Last Updated: June 11, 2026
This Data Processing Addendum (“DPA”) forms part of the AEO Goal Terms of Service, order form, or other written agreement between AEO Goal Inc. (“AEO Goal”) and the customer using the services (“Customer”). This DPA applies when AEO Goal processes Customer Personal Data on behalf of Customer.
1. Roles
For Customer Personal Data, Customer is the controller or business, and AEO Goal is the processor or service provider. AEO Goal acts as an independent controller for account administration, billing, security, product operations, legal compliance, and business contact data as described in the Privacy Policy.
2. Definitions
“Customer Personal Data” means personal data, personal information, or similar regulated information that Customer submits to the services and that AEO Goal processes on Customer’s behalf. “Data Protection Laws” means privacy and data protection laws that apply to the processing, including GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and similar laws where applicable. Terms such as controller, processor, business, service provider, personal data, and processing have the meanings given under applicable Data Protection Laws.
3. Processing Instructions
AEO Goal will process Customer Personal Data only to provide, secure, support, and improve the services; comply with Customer’s documented instructions; comply with the agreement; and meet legal obligations. Customer’s instructions include use of the platform, product settings, integrations, APIs, support requests, order forms, and this DPA. AEO Goal will inform Customer if, in AEO Goal’s opinion, an instruction violates Data Protection Laws, unless prohibited by law.
4. Customer Responsibilities
- Customer must provide lawful instructions and maintain a valid legal basis for processing.
- Customer must provide required privacy notices and obtain required consents from data subjects.
- Customer must avoid submitting sensitive personal data unless expressly authorized in writing.
- Customer must configure access controls, user permissions, integrations, and retention settings appropriately.
- Customer must ensure Customer Content does not violate law or third-party rights.
5. Confidentiality and Personnel
AEO Goal will require personnel authorized to process Customer Personal Data to protect it as confidential and to process it only as needed to provide the services, support Customer, maintain security, or comply with law.
6. Security Measures
AEO Goal will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Measures include access controls, authentication safeguards, encryption in transit, tenant isolation controls, logging, monitoring, backup and recovery practices, vulnerability management, secure development practices, and vendor review appropriate to the nature of the services.
7. Subprocessors
Customer grants AEO Goal general authorization to use subprocessors. AEO Goal will impose data-protection obligations on subprocessors that are no less protective, in substance, than this DPA. AEO Goal remains responsible for subprocessors’ performance of their data-protection obligations.
Subprocessor categories may include cloud hosting, database, cache, object storage, email delivery, payment processing, observability, security, AI/search data providers, customer support, analytics, and integration providers. AEO Goal will make a current subprocessor list or category description available on request and will provide reasonable notice of material subprocessor changes where required by law or contract. Customer may object to a new subprocessor on reasonable data-protection grounds.
8. Data Subject Requests
Taking into account the nature of the processing, AEO Goal will provide reasonable assistance for Customer to respond to data subject requests. If AEO Goal receives a request directly about Customer Personal Data, AEO Goal may direct the requester to Customer unless legally required to respond.
9. Security Incidents
AEO Goal will notify Customer without undue delay after confirming a security incident involving Customer Personal Data. The notice will include information reasonably available to AEO Goal, such as the nature of the incident, affected data, mitigation steps, and contact point. AEO Goal’s notice is not an admission of fault or liability.
10. Assistance and Compliance
AEO Goal will provide reasonable assistance, taking into account the nature of processing and information available to AEO Goal, for Customer’s obligations related to security, breach notification, data protection impact assessments, prior consultation, and records of processing where required by Data Protection Laws.
11. Audits
Upon reasonable written request, AEO Goal will provide information necessary to demonstrate compliance with this DPA. If that information is insufficient, Customer may request a remote audit no more than once per year, during normal business hours, with reasonable notice, subject to confidentiality, security, and operational limits. Audits must not compromise other customers, systems, trade secrets, or security controls.
12. Deletion and Return
At Customer’s choice and subject to product functionality, AEO Goal will delete or return Customer Personal Data after termination or upon valid request. AEO Goal may retain limited copies where required by law, necessary for security, backup, accounting, dispute resolution, or legitimate business records, provided retained data remains protected and is not processed for other purposes.
13. International Transfers
AEO Goal and its subprocessors may process Customer Personal Data in the United States and other jurisdictions. Where Data Protection Laws require a transfer mechanism, the parties will use lawful safeguards such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Addendum, or other approved mechanisms. If Standard Contractual Clauses apply, they are incorporated by reference and will control over conflicting terms for the relevant transfer.
14. CCPA/CPRA Service Provider Terms
For personal information subject to the CCPA/CPRA, AEO Goal acts as a service provider or contractor. AEO Goal will not sell or share Customer Personal Data; retain, use, or disclose it outside the business purpose of providing the services; or combine it with personal information from other sources except as permitted by the CCPA/CPRA.
15. Annex A - Processing Details
Subject matter
Providing AI citation tracking, SEO analytics, content workflows, reporting, alerts, account administration, support, security, and related SaaS services.
Duration
For the term of Customer’s use of the services, plus any retention period required or permitted by the agreement, product settings, law, backup lifecycle, or legitimate business record needs.
Categories of data subjects
Customer users, administrators, employees, contractors, prospects, customers, website visitors, and individuals whose information appears in Customer Content or connected services.
Categories of personal data
Account details, contact information, organization details, website and brand metadata, prompts, keywords, documents, support content, analytics data, OAuth identifiers, integration metadata, IP addresses, device data, audit logs, and similar business information submitted to or generated by the services.
Sensitive data
The services are not designed for sensitive personal data. Customer must not submit sensitive personal data unless expressly authorized in writing.
Processing operations
Collection, hosting, storage, retrieval, analysis, enrichment, generation, transmission, display, support, logging, deletion, export, and other operations necessary to provide and secure the services.
16. Contact
For DPA or subprocessor questions, email legal@aeogoal.com. For privacy requests, email privacy@aeogoal.com.