Last updated: 2026-04-26
Placeholder: This document is a template — replace with legal copy reviewed by counsel before launch.
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between SwooshRank, operated by [Company TBD] ("Processor"), and you, the organization using SwooshRank ("Controller"). This DPA applies to the extent that SwooshRank processes personal data on your behalf in accordance with GDPR, CCPA, and other applicable data protection laws. The processing activities, data categories, and types of data subjects are as described in the SwooshRank Privacy Policy.
2. Data Processing Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with respect to transfers of personal data to a third country, unless required to do so by applicable law; in that case the Processor shall inform the Controller of the legal requirement before processing, unless that law prohibits such notice. The Processor shall ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate legal obligation of confidentiality.
3. Sub-processors
The Processor may engage sub-processors as listed in the Privacy Policy, including Stripe, Clerk, OpenAI, Anthropic, Resend, Vercel, and Railway. The Processor shall:
- Provide a current list of authorized sub-processors to the Controller
- Inform the Controller of any intended changes regarding the addition or replacement of sub-processors at least 30 days in advance
- Give the Controller the opportunity to object to new or replacement sub-processors
- Impose data protection obligations on sub-processors equivalent to those in this DPA
4. Security Measures
The Processor implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit using TLS 1.3 or higher
- Encryption of personal data at rest using AES-256 or equivalent
- Least-privilege, role-based access controls, with user authentication provided by Clerk
- Regular security assessments and vulnerability testing
- Incident response procedures and breach notification protocols
- A roadmap toward SOC 2 Type II attestation (targeted for 2026); this is a planned measure, not a current attestation
5. Data Subject Rights
Taking into account the nature of the processing, the Processor shall, by appropriate technical and organizational measures, assist the Controller by:
- Providing personal data and information necessary for the Controller to fulfill data subject requests for access, deletion, portability, and correction
- Providing self-service mechanisms for access and portability (data export) via /api/gdpr/export and for deletion via /api/gdpr/delete
- Assisting with data subject requests within 30 days of receipt
- Ensuring sub-processors comply with data subject rights requests
6. Confidentiality
The Processor ensures that persons authorized to process personal data have committed to confidentiality or are under an appropriate legal obligation of confidentiality. Upon termination of services, confidentiality obligations continue to apply to all personnel who had access to personal data.
7. International Data Transfers
The Processor is located in the United States. For personal data subject to GDPR or equivalent laws originating from the European Union, United Kingdom, or other regions, the Processor relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission (and, for UK data, the UK International Data Transfer Addendum or an equivalent approved instrument) to ensure adequate safeguards for international transfers. The Controller consents to such transfers by entering into this DPA.
8. Personal Data Breach Notification
If there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data, the Processor shall notify the Controller without undue delay and in no case later than 72 hours after becoming aware of the breach, providing information about the nature of the breach, the categories and approximate number of data subjects and personal data records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Note for counsel: under GDPR Article 33 the Controller itself must notify the supervisory authority within 72 hours of becoming aware of a breach, so a shorter Processor notification window should be considered so that the Controller can meet its own deadline.
9. Assistance with Compliance
The Processor shall assist the Controller in complying with its obligations under applicable data protection laws, including:
- Data protection impact assessments (DPIA)
- Data protection by design and default implementation
- Cooperation with supervisory authorities and data protection authorities
10. Audit Rights
The Controller may, upon 30 days' written notice and no more than once per calendar year, audit the Processor's compliance with this DPA and applicable data protection laws. Audits shall be conducted at reasonable times and in a manner that minimizes disruption to the Processor's operations. The Controller may also engage a third-party auditor on its behalf, provided that the auditor is bound by confidentiality obligations.
11. Return and Deletion of Data
Upon termination of the agreement or at the Controller's request, the Processor shall, at the Controller's choice, return or securely delete all personal data and existing copies unless applicable law requires storage. Deletion shall be confirmed in writing within 30 days. The Processor may retain personal data to the extent and for the period required by applicable law.
12. Governing Law and Dispute Resolution
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions. Any disputes arising from this DPA shall be resolved in the courts of Delaware. Notwithstanding the foregoing, for data protection matters, the substantive law of the jurisdiction from which the data originated shall apply.
13. Changes to This DPA
The Processor may update this DPA with 30 days' notice to the Controller. Significant changes that materially affect data protection obligations shall be communicated in advance, and the Controller may object to changes by discontinuing use of the Service.
14. Contact
For questions or concerns regarding this DPA or data processing practices, please contact legal@swooshrank.com.
This is initial boilerplate pending review by qualified counsel. Refer to the latest version at /legal/dpa.