Data Processing Agreement (DPA)

1. DEFINITIONS

2. SCOPE AND ROLES

2.1 Parties' Roles

The parties acknowledge that:

• With respect to Customer Personal Data, Customer acts as a controller (or processor where Customer processes data on behalf of its own customers), and Serpyx acts as a processor on behalf of Customer.
• With respect to Customer Account Data and Customer Usage Data, Serpyx acts as an independent controller.

2.2 Customer Instructions

Customer instructs Serpyx to process Customer Personal Data:

• In accordance with this DPA and the Terms
• As necessary to provide the Services
• As further instructed by Customer through its use of the Services and any written instructions provided to Serpyx

Customer represents and warrants that:

• It has obtained all necessary consents and established all legal bases required under Data Protection Laws to provide Customer Personal Data to Serpyx for processing
• Its instructions comply with all applicable Data Protection Laws
• It will not provide any Personal Data in violation of Data Protection Laws or the Terms

2.3 Processing Limitations

Serpyx shall process Customer Personal Data only:

• In accordance with Customer's documented instructions
• As necessary to provide the Services
• As required by applicable law (in which case Serpyx shall inform Customer of such legal requirement before processing, unless prohibited by law)

Serpyx shall immediately inform Customer if, in its opinion, Customer's instructions violate Data Protection Laws.

2.4 Details of Processing

The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Schedule A to this DPA.

2.5 Data Retention and Deletion

Upon termination or expiration of the Services, Serpyx shall, at Customer's choice and written request:

• Delete all Customer Personal Data, or
• Return all Customer Personal Data to Customer in a standard format

Such deletion or return shall occur within thirty (30) days unless applicable law requires continued storage. Serpyx shall certify in writing the deletion of Customer Personal Data upon Customer's request.

2.6 CCPA Compliance

Where the CCPA applies, the parties acknowledge and agree that:

• Serpyx is a "service provider" as defined in the CCPA
• Serpyx receives Personal Data from Customer solely to provide the Services
• Serpyx shall not "sell" or "share" (as those terms are defined in the CCPA) Customer Personal Data
• Serpyx shall not retain, use, or disclose Customer Personal Data except as necessary to provide the Services or as otherwise permitted by the CCPA and this DPA
• Serpyx certifies that it understands and will comply with these restrictions

3. CONFIDENTIALITY

Serpyx shall ensure that all persons authorized to process Customer Personal Data:

• Are bound by obligations of confidentiality (whether contractual or statutory)
• Have received appropriate training on data protection

Serpyx may disclose Customer Personal Data to its advisers, auditors, insurers, or other third parties as reasonably necessary to perform its obligations under this DPA, provided such parties are bound by equivalent confidentiality obligations.

4. SUB-PROCESSORS

4.1 General Authorization

Customer provides general written authorization for Serpyx to engage sub-processors to process Customer Personal Data, subject to the requirements of this Section 4.

4.2 Sub-Processor List and Notification

Serpyx maintains a current list of Authorized Sub-Processors at: serpyx.io/subprocessors

Serpyx shall provide Customer with at least fourteen (14) calendar days' prior written notice before:

• Engaging any new sub-processor, or
• Making material changes to an existing sub-processor's role

4.3 Objection Rights

Customer may object to the engagement of a new sub-processor on reasonable data protection grounds by notifying Serpyx in writing within seven (7) calendar days of receiving notice.

4.4 Sub-Processor Obligations

Serpyx shall:

• Enter into a written agreement with each sub-processor imposing data protection obligations substantially equivalent to those in this DPA
• Ensure that each sub-processor complies with the obligations of this DPA
• Remain fully liable to Customer for the performance of each sub-processor's obligations

5. SECURITY MEASURES

5.1 Technical and Organizational Measures

Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, Serpyx shall implement and maintain appropriate technical and organizational measures to:

• Ensure a level of security appropriate to the risk
• Protect Customer Personal Data against Personal Data Breaches
• Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems

Such measures are described in Schedule C to this DPA.

6. INTERNATIONAL DATA TRANSFERS

Customer acknowledges that Serpyx may transfer and process Customer Personal Data in countries outside the European Economic Area, the United Kingdom, and Switzerland as necessary to provide the Services.

Serpyx's primary processing operations are located in the European Union. Where Serpyx engages sub-processors located outside the EEA, UK, or Switzerland, Serpyx shall ensure appropriate safeguards are in place as required by Data Protection Laws.

For transfers not covered by an adequacy decision, the parties agree that such transfers shall be governed by the Standard Contractual Clauses as detailed in the full DPA document.

7. DATA SUBJECT RIGHTS

Serpyx shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws (including rights of access, rectification, erasure, data portability, restriction of processing, or objection).

Serpyx shall provide commercially reasonable assistance to enable Customer to respond to Data Subject requests.

8. AUDITS

Upon Customer's written request and subject to reasonable confidentiality controls, Serpyx shall provide copies of relevant certifications, audit reports, or assessments demonstrating Serpyx's compliance with this DPA and Data Protection Laws.

