Data Processing Agreement

“Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, “Sub-processor”, “Personal Data Breach” and “Standard Contractual Clauses (SCCs)” have the meanings given in applicable data protection law (UK GDPR, EU GDPR and, where relevant, the CCPA/CPRA).

You are the Controller of the personal data in your workspace; we are the Processor acting on your documented instructions. This DPA applies for as long as we process personal data on your behalf.

Data subjects: your authorised users, and individuals referenced in the data you connect. Categories of personal data: account and contact details, workspace content (prompts, topics, tracked brands/domains), connected Google Search Console / Analytics metrics where you enable them, billing identifiers, and usage data.

We process personal data only to provide and support the Measure service: measuring AI-engine visibility, generating dashboards and insights, processing payments, operating our infrastructure, and providing customer support — and otherwise on your documented instructions.

• Process personal data only on your documented instructions, including for international transfers, unless required by law (in which case we will tell you unless prohibited).
• Ensure personnel authorised to process the data are bound by confidentiality.
• Implement appropriate technical and organisational security measures, including encryption in transit and at rest, row-level workspace isolation, and least-privilege access.
• Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification and data-protection-impact-assessment obligations.
• Make available the information needed to demonstrate compliance with Article 28.

You give general authorisation for us to engage the sub-processors listed on our Sub-processors page, each bound by data-protection obligations no less protective than this DPA. We will give at least 30 days’ notice before adding or replacing a sub-processor; you may object on reasonable data-protection grounds within that period, and if we cannot resolve the objection you may terminate the affected service.

We will notify you without undue delay, and in any case within 72 hours of becoming aware of a Personal Data Breach affecting your data, with the information you need to meet your own notification duties — the nature of the breach, likely consequences, and the measures taken or proposed.

Where a data subject contacts us directly, we will refer them to you. We will assist you in fulfilling requests to access, rectify, erase, restrict, port or object — through the service’s features or, where needed, with reasonable support — within 30 days.

On termination, or on your request, we delete your workspace personal data within 90 days, backups included, except data we must retain by law and aggregated anonymised data that no longer identifies any individual. You can export your data before termination. We will certify deletion on request.

We will make available our security documentation and answer reasonable security questionnaires. On at least 30 days’ notice, no more than once a year (or following a material breach), you may audit our compliance during business hours in a manner that does not unreasonably disrupt the service.

Some sub-processors are located outside the UK / EEA, principally in the United States. For such transfers we rely on appropriate safeguards — the UK International Data Transfer Agreement / Addendum, the EU Standard Contractual Clauses, and adequacy decisions or the EU–US Data Privacy Framework where available.

Each party’s liability under this DPA is subject to the limitations in the main agreement, except where the law does not allow such limitation. This DPA lasts as long as we process your personal data; obligations regarding confidentiality, deletion and audit survive termination. It is governed by the law of England and Wales.

For any data-protection matter under this DPA, or to request a signed copy, contact hello@measure.co.