US Data Processing Agreement

v.February, 2025

BY ACCEPTING THIS DATA PROCESSING AGREEMENT ON BEHALF OF CUSTOMER, YOU WARRANT THAT: (A) YOU HAVE FULL LEGAL AUTHORITY TO BIND CUSTOMER TO THIS DATA PROCESSING AGREEMENT; (B) YOU HAVE READ AND UNDERSTAND THIS DATA PROCESSING AGREEMENT; AND (C) YOU AGREE ON BEHALF OF CUSTOMER, TO THIS DATA PROCESSING AGREEMENT. IF YOU DO NOT HAVE THE LEGAL AUTHORITY TO BIND CUSTOMER, PLEASE DO NOT ACCEPT THESE DATA PROCESSING TERMS.

This Data Processing Agreement (the “Agreement”) is entered into by and between:

Entity: [Customer Name]
Address: [Customer Address]
Company reg. no: [Customer Company Registration Number]
("the Customer")

Entity: Siteimprove, Inc
Address: 5600 West 83rd Street, Suite 500, Bloomington, MN 55437
Company reg. no: 2799877
("the Supplier")

("the Customer") have entered into the below Data Processing Agreement (“the Agreement”) on the Supplier’s processing of personal data on the Customer’s behalf:

1. General terms

1.1 The Supplier processes personal data for the Customer pursuant to the agreement with the Customer on purchases of the Supplier’s online services (“the Master Subscription Agreement”). The Data Processing Agreement will take precedence over any corresponding or conflicting provisions in the Master Subscription Agreement and any other contractual documents.

1.2 This DPA concerns the Supplier’s obligation to comply with the requirements for processing Personal Information set forth in the California Privacy Rights Act of 2018 (“CCPA”).

1.3 Capitalized terms identified in this Agreement shall have the same meaning as defined in the CCPA, unless otherwise noted.

2. The Customer’s rights and obligations

2.1 The Customer is the Business for the Personal Information which the Customer instructs the Supplier to process; see Clause 4 of the Agreement.

2.2 The Customer has the rights and obligations vested in a Business pursuant to the CCPA; see Clause 1.2 of the Agreement.

2.3 The Customer is responsible for ensuring that the Personal Information that the Customer instructs the Supplier to process may be processed by the Supplier, including that there is no particularly sensitive Personal Information on the Customer’s website.

3. The Supplier’s Obligations

3.1 The Supplier is the Service Provider of the Personal Information processed by the Supplier on the Customer’s behalf; see Clause 4 and Appendix 3 of the Agreement.

3.2 The Supplier only processes received Personal Information in accordance with documented instructions from the Customer and solely for the performance of the Master Subscription Agreement.

3.3 The Supplier must continuously keep a record of the processing of Personal Information.

3.4 The Supplier must secure the Personal Information via technical and organizational security measures; see Appendix 1 – Security.

3.5 The Supplier will, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation as a Business to respond to requests for exercising the Consumer’s rights.

3.6 The Supplier shall not Sell Personal Information.

4. Instructions

4.1 The Supplier will only process Personal Information on the Customer’s behalf in accordance with documented instructions; see Appendix 3. The Supplier is responsible for ensuring that any sub-processors (see Clause 5 of the Agreement) receive the Customer’s instructions; see Appendix 3.

4.2 The Supplier shall cooperate with Customer if a Consumer requests (i) access to his or her Personal Information, (ii) information about the categories of sources from which the Personal Information is collected, or (iii) information about the categories or specific pieces of the individual’s Personal Information, including by providing the requested information in a portable and, to the extent technically feasible, readily useable format.

4.3 The Supplier shall inform Customer in writing within five (5) business days of any requests it receives from individuals with respect to their Personal Information. The Supplier also shall direct the requesting individual to submit the request directly to Customer by contacting Customer as described in Customer’s then-current privacy policy.

