-processors. The Processor shall:
- Maintain a list of current Sub-processors, available upon request.
- Notify the Controller of any intended changes to Sub-processors at least 30 days in advance.
- Ensure each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
- Remain fully liable for the acts and omissions of its Sub-processors.
5. Data Location
All Personal Data is stored and processed within the European Economic Area (EEA). If any processing requires transfer outside the EEA, the Processor shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or a valid adequacy decision.
6. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls with least-privilege principles.
- Regular vulnerability assessments and penetration testing.
- Logging and monitoring of access to systems containing Personal Data.
- Business continuity and disaster recovery procedures.
- Employee security awareness training.
7. Audits
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall cooperate with audits conducted by the Controller or a mandated third-party auditor, subject to reasonable notice and confidentiality obligations. The Processor may provide third-party audit reports or certifications in lieu of direct audits where practicable.
8. Data Subject Rights
The Processor shall promptly assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
9. Data Breach Notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and provide:
- A description of the nature of the breach.
- The categories and approximate number of Data Subjects and records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
10. Term & Termination
This DPA remains in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. Upon termination, the Processor shall delete or return all Personal Data within 30 days, unless legal obligations require longer retention.
11. Governing Law
This DPA is governed by the laws of England and Wales, without prejudice to the GDPR and any applicable Member State data protection laws.
12. Contact
For questions about this DPA or to exercise your rights, contact our Data Protection team at privacy@manufactureseo.com.