SEOG← Back to site

Data Processing Agreement

Last updated: June 30, 2026

This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service between you ("Customer") and AIEmployees, a company registered in the State of Texas, United States ("AIEmployees", "we", "us", "our"), governing your use of the SEOG platform ("SEOG") available at seog.ai. This DPA applies where and to the extent AIEmployees processes Personal Data on the Customer's behalf, in particular Personal Data relating to individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland. This DPA is effective as of June 30, 2026. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA controls.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service.

  • Data Protection Laws — all laws and regulations applicable to the processing of Personal Data under this DPA, including, where applicable: the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); the UK GDPR and the Data Protection Act 2018 ("UK GDPR"); the Swiss Federal Act on Data Protection ("Swiss DPA"); and U.S. state privacy laws such as the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").
  • Personal Data — any information relating to an identified or identifiable natural person that AIEmployees processes on the Customer's behalf under this DPA.
  • Processing — any operation performed on Personal Data, whether or not by automated means, such as collection, recording, storage, use, disclosure, transmission, or deletion.
  • Data Subject — the identified or identifiable natural person to whom Personal Data relates.
  • Sub-processor — any third party engaged by AIEmployees to process Personal Data on the Customer's behalf under this DPA.
  • Standard Contractual Clauses ("SCCs") — the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914 (Module Two: Controller-to-Processor), together with the UK International Data Transfer Addendum/IDTA and the Swiss adaptations, as applicable.
  • Controller and Processor have the meanings given under the Data Protection Laws.

2. Roles and Scope

For the Personal Data that the Customer (or its end customers) enters into or generates through SEOG — including business and end-customer data — the Customer acts as the Controller and AIEmployees acts as the Processor. Where the Customer itself acts as a processor on behalf of a third party, AIEmployees acts as a sub-processor, and the Customer's instructions reflect that third party's instructions.

This DPA applies only to AIEmployees' processing of Personal Data on the Customer's behalf in providing SEOG. Where AIEmployees determines the purposes and means of processing — for example, to operate, secure, and improve the service, or to bill the Customer — AIEmployees acts as an independent Controller, and that processing is governed by the Privacy Policy rather than this DPA.

3. Processing Details — Annex I

Subject matter and nature of processing. AIEmployees processes Personal Data to provide the SEOG AI local-SEO platform, including Google Business Profile analysis and optimization, local map-pack and ranking tracking, review monitoring and AI-assisted review-reply drafts, competitor tracking, citation and listing (NAP) consistency, AI-visibility (AEO/GEO) checks, website and PageSpeed analysis, and keyword research.

Purpose of processing. Performing the SEOG service for the Customer in accordance with the Customer's documented instructions and the Terms of Service.

Duration. For the term of the Customer's account and for the limited periods described in Section 9 (Data Return and Deletion) and the Privacy Policy.

Categories of Data Subjects:

  • The Customer's contacts and personnel who use or are referenced in the account.
  • Leads captured through the public GBP report tool and similar features.
  • Business reviewers and other individuals appearing in publicly available Google Business Profile data the Customer analyzes.

Categories of Personal Data:

  • Business Profile data (business name, address, phone, website, category, coordinates, hours, photos, attributes, and ratings) for businesses the Customer connects or analyzes.
  • Contact details (such as name, email, and phone) for account users and leads.
  • Google reviews and related fields (reviewer display name, photo URL, rating, and review text — public data sourced from Google).
  • Connected Google account OAuth tokens (encrypted), where the Customer connects a Google Business Profile.
  • Usage and diagnostic data (provider/call type, token counts, timestamps, metadata, and coarse city-level IP-based geolocation).

The processing does not, by design, involve special categories of Personal Data.

4. Processor Obligations

AIEmployees shall:

  • Documented instructions. Process Personal Data only on the Customer's documented instructions, including this DPA and the Customer's configuration and use of SEOG, unless required to act otherwise by applicable law (in which case AIEmployees will inform the Customer where legally permitted).
  • Confidentiality. Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
  • Security. Implement and maintain the technical and organizational measures described in Annex III (Section 8).
  • Sub-processors. Engage Sub-processors only under a written contract imposing data-protection obligations substantially equivalent to those in this DPA (flow-down), and remain responsible for each Sub-processor's performance. AIEmployees maintains the current list of Sub-processors in Annex II (Section 7) and will give the Customer at least 14 days' prior notice of any intended addition or replacement of a Sub-processor, during which the Customer may object on reasonable data-protection grounds.
  • Assistance with Data Subject requests. Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights (access, correction, deletion, portability, objection, restriction, and similar). SEOG also provides self-service tools, including in-app account deletion that cascade-deletes the account's businesses, reviews, keywords, rankings, and related records.
  • Breach notification. Notify the Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data breach affecting the Customer's Personal Data, and provide information reasonably available to assist the Customer with its own notification obligations.
  • DPIAs. Provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to AIEmployees.
  • Audit rights. Make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To protect the security and confidentiality of other customers, audits are conducted on reasonable prior notice, no more than once per year (absent a regulator requirement or a confirmed breach), during business hours, and may first be satisfied by relevant documentation and reports.

5. Controller Obligations

The Customer shall:

  • Ensure it has a valid lawful basis for the processing of Personal Data through SEOG and that its instructions comply with the Data Protection Laws.
  • Provide all required privacy notices to, and obtain all required consents from, the relevant Data Subjects.
  • Ensure it holds the rights necessary to connect, upload, or analyze any business and any Google or third-party data through SEOG, and not to misuse such data or violate applicable platform terms (including Google's terms).
  • Issue only lawful instructions to AIEmployees and be responsible for the accuracy, quality, and legality of the Personal Data it provides.

