Data Processing Agreement

Last updated: 02/01/2026

This agreement defines the obligations of beReferenced (the Processor) to the Client (the Controller) regarding the processing of personal data via the Platform, in accordance with Article 28 of the GDPR.

1. Object, Instructions and Nature of Data

The Processor is authorized to process the following categories of data on behalf of the Client:

  • Identity and login data of the Client’s employees (name, surname, email, IP) to ensure access and maintenance.
  • Web performance and visibility data from third-party tools connected by the Client (notably Google Search Console, Google Analytics, Bing Webmaster) to generate audits and visibility scores.

beReferenced commits to processing this information exclusively according to the Client’s documented instructions.

The Client explicitly commits not to submit any "sensitive" data within the meaning of Article 9 of the GDPR (health data, political opinions, sexual orientation, etc.) to the Service, whether through prompts or file imports.

2. Confidentiality and Security

beReferenced guarantees the strict confidentiality of data. Authorized personnel are bound by an obligation of secrecy. The company implements technical security measures (TLS encryption, logical isolation of accounts).

Regarding AI, beReferenced exclusively uses professional APIs ensuring that the Client's data and prompts are never reused for training third-party models.

3. Sub-processing and Transfers

The Client authorizes the use of necessary subsequent sub-processors:

  1. Railway Corp (Hosting - Amsterdam, EU)
  2. AI Providers (OpenAI, Anthropic, Perplexity, Google)

beReferenced will inform the Client of any addition or replacement of subsequent sub-processors via notification on the Platform’s interface or by email. The Client has fifteen (15) calendar days from this notification to present objections.

Any transfer outside the EU is governed by Standard Contractual Clauses or adequacy decisions. beReferenced remains fully responsible for the performance of its sub-processors' obligations.

4. Rights of Data Subjects and Notification

beReferenced assists the Client in responding to requests for the exercise of data subjects' rights (access, rectification, deletion).

In the event of a data breach, the Processor commits to notifying the Client in writing within a maximum of 48 hours after becoming aware of it.

5. Disposition of Data and Audit

At the expiration of the contract, beReferenced will delete or anonymize the data within 30 days, unless a legal obligation requires otherwise.

The Processor allows an annual audit to be conducted, at the Client’s expense, to verify compliance with this agreement, subject to a notice period of 15 business days.