Data Processing Addendum

Effective Date: October 25, 2025 | Questions? Contact legal@surmado.com

Parties: Surmado, Inc. ("Surmado", "Processor") and the customer identified in the Order ("Customer", "Controller").

Relationship to ToS: This DPA is incorporated by reference into Surmado's Terms of Service and prevails over conflicting ToS terms solely for data-protection matters.



0. Scope & Roles (Snapshot)

Roles

Customer is the Controller; Surmado is the Processor (or "service provider" under CPRA). Surmado will process Personal Data only on Customer's instructions to provide the Services and as described in this DPA.

Territory

Processing and storage occur primarily in the United States.

Cross-border

Where EU/UK data is involved, EU 2021 SCCs (Modules 2/3) and the UK IDTA/Addendum apply as the transfer tool.



1. Definitions

"Personal Data" means information relating to an identified or identifiable natural person, including pseudonymous identifiers (e.g., user IDs) and online identifiers/URLs where reasonably linkable under applicable law.

"De-identified Data" means data that cannot reasonably be used to identify a natural person, maintained with (i) technical safeguards that prevent re-identification, (ii) business processes that prohibit re-identification, and (iii) contractual and access controls requiring recipients to honor the same. Under GDPR, "de-identified" is not the same as "anonymized" (which requires irreversibility); Surmado treats de-identified data as not Personal Data and will not attempt to re-identify it.

"Customer Inputs" are Customer-provided text, URLs, files, and configuration used to generate reports.

"Restricted Transfer" means a transfer to a country without an adequacy decision (EU/UK).

Other capitalized terms have the meanings in the ToS or applicable law.

"Report Artifacts" means the final reports (e.g., PDFs, Markdown files) delivered to Customer, and may include associated intermediate data (like JSON outputs or logs) stored by Surmado.

"Customer Data" means Personal Data contained in or derived from Customer Inputs, Report Artifacts, and related metadata processed by Surmado on Customer's behalf in providing the Services.

"Training Data" means data derived from Customer Inputs, Report Artifacts, and Analysis Data (as defined in the Terms of Service) from which all Personal Data (as defined herein) has been removed or irreversibly obscured such that the data cannot reasonably be used to identify an individual natural person. Training Data may include, but is not limited to, de-identified or aggregated business information, domains, competitive data points, strategic scenarios, financial metrics provided by the user, SEO audit results, AI visibility metrics, and usage patterns. Training Data explicitly excludes Personal Data such as user names, email addresses, and direct user identifiers.



2. Services & Processing Instructions

Services Covered

Signal (AI visibility analysis), Solutions (AI strategic advisory), and Scan (SEO auditing).

Instructions

Surmado will process Personal Data solely on documented instructions from Customer. Customer instructs Surmado to process Customer Data (including Personal Data) as necessary: (i) to deliver the Services; (ii) to comply with law; (iii) to handle support; (iv) as otherwise agreed in writing; and (v) to create "Training Data" (as defined in Section 1).

Surmado will not retain, use, or disclose Customer Personal Data for any purpose other than performing the Services (including maintaining or improving their quality, security, and integrity) under Customer's instructions, or as required by law.

Surmado may create and use Training Data—de-identified and/or aggregated derivatives of Analysis Data and Outputs, and of Customer Inputs only after de-identification—for Surmado's internal research and model improvement. For Personal Data, Surmado acts as Processor/Service Provider. For de-identified Training Data, Surmado acts as an independent Controller and will not re-identify or combine such data to target an identified natural person. Creation and internal use of de-identified Training Data is a condition of the Services and not offered on an opt-out basis. Training Data is retained for 24 months as defined in Section 9 of our Privacy Policy and ToS §24, and is subject to deletion upon verified user request as described in Section 12 of this DPA.

EU/UK Carve-out

Where GDPR/UK GDPR applies, Surmado will create Training Data only from data rendered de-identified within the meaning of Recital 26. If anonymization/de-identification is not feasible for a given element, Surmado will not use that Personal Data for improvement without a separate lawful basis.

High-Risk Work

Surmado will reasonably cooperate with DPIAs and supervisory consultations to the extent related to its processing as Processor.

De-identification Safeguards

When creating or using Training Data, Surmado will:



3. Data Minimization & Categories

What Surmado Stores by Default

Production identifies users primarily by a unique User ID. Names/emails are stored only in systems needed for auth, billing, and deliverables. Surmado does not store full payment card numbers; payments are processed by Stripe under the Stripe Services Agreement.

