Data Processing Agreement

Effective Date: 2026-04-16 | Last Updated: 2026-04-16

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SignalAEO LLC, a Utah limited liability company ("SignalAEO," the "Processor"), and the customer entity identified in the applicable subscription order ("Customer," the "Controller"). This DPA governs the Processing of Personal Data by SignalAEO on behalf of Customer.

This DPA applies when Customer uses the SignalAEO Service to Process Personal Data subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection ("Swiss FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), or other applicable privacy laws that require a written data processing agreement between Controller and Processor.


Overview and Purpose

The parties agree that when SignalAEO Processes Personal Data on behalf of Customer in connection with the Service, SignalAEO acts as a Processor and Customer acts as a Controller, as those terms are defined under applicable Data Protection Laws. This DPA sets out the terms on which SignalAEO will Process such Personal Data.

If there is a conflict between this DPA and the Terms of Service, this DPA governs with respect to the Processing of Personal Data.


Definitions

Terms in this DPA that are capitalized but not defined here have the meanings given to them in the Terms of Service or in the applicable Data Protection Laws.

  • "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including GDPR, UK GDPR, Swiss FADP, and CCPA/CPRA.
  • "Personal Data" has the meaning given in applicable Data Protection Laws and refers to Personal Data Processed by SignalAEO on behalf of Customer.
  • "Processing" means any operation performed on Personal Data, whether automated or not.
  • "Controller" and "Processor" have the meanings given in GDPR Article 4.
  • "Sub-processor" means any third party engaged by SignalAEO to Process Personal Data on behalf of Customer.
  • "SCCs" means the Standard Contractual Clauses adopted by the European Commission by Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner's Office.

Subject-Matter, Duration, and Nature of Processing

  • Subject-matter: Processing of Personal Data as necessary to provide the SignalAEO Service to Customer under the Terms of Service.
  • Duration: For the term of the Customer's subscription to the Service, plus the data retention periods described in our Privacy Policy.
  • Nature and purpose: To operate the SignalAEO platform, run AI observation queries, generate reports and dashboards, provide support, and meet legal obligations.
  • Type of Personal Data: As described below in "Categories of Personal Data."
  • Categories of data subjects: Customer's authorized users (employees, contractors, agents) and any individuals whose Personal Data Customer submits to the Service.

Categories of Data Subjects and Personal Data

Categories of data subjects:

  • Customer's employees and other authorized users of the Service
  • Customer's support contacts
  • Individuals whose information is included in data Customer uploads to the Service

Categories of Personal Data:

  • Identity and contact data: name, business email, phone (if provided), business address
  • Authentication data: password (hashed), session tokens, IP address, device identifiers, and browser metadata
  • Billing data: last four digits of payment card, billing address, transaction history (full card numbers are not received or stored by SignalAEO; they are handled by Stripe)
  • Usage data: feature interactions, dashboard actions, search queries entered within the Service, error logs
  • Configuration data: keywords, target markets, business profile settings that Customer configures for monitoring
  • Support communications: tickets, emails, and attachments exchanged with our support team

SignalAEO does not intentionally Process special categories of Personal Data (GDPR Article 9) or sensitive Personal Information (CCPA/CPRA). Customer is responsible for not submitting such data to the Service outside of what is necessary for the operation of the Service.


Obligations of SignalAEO (Processor)

SignalAEO agrees that when Processing Personal Data on behalf of Customer, SignalAEO will:

  • Process Personal Data only on Customer's documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by law to which SignalAEO is subject (in which case SignalAEO will inform Customer of that legal requirement before Processing, unless that law prohibits such information)
  • Ensure that personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Take all measures required by GDPR Article 32 and equivalent provisions of other Data Protection Laws regarding the security of Processing
  • Assist Customer, taking into account the nature of the Processing, in fulfilling Customer's obligations to respond to requests from data subjects exercising their rights
  • Assist Customer in ensuring compliance with GDPR Articles 32 through 36, taking into account the nature of Processing and the information available to SignalAEO
  • Return all Personal Data to Customer or delete it at the end of the provision of Services, and delete existing copies, unless applicable law requires storage of the Personal Data
  • Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in "Audits and Inspections" below

Obligations of Customer (Controller)

Customer represents and warrants that:

  • It has the right to Process Personal Data it submits to the Service and to instruct SignalAEO to Process that Personal Data on its behalf
  • Its Processing instructions to SignalAEO comply with applicable Data Protection Laws
  • It has provided all notices and obtained all consents and authorizations required under applicable Data Protection Laws for SignalAEO's Processing of Personal Data as contemplated by this DPA
  • It will respond in a timely and effective manner to inquiries from data subjects, supervisory authorities, and other third parties regarding the Processing of Personal Data

Sub-processors

Customer grants SignalAEO general written authorization to engage Sub-processors to Process Personal Data on Customer's behalf, subject to the terms of this Section.