4.4 Upon Customer’s request, the Supplier shall promptly delete a particular individual’s Personal Information from Supplier’s records. In the event Supplier is unable to delete the Personal Information for reasons permitted under the CCPA, Supplier shall (i) promptly inform Customer of the reason(s) for its refusal of the deletion request, (ii) ensure the privacy, confidentiality and security of such Personal Information, and (iii) delete the Personal Information promptly after the reason(s) for Supplier’s refusal has expired.

5. Sub-processors

5.1 A sub-processor is a sub-supplier to which the Supplier has transferred all or parts of the processing of Personal Information which the Supplier performs on the Customer’s behalf.

5.2 The Customer gives Siteimprove a prior, general, written approval for the use of Sub-processors. At the date of the DPA, Siteimprove is using the Sub-processors listed in Appendix 2. The Customer cannot refuse to approve addition or replacement of a sub-processor unless there are specific reasoned grounds for this.

5.3 If the Supplier leaves the processing of Personal Information to sub-processors, the Supplier must enter into a written data (sub-)processing agreement with the sub-processor.

5.4 The data sub-processing agreement must impose on the sub-processor the same data protection obligations imposed on the Supplier under this Agreement, including that the sub-processor guarantees to be able to deliver sufficient expertise, reliability and resources to be able to implement the appropriate technical and organizational measures.

5.5 If the Supplier leaves the processing of Personal Information to sub-processors, the Supplier is responsible to the Customer for the sub-processors’ compliance with their obligations; see Clause 5.4 of the Agreement.

5.6 All communication between the Customer and the sub-processor will take place via the Supplier.

6. Technical and organizational security measures

6.1 The Supplier shall comply with all applicable provisions of the CCPA, including implementing and maintaining reasonable security measures to safeguard any Personal Information that the Customer discloses to Supplier under the Master Subscription Agreement.

6.2 The Supplier is obliged to instruct its employees who have access to or otherwise handle the processing of the Customer’s Personal Information, about the Supplier’s obligations, including the provisions on a duty of confidentiality; see Clause 8 of the Agreement.

6.3 At least once a year, the Supplier must review its internal security regulations and guidelines for processing of personal data to ensure that the necessary security measures are constantly observed; see Appendix 1 - Description of the technical and organizational security measures implemented.

7. Data Breach

7.1 The Supplier is obliged to notify the Customer of any personal data breach immediately after the occurrence thereof.

7.2 The Supplier must not communicate a personal data breach publicly or to third parties without a prior written agreement with the Customer about the contents of such communication unless the Supplier has a legal obligation to provide such communication.

8. Duty of confidentiality

8.1 During the term of the Master Subscription Agreement and after its termination, the Supplier has a duty of complete confidentiality about all information of which the Supplier becomes aware during the cooperation.

8.2 The Supplier must ensure that anyone who is authorized to process Personal Information covered by the Agreement, including employees, third parties (e.g. a technician) and sub-processors, undertake a duty of confidentiality or are subject to an appropriate statutory duty of confidentiality.

9. Amendments to the Agreement

9.1 The Customer may, at any given time and at minimum thirty (30) days’ prior notice, make amendments to the Agreement and the instructions; see Appendix 3 – Instructions. Unless the costs for such amendments are specified in the Master Subscription Agreement, pricing must be agreed before the amendments take effect.

9.2 The Customer is entitled to make amendments to the Agreement at thirty (30) days’ notice and without this triggering a claim for payment from the Supplier to the extent to which amendments to legislation (see clause 1.2 of the Agreement) or changes to the established practice give rise to this.

10. Governing law

10.1 This Agreement will be governed by and construed in accordance with the laws of California. In the event of any suit or proceeding arising out of or related to this Agreement, the courts of California will have exclusive jurisdiction and the parties will submit to the jurisdiction of those courts.

11. Commencement and term

11.1 The Agreement is entered into when signed by both parties and will run until the termination of the Master Subscription Agreement or until it is replaced by another valid data processing agreement.

