CitedSite
DPA

Data Processing Addendum

For business customers who need a written processor agreement covering GDPR, UK GDPR and equivalents.

Last updated: April 28, 2026

Privacy PolicyTerms of UseCookie PolicyData Processing Addendum

This is a working template, not legal advice. Replace bracketed placeholders and have a lawyer review before going live.

1. Roles

When you use CitedSite to process personal data of your end users (e.g. visitor information surfaced through your sites), you are the controller and CitedSite is the processor. For your own account data (your email, billing info), CitedSite is the controller — see our Privacy Policy.

2. Scope and instructions

We process personal data only to provide the service as described in our Terms of Use and on your documented instructions. We will tell you if an instruction would breach the GDPR or other applicable law.

3. Subprocessors

You authorize us to engage the subprocessors listed in our Privacy Policy. We will give at least 30 days' notice before adding or replacing a subprocessor. You may object on reasonable data-protection grounds.

4. Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit and at rest, access controls, and logging. A summary is available on request.

5. Personnel

Our personnel are bound by confidentiality obligations and are trained on data-protection responsibilities.

6. Data subject rights

We will assist you, taking into account the nature of processing, to respond to data-subject requests (access, deletion, etc.) within legal timeframes.

7. Breach notification

We will notify you without undue delay — and within 72 hours where feasible — after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own regulatory obligations.

8. Audits

We will provide reasonable information necessary to demonstrate compliance. On request and subject to confidentiality, we will allow audits up to once per year, conducted by you or a mutually agreed independent auditor.

9. International transfers

Where personal data is transferred outside the EEA, UK or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2 or 3 as applicable) and the UK Addendum by reference.

10. Return or deletion

On termination, we will delete or return personal data within 90 days, unless retention is required by law (e.g. tax records).

11. Liability

Each party's liability under this DPA is subject to the liability cap set out in our Terms of Use.

12. Annex — processing details

  • Subject matter: provision of the CitedSite service.
  • Duration: the term of your subscription.
  • Nature and purpose: hosting, indexing automation, analytics for the service.
  • Categories of data subjects: your end users and visitors to the sites you submit.
  • Categories of personal data: URLs (which may incidentally contain identifiers), IP addresses, and any data you choose to submit.

13. Sign and execute

To countersign a copy on your company's letterhead or to receive a PDF, email privacy@citedsite.com.