Data Processing Agreement (DPA)

This agreement governs how Sitemap.xml processes personal data on behalf of its customers ("Controllers"). It supplements and forms an integral part of our Terms of Service.

Effective: January 1, 2025
Last Updated: March 15, 2025
Governing Law: Delaware, USA & GDPR/CCPA compliant

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings ascribed below:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection legislation.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, storage, access, modification, or deletion.
  • "Controller" refers to the Customer who determines the purposes and means of Processing.
  • "Processor" refers to Sitemap.xml, which processes Personal Data on behalf of the Controller.
  • "Applicable Data Protection Law" includes GDPR, CCPA/CPRA, LGPD, and other relevant privacy regulations.

2. Scope & Purpose of Processing

Sitemap.xml provides automated web crawling, sitemap generation, indexing APIs, and analytics services. Processing of Personal Data occurs solely to fulfill these services, maintain platform security, ensure service reliability, and comply with legal obligations. Processing is strictly limited to the instructions documented in the Master Services Agreement (MSA) and technical documentation.

Note: Sitemap.xml does not use Customer Personal Data for its own marketing, profiling, or secondary purposes.

3. Categories of Personal Data Processed

The types of Personal Data we may process on your behalf include:

  • Account Data: Names, email addresses, and authentication tokens for user management.
  • Technical & Log Data: IP addresses, browser fingerprints, device identifiers, and access logs for crawling and API requests.
  • Website Metadata: URLs, page titles, content hashes, and indexing status tied to user-submitted sites.
  • Support Communications: Tickets, chat transcripts, and email correspondence containing user information.

4. Processor Obligations

Sitemap.xml agrees to:

  1. Process Personal Data only on documented instructions from the Controller, including transfers across borders, unless required by law.
  2. Ensure that personnel authorized to process Personal Data are subject to strict confidentiality obligations and regular privacy training.
  3. Implement appropriate technical and organizational security measures (detailed in Section 7).
  4. Assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability).
  5. Notify the Controller without undue delay (and no later than 48 hours) upon becoming aware of a personal data breach.
  6. At the Controller's direction, delete or return all Personal Data upon termination of the service, and delete existing copies unless storage is required by law.

5. Sub-Processors

Sitemap.xml engages third-party sub-processors to deliver infrastructure, analytics, and support services. We maintain full contractual control over all sub-processors and ensure they meet equivalent data protection standards. Current sub-processors include:

| Sub-Processor | Service / Function | Location | Framework / Certification |
|---|---|---|---|
| AWS / Cloudflare | Compute, Storage, CDN, DDoS Protection | US, EU | SOC 2 Type II, ISO 27001 |
| Datadog / Sentry | Performance Monitoring & Error Tracking | US | SOC 2 Type II |
| Intercom / Zendesk | Customer Support & Communication | US, EU | SOC 2 Type II, ISO 27001 |
| Stripe / Paddle | Payment Processing | Global | PCI DSS Level 1 |

Sub-processors may be added, changed, or removed with 30 days' prior written notice. Controllers may object to new sub-processors in writing, subject to commercial viability.

6. Data Security Measures

Sitemap.xml maintains an industry-standard security posture to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure. Measures include:

  • Encryption: AES-256 at rest, TLS 1.3+ in transit.
  • Access Control: Role-based access control (RBAC), multi-factor authentication (MFA), least-privilege principles.
  • Infrastructure: Isolated environments, automated patching, WAF, DDoS mitigation, continuous vulnerability scanning.
  • Logging & Monitoring: Immutable audit logs, real-time alerting, 24/7 SOC monitoring.
  • Incident Response: Documented IR playbook, tabletop exercises, forensic capability, and regulatory notification workflows.

7. International Data Transfers

Where Personal Data is transferred outside its country of origin, Sitemap.xml ensures an adequate level of protection through:

  • European Commission Standard Contractual Clauses (SCCs) for GDPR cross-border transfers.
  • Adequacy decisions where applicable.
  • Technical safeguards (encryption, tokenization, access restrictions) to minimize exposure.

Controllers warrant they have obtained all necessary consents or legal bases required under their local jurisdiction for cross-border transfers.

8. Audit & Compliance

Sitemap.xml undergoes annual third-party security audits (SOC 2 Type II, ISO 27001). Audit reports are available to Controllers upon request. For large-scale or enterprise engagements, on-site or remote audits may be conducted with reasonable notice and at the Controller's expense, subject to confidentiality and operational impact constraints.

9. Term, Termination & Data Return

This DPA remains in effect for as long as the MSA is active. Upon termination or cancellation, Sitemap.xml will securely delete or return all Personal Data within 30 days, except where retention is legally mandated. Certificates of destruction can be provided upon request.

10. Data Protection Officer (DPO) & Contact

For any inquiries regarding data processing, privacy practices, or to exercise data subject rights, please contact:

Data Protection Officer
Email: privacy@sitemap.xml
Address: 100 Innovation Drive, Suite 400, Wilmington, DE 19801, USA
Response Time: Within 10 business days

Acceptance

By accepting the Master Services Agreement or continuing to use Sitemap.xml services, the Controller acknowledges and agrees to the terms of this Data Processing Agreement.

For the Controller

Company Name: ________________________

Authorized Signature: ________________________

Date: ________________________

For Sitemap.xml

Company Name: Sitemap.xml Inc.

Authorized Signature: ________________________

Date: ________________________