Last updated: 14.06.2026
This Data Processing Agreement (“DPA”) forms part of, and is subject to, the Terms of Service or other written agreement (the “Agreement”) between RankUp OÜ, a private limited company registered in Estonia under registry code 17066724, with its registered address at Vase tn 7, Kesklinna linnaosa, Tallinn, Harju maakond, 10125, Estonia (“RankUp”, “we”, the “Processor”), and the customer identified in the Agreement (“Customer”, “you”, the “Controller”). It governs RankUp’s processing of personal data on the Customer’s behalf in connection with the RankUp platform and services (the “Service”).
In the event of a conflict between this DPA and the Agreement on the processing of personal data, this DPA prevails. Capitalised terms not defined here have the meaning given in the Agreement.
“GDPR” means Regulation (EU) 2016/679. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given in the GDPR. “Customer Personal Data” means Personal Data contained in the Customer Content or otherwise made available to RankUp by or on behalf of the Customer, which RankUp processes on the Customer’s behalf to provide the Service. “Subprocessor” means any third party engaged by RankUp to process Customer Personal Data. “SCCs” means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914.
2.1. As between the parties, the Customer is the Controller and RankUp is the Processor of Customer Personal Data. The Customer may itself be acting as a processor on behalf of its own clients; in that case the Customer warrants that it has the necessary authority for RankUp to process the relevant Personal Data as a sub-processor.
2.2. RankUp processes Customer Personal Data only to provide, secure, and support the Service, and as further described in Annex 1. RankUp’s processing of Personal Data for which RankUp determines the purposes and means — such as account, billing, and Service-usage data — is governed by RankUp’s Privacy Policy, not by this DPA.
2.3. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex 1.
3.1. Instructions. RankUp will process Customer Personal Data only on the Customer’s documented instructions, including as set out in this DPA and the Agreement and as given through the Service, unless required to do otherwise by applicable law (in which case RankUp will, where legally permitted, inform the Customer first). The Customer’s use and configuration of the Service constitutes its instructions. RankUp will inform the Customer if, in its opinion, an instruction infringes applicable data protection law.
3.2. Confidentiality. RankUp ensures that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access it only as needed to perform under the Agreement.
3.3. Security. RankUp implements appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex 2, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects.
3.4. Assistance. Taking into account the nature of the processing, RankUp will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligations to respond to Data Subject requests, and in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation, taking into account the information available to RankUp.
4.1. The Service provides the Customer with tools to access, correct, export, and delete Customer Personal Data. The Customer is primarily responsible for responding to Data Subject requests using those tools.
4.2. If RankUp receives a request directly from a Data Subject relating to Customer Personal Data, RankUp will, where permitted by law, refer the Data Subject to the Customer and not respond directly except on the Customer’s instruction. Where the Customer requires assistance beyond the self-service tools, RankUp will provide reasonable assistance; RankUp may charge a reasonable fee for assistance that is excessive or repetitive.
5.1. The Customer gives RankUp general written authorization to engage Subprocessors to process Customer Personal Data. RankUp’s current Subprocessors are listed in Annex 3.
5.2. RankUp will impose on each Subprocessor, by written contract, data protection obligations substantially equivalent to those in this DPA, and remains liable to the Customer for its Subprocessors’ performance of those obligations.
5.3. RankUp will give the Customer at least 30 days’ prior notice of any intended addition or replacement of a Subprocessor (by email or through the Service), during which the Customer may object on reasonable, data protection-related grounds. If the Customer objects, the parties will work together in good faith to address the concern; if they cannot, the Customer may, as its sole remedy, terminate the affected portion of the Service and receive a pro-rata refund of any prepaid fees for that portion. Where RankUp must replace a Subprocessor urgently (for example, due to an outage, or for security or legal reasons), it may do so immediately and will notify the Customer promptly thereafter.
6.1. RankUp stores and processes Customer Personal Data primarily within the European Union. Where RankUp transfers Customer Personal Data to a Subprocessor located outside the European Economic Area (“EEA”) in a country without an adequacy decision, the transfer is made subject to the SCCs, which are incorporated into this DPA by reference and completed as follows: the module applicable to processor-to-processor (or, where relevant, controller-to-processor) transfers applies; RankUp acts as data exporter and the Subprocessor as data importer; the docking, governing-law, and option selections are those that give effect to this DPA; and the annexes are populated by Annexes 1, 2, and 3.
