Data Processing Addendum (DPA)

Effective Date: June 6, 2026

This Data Processing Addendum (“DPA”) supplements the Main Software License Agreement, Terms of Service, or other principal commercial agreement (the “Agreement”) between SRNA SEO (“Processor”) and the legal entity executing this document (“Controller”).

This DPA governs the processing of personal data in connection with the Controller’s use of the AI Visibility Inspector and NovaX software platforms. This document is drafted to satisfy the requirements of Article 28 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

1. Definitions

All capitalized terms not defined herein shall have the meanings ascribed to them in the GDPR or the principal Agreement.

  • “Controller” means the natural or legal person, public authority, agency, or other body which determines the purposes and means of the processing of personal data.
  • “Processor” means SRNA SEO, which processes personal data or technical metadata on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Technical Metadata” means data generated automatically by the software execution, including license keys, software version logs, and host server IP addresses.

2. Nature and Scope of Processing

2.1 Self-Hosted Architecture: The Controller explicitly acknowledges that the AI Visibility Inspector and NovaX are 100% self-hosted, on-premises platforms. The software operates entirely within the isolated infrastructure, firewalls, or private cloud environments managed exclusively by the Controller.

2.2 Absolute Data Sovereignty & Zero-Custody Model: SRNA SEO enforces a strict zero-custody data architecture. SRNA SEO does not collect, hold, intercept, or store ANY operational data, customer data, search intelligence, or database configurations from the Controller. The sole administrative datasets maintained by SRNA SEO for standard subscription tiers are limited strictly to the Controller’s corporate Web URL, administrative contact email, and active license token.

2.3 True Sovereignty for Lifetime Licenses (Zero-Knowledge Isolation): For Controllers utilizing a Lifetime License, the software utilizes a completely decentralized, disconnected verification model:

  • Local Verification: The software is delivered with an initial, local database-added access key used solely for the first local instance initialization.
  • Complete Administrative Handover: Upon the initial login, the Controller creates their own internal System Administrator account and deletes the default initialization profile.
  • Total Access Exclusion: From the moment of first administrative creation, the platform detaches completely from any external validation protocols. Absolute, exclusive access is held solely by the Controller.
  • Immunity from External Interception: SRNA SEO retains zero backdoors, zero remote access capabilities, and zero encryption bypass keys. No external third party, including SRNA SEO, cloud hosting vendors, regulatory authorities, or courts of law, can access, view, or subpoena the data contained within the software instance. The data remains 100% physically and logically isolated on the Controller’s infrastructure, and the Controller retains sole responsibility and sovereign custody over their data assets.

3. Categories of Data and Data Subjects

  • Categories of Personal Data: Limited strictly to technical metadata (host server IP address, license authorization tokens, application version logs) and administrative contact details (name, corporate email) used for account management.
  • Categories of Data Subjects: Authorized employees, system administrators, and IT engineers of the Controller who install, manage, or utilize the software.

4. Obligations of the Processor

In accordance with GDPR Article 28, SRNA SEO covenants that it shall:

  • 4.1 Documented Instructions: Process technical metadata and support-related data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization.
  • 4.2 Confidentiality: Ensure that all personnel, engineers, and support staff authorized to handle technical logs or troubleshooting information have committed themselves to strict confidentiality agreements or are under an appropriate statutory obligation of confidentiality.
  • 4.3 Security Measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with license verification transmissions, in compliance with GDPR Article 32.
  • 4.4 Sub-processors: Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller. SRNA SEO guarantees that any utilized licensing or support infrastructure resides strictly within the European Union (EU).
  • 4.5 Data Subject Rights: Assist the Controller, insofar as this is technically feasible given the Processor’s lack of access to the local self-hosted instance, by appropriate technical and organizational measures, for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in GDPR Chapter III.
  • 4.6 Assistance in Compliance: Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (security of processing, notification of personal data breaches, data protection impact assessments), taking into account the nature of processing and the information available to the Processor.
  • 4.7 Data Deletion and Return: At the choice of the Controller, safely delete or return all support logs, troubleshooting data, or communication metadata to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data.
  • 4.8 Audits and Inspections: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Technical and Organizational Measures (TOMs)

Because the application is executed entirely on the Controller’s hardware, the Controller maintains sole responsibility for the physical security, network whitelisting, access controls, and logical encryption of the infrastructure hosting the software.

SRNA SEO maintains the following security measures on its administrative and licensing perimeter:

  • Mandatory end-to-end encryption via TLS 1.3 for all outbound license authorization handshakes.
  • Strict role-based access control (RBAC) limiting visibility of technical support tickets and troubleshooting metadata to verified engineering staff.
  • Adherence to strict local data residency protocols, guaranteeing that no data shared for support purposes ever leaves the European Economic Area (EEA).

6. Governing Law

This DPA shall be governed by, and construed in accordance with, the laws of the Member State in which the Controller is established, or alternatively, the laws of the Czech Republic, ensuring seamless alignment with European data protections.

7. Exclusion of Liability for Third-Party or Judicial Data Demands

7.1 Jurisdictional and Judicial Immunity: Because SRNA SEO maintains a strict zero-custody, decentralized architecture, the Processor structurally lacks the technical capability to comply with data disclosure requests, interception warrants, or search subpoenas issued by any court of law, regulatory agency, or government authority worldwide.

7.2 Impossibility of Access: If SRNA SEO receives a formal legal demand to expose, freeze, or hand over information regarding a Controller’s business, search profiles, or internal analytics, SRNA SEO will reject the demand on the grounds of physical and technological impossibility. SRNA SEO possesses no administrative access, master encryption keys, or architectural backdoors into the Controller’s self-hosted deployment.

7.3 Sole Legal Target: The Controller acknowledges and agrees that they remain the sole custodian of their data assets. Any legal actions, discovery requests, or regulatory inquiries regarding the data processed by the software must be directed exclusively to the Controller.

Execution Note

For enterprise clients and procurement departments requiring a countersigned, standalone PDF copy of this Data Processing Addendum (including finalized Standard Contractual Clauses), please contact our Data Protection Officer directly at hello@srnaseo.com.