Customer Inputs

Customer Inputs may include domains/URLs, questionnaires, competitor lists, and files; such Inputs can contain Personal Data if individuals are identified or reasonably identifiable.

Purchase-to-Account Linking Data

Surmado temporarily stores purchase records (session ID, email, amount) to link Stripe payments to user accounts. This data is automatically deleted immediately upon account creation, or after 90 days if no account is created, whichever occurs first. See Privacy Policy §9 for details.

Special Categories

Not intended or required. Customer will not submit PHI/PCI/children's data or other regulated data unless a separate written agreement permits it. For clarity, Surmado does not act as a HIPAA Business Associate and does not sign BAAs unless expressly agreed in writing.



4. Security

Security Program

Surmado maintains a security program aligned with ISO/IEC 27001 requirements (risk-based controls, continuous improvement).

Controls (Summary)

Encryption: TLS 1.2+ in transit; AES-256 at rest (Google Cloud Storage).

Isolation & access: logical separation by User ID, least-privilege access, MFA, audit logging.

Monitoring & hardening: vulnerability management, logging/alerting, change control.

Secure SDLC: code review, secrets management, dependency scanning.

Incident Response & Notice

Surmado operates an incident handling process consistent with NIST guidance; upon confirming a Personal Data Breach affecting Customer Data, Surmado will notify Customer without undue delay and no later than 72 hours, with available facts, impact, measures taken, and a contact point, and will provide updates as material facts develop.

Backups & Retention

Operational backups may persist on a rolling basis (typically ≤ 35 days). Surmado retains data according to the schedule in ToS §24 and Privacy Policy §9: Account Data (active + 3 years after closure); Business Inputs and Reports (active + 12 months after closure); Training Data (24 months from creation, unless earlier deletion is requested). Customer may request earlier deletion per Section 12.

Changes

Surmado may update technical and organizational measures from time to time provided they do not materially diminish overall protections.



5. Sub-Processors

Authorization

Customer grants general authorization for Surmado to engage Sub-processors, subject to written data-protection terms no less protective than this DPA.

Current Sub-Processors

The authoritative list of engaged Sub-processors is maintained at https://www.surmado.com/legal/subprocessors and is incorporated here by reference; it may include, among others, Google Cloud Services, Stripe, Auth provider (Clerk), Postmark, OpenAI, Anthropic, Google (Gemini/Workspace), xAI, Perplexity, and Together AI (hosting platform for open-source models).

Note on DeepSeek: DeepSeek models are served via Together AI, a U.S.-based hosting platform. All processing occurs on U.S. infrastructure; no data is transmitted to the People's Republic of China. See ToS §13C and our Sub-processor List for current routing details.

AI Routing (Uniform Posture)

Surmado uses third-party AI providers to generate analysis. Where available, Surmado enables provider controls intended to limit reuse (e.g., "no-training"). Not all providers offer such controls and some may conduct safety review under their own policies. Surmado does not control provider data-use practices and makes no guarantees. Routing is uniform for all customers; Surmado does not offer per-customer provider exclusions, custom routing, or data-residency guarantees. See ToS §13C for details. Surmado does not knowingly route Customer account contact details or full payment card numbers for analysis.

Changes

Surmado will provide ≥ 30 days' notice (email and/or URL) of new or replaced Sub-processors. Customer may object on reasonable data-protection grounds; if unresolved, Customer may suspend the affected processing or terminate the impacted Service with a pro-rated refund. If only part of the Services is impacted, termination will be limited to that part, and Surmado will use commercially reasonable efforts to offer a functionally equivalent alternative.



6. Data Subject Requests & Assistance

Controller Responsibility

Customer responds to requests from data subjects and regulators.

Processor Assistance

On request, Surmado will provide reasonable assistance: search/export (JSON/CSV), correction, and deletion actions within Surmado-controlled systems; and flow-down to Sub-processors where applicable. Surmado will, without undue delay, forward any data-subject request it receives directly to Customer and will not respond except per Customer's documented instructions, unless required by law.

Fees

Surmado may charge reasonable fees for extraordinary efforts beyond standard operations.