Signatures

By signing this Agreement, both parties agree to have read and understood this Agreement in its entirety. The person signing this Agreement represents and warrants that he or she is duly authorized and has the legal capacity to execute this Agreement.

On behalf of Siteimprove A/S:
Signature:
Name:
Position:
Date: February 18, 2025

On behalf of Customer:
Signature:
Name:
Position:
Date: February 18, 2025

Appendices:

Appendix 1 – Description of the technical and organizational security measures implemented

Appendix 2 – Sub-processors

Appendix 3 – Instructions

Appendix 1 - Description of the technical and organizational security measures implemented

1. Security measures in general

Siteimprove will implement and maintain technical and organizational measures to protect the personal data provided by Customers using our product and services against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access as described in this Appendix.

Siteimprove will continuously improve and develop its security and privacy measures in order to provide appropriate safeguards for protection of personal data. Information Security is an organizational unit comprised of three teams: Security Operations, Information Assurance and Governance, Risk and Compliance. Siteimprove has appointed a Director of Security role to lead this function, which reports to the Chief Information Officer. Specific details about the points in this Appendix can be found under References in section 23.

2. Security organization and approach

Siteimprove has developed a risk-based, holistic, and decentralized approach to Information Security and Privacy. Siteimprove acknowledges that risk management is the core of Information Security and that risks must be identified, addressed, and reduced to an acceptable level when discovered.

By this continuous approach, Siteimprove strives to improve the quality, reliability, and security of its work and services. Information Security and Privacy responsibilities are delegated throughout the organization to relevant staff such as line managers, process owners, and application owners.

Siteimprove will take appropriate steps to ensure that employees, contractors, and sub-processors comply with Siteimprove’s security policy to the extent applicable, taking their scope of performance into account. This includes ensuring that all persons authorized to process personal data provided by the Customer have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.

3. Security contact

The single point of contact for Siteimprove security matters is the Siteimprove Information Security team: security@siteimprove.com.

Siteimprove does not employ a Data Protection Officer, as the scale and nature of the data processing conducted by Siteimprove do not rise to the amount necessary to appoint one.

4. Vendor Management

In order to conduct business effectively, Siteimprove collaborates with various vendors. When choosing to collaborate with a vendor or to use new hardware and software, Siteimprove assesses the criticality and risks to the products and services provided by the vendor. This process is known as the “Vendor Management Process” within Siteimprove and it is a joint initiative between the Legal, Information Security, IT, and Finance departments.

Siteimprove makes sure to commit any vendor to confidentiality, and confidentiality clauses are a standard requirement in our supplier contracts. Data Processing Agreements and contractual model clauses are used to further ensure a secure collaboration.

The relationship with the vendor and associated documentation is inspected every year as part of an internal security audit.

5. Security incidents

5.1 As part of the Information Security policy, Siteimprove holds and maintains a Security Incident Response Plan based on guidelines from NIST (800-61). A security incident is an event for which there is a greater likelihood that data has left, or will leave, Siteimprove, but uncertainty remains about whether unauthorized acquisition or access has occurred. A security incident either has had, can have, or will have a negative impact on the confidentiality, integrity, and availability of Siteimprove informational and technological assets.

5.2 Examples of security incidents include:

5.2.1 Virus/ransomware infection

5.2.2 Suspicious activity on company devices or accounts

5.2.3 Former employee suspected of accessing Siteimprove network or tools after contract termination.

5.3 Security incidents generally require further investigation to determine whether data or assets were improperly accessed or acquired (i.e. whether the incident could be classified as a breach). To aid in the investigation, security incidents are classified and handled with a priority based on the impact to the business and associated assets:

5.3.1 Critical - related to critical assets or situations that can lead to a disaster.

5.3.1.1 Handling: As soon as possible following notification/identification and solved as soon as possible

5.3.1.2 Example: Ransomware infection on multiple subnets with a high probability of infecting development or production servers