6.2. In the event of any conflict between the SCCs and this DPA in relation to international transfers, the SCCs prevail.
7.1. RankUp will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed to address it, and RankUp will provide further information as it becomes available.
7.2. RankUp’s notification is not an acknowledgement of fault or liability.
8.1. On termination or expiry of the Agreement, the Customer may, for a period of 30 days, export Customer Personal Data using the Service’s tools. After that period, RankUp will delete Customer Personal Data, except to the extent RankUp is required or permitted by law to retain it (for example, billing and tax records, which RankUp retains for the period required by Estonian accounting law). RankUp may also retain Customer Personal Data in routine backups for a limited period until those backups are overwritten in the ordinary course, during which it remains protected under this DPA.
9.1. RankUp will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including its security documentation and, where available, the certifications or audit reports of its Subprocessors.
9.2. Where this information is not sufficient, the Customer may, no more than once per calendar year and on at least 30 days’ prior written notice, conduct an audit of RankUp’s compliance with this DPA. Audits are conducted during business hours, at the Customer’s cost, subject to confidentiality obligations, and in a manner that does not disrupt RankUp’s operations or compromise the data of other customers. On-site audits are limited to circumstances where the information and remote means are genuinely insufficient.
10.1. Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
10.2. This DPA takes effect on the date the Agreement takes effect and continues for as long as RankUp processes Customer Personal Data. Provisions that by their nature should survive termination survive.
10.3. This DPA is governed by the laws of Estonia, and the courts of Estonia (with Harju County Court as the court of first instance) have jurisdiction, consistent with the Agreement, except where the SCCs require otherwise for transfer-related matters.
Subject matter: RankUp’s provision of the Service to the Customer under the Agreement.
Duration: For the term of the Agreement and until deletion of Customer Personal Data in accordance with section 8.
Nature and purpose: Hosting, storage, and processing of Customer Personal Data to provide the AI-powered SEO and GEO content features of the Service, including content planning, generation, auditing, and publishing to the Customer’s connected services, as configured by the Customer.
Categories of Data Subjects: Determined by the Customer through its use of the Service. These may include the Customer’s own staff, contacts, leads, customers, and any individuals referenced in the content, Knowledge Base material, or connected sites and accounts that the Customer provides.
Types of Personal Data: Determined by the Customer. These may include names, contact details, and any other Personal Data the Customer chooses to include in its Customer Content, Knowledge Base, or connected services. The Customer is responsible for ensuring it does not submit special categories of Personal Data except as appropriate, and for the lawfulness of the Personal Data it provides.
RankUp maintains the following measures, which it may update provided the level of protection is not reduced:
RankUp engages the following Subprocessors to process Customer Personal Data. The current list is maintained and updated in accordance with section 5.
| Subprocessor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase (AWS) | Primary database | EU (Frankfurt) | In-EU |
| Vercel | Application hosting / compute | EU (Frankfurt) | In-EU |
| AWS (S3, Lambda) | File storage and backend jobs | EU (Stockholm) | In-EU |
| AI model providers — AWS Bedrock, Microsoft Azure OpenAI, Google, OpenAI, Anthropic, Perplexity, xAI, OpenRouter | Processing content submitted to AI features; the specific provider used may vary by feature and routing | EU and US / global | SCCs (US/global) |
| Stripe | Payments | US / global | SCCs |
| Sign-in (OAuth) and Search Console integration | US / global | SCCs | |
| Google Workspace | Support email | US / global | SCCs |
| PostHog | Product analytics | US | SCCs |
| Sentry | Error monitoring | US / global | SCCs |
| Microsoft Clarity | Marketing-site analytics and session recording | US / global | SCCs |
| Resend | Sign-in and transactional emails | US | SCCs |
| Fireflies | Consultation-call recording and transcription | US | SCCs |
| Featurebase | Support, feedback, and changelog | EU (EEA) | In-EU; limited ancillary transfers under SCCs |