7. Data Transfers

EU/EEA

For Restricted Transfers, the parties incorporate the EU Standard Contractual Clauses (2021/914) as follows: Module 2 (C→P) for Customer→Surmado and Module 3 (P→P) for Surmado→Sub-processor; Clause 9(a) Option 2 (general authorization) with 30-day notice; Annexes I–III as in Annex A. The parties also adopt Clause 7 (Docking Clause). For Clause 17/18, the governing law and forum are that of Ireland, without prejudice to mandatory rights under EU law.

UK

For Restricted Transfers under UK GDPR, the parties incorporate the UK International Data Transfer Addendum (IDTA) or UK Addendum to the EU SCCs.

Switzerland

For transfers subject to Swiss FADP, the parties incorporate the Swiss FDPIC addendum or equivalent terms; references to "Member State" are read as "Switzerland," and the competent authority is the FDPIC.

U.S. Storage

Primary storage is in the United States.

Schrems II

Surmado will implement appropriate supplementary measures, assess legal risks of third-country access, and (where legally permissible) challenge unlawful or disproportionate government access requests. Supplementary measures may include encryption in transit, access controls, strict role-based access, and transparency reporting consistent with §10.



8. Audit & Compliance

Evidence

Surmado may satisfy audit requests by providing: (i) third-party assessments (e.g., SOC reports, pen-test summaries), and/or (ii) written responses to reasonable security questionnaires.

On-Site

If such materials are insufficient or required by law, Customer may conduct an on-site review on 30 days' notice, during business hours, under an NDA, and minimizing disruption.

Frequency & Costs

Absent a Personal Data Breach or regulatory request, audits occur no more than annually. Customer bears audit costs unless material non-compliance is found, in which case Surmado will reimburse reasonable, documented audit costs.



9. Confidentiality

Surmado ensures persons authorized to process Personal Data are subject to confidentiality obligations.



10. Government & Law-Enforcement Requests

Where legally permissible, Surmado will redirect requests to Customer. If compelled, Surmado will limit disclosure to the minimum required by law and notify Customer without undue delay, unless prohibited. On Customer request, Surmado will provide an annual aggregate transparency summary of government/law-enforcement requests related to Customer Data.



11. Export Controls & Sanctions

Customer represents it will not use the Services in violation of U.S. export controls or OFAC sanctions; Surmado may geo-block or refuse access to comply with law.



11A. U.S. State Privacy Laws (CPRA and Similar)

Service Provider/Contractor

For Personal Information subject to the California Consumer Privacy Act (as amended by CPRA) and similar U.S. state privacy laws, Surmado acts as a "service provider" and/or "contractor." Surmado certifies it understands and will comply with applicable restrictions and will not: (i) Sell or Share Personal Information (including for cross-context behavioral advertising); (ii) retain, use, or disclose Personal Information for any purpose other than the specific "business purposes" specified in this DPA and the ToS, or as otherwise permitted by CPRA; (iii) retain, use, or disclose Personal Information outside the direct business relationship with Customer; or (iv) combine Personal Information with other data except as permitted by CPRA (e.g., to perform the Services, detect security incidents, or for other business purposes as instructed by Customer).

Permitted Business Purposes

Customer acknowledges that Surmado's "business purposes" include all activities necessary to provide the Services, as well as: (i) service improvement, quality assurance, security, detecting security incidents, debugging, and error repair; and (ii) processing Personal Information to create de-identified and/or aggregated "Training Data" as instructed in §2.2. Training Data creation is a condition of the Services and is not offered on an opt-out basis (see ToS §2(d) and §14).

Clarification on Training Data

Surmado's subsequent use of the resulting Training Data (which has been de-identified per §2.4 and is no longer Personal Information) for Surmado's internal research, development, and model training does not violate Surmado's service-provider/contractor certifications.

Sub-processing

Surmado will not subcontract processing of Personal Information without a written agreement imposing equivalent obligations. Surmado does not offer per-customer provider exclusions or routing customization. Customers who require provider-specific guarantees or restrictions should not use the Services.



12. Return & Deletion

Upon Customer request or termination, Surmado will delete or return Customer Data in its possession within 30 days, with backup copies overwritten within 35 days, subject to (i) legal holds, and (ii) ongoing backup rotation; upon request, Surmado will certify deletion. Exports will be provided in a commonly used, machine-readable format (e.g., CSV/JSON). Surmado may charge reasonable fees for extraordinary data export efforts exceeding standard tooling.