5.3.2 High - related to important assets or situations that can lead to a disaster.

5.3.2.1 Handling: Within two (2) hours of notification/identification and solved as soon as possible

5.3.2.2 Example: Ransomware infection on an isolated network segment

5.3.3 Medium - related to generic assets and situations affecting multiple users.

5.3.3.1 Handling: Within one (1) business day and solved within seven (7) business days

5.3.3.2 Example: Multiple user endpoints infected with adware

5.3.4 Low - related to generic assets and situations affecting one user.

5.3.4.1 Handling: Within three (3) business days and solved within ten (10) business days

5.3.4.2 Example: User endpoint infection with adware

5.4 The Security Incident Response Plan serves not only to address a specific security incident but also to provide critical input in the preparation against subsequent incidents. The main phases of the Security Incident Response plan are listed below:

5.4.1 Preparation

5.4.2 Identification

5.4.3 Containment

5.4.4 Investigation

5.4.5 Eradication

5.4.6 Recovery

5.4.7 Reporting

5.4.8 Lessons learned

5.5 Siteimprove commits to a notification via email to affected data controllers (customers/partners), specifically to the primary business contact registered upon contract signing, as soon as possible but no later than 48 hours after reasonable suspicion of a Data Breach. If there is an operational impact, updates will appear on status.siteimprove.com as well.

6. Pseudonymization and encryption

Siteimprove assures the confidentiality and integrity of personal data by using and supporting the latest recommended secure cipher suites and protocols for encryption.

Concerning Data in transit - The Siteimprove Intelligence Platform is only accessible using HTTPS on TLS 1.2.

Concerning Data at rest - User passwords are salted and hashed using SHA512. Confidential Customer data is encrypted using Transparent Data Encryption (TDE).

Pseudonymization is applied wherever feasible, by separating direct and indirect identifiers, in order to facilitate secure and private processing. Likewise, data is logically segregated in order to ensure confidentiality of the information.

7. Data retention and backup

7.1 Siteimprove will store personal data provided by the Customer:

7.1.1 As long as the Agreement between Siteimprove and Customer stands, we process and retain the personal data provided by the Customer.

7.1.2 As soon as the Agreement between Siteimprove and Customer is terminated, we initiate the deletion of the specific personal data provided by the Customer, thus the retention period for the Customer ends.

7.2 However, Siteimprove will retain some information about the Customer after the contract termination, due to legal and financial requirements.

7.3 When the Agreement between Siteimprove and Customer is terminated, the following will happen:

7.3.1 The tables in the database, containing the customer results, history, and specific customizations to the Siteimprove Suite will be dropped.

7.3.2 Crawled website data (HTML) and/or any linked documents (such as PDF files) will be deleted.

7.3.3 Elimination from the backup scheme is initiated; due to the backup frequency and the technical setup, personal data will be fully rolled out of the backup scheme ninety (90) days after initiation.

7.4 Backup of personal data is completed on a regular and frequent basis, depending on the data in scope. Backup material is encrypted and transferred to an offsite location, which is part of Siteimprove’s infrastructure.

7.5 Personal data belonging to Customers within the EU will be stored, processed, and backed up in the EU components of the Siteimprove infrastructure.

8. Physical security

Siteimprove maintains geographically distributed data centers. Siteimprove stores all production data in physically secure data centers.

9. Interxion

Interxion is an ISO 27001:2013 (Information Security) and ISO 22301:2012 (Business continuity) certified data center provider. Interxion also undergoes a yearly SOC2 audit. Both the certificates and the audit report can be provided to customers, upon request. Further information about Interxion security posture can be found on their official website.

10. Amazon Web Services

AWS is a multi-certified data center provider, including certifications ISO 27001:2013 (Information Security) and SOC 1, 2, and 3. Further information about AWS security posture can be found on their official website.

11. SingleStore

SingleStore has secured industry-leading security certifications including ISO/IEC 27001, SOC 2 Type 2. Further information about SingleStore security posture can be found on their official website.

