Data Processing Agreement

How AISignal processes, stores and protects personal data on behalf of its customers.

Effective: June 29, 2026

1. Data processing addendum

AISignal is committed to the privacy, security and compliance of customer data. This Data Processing Addendum (“DPA”) outlines the terms governing how we process, store and protect personal data in accordance with applicable data protection laws. The DPA is an extension of our main agreement with Customers and applies when AISignal processes personal data on behalf of the Customer as a data processor.

It establishes clear responsibilities for both parties regarding data handling, ensuring compliance with relevant privacy laws. By using AISignal, Customers acknowledge and agree to the terms set forth in this DPA. If you require a signed counterpart for compliance purposes, contact us at [email protected].

2. Definitions

Affiliate refers to any entity that directly or indirectly controls, is controlled by, or is under common control with a party. “Control” means the direct or indirect ownership of at least 50% of the voting shares, equity interests, or similar rights in the entity. Affiliates are considered bound by the obligations and responsibilities outlined in this DPA to the extent they engage with the processing of Personal Data.

Authorized Sub-Processor means any third-party vendor, service provider or contractor engaged by AISignal to process the Customer's Personal Data strictly on behalf of and under the instructions of AISignal. All Sub-Processors must comply with the same data protection obligations, maintaining security, confidentiality and regulatory compliance.

Account Data refers to all business-related information collected, stored and processed by AISignal in relation to its contractual relationship with the Customer. This includes names, email addresses, phone numbers, payment details and access credentials of individuals authorised by the Customer to manage and operate their account on the platform. Account Data is used strictly for administrative, billing and support purposes.

Data Protection Laws encompass all applicable laws, regulations and frameworks governing the collection, processing, storage, transfer and protection of Personal Data — including, but not limited to, the General Data Protection Regulation (GDPR) of the European Union, the UK GDPR, the California Consumer Privacy Act (CCPA) and any other national or international privacy laws relevant to data processing under this Agreement.

Personal Data refers to any information relating to an identified or identifiable natural person (“Data Subject”). Personal Data excludes anonymised or aggregated data that cannot be used to identify an individual.

Processing means any operation or set of operations performed on Personal Data, whether by automated means or manually — including collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, restricting, erasing or destroying Personal Data.

Security Measures refer to the technical and organisational safeguards implemented to ensure the confidentiality, integrity and availability of Personal Data. These include encryption, access controls, firewalls, data masking, pseudonymisation, regular security audits and breach notification mechanisms.

Supervisory Authority refers to an independent public authority responsible for monitoring and enforcing compliance with Data Protection Laws — for example, the European Data Protection Board (EDPB), the UK Information Commissioner's Office (ICO), and the California Privacy Protection Agency (CPPA).

Data Subject Rights refer to the rights granted to individuals under applicable Data Protection Laws, including access, rectification, deletion, restriction, portability, objection and the right to lodge complaints with a Supervisory Authority.

3. Processing of data

The Customer may act as either a Data Controller or a Data Processor, depending on its relationship with the Data Subject and the purposes for which Personal Data is processed. In all cases, AISignal acts as a Data Processor, processing Personal Data on behalf of and under the instructions of the Customer.

The Customer is responsible for ensuring that all data processing activities conducted using our services comply with applicable Data Protection Laws. The Customer acknowledges that it has the legal basis to process Personal Data and indemnifies AISignal against any claims, liabilities or damages resulting from non-compliance with these legal requirements.

AISignal processes Personal Data only in accordance with the Customer's written instructions and solely as required to provide the services, unless otherwise mandated by law. We do not use, disclose or share Personal Data for any purpose other than those authorised by the Customer or explicitly outlined in this Agreement.

Upon termination of the Agreement or at the Customer's request, AISignal will, at the Customer's discretion, either (a) securely delete all Personal Data processed under this Agreement, ensuring no copies remain unless required by law, or (b) return the Personal Data to the Customer in a structured, commonly used, and machine-readable format before deletion.

4. Security and confidentiality

AISignal is committed to protecting the security and confidentiality of Personal Data processed on behalf of the Customer. We implement and maintain industry-leading security measures designed to prevent unauthorised access, disclosure, alteration or destruction of Personal Data, including:

  • Data Encryption. Personal Data is encrypted in transit (TLS 1.2+) and at rest (AES-256) using industry-standard protocols.
  • Access Controls. Strict access management policies ensure that only authorised personnel have access to Personal Data based on the principle of least privilege.
  • Network & System Security. Firewalls, intrusion-detection systems and continuous monitoring help prevent unauthorised access and cyber threats.
  • Data Anonymisation & Pseudonymisation. Where applicable, Personal Data is anonymised or pseudonymised to reduce risks associated with data exposure.
  • Regular Security Audits. Periodic security assessments, vulnerability testing and compliance checks identify and mitigate risks.
  • Incident Response Plan. A structured protocol ensures security incidents are promptly identified, mitigated and reported in compliance with applicable Data Protection Laws.

Any individual — employee, contractor or authorised service provider — who processes Personal Data on our behalf is bound by strict confidentiality obligations, including signed non-disclosure agreements and adherence to internal data-handling policies.