6. International Transfers

AIEmployees hosts the SEOG application, its primary self-managed PostgreSQL database, and Redis on its own infrastructure with OVHcloud (OVH US, LLC) in the United States (Virginia). Because this hosting and AIEmployees' other Sub-processors are located in the United States, Personal Data relating to Data Subjects in the EEA, the UK, or Switzerland is transferred to the United States. Such transfers, and any other transfer outside the EEA, the UK, or Switzerland, are protected by appropriate safeguards, including:

  • the SCCs (Module Two: Controller-to-Processor) for transfers subject to the GDPR;
  • the UK International Data Transfer Addendum/IDTA for transfers subject to the UK GDPR; and
  • the equivalent mechanism recognized under the Swiss DPA for transfers subject to Swiss law.

Where the SCCs apply, they are incorporated into this DPA by reference and completed using the details in Annex I (Section 3), Annex II (Section 7), and Annex III (Section 8). Nothing in this Section alters the governing law and dispute-resolution provisions of the Terms of Service; the SCCs govern only the mechanics of the relevant transfer.

7. Sub-processors — Annex II

AIEmployees engages the following Sub-processors to process Personal Data in providing SEOG:

Sub-processorLocationPurpose
Google LLC / Google CloudUSAVertex AI / Gemini (AI analysis of reviews and content); Google Places API (business/place data); Google Business Profile API (with your OAuth consent); Google Ads API (keyword volume); Google Search Console API (search metrics); Google PageSpeed Insights (site performance); Google Tag Manager (tag management)
Microsoft CorporationUSAMicrosoft Clarity (product analytics; consent-gated)
OpenAI, L.L.C.USAAI-visibility (GEO) checks; only a search query and location are sent (used where enabled)
Anthropic, PBCUSAAI-visibility (GEO) checks; only a search query and location are sent (used where enabled)
Amazon Web Services, Inc.USAAmazon SES (sending the GBP report and transactional email) and Amazon S3 (storing report PDFs and blog assets)
c10r (operated by PASV LLC)USACRM — forwarding lead/contact details (name, email, phone, company, the business details and goals you provide, and UTM attribution) for follow-up
geojs.ioUSACoarse city-level IP geolocation to bias local results
ip-api.comUSACoarse city-level IP geolocation to bias local results
OVHcloud (OVH US, LLC)USAInfrastructure and hosting (compute, PostgreSQL database, Redis) via Coolify, in a US (Virginia) data center

For white-label partners, lead and contact details are routed to the partner's own CRM rather than to AIEmployees' CRM. The current list of Sub-processors is reflected in this Annex II and the Cookie Policy; changes are notified in accordance with Section 4.

8. Technical and Organizational Measures — Annex III

AIEmployees maintains the following technical and organizational measures, which it may update over time provided the overall level of security is not materially reduced:

AreaMeasures
EncryptionSensitive OAuth tokens (Google and partner CRM) encrypted at rest with AES-256-GCM; all data encrypted in transit with TLS/HTTPS
Authentication and passwordsPasswords stored only as bcrypt hashes; authentication via short-lived JWT access tokens (~15 minutes) and refresh tokens (~7 days) with Redis-backed session revocation, so logout invalidates the session server-side
Access controlRole-based access control (RBAC); administrative actions are audited
Network and application securitySelf-hosted infrastructure in a US (Virginia) data center; encrypted transport; isolation of credentials and tokens
Hosting and continuityApplication, self-managed PostgreSQL database, and Redis hosted via Coolify with OVHcloud in the US (Virginia); Redis powers sessions, job queues, and caching
PersonnelAuthorized personnel bound by confidentiality obligations and granted access on a need-to-know basis

9. Data Return and Deletion

Upon termination or expiry of the Customer's account, AIEmployees will, at the Customer's choice, make the Customer's Personal Data available for export during an export window of approximately 30 days, after which AIEmployees will delete or anonymize the Customer's Personal Data within approximately 90 days, except where retention is required by applicable law or for legitimate, narrowly scoped purposes. As described in the Privacy Policy, leads already shared to a CRM and unclaimed report leads may be retained for legitimate follow-up. Caches and diagnostics are short-lived (for example, keyword-volume cache ~30 days, PageSpeed cache ~7 days, IP-geolocation cache ~24 hours, and sessions ~7 days).

10. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, and any reference in those limitations to "AIEmployees" or "us" includes AIEmployees' Sub-processors.

11. Term and Termination

This DPA takes effect on the effective date stated above (or, if later, when the Customer first uses SEOG) and remains in force for as long as AIEmployees processes Personal Data on the Customer's behalf. Sections that by their nature should survive — including confidentiality, international transfers, data return and deletion, and liability — survive termination.

12. Changes

AIEmployees may update this DPA from time to time. For material changes, AIEmployees will provide reasonable notice (for example, by posting the updated DPA at /legal/dpa or by other reasonable means). The "Last updated" date shown on this page reflects the most recent revision, and continued use of SEOG after the changes take effect constitutes acceptance.

13. How to Execute and Contact

This DPA applies between the parties without the need for a signature. If the Customer requires a countersigned copy, it may request one by emailing hello@seog.ai with the subject "Attn: Legal". For privacy-related requests and to exercise Data Subject rights, email hello@seog.ai with the subject "Attn: Privacy". See also the Privacy Policy, Cookie Policy, Acceptable Use Policy, and Do Not Sell or Share My Personal Information.

More from SEOG legalTermsPrivacyCookiesDPAAcceptable UseDo Not Sell
SEOG

Local visibility intelligence for owners who want the next action, not another dashboard.

Product

What you getIndustriesHow it worksFAQFree analysis

Company

BlogRSSContactSign inGet started

Legal

TermsPrivacyCookiesDPAAcceptable UseDo Not Sell
© 2026 SEOG. Operated by AIEmployees.Back to AIEmployees