12. Siteimprove’s access to personal data provided by the Customer

The operation of Siteimprove services requires that some employees have access to the systems that store and process personal data provided by the Customer. These employees are prohibited from using these permissions to view the data unless it is a necessity. Technical controls and audit policies are in place and reviewed on a yearly basis to ensure that any access to personal data provided by the Customer is controlled and logged.

Employee access to sensitive or critical information processing facilities is managed in accordance with the "need to know and least privilege" principles, ensuring that access is granted only to resources that require it to perform their tasks. The assessment of granting access privileges must be based upon current job function responsibilities.

Employees’ passwords are protected according to current industry best practices (NIST 800-63), including an annual review of users in order to check correct operations. Multifactor authentication is implemented wherever technically feasible.

User activities related to personal data access and processing events are logged with the following details – username, IP address, time of the activity, activity, reason for the activity. User activity logs are kept for durations dependent on the business need. Logs are kept in a centralized logging solution, wherever technically feasible.

Logs are inspected as part of the internal security audit as well as external audits relevant to the specific area of logging (infrastructure supporting financial activities or infrastructure supporting product development).

13. User management within the Siteimprove suite

The customer is responsible for user management within the Siteimprove services. Access roles and rights within the application are predefined and detailed in the User Roles Right section of the KnowledgeBase. There is a minimum password policy in place, but this must be configured by the customer with more information being found on the Password Policy FAQ section of the KnowledgeBase. There is also a possibility to create additional user roles.

Regarding authentication, the platform uses its own repository of users with local authentication. It is possible to configure Single Sign On (SSO) depending on the selection of Siteimprove’s Technical Support Schemes available. Session hijacking is prevented by encryption in transit of the session, applying the "secure" flag to the session cookie.

14. Personnel practices and Security Awareness

Prior to employment with Siteimprove, candidates will be assessed and checked on their background, considering the position they will hold and the applicable law and regulations. Siteimprove has offices in many locations around the world and has HR resources who are familiar with local requirements. Criminal checks of employees prior to starting are normally only done for US employees.

Employees will be made aware of Security threats and practices during onboarding as well as on an ongoing basis, including the completion of the mandatory data protection training which includes data privacy contents. Upon employment, the employee signs the IT policy and Code of Conduct acknowledging that they have read and understood the document which is the basic set of rules which all employees must comply with, including the acceptable use of devices and networks.

All personnel are required to sign a Confidentiality Agreement as a condition of employment.

Any violation of Siteimprove policies, procedures, or code of conduct may result in disciplinary actions.

15. Network and host protection

To ensure the protection of information in networks, a 2nd generation firewall is installed with Deep Packet Inspection (DPI) and an Intrusion Prevention System (IPS).

Siteimprove uses industry-standard endpoint protection which relies on signature and heuristic-based detection. Servers are restricted to run only the services they are intended to.

16. Patch management

For user endpoints, Siteimprove has centrally managed patch management of OS, software, endpoint protection, and automatic deployment capabilities for applications and services. For servers, Siteimprove has the capability to rapidly patch vulnerabilities across all our computing devices, applications, and systems. Patches are assessed before being applied to production infrastructure equipment to minimize the risk of service disruption.

17. Service and data availability

The continuous operation of the services delivered by Siteimprove is reliant on the systems and infrastructure owned by Siteimprove as well as third parties who provide hosting or supporting services. IT infrastructure, Operations, and Development staff are monitoring the Siteimprove infrastructure for any risks that can affect the availability of the Siteimprove services. Core business systems run on Virtual Machines on High Availability infrastructure. The hardware used to house core business systems has redundant components.

Given the nature and implications of data security, data privacy, and information technology, Siteimprove cannot guarantee 100% availability to its services. To cover this gap, Siteimprove has prepared response procedures that can be invoked in case of an event that can affect the availability of the services.

In case of an availability issue: should any Service or any Service function or component not be available, Siteimprove will: (i) verify the outage; (ii) if the outage is verified, notify Customer as long as Customer has signed up for email alerts at https://status.siteimprove.com; (iii) resolve the outage or, if determined to be a matter that is not directly controllable, such as an internet provider problem, open a ticket with the internet provider; and notify Customer when the outage has been resolved, along with any pertinent findings.