5. Sub-processors

AISignal engages third-party Sub-Processors to assist in providing and maintaining the service. These Sub-Processors perform specific functions such as infrastructure hosting, payment processing, transactional email and security. We ensure that all engaged Sub-Processors adhere to data-protection obligations equivalent to those outlined in this DPA, backed by signed agreements.

An up-to-date list is available on request from [email protected]. Current Sub-Processors include (but are not limited to):

  • Stripe — payment processing, invoicing and fraud screening.
  • Mailgun — transactional and notification email delivery.
  • Cloudflare — CDN, DDoS protection and the Turnstile bot challenge.
  • Managed-database providers — encrypted at-rest storage for application data.

AI engine endpoints

To measure how generative assistants describe a customer's business, AISignal sends carefully crafted public queries to the official APIs of ChatGPT (OpenAI), Claude (Anthropic), Gemini (Google), Meta AI (Meta), DeepSeek and Grok (xAI). These engines are independent service providers operating their own infrastructure under their own terms.

  • We send only the prompts prepared for the AI Visibility Sprint — not your account data, not your private files and not your customers' personal data.
  • We never submit personal data or proprietary content as training payload. Where the provider exposes a “do not use my data to train models” setting, we enable it on our service accounts.
  • Each engine processes prompts under its own privacy policy and retention schedule. Links to those policies are listed in the Cookie Policy appendix and on request.

Customer rights & objections. AISignal will notify Customers of any new Sub-Processor engagements at least 10 days in advance. Customers may submit a written objection within that period if they have legitimate data-protection concerns. We will engage in good-faith discussions to address concerns; if no mutually acceptable resolution is reached, the Customer may have the right to terminate the affected services.

6. Transfers of personal data

AISignal may transfer Personal Data outside the European Economic Area (EEA), the United Kingdom or Switzerland to facilitate the provision of services. When such transfers occur, we ensure appropriate legal safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or other competent authorities.
  • Supplementary Measures — additional technical, organisational and contractual safeguards.
  • Binding Corporate Rules (BCRs) when applicable to affiliated entities.
  • Other Approved Transfer Mechanisms recognised under applicable law.

7. Data subject rights

AISignal recognises and respects the rights of Data Subjects under applicable Data Protection Laws. We will assist the Customer, as the Data Controller, in responding to requests from individuals regarding their Personal Data:

  • Right of Access — confirmation of whether data is being processed and access to it.
  • Right to Rectification — correction of inaccurate or incomplete data.
  • Right to Erasure (“Right to be Forgotten”) — deletion of Personal Data, subject to legal and contractual obligations.
  • Right to Restrict Processing — limiting the processing of Personal Data under certain conditions.
  • Right to Data Portability — obtaining and transferring Personal Data to another controller where technically feasible.
  • Right to Object — to processing based on legitimate interests, direct marketing or automated decision-making.
  • Right to Withdraw Consent — at any time if processing is based on consent.

8. Data breach notification

AISignal implements preventative measures to safeguard Personal Data. In the event of a confirmed Personal Data Breach, we shall:

  • Assess the impact of the breach and take immediate mitigation steps;
  • Notify the Customer without undue delay (typically within 48 hours of confirmation);
  • Provide details on the nature and scope of the breach, the type of data affected, the potential consequences, and the measures taken;
  • Assist the Customer in fulfilling any regulatory notification obligations to authorities and affected Data Subjects;
  • Implement corrective actions to prevent recurrence.

The Customer is responsible for determining whether to notify regulatory authorities and Data Subjects in compliance with applicable Data Protection Laws.

9. Data retention and deletion

AISignal retains Personal Data only for as long as necessary to fulfil its obligations under this Agreement or as required by applicable laws. We follow data-minimisation principles: data is retained only for legitimate business and compliance needs, and is deleted or anonymised once no longer necessary.

Customers may request deletion of Personal Data at any time. Upon termination of services, AISignal will delete or return Personal Data in accordance with the Customer's instructions. If no deletion request is made, Personal Data is automatically deleted within a reasonable timeframe unless legal retention requirements apply (tax records, fraud-prevention investigations, etc.).

10. Governing law & dispute resolution

This DPA is governed by and interpreted in accordance with the same laws and jurisdiction as defined in the main agreement between AISignal and the Customer. Disputes will be resolved through good-faith negotiation first; if no resolution is reached, the dispute may be referred to mediation, arbitration, or the competent courts of the applicable jurisdiction. In the event of any conflict between this DPA and the main agreement, the terms of this DPA take precedence concerning data-protection matters.

11. Final provisions

This DPA forms an integral part of the overall agreement between AISignal and the Customer. By continuing to use the services, the Customer acknowledges and accepts the terms of this DPA. If any provision is found invalid or unenforceable, the remaining provisions continue in full force and effect.

AISignal reserves the right to modify or update this DPA to reflect changes in applicable Data Protection Laws, industry practices or operational needs. Customers will be notified of material changes; continued use of the services constitutes acceptance of the updated terms.

12. Contact

For any question, formal request, or to obtain a signed counterpart of this DPA, contact [email protected]. For general privacy-related inquiries, contact [email protected].