Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer", the data controller) and Georion ("Processor") for the provision of the Georion Service. It is entered into pursuant to Article 28 of the EU General Data Protection Regulation (GDPR).
📌 Pre-signed DPA: This DPA is automatically incorporated into every paid subscription as of the "Effective Date" above. No signature is required — accepting the Georion Terms of Service while having an active subscription constitutes execution of this DPA. For a counter-signed PDF version, email legal@georion.app.
1. Parties & scope
This DPA is between:
- Controller: the Customer who has subscribed to the Georion Service
- Processor: Georion, based in Villmergen, Aargau, Switzerland
It applies to all processing of Personal Data by Georion on behalf of the Customer in connection with the Service.
2. Definitions
Terms used in this DPA (e.g., "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Subprocessor", "Supervisory Authority") have the meanings given in GDPR Art. 4. "EU SCCs" means the Standard Contractual Clauses approved by the European Commission under Implementing Decision (EU) 2021/914 dated 4 June 2021. "Swiss SCCs" means the adapted SCCs approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
3. Subject matter, duration, nature, purpose, categories
The following details satisfy Art. 28(3) GDPR:
- Subject matter: the processing of Personal Data by Georion in the course of providing the Service
- Duration: for the duration of the Customer's subscription, plus 90 days for data export, then deletion
- Nature & purpose: AI visibility tracking, Generative Engine Optimization, competitive intelligence, audit engine, content generation, and related analytics delivered via the Service
- Types of Personal Data: Customer account data (name, email, company, role); billing data (via Stripe); configuration data (tracked domains, prompts, competitors); usage data (API calls, dashboard interactions); hashed IP addresses for security
- Categories of Data Subjects: Customer's employees, contractors, agents, and (where applicable) Customer's own end-users whose data is processed through the Service
4. Processor (Georion) obligations
Georion shall:
- Process Personal Data only on documented written instructions from the Customer (including those contained in the Service configuration), except where required by Swiss, EU, or Member State law
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures (see Section 6)
- Engage Subprocessors only under the conditions in Section 7
- Assist the Customer in responding to Data Subject rights requests (see Section 8)
- Assist the Customer in ensuring compliance with Art. 32–36 GDPR (security, breach notification, DPIA, prior consultation)
- At Customer's choice, delete or return all Personal Data after the end of the provision of services (see Section 12)
- Make available to the Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow audits (see Section 10)
- Inform the Customer if an instruction infringes GDPR or other applicable data protection law
5. Controller (Customer) obligations
Customer shall:
- Ensure a lawful basis exists for all processing instructed to Georion
- Provide clear and accurate Processing instructions
- Provide notices to and obtain consent from Data Subjects where required
- Respond to Data Subject requests directly (Georion will assist per Section 8)
- Ensure Customer content submitted to the Service does not infringe third-party rights
6. Technical and organizational measures
Georion maintains the measures described in detail at georion.app/security, which include (non-exhaustive):
- TLS 1.3 in transit; AES-256 at rest
- Row-Level Security on every database table (tenant isolation)
- Bcrypt password hashing; hashed API keys
- Mandatory 2FA/SSO for internal access; hardware security keys for production
- 24×7 monitoring with automated alerting and incident response
- Dependency scanning, static analysis, and mandatory peer code review
- Quarterly disaster recovery drills; annual penetration tests
- Secure SDLC with threat modeling on new features
Georion may update these measures without prior notice provided that the overall security level is not degraded.
7. Subprocessors
Customer grants Georion general authorization to engage Subprocessors subject to the conditions in this Section.
The current list of Subprocessors is maintained at georion.app/privacy#subprocessors.
Georion will:
- Notify Customer at least 30 days before adding a new Subprocessor (via email + changelog)
- Bind Subprocessors to written agreements with data protection obligations at least as protective as this DPA
- Remain fully liable to Customer for the performance of each Subprocessor
Customer may object to a new Subprocessor on reasonable data protection grounds by emailing legal@georion.app within 30 days of notification. If the objection cannot be resolved, Customer may terminate the Service with prorated refund of unused prepaid fees.
8. Data subject rights
Georion provides functionality within the Service (Settings → Data & Privacy) to help Customer respond to Data Subject requests, including:
- Export of all Personal Data associated with an account (JSON/CSV)
- Deletion of an individual user's account and associated data
- Rectification of inaccurate data via the Settings interface
- Objection to processing / restriction of processing by disabling specific features
Where Customer requires additional assistance, Georion responds within 14 days at no charge for reasonable requests. Extraordinarily broad or repetitive requests may be subject to time-and-materials fees.
9. Breach notification
In the event of a Personal Data Breach:
- Georion will notify Customer without undue delay, and in any case within 72 hours of becoming aware
- Notification will include: nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, measures taken or proposed to address the breach, and Georion's Data Protection contact
- Georion will cooperate with Customer in its communications with Supervisory Authorities and Data Subjects
10. Audits
Customer (or its independent auditor acting on Customer's behalf) may audit Georion's compliance with this DPA no more than once per 12-month period, except:
- Following a Personal Data Breach affecting Customer
- Where required by a Supervisory Authority
Audits are subject to:
- 30 days advance written notice
- Mutually agreed scope and methodology (remote preferred)
- Reasonable confidentiality obligations
- Minimum disruption to Georion's operations
- Customer bearing the cost, except where the audit uncovers material non-compliance by Georion (in which case Georion bears reasonable costs)
Georion may satisfy audit rights by providing SOC 2 Type II reports (once certified) or equivalent third-party attestations.
11. International data transfers
Where Personal Data is transferred from the EU/EEA, UK, or Switzerland to a third country not subject to an adequacy decision:
- The parties incorporate the EU SCCs (Module 2: Controller-to-Processor) by reference
- For transfers from Switzerland, the Swiss SCCs apply
- For transfers from the UK, the UK Addendum to the EU SCCs applies
- Georion maintains the EU–U.S. Data Privacy Framework and Swiss–U.S. Data Privacy Framework self-certifications where applicable
The SCCs are deemed completed as follows: Module 2; Clause 7 (docking) applies; Clause 9(a) Option 2 (general authorization, 30-day notice); Clause 11 (optional language) not included; Clause 17 Option 1 (EU MS law: Ireland); Clause 18(b) (Irish courts). For Swiss SCCs, references to GDPR are replaced with references to Swiss FADP.
12. Deletion & return
Upon termination of the Service:
- Customer may export all Personal Data via the Settings interface for 30 days
- After 30 days, Georion will delete all Personal Data within 90 days
- Exceptions: billing records (retained 10 years per Swiss law), anonymized aggregate analytics (retained indefinitely)
- Backup media are overwritten in the normal rotation cycle (maximum 12 months)
13. Liability
Each party's liability under this DPA is subject to the liability provisions of the main Terms of Service agreement. Nothing in this DPA limits either party's liability for:
- Fraud or fraudulent misrepresentation
- Death or personal injury caused by negligence
- Any liability that cannot be limited under applicable law
14. Execution
This DPA is entered into by acceptance of the Georion Terms of Service and the initiation or continuation of a paid subscription. No signature is required.
For customers who require a counter-signed PDF version (enterprise procurement, public sector, regulated industries), email legal@georion.app. We provide counter-signed PDFs within 5 business days at no charge.
In the event of a conflict between this DPA and the main Terms of Service, this DPA controls for matters relating to Personal Data protection.