Legal

Data Processing Agreement

For customers subject to GDPR / UK GDPR. Last updated 2026-05-15.

Scope

This Data Processing Agreement ("DPA") forms part of the Geondex Terms of Service for customers acting as a data controller under EU/UK GDPR, where Geondex processes personal data on their behalf.

Roles

Controller — you, the customer.
Processor — Geondex.
Sub-processors — Cloudflare, Google, Polar, Brevo, Microsoft Clarity, and the AI engines listed in our Privacy Policy.

Processing details

Subject matter — citation tracking across AI engines.
Categories of data — account identity, tracked keywords, citation results, notification preferences.
Categories of data subjects — the customer's authorized account users.
Retention — for the life of the account; 30-day wipe after deletion.

Security measures

See /legal/security.

Sub-processors

We will give 30 days' notice via email before adding a new sub-processor. Current list mirrors the third parties in our Privacy Policy.

Audit + reporting

Geondex will respond to reasonable audit requests via email within 30 days. Material breaches will be reported within 72 hours of detection.

International transfers

Cloudflare's primary infrastructure spans EU, UK, and US data centers. Standard Contractual Clauses (SCCs) cover any transfer of EU/UK data outside the EEA.

Execution

To sign this DPA for your organization, email hello@geondex.com with your company details.