Data Processing Agreement
Last updated: March 16, 2026
1. Introduction
This Data Processing Agreement ("DPA") is entered into between you, the user ("Data Controller", "Controller") and the operator of this Service ("Data Processor", "Processor") pursuant to Article 28(3) of Regulation (EU) 2016/679 (GDPR).
This DPA supplements the Terms and Conditions and applies whenever the Processor processes personal data on behalf of the Controller in connection with the Service.
2. Subject Matter and Scope
2.1 Subject Matter
The subject matter of processing is personal data that the Controller submits to the Service, including keywords, domains, and analysis configurations.
2.2 Categories of Data
The personal data processed may include:
- Domain names and URLs that may identify individuals or businesses
- Brand names and search keywords
- Analysis results that may contain references to identifiable persons
2.3 Special Categories
The Processor does not intentionally process special categories of personal data (Article 9, GDPR). The Controller shall not submit sensitive personal data to the Service without prior written agreement.
2.4 Controller's Responsibility
The Controller solely determines the scope and purpose of processing and is responsible for ensuring a valid legal basis under GDPR for all personal data submitted to the Service.
3. Purpose and Nature of Processing
The Processor processes personal data solely for the purpose of providing the Service as described in the Terms and Conditions. Processing is carried out in an automated manner and includes:
- Storage and retrieval of submitted data
- Automated analysis and report generation
- Data visualization and export
The Processor shall not process personal data for any purpose other than as instructed by the Controller or as required by applicable law.
4. Duration
Processing continues for the duration of the service agreement between the parties. Upon termination, the Processor shall delete or return all personal data within 30 days, unless retention is required by applicable law.
5. Controller's Obligations
The Controller represents and warrants that:
- Lawfulness: All personal data submitted has been collected lawfully and the Controller has a valid legal basis for its processing.
- Transparency: Data subjects have been informed about the processing in accordance with GDPR requirements.
- Data Subject Rights: The Controller has procedures in place to handle data subject requests.
- Data Minimization: Only data necessary for the intended purpose is submitted to the Service.
6. Processor's Obligations
6.1 Instructions
The Processor shall process personal data only on documented instructions from the Controller. If the Processor believes an instruction violates applicable data protection law, it shall immediately inform the Controller.
6.2 Confidentiality
The Processor ensures that all persons authorized to process personal data are bound by confidentiality obligations. This obligation survives the termination of this DPA.
6.3 Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests through appropriate technical and organizational measures.
6.4 Cooperation
The Processor shall assist the Controller with:
- Ensuring compliance with security obligations (Article 32, GDPR)
- Breach notification obligations (Articles 33-34, GDPR)
- Data protection impact assessments (Article 35, GDPR)
- Prior consultation with supervisory authorities (Article 36, GDPR)
6.5 Deletion and Return
Upon termination, the Processor shall, at the Controller's choice, delete or return all personal data and delete existing copies, unless applicable law requires retention.
6.6 Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits no more than once per year, with reasonable advance notice, at the Controller's expense.
7. Security Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS/HTTPS)
- Access control and authentication mechanisms
- Multi-tenant data isolation (workspace-level separation)
- Security monitoring and logging
- Automated backup procedures
- Ability to restore data availability in case of incidents
- Regular testing and evaluation of security measures
8. Security Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.
- Provide the following information:
  - Date of the breach and date of discovery
  - Nature and cause of the breach
  - Categories and approximate number of affected data subjects
  - Description of likely consequences
  - Measures taken or proposed to address the breach
- Cooperate with the Controller in investigating and mitigating the breach.
9. Sub-processors
9.1 Authorized Sub-processors
The Controller grants general authorization for the Processor to engage the following categories of sub-processors:
- Hosting and cloud infrastructure providers
- Payment processing services
- Error monitoring services
- Data analysis API providers
9.2 New Sub-processors
The Processor shall inform the Controller of any intended changes to sub-processors with at least 14 days' advance notice. All sub-processors are bound by equivalent data protection obligations.
9.3 Objection
The Controller may reasonably object to a new sub-processor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the service agreement.
10. International Transfers
Where personal data is transferred outside the EU/EEA, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of GDPR, including Standard Contractual Clauses (SCCs) or reliance on adequacy decisions.
11. Governing Law
This DPA is governed by the laws of the Czech Republic and applicable EU data protection law. Any disputes shall be resolved by the competent courts of the Czech Republic.
12. Contact
For questions about this DPA, contact us at: info@blackboxanalyzer.com