Data Processing Agreement
Effective Date: March 29, 2026
Last Updated: March 29, 2026
This Data Processing Agreement (“DPA”) supplements the Terms of Service and forms part of the agreement between Seeniq LLP, a Limited Liability Partnership registered in India (“Processor,” “we,” “us”) and the subscribing entity (“Controller,” “you,” “your”) for the processing of personal data in connection with the Seeniq platform.
This DPA applies to Agency plan customers and any customer who requires a DPA for compliance purposes.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person processed by Seeniq on behalf of the Controller.
“Processing” means any operation performed on Personal Data, including collection, storage, use, analysis, transmission, and deletion.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“Sub-Processor” means any third party engaged by Seeniq to process Personal Data on behalf of the Controller.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope of Processing
2.1. Categories of Data Subjects
- Practice owners and authorized users (account holders)
- Dental providers listed in public NPI records associated with the practice
- Individuals who appear in publicly posted Google reviews
2.2. Types of Personal Data Processed
- Account data: name, email address, password hash
- Billing data: Paddle customer ID, subscription status (full payment data stored by Paddle)
- Practice contact data: practice name, address, phone, website, hours, rating, review count, and categories (from Google Places API and business directory listings)
- Provider data: provider name, credentials, and taxonomy (from public professional registries)
- Review data: reviewer display name, review text, rating (from public Google reviews)
- AI engine response data: text responses and source citations from ChatGPT, Gemini, Perplexity, and Google AI Overview containing practice references
- Website and SEO data: page performance metrics, structured data markup, domain authority, keyword rankings, and technology stack
- Usage data: IP address, browser type, device type, pages visited
2.3. Purpose of Processing
- Providing AI visibility monitoring and audit services
- Generating audit reports comparing AI responses to ground truth
- Enriching practice profiles with public SEO and authority data
- Processing payments and managing subscriptions (via Paddle)
- Sending transactional communications (reports, alerts)
2.4. Data NOT Processed
- Protected Health Information (PHI)
- Patient data of any kind
- Data from internal practice systems (EHR, PMS)
- Financial data beyond subscription billing
3. Processor Obligations
3.1. We will process Personal Data only on documented instructions from the Controller, unless required by applicable law (including Indian law).
3.2. We will ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
3.3. We will implement appropriate technical and organizational security measures as described in Section 6, consistent with Section 43A of the IT Act, 2000.
3.4. We will assist the Controller in responding to Data Subject requests within the timeframes specified in our Privacy Policy.
3.5. We will assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required.
3.6. We will delete or return all Personal Data upon termination of the Service, at the Controller’s choice, within 30 days. Backup copies will be purged within 90 days.
3.7. We will make available all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 8.
4. Controller Obligations
4.1. The Controller warrants that it has a lawful basis for providing Personal Data to Seeniq.
4.2. The Controller is responsible for ensuring that Data Subjects are informed about the processing.
4.3. Agency customers are responsible for obtaining authorization from practice owners before adding their practice to the Service.
5. Sub-Processors
5.1. Authorized Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database hosting | US (us-east-2) |
| Vercel | Application hosting | US / Global Edge |
| Paddle (UK) | Merchant of Record — payments, tax, invoicing | UK / US |
| Resend | Email delivery | US |
| Upstash | Redis caching | US |
| OpenAI | AI engine queries | US |
| | AI engine queries, practice verification | US |
| Perplexity | AI engine queries | US |
| Anthropic | AI response analysis | US |
| DataForSEO | SEO and business data | EU / US |
5.2. Sub-Processor Changes
We will notify the Controller via email at least 14 days before adding or replacing a Sub-Processor. The Controller may object within 14 days. If we cannot reasonably accommodate the objection, the Controller may terminate the affected Service.
5.3. Sub-Processor Liability
We remain liable for the acts and omissions of our Sub-Processors.
6. Security Measures
Access Control
- Role-based access control with least-privilege principle
- Supabase Row Level Security (RLS) policies
- Service role keys isolated to server-side operations
Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest (Supabase managed)
- Environment variables for all secrets and API keys
Application Security
- Input validation and sanitization on all endpoints
- Rate limiting on public API routes
- Cascade deletion to prevent orphaned data
These measures are aligned with IS/ISO 27001 standards as referenced by the IT Act, 2000 (Section 43A) and the Information Technology (Reasonable Security Practices and Procedures) Rules, 2011.
7. Data Breach Notification
7.1. We will notify the Controller of a Data Breach without undue delay and no later than 72 hours after becoming aware of it.
7.2. The notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
7.3. We will cooperate with the Controller in investigating and remediating the breach.
7.4. Where required under the DPDP Act, 2023, we will also notify the Data Protection Board of India.
8. Audits
8.1. The Controller may audit our compliance with this DPA once per year, with 30 days’ written notice.
8.2. As an alternative to an on-site audit, we may provide a summary of our most recent security assessment, responses to a security questionnaire, or relevant compliance certifications.
9. International Data Transfers
9.1. Seeniq LLP is based in India. Personal Data is processed and stored in the United States (Supabase/AWS us-east-2).
9.2. For transfers from the EU/EEA/UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor).
9.3. For data originating from India, cross-border transfers comply with the DPDP Act, 2023. If the Central Government restricts transfers to certain jurisdictions, we will work with the Controller to ensure compliance or provide alternative hosting arrangements.
9.4. Upon request, we will execute SCCs with the Controller.
10. Duration and Termination
10.1. This DPA is effective for the duration of the Controller’s subscription.
10.2. Upon termination, we will delete all Personal Data within 30 days. The Controller may request a data export (JSON format) before deletion.
10.3. Obligations regarding confidentiality and data security survive termination.
11. Liability
Liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party’s liability for breaches of data protection law (including the DPDP Act, 2023 and GDPR) to the extent such limitation is not permitted by applicable law.
12. Conflict
In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.
13. Contact
For DPA-related inquiries:
- Privacy Email: privacy@getseeniq.com
- Legal Email: legal@getseeniq.com
- Grievance Officer: grievance@getseeniq.com