In case of hardware failure: an agreement is in place with a provider that will replace failing hardware components in a short amount of time. Siteimprove Platform status can be checked on status.siteimprove.com.

Siteimprove maintains business impact assessments to determine its business-critical systems. Siteimprove maintains a Master Disaster Recovery Plan that is directly linked with individual Disaster Recovery plans for critical systems in place, which consist of documented technical procedures that will restore Siteimprove services in case of an outage. The plan is reviewed and tested on an annual basis.

Siteimprove also has a Business Continuity Plan in place which consists of documented organizational procedures and processes to be implemented during a Crisis to allow business operations to continue. During a Crisis, the goal of the Plan is to ensure information system uptime; data integrity and availability; and business continuity. The plan is set to be reviewed and tested on an annual basis.

18. Working remotely

Siteimprove employees are allowed to work remotely only when using a Siteimprove managed device (work laptop) and a Siteimprove approved connection to Siteimprove systems (VPN). Alternatives are not allowed nor technically possible.

19. Logging

All Siteimprove infrastructure and applications are monitored by the 24 by 7 Security Operations function to detect and respond to suspicious behaviour. This is supported by the Information Assurance & GRC functions which deliver risk management, compliance and audit.

Logs are used by operational and development teams to troubleshoot service delivery issues. Role based access control is applied to restrict staff from support functions to the data required to fulfil their role.

20. Data collection and cookies

When it comes to Siteimprove Analytics, Siteimprove collects customer website visitor analytics data via the script on your website, which passes information through our endpoints to datacenters. These endpoints are located based on customer location so that collection is done more efficiently.

To make the website and other communications related to Siteimprove services work properly, we place small text files (cookies) on the website visitor’s device. For more information about the usage of cookies, please visit https://support.siteimprove.com/hc/en-gb/articles/115000070092-Analytics-Technical-Specifications.

21. GDPR compliance

Siteimprove is committed to GDPR compliance in both its own internal processing of personal data as well as customer-use of the Siteimprove Intelligence Platform. For further information on this matter please visit Siteimprove’s Privacy and Security webpage.

22. Regular testing and evaluation of the effectiveness of the technical and organizational security measures

Internal security audit. In order to properly implement the Siteimprove Information Security policy, the Internal Security Audit is conducted every year, with the objectives of (i) assuring adherence to the Information Security Policy and other underlying policies, (ii) monitoring and following up on regulatory information security requirements relevant to Siteimprove (e.g., personal data processing), (iii) identifying new risks and (iv) indirectly raising employee awareness around Security and Privacy.

External security audit. Siteimprove undergoes yearly security audits from third parties to obtain an objective view over the effectiveness of the technical and organizational security measures.

Financial audit. Due to financial regulatory requirements, Siteimprove undergoes a financial audit on a yearly basis. The IT infrastructure related to the financial data processing is included in the audit and serves as an additional, external, objective method of assessing and evaluating the effectiveness of the technical and organizational security measures.

Penetration testing and vulnerability management. To continuously assure a reliable and secure product for Customers, Siteimprove has its application suite tested for security vulnerabilities, both internally and externally.

1. Internally, this is done through quality checks before each release as well as 'bug hunting' sessions, where Siteimprove’s developers will try out new features to discover if the application is not responding as it should.

2. Externally, this is done annually by a third-party entity that specializes in penetration testing services, which performs an annual assessment of OWASP top 25 vulnerabilities.

3. The process concludes with a vulnerability report which serves as input for the development of the application. Siteimprove, as with any other software developer company or cloud provider, cannot fully guarantee the lack of specific vulnerabilities due to the nature of the field – but Siteimprove does apply a reasonable amount of effort to prevent, identify and remediate vulnerabilities.