9. PERSONAL DATA BREACHES

In the event of a Personal Data Breach affecting Customer Personal Data, Serpyx shall, without undue delay and no later than seventy-two (72) hours after becoming aware:

• Notify Customer of the Personal Data Breach
• Provide available information about the breach
• Take reasonable steps to remediate the breach

10. SERPYX AS CONTROLLER

With respect to Customer Account Data and Customer Usage Data, Serpyx processes such data as an independent controller for managing customer relationships, billing, improving the Services, security, and compliance purposes.

Serpyx's processing of data as a controller is governed by its Privacy Policy, available at: https://www.serpyx.io/privacy

11. CONTACT

For questions regarding this DPA, please contact:

SCHEDULE A – DETAILS OF PROCESSING

Subject Matter and Duration

Subject Matter: Provision of real-time search engine results (SERP) API services — Google Search, Maps, Images, News, Shopping, Autocomplete and equivalent endpoints — as described in the Terms.

Duration: For the duration of the Services and as necessary to fulfill Serpyx's obligations under the Terms and this DPA.

Nature and Purpose of Processing

Serpyx processes Customer Personal Data to:

• Provide access to the Serpyx API and platform
• Execute Customer's queries against public search engines and return parsed SERP data
• Provide customer support and technical assistance
• Maintain and improve the Services

Categories of Data Subjects

• Customer's employees, agents, and authorized users
• Individuals incidentally identifiable in public SERP results returned by search engines (e.g. authors, business owners, public figures named in news headlines)

Types of Personal Data

• Public SERP Content: Names, business listings and publication metadata that may appear in publicly indexed search results
• Technical Data: IP addresses, API keys, usage logs
• Account Information: Usernames, account settings, billing information

Special Categories of Data

Customer is prohibited from submitting Special Categories of Personal Data (as defined in Article 9 of the GDPR) or data relating to criminal convictions and offenses to Serpyx. If Customer does so, it shall be solely responsible for ensuring compliance with applicable Data Protection Laws.

SCHEDULE B – SUB-PROCESSORS AND PARTIES

Data Exporter (Customer)

• Name: As specified in Customer's account
• Address: As specified in Customer's account
• Contact: As specified in Customer's account
• Role: Controller (or Processor when acting on behalf of its own customers)

Data Importer (Serpyx)

• Name: LINKUPAPI (operating as Serpyx)
• SIREN: 995 238 540
• SIRET: 995 238 540 00018
• Address: 58 RUE DE MONCEAU, 75008 PARIS, FRANCE
• Email: dpo@serpyx.io
• DPO Contact: dpo@serpyx.io
• Role: Processor

Authorized Sub-Processors

A current list of Authorized Sub-Processors is maintained at: serpyx.io/subprocessors

As of the date of this DPA, Authorized Sub-Processors include cloud infrastructure providers, data storage providers, and other service providers necessary to deliver the Services.

Supervisory Authority

The competent supervisory authority shall be determined in accordance with Article 55 of the GDPR (the supervisory authority of the Data Exporter's establishment or habitual residence).

SCHEDULE C – SECURITY MEASURES

Serpyx implements and maintains the following categories of technical and organizational security measures:

1. Access Control

• User Authentication: Multi-factor authentication for administrative access
• Role-Based Access Control: Principle of least privilege for employee access to systems and data
• Access Logging: Comprehensive logging of access to Customer Personal Data
• Credential Management: Secure storage and regular rotation of credentials and API keys

2. Data Security

• Encryption in Transit: TLS 1.2 or higher for all data transmissions
• Encryption at Rest: Industry-standard encryption for data stored in databases and file systems
• Data Segregation: Logical separation of Customer data in multi-tenant environments
• Secure Deletion: Secure methods for permanent deletion of data

3. Network Security

• Firewalls: Network-level and application-level firewalls
• Intrusion Detection: Monitoring and alerting for unauthorized access attempts
• Network Segmentation: Isolation of production environments from other networks
• DDoS Protection: Measures to prevent and mitigate denial-of-service attacks

4. Application Security

• Secure Development: Security-focused software development lifecycle
• Vulnerability Management: Regular security testing and vulnerability scanning
• Patch Management: Timely application of security patches
• Input Validation: Protection against injection attacks and malicious input

5. Organizational Measures

• Employee Training: Regular data protection and security awareness training
• Background Checks: Screening of employees with access to Customer Personal Data (where legally permitted)
• Confidentiality Agreements: Contractual confidentiality obligations for all employees
• Incident Response: Documented procedures for detecting and responding to security incidents
• Business Continuity: Backup and disaster recovery procedures

6. Physical Security

• Data Center Security: Use of certified data center providers with physical access controls, surveillance, and environmental protections
• Equipment Disposal: Secure destruction or wiping of hardware containing Personal Data

7. Monitoring and Testing

• Security Monitoring: Continuous monitoring of systems for security events
• Regular Testing: Periodic penetration testing and security audits
• Compliance Reviews: Regular assessment of security controls and compliance with this DPA

8. Vendor Management

• Sub-Processor Due Diligence: Assessment of sub-processors' security practices
• Contractual Protections: Requirements for sub-processors to maintain equivalent security measures

Serpyx reviews and updates its security measures regularly to address evolving threats and maintain alignment with industry standards and best practices.