A current list of authorized Sub-processors is published at /subprocessors/. Before engaging a new Sub-processor or replacing an existing one, SignalAEO will:

  • Update the Sub-processors list at least 30 days before the new Sub-processor begins Processing Personal Data
  • Send email notice to account administrators when a new Sub-processor is added, if Customer has subscribed to those notifications
  • Impose contractual obligations on the Sub-processor that are at least as protective as those in this DPA, in compliance with GDPR Article 28(4)

Customer may object to the engagement of a new Sub-processor on reasonable grounds relating to data protection by notifying SignalAEO in writing within the 30-day notice period. In the event of such an objection, the parties will work in good faith to find a mutually acceptable resolution. If no resolution is reached, Customer may terminate the affected subscription by providing written notice, without liability for fees for unused subscription periods after termination.

SignalAEO remains fully liable to Customer for the performance of its Sub-processors' obligations.


International Data Transfers

SignalAEO is based in the United States and Processes Personal Data primarily in the United States. If Customer transfers Personal Data from the European Economic Area ("EEA"), United Kingdom, or Switzerland to SignalAEO, the following transfer mechanisms apply:

  • EEA transfers: The EU Standard Contractual Clauses (Module Two: transfer Controller to Processor) adopted by the European Commission on 4 June 2021 are hereby incorporated into this DPA by reference. Customer is the "data exporter" and SignalAEO is the "data importer."
  • UK transfers: The UK International Data Transfer Addendum to the EU Commission SCCs (Version B1.0, in force 21 March 2022) is hereby incorporated by reference, and the SCCs above are deemed modified by the UK Addendum with respect to transfers subject to UK law.
  • Swiss transfers: The SCCs are deemed modified as necessary to comply with the Swiss FADP, with references to "Member States" interpreted to include Switzerland and the competent supervisory authority being the Swiss Federal Data Protection and Information Commissioner.

SignalAEO will maintain Transfer Impact Assessments for its use of US-based Sub-processors, where applicable, and make summaries available on request to contact@signalaeo.com.


Security Measures

SignalAEO implements and maintains appropriate technical and organizational measures to protect Personal Data, consistent with GDPR Article 32. The current measures are described in our Security page and include, at minimum:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Access controls enforcing least privilege for personnel with access to production systems
  • Network segregation between production, staging, and development environments
  • Logging and monitoring of access to production systems and Personal Data
  • Regular backup with tested restoration procedures
  • Security awareness training for all personnel with access to Personal Data
  • Incident response procedures and a documented breach notification process

Data Subject Rights and Assistance

SignalAEO will assist Customer, by appropriate technical and organizational measures and insofar as possible, in fulfilling Customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection, or rights related to automated decisions).

If SignalAEO receives a request directly from a data subject concerning Personal Data Processed on behalf of Customer, SignalAEO will, unless legally required to respond, promptly forward the request to Customer and will not respond to the request directly without Customer's prior written authorization.

SignalAEO will use commercially reasonable efforts to support Customer's response to data subject requests within 30 days of Customer's request for assistance.


Breach Notification

SignalAEO will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data, and in any event within 72 hours. The notice will include, to the extent known at the time of notice:

  • A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned
  • The name and contact details of SignalAEO's point of contact for the breach
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate adverse effects

SignalAEO will cooperate with Customer and provide information reasonably necessary to enable Customer to meet its own notification obligations to regulators and data subjects. Notifications will be sent to the email address on file for Customer's account administrator; Customer is responsible for keeping that email current.


Audits and Inspections

SignalAEO makes available to Customer, upon reasonable prior written request (not more than once per 12-month period unless otherwise required by applicable law or regulator), information necessary to demonstrate compliance with this DPA, including:

  • Completed security questionnaires (SIG Lite, CAIQ) at SignalAEO's discretion
  • Summary reports from independent third-party assessments of SignalAEO's security program, when available
  • Documented security controls and policies relevant to the Processing of Customer's Personal Data

Where independent third-party assessments are not available and Customer has demonstrated good-faith concern relating to SignalAEO's compliance with this DPA, the parties will cooperate in good faith to scope a reasonable audit at Customer's expense, subject to confidentiality obligations and reasonable limits on scope, timing, and disruption to SignalAEO's operations.


Return and Deletion of Data

Within 30 days of termination or expiration of the Customer's subscription, Customer may request the return of its Personal Data in a commonly-used machine-readable format. After the earlier of (a) completion of the return, or (b) 90 days after termination, SignalAEO will delete or anonymize Personal Data Processed on behalf of Customer, except for copies that must be retained to comply with applicable law or for backup purposes in accordance with SignalAEO's standard retention schedule.


Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.


Term and Termination

This DPA takes effect on the Effective Date and remains in force for as long as SignalAEO Processes Personal Data on behalf of Customer under the Terms of Service. Termination of the Terms of Service automatically terminates this DPA, subject to any obligations that survive termination (confidentiality, return or deletion of Personal Data, ongoing obligations relating to breaches that occurred before termination).


How to Execute This DPA

This public DPA reflects the current standard terms offered by SignalAEO. Customers who require a countersigned copy may request one by emailing contact@signalaeo.com with:

  • The legal name and mailing address of the Customer entity
  • The name, title, and email of the authorized signatory
  • Any customer-specific data transfer annexes or customer-specific security questionnaires you need completed

We will return a DPA with the Standard Contractual Clauses pre-populated and ready for electronic signature, typically within five business days.


Contact

SignalAEO LLC
3300 Triumph Blvd, Suites 100 and 200
Lehi, UT 84043
Legal: contact@signalaeo.com
Privacy: contact@signalaeo.com