HomeLegal › Data Processing Terms

Data Processing Terms

📅 Effective Date: January 1, 2025 🔄 Last Updated: March 15, 2025 🌍 Governing Law: California, USA / EU GDPR

These Data Processing Terms ("DPT") supplement RankForge's Terms of Service and Privacy Policy. They govern the processing of Personal Data by RankForge on behalf of its clients in compliance with applicable data protection laws, including the GDPR, CCPA, and other regional regulations.

1. Introduction & Scope

These Data Processing Terms ("DPT") apply to all personal data processed by RankForge LLC ("Processor", "we", "us", "our") on behalf of our clients ("Controller", "you", "your") in the course of providing SEO strategy, digital marketing, web analytics, and related services.

This agreement is incorporated by reference into the Master Services Agreement ("MSA") between the parties. In the event of a conflict, these DPT shall prevail with respect to data processing obligations.

2. Definitions

  • "Applicable Data Protection Law" means GDPR, CCPA/CPRA, LGPD, PIPEDA, and any other local/industry regulations governing personal data.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" includes collection, storage, analysis, reporting, transfer, and deletion.
  • "Data Subject" refers to the individual to whom the Personal Data relates.
  • "Controller" is the client who determines the purposes and means of processing.
  • "Processor" is RankForge, processing data solely per Controller instructions.

3. Processing Purposes

RankForge processes Personal Data strictly for the following purposes:

  1. SEO performance tracking and campaign optimization
  2. Web analytics, user behavior analysis, and conversion tracking
  3. Content strategy development and audience segmentation
  4. Reporting, dashboards, and client communication
  5. Compliance with legal obligations and contract fulfillment
Note: RankForge will not process Personal Data for any purpose outside the scope of the Services without prior written consent from the Controller.

4. Data Types & Categories of Data Subjects

Types of Personal Data Processed:

  • Contact information (names, email addresses, phone numbers)
  • Technical/usage data (IP addresses, cookies, browser fingerprints, device IDs)
  • Analytics data (page views, session duration, bounce rates, conversion events)
  • CRM/Lead data (form submissions, newsletter subscriptions, customer support tickets)

Categories of Data Subjects: Website visitors, newsletter subscribers, leads, customers, and internal employees (where applicable for internal testing).

5. Controller Obligations

The Controller warrants that:

  • It has obtained all necessary consents and lawful bases for processing Personal Data.
  • It has provided transparent privacy notices to Data Subjects.
  • Processing by RankForge complies with Applicable Data Protection Laws.
  • It will promptly respond to Data Subject requests in coordination with RankForge.

6. Processor Obligations

RankForge agrees to:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure personnel are bound by confidentiality and data protection training.
  • Implement appropriate technical and organizational security measures.
  • Assist the Controller in responding to Data Subject rights requests.
  • Maintain a record of processing activities and make it available upon request.

7. Sub-processors

RankForge may engage trusted sub-processors for hosting, analytics, email delivery, and reporting. Current sub-processors include:

  • Cloudflare (CDN & Security)
  • Google Analytics & Looker Studio
  • SendGrid/Mailgun (Transactional Email)
  • Ahrefs/SEMrush (SEO Intelligence)
  • AWS/Google Cloud (Data Storage & Processing)

RankForge maintains a binding data processing agreement with each sub-processor. The Controller may object to new sub-processors with 15 days' written notice.

8. Security Measures

RankForge implements industry-standard safeguards including:

  • End-to-end encryption (TLS 1.3 in transit, AES-256 at rest)
  • Role-based access control and MFA for all systems
  • Regular vulnerability scanning and penetration testing
  • Network segmentation and intrusion detection
  • Strict data minimization and retention policies
  • Employee background checks and NDAs

9. Data Breach Notification

In the event of a Personal Data breach, RankForge will:

  1. Notify the Controller without undue delay (maximum 24 hours) after becoming aware.
  2. Provide details including nature of breach, categories of data, likely consequences, and remediation steps.
  3. Assist the Controller in regulatory notification and Data Subject communication.

10. Data Subject Rights

RankForge will assist the Controller in facilitating Data Subject rights, including:

  • Right to access, rectification, erasure, and restriction
  • Right to data portability
  • Right to object to processing
  • Withdrawal of consent mechanisms

Assistance requests must be submitted via the designated compliance channel. RankForge will respond within 10 business days.

11. International Transfers

Where Personal Data is transferred outside the EEA/UK, RankForge ensures compliance via:

  • EU Standard Contractual Clauses (SCCs) or UK International SCCs
  • Transfer Impact Assessments (TIAs) for high-risk jurisdictions
  • Supplementary technical measures (encryption, pseudonymization)

12. Data Deletion & Return

Upon termination of services or written request, RankForge will securely delete or return all Personal Data, except where retention is required by law. Certified destruction records will be provided within 30 days.

13. Audit & Monitoring

The Controller may request an audit or certification of RankForge's compliance with these DPT annually or upon reasonable suspicion of non-compliance. Audits will be conducted with 30 days' notice and at the Controller's expense unless regulatory-mandated.

14. Liability & Indemnity

Each party shall be liable for breaches of their respective obligations under these DPT. RankForge's liability shall be proportionate to its role in the processing. Indemnification applies to fines and claims arising from processor negligence or unauthorized processing.

15. Contact & Data Protection Officer

For compliance inquiries, DSR requests, or audit coordination, contact:

Data Protection Officer (DPO)
📧 compliance@rankforge.com
📞 +1 (555) 123-4567 (Ext. 802)
📍 123 SEO Boulevard, Suite 400, San Francisco, CA 94102
⏰ Response Time: Within 48 business hours

These terms may be updated to reflect legal changes or operational improvements. Clients will receive 30 days' advance notice of material modifications.