Training Data

Upon verified deletion request per Section 6, we will use reasonable efforts, including provenance records, to identify and remove derived Training Data that remains reasonably linkable to your account from active systems, consistent with our obligations under applicable law and as detailed in our Terms of Service Section 24. Properly de-identified Training Data that cannot be reasonably linked back to the requesting user may persist in aggregated forms or within trained model artifacts where removal is technically infeasible or would require disproportionate effort. Consistent with our Privacy Policy §12, where a business name is a natural person's name (sole proprietor, e.g., "Jane Smith Coaching"), we will treat that name as Personal Data for the purposes of deletion and de-identification within Training Data.



13. Liability; Order of Precedence

Liability and exclusions follow the ToS caps and carve-outs. This DPA prevails over the ToS solely for data-protection matters.



14. Governing Law & Venue

This DPA follows the governing law and venue set in the ToS (California law; San Diego, California for any court proceedings ancillary to arbitration). For EU SCC purposes only, Clause 17/18 governing law and forum are as stated in §7.1 (Ireland). This carve-out does not affect the ToS governing law otherwise.



15. Miscellaneous

No third-party beneficiaries. If any provision is invalid, the rest remains in force. This DPA may be updated for legal changes with 30 days' notice; material adverse changes allow Customer to object under §5.4.



Annex A — EU SCCs Mapping (2021/914)

Annex I.A Parties

Data Exporter (Controller): Customer (details per Order).

Data Importer (Processor): Surmado, Inc., 1301 North Broadway, STE 32373, Los Angeles, CA 90012, USA.

Annex I.B Description of Transfer

Data Subjects: Customer's personnel/contractors and individuals reasonably identifiable within Customer Inputs (e.g., in website content used for audits).

Categories of Data: Names/emails (auth/billing), pseudonymous user IDs, Customer Inputs (text/URLs/files), report artifacts, logs.

Special Categories: None intended.

Frequency: Continuous per Service use.

Nature & Purpose: Generate AI visibility reports (Signal), strategic advisory outputs (Solutions), SEO audits (Pulse); deliver emails; billing; support. Create and maintain de-identified Training Data for service improvement per §2.4.

Retention: As in §§4.4 and 12.

Annex I.C Competent Supervisory Authority

Per Customer's EEA establishment (or representative). If Customer has no EEA establishment/representative, the competent authority is the Irish Data Protection Commission.



Annex II — Technical & Organizational Measures (TOMs)

Governance: Risk-based ISMS aligned with ISO/IEC 27001; policies, training, vendor management.

Access control: Role-based access, MFA, least privilege, periodic reviews.

Encryption: TLS 1.2+ in transit; AES-256 at rest (S3).

Segregation: Logical separation by User ID; environment separation.

Operations: Vulnerability management, logging/monitoring, backups (≤ ~35 days).

Development: Secure SDLC, code review, dependency scanning, secrets management.

Incident response: Detect/contain/eradicate/recover processes; 72-hour breach notice SLA; post-mortems.

Key Management: Keys managed via cloud KMS with access controls and rotation.

Endpoint Security: Company-managed devices with disk encryption and EDR for staff with production access.

Anonymization/De-identification: Documented pipelines for removal of direct and quasi-identifiers; periodic re-identification risk assessments; segregation of Training Data from Customer Data.



Annex III — Sub-processors

As listed in §5.2 (updated as changes occur per §5.4).



Annex B — UK Transfers

For Restricted Transfers under UK GDPR, the parties incorporate the UK IDTA or the UK Addendum to the EU SCCs as published by the ICO.



Annex C — Payments (Stripe Reference)

Payments are processed by Stripe under the Stripe Services Agreement; Surmado does not store full payment card details.



Annex D — AI Provider Posture (Disclosure)

OpenAI (API/Business): No training by default on business/API data; customers own inputs/outputs (where allowed).

Anthropic (Commercial/API): Inputs/outputs not used for training by default; consumer products (Free/Pro/Max) have different defaults and extended retention. These are excluded from Surmado's enterprise routing.

Google (Gemini API/Workspace): No training without permission for enterprise programs; safety-flagged human review may occur.



Annex E — CPRA Service Provider/Contractor Certification

Surmado certifies it understands and will comply with the CPRA's service-provider/contractor restrictions as stated in §11A.


