This Data Processing Addendum (the "DPA") is incorporated into the Engagement Agreement between NextAIForge, LLC, a Delaware limited liability company operating the NextAIForge brand ("Provider"), and the customer identified in the applicable order ("Client"). Capitalized terms not defined here have the meanings in the Engagement Agreement.
Provider's registered office in Delaware is 131 Continental Dr, Suite 305, Newark, Delaware 19713, New Castle County. Provider's registered agent at that address is Legalinc Corporate Services Inc.
This DPA applies only to personal data that Provider processes on Client's behalf to provide the Services ("Client Personal Data"). For Client Personal Data, Client is the controller/business and Provider is the processor/service provider, unless the parties expressly document different roles in an Order.
Provider is an independent controller/business for Provider account administration, billing, fraud prevention, security, legal compliance, service improvement using aggregated or de-identified data, and Provider's own business operations.
The Services are intended to measure companies and public business information. Client must not provide sensitive personal data, children's data, consumer reports, health information, financial account data, government identifiers, or other regulated data unless expressly approved in a signed Order.
Subject matter: AI visibility measurement, reporting, consulting, content and schema support, account administration, billing coordination, and related services.
Duration: the term of the applicable Order plus the deletion, return, backup, legal hold, and retention periods described in this DPA or the Agreement.
Categories of data subjects: Client personnel and business contacts, website visitors who submit forms, authorized users, and any other individuals whose data Client provides or approves for processing.
Categories of personal data: business contact details, account records, communications, public URLs, client materials, approved prompts, usage metadata, support records, billing metadata, and measurement evidence. Payment card data is processed by Stripe and not stored by Provider.
Processing operations: collection, hosting, storage, retrieval, use, analysis, transmission, disclosure to subprocessors, deletion, de-identification, and return where feasible.
Provider will process Client Personal Data only on documented Client instructions, including the Agreement, Order, this DPA, and Client's authorized configuration or written requests. Provider will promptly inform Client if, in Provider's reasonable opinion, an instruction violates applicable data protection law, unless prohibited by law.
Client is responsible for the lawfulness, accuracy, transparency, rights, notices, consents, and legal basis for Client Personal Data and Client instructions.
Provider will:
- confidentiality obligations;
- safeguards appropriate to the nature of the data and Services;
- required by applicable law and reasonably possible;
- to the extent required by applicable law and reasonably possible;
- unless retention is required by law, legitimate records retention, backup integrity, dispute resolution, security, or compliance obligations;
- this DPA, subject to confidentiality and reasonable limits.
Provider's security measures include, as applicable:
Provider may update security measures over time, provided updates do not materially reduce overall protection for Client Personal Data.
Provider will notify Client without undue delay after confirming a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data (a "Security Incident"). Where feasible, Provider will target notice within 72 hours after confirmation.
Provider's notice will include available information reasonably needed for Client to meet legal obligations. Provider's notice is not an admission of fault or liability.
Client authorizes Provider to use subprocessors to provide the Services. Provider will impose written obligations on subprocessors that are materially protective of Client Personal Data and appropriate to the services they provide. Provider remains responsible for subprocessors' performance of their data processing obligations.
Current subprocessors:
| Subprocessor | Purpose | Typical location |
|---|---|---|
| Stripe | Payments, invoices, and billing records | US/EU |
| Vercel | Hosting, deployment, logs, and availability | US/global |
| Cloudflare | DNS, domain security, and network protection | US/global |
| OpenAI | AI measurement queries and response analysis where approved | US/global |
| Perplexity | AI/search measurement queries where approved | US/global |
| Google Gemini | AI measurement queries and response analysis where approved | US/global |
| Anthropic | AI measurement queries and response analysis where approved | US/global |
| Resend | Programmatic outbound email, reports, and notifications | US/global |
| Migadu | Mailbox hosting and email routing for nextaiforge.com | Switzerland/EU/global |
Provider will give reasonable notice of material subprocessor changes by email, policy update, or another commercially reasonable method. Client may object on reasonable data protection grounds within 10 business days after notice. The parties will work in good faith to resolve objections; if unresolved, Client may terminate the affected Order as its exclusive remedy.
Where U.S. state privacy laws apply and Provider acts as a processor, service provider, or contractor, Provider will not:
- described in the Agreement and Order;
- permitted by applicable law;
- furtherance of solely automated decisions with legal or similarly significant effects unless expressly instructed and lawfully documented by Client.
Provider will support Client's reasonable and legally required consumer rights requests, deletion requests, opt-out obligations, and assessments to the extent the requested action relates to Client Personal Data processed by Provider.
If GDPR, UK GDPR, Swiss FADP, or similar laws apply, Provider will process Client Personal Data as a processor under Client's documented instructions and will provide the assistance required by Articles 28 and 32-36 of the GDPR to the extent applicable and reasonably possible.
For transfers of Client Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism, such as the EU Standard Contractual Clauses, the UK Addendum, or another lawful mechanism. The parties will complete transfer impact assessments where required.
Client must not ask Provider to measure, score, rank, profile, or persist a named natural person as the measurement subject unless the parties first document in writing:
- risk assessment is required;
Provider may refuse or suspend processing that Provider reasonably believes creates unlawful, unsafe, discriminatory, reputational, or disproportionate risk.
Client may request information reasonably necessary to verify Provider's compliance with this DPA no more than once per year, unless required by law or after a confirmed Security Incident. Audits must be conducted during normal business hours, with reasonable notice, without disrupting Provider's operations, and subject to confidentiality, security, and trade secret protections. Provider may satisfy audit requests through summaries, questionnaires, policies, certifications, or third-party reports where appropriate.
Provider may create and use aggregated, anonymized, or de-identified data for analytics, benchmarking, security, and service improvement, provided Provider does not attempt to re-identify the data except to test or validate de-identification or as permitted by law. Provider will use reasonable measures designed to prevent re-identification and will contractually require recipients to do the same where required by law.
Upon termination of the applicable Order or upon Client's written request, Provider will delete or return Client Personal Data within a commercially reasonable period, unless retention is required or permitted for legal, accounting, tax, security, backup, dispute, compliance, or legitimate business records purposes. Backup copies will be deleted according to normal backup rotation unless restored earlier.
Liability arising from this DPA is subject to the limitations, exclusions, and remedies in the Engagement Agreement.