Code development and review. We follow Agile development methodology, which helps us to provide a quick and proper answer to any feedback given by our customers or internal quality assurance tests, assessing continuously the direction of the project during its development cycle. Our code runs through multiple individual (unit testing), automated (multiple tests in the CI/CD pipeline), and manual tests (through internal peer-review), and transitions through the development and staging environments, before being deployed to production.

Reviews of Security Documentation. After the parties have entered into a Non-Disclosure Agreement (NDA), Siteimprove will enable the Customer to review the following documents and information to demonstrate compliance with Siteimprove’s obligations:

1. the certificates issued for Siteimprove infrastructure providers in relation to the ISO 27001 Certification and the ISO 22301 Certification.

2. the then-current SOC 2 Report for Siteimprove infrastructure providers.

3. the then-current Penetration testing attestation for the Siteimprove Intelligence Platform.

4. the Siteimprove Business Continuity Plan.

5. the Siteimprove Master Disaster Recovery Plan.

23. References

https://siteimprove.com/en/privacy/

Appendix 2 – Sub-processors

This Appendix constitutes Siteimprove’s disclosure of sub-processors used to provide the Included Services. It is an integrated part of the Agreement, and its inclusion constitutes Customer’s agreement to the use of said sub-processors.

Company name: Cologix Minneapolis Data Centers
Company information: Registered office: 511 11th Ave S, Minneapolis, MN 55415, USA
Location and description of processing: Minnesota, USA. Primary hosting location for the Siteimprove infrastructure. This location contains the bulk of the Siteimprove application logic and the various database back-ends.

Company name: Amazon Web Services Inc. (AWS)
Company information: Registered office: 410 Terry Ave. N, Seattle, WA 98109-5210, United States
Location and description of processing: Ohio, USA. Hosting location for some of our service components, which mainly relates to the storage of crawled content from Customers' websites by the Quality Assurance service.

Company name: SingleStore Inc.
Company information: Registered office: 534 4th St, San Francisco, CA 94107, USA
Location and description of processing: Ohio, USA. Relational database used in order to deliver analytics-based services.

Appendix 3 – Instructions

1. Instructions

The Customer hereby instructs the Supplier to process the Customer’s data for use for operation and maintenance of the Customer’s website and to form an overview of the website traffic; see Master Subscription Agreement.

If the Supplier leaves the processing of the Customer’s data to sub-processors, the Supplier is responsible for entering into written data (sub-)processing agreements with these; see clause Error! Reference source not found. The Supplier is responsible for ensuring that the Customer’s instructions are sent to any sub-processors.

2. Purpose of the processing

The Supplier is a multinational software-as-a-service provider which gives customers access to cloud-based tools and services that automate the process of identifying errors, faults and deficiencies on websites. The Supplier’s Intelligence Platform constitutes a collection of integrated tools for management and optimization of website content, improvement of search engine optimization (SEO), monitoring of website performance and/or use of website analysis data. The Customer has purchased access to such services.

3. General description of data processing

The Supplier’s tools are designed and developed to collect and process content on customers’ websites, such as storage of cached copies of customers’ website content. In this connection, the Supplier collects and processes both personally attributable and not personally attributable data on the Customer’s website in connection with the provision of the services. If using Siteimprove Analytics, IP addresses of visitors to the Customer’s website will also be processed. Customer has the opportunity to use IP anonymization which means IP addresses will only be processed to the extent necessary to deliver essential parts of the Analytics services and to the extent technically necessary. After collection of IP addresses, they will be anonymized and thereby not traceable in the Siteimprove Intelligence Platform.

4. Type of Personal data

The data processing comprises personal data in the categories ticked below. The Supplier’s and any sub-processors’ level for security of processing should reflect the data sensitivity.

Ordinary personal data

Sensitive personal data

Data on individuals’ purely private affairs

Data about civil registration number

5. Categories of data subjects

Data are processed about the following categories of data subjects (e.g., citizens, students, employees etc.): Any person who may be stated or identifiable on the Customer’s website.