Last updated: 2026-06-10
This Data Processing Agreement ("DPA") forms part of the agreement between SwooshRank ("Processor," "we," or "us") and the customer ("Controller," "you") for use of the Service. It governs our processing of personal data on your behalf and applies to the extent the GDPR, UK GDPR, CCPA, or other applicable data-protection laws apply. Capitalized terms not defined here have the meaning given in those laws.
1. Roles and Scope
For personal data you provide or that we process to deliver the Service, you act as the Controller and we act as the Processor. We process personal data only to provide the Service and on your documented instructions, which include this DPA, our Terms of Service, and your use of the Service. The subject matter, nature, and purpose of the processing, the types of personal data, and the categories of data subjects are described in our Privacy Policy.
2. Processing Instructions
We will process personal data only on your documented instructions, including regarding international transfers, unless required to do otherwise by law — in which case we will inform you, unless that law prohibits it. We will promptly notify you if, in our opinion, an instruction infringes applicable data-protection law.
3. Confidentiality
We ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations. These obligations survive the end of their engagement.
4. Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption of personal data in transit and at rest
- Least-privilege, role-based access controls and authentication
- Logical separation of customer data
- Regular review of our security practices
- Incident-response and breach-notification procedures
5. Sub-processors
You authorize us to engage the sub-processors listed at swooshrank.com/legal/sub-processors. We impose data-protection obligations on each sub-processor that are substantially equivalent to those in this DPA, and we remain responsible for their performance. We will give you at least 30 days' notice before adding or replacing a sub-processor, during which you may object on reasonable data-protection grounds.
6. Data Subject Requests
Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, in responding to data-subject requests to exercise their rights (access, rectification, erasure, restriction, portability, and objection). If we receive such a request directly, we will forward it to you and will not respond except on your instructions or as required by law.
7. Personal Data Breach
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and will provide information reasonably available to us to help you meet your notification obligations.
8. Assistance and Records
Taking into account the nature of processing and the information available to us, we will assist you with data-protection impact assessments and prior consultations with supervisory authorities where required. On reasonable request, we will make available information necessary to demonstrate compliance with this DPA.
9. International Transfers
Where we transfer personal data subject to the GDPR or UK GDPR outside the EEA or UK, we rely on a valid transfer mechanism, such as the Standard Contractual Clauses, which are incorporated into this DPA by reference where applicable.
10. Audits
On reasonable prior written notice, and no more than once per year (unless required by a supervisory authority), we will make available information necessary to demonstrate compliance with this DPA and allow for audits conducted in a manner that minimizes disruption and protects the confidentiality and security of other customers' data.
11. Return and Deletion
On termination of the Service, we will, at your choice, delete or return personal data we process on your behalf and delete existing copies, unless applicable law requires continued storage.
12. Liability and Governing Law
Each party's liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the same law as the Terms of Service, except where applicable data-protection law requires otherwise.
13. Contact
For questions about this DPA or our data-processing practices, email hello@swooshrank.com.