Data Processing Agreement (DPA)
Art. 28 GDPR · Pro Cloud Backends
This Data Processing Agreement (“DPA”) specifies the data protection obligations of the parties arising from the main contract on the use of the Pro versions of SEOForge and/or ShieldForge. It applies to all processing of personal data carried out by the Licensor (processor) on behalf of the Licensee (controller).
1. Parties
Controller: the customer / licensee (name and address per invoice).
Processor: Brainwerk e.U. (commercial register entry pending), Weißdornweg 1/4/3, 2442 Unterwaltersdorf, Austria, office@brainwerk.at.
2. Subject and term
The subject matter of this DPA is the operation of the Pro cloud backends, namely licence activation, the threat-intelligence feed, the auto-update server (api.shieldforge.eu) and the Search Console proxy / geo DB (api.seoforge.eu). The term corresponds to the term of the respective Pro licence.
3. Nature and purpose of processing
Processing for delivery of the agreed plugin features, in particular:
- validation of licence keys and activation counting
- delivery of threat-intelligence data (Spamhaus DROP and similar) to the installed site
- delivery of geo-IP data
- Search Console proxy: forwarding authenticated API requests of the licensee to Google Search Console
- receiving update pings at the auto-update endpoint
4. Categories of personal data
- IP addresses of visitors to the websites operated by the controller
- HTTP user agents
- Licence keys and site URLs of the controller
- API tokens (transmitted encrypted) for the Search Console proxy
5. Categories of data subjects
- Visitors of the WordPress websites operated by the controller
- Employees / administrators of the controller
6. Obligations of the processor
The processor undertakes to:
- process personal data only on documented instructions of the controller;
- impose confidentiality on its staff;
- implement appropriate technical and organisational measures (TOMs) under Art. 32 GDPR (see Annex TOM, section 11);
- assist the controller in responding to data-subject requests and in fulfilling its obligations under Arts. 32–36 GDPR;
- upon termination, at the controller’s choice, delete or return all personal data, unless statutory retention obligations apply;
- make available to the controller all information necessary to demonstrate compliance with this DPA.
7. Sub-processors
The processor is entitled to engage further processors (“sub-processors”). By concluding this DPA the controller grants general written authorisation pursuant to Art. 28(2) GDPR. Current sub-processors:
- domainfactory GmbH, Oskar-Messter-Straße 33, 85737 Ismaning, Germany – hosting of the cloud backends (api.*.eu) within the EU.
- Freemius Inc. and/or Lemon Squeezy LLC – licence activation and payment processing (Merchant of Record). Their own DPAs apply.
The processor will inform the controller of planned changes at least 30 days in advance by email. The controller may object within 14 days; in that case the controller has an extraordinary right of termination.
8. Third-country transfers
Processing takes place in the EU as a rule. Where the Merchant of Record (Freemius / Lemon Squeezy) transfers personal data to the United States, this is based on the EU-US Data Privacy Framework and/or the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
9. Breach notification
The processor will notify the controller of any personal data breach without undue delay, at the latest within 48 hours of becoming aware, by email to the contact address stored in the licence profile.
10. Audit rights
The controller is entitled to verify compliance with the TOMs. Where an on-site audit would be disproportionate, evidence may also be provided through a current audit report by an independent auditor, self-assessments or relevant certifications.
11. Technical and organisational measures (TOMs)
- Physical access: servers in EU data centres (domainfactory) with physical access control.
- System access: least-privilege principle; multi-factor authentication for administrative access; SSH public-key authentication with password logins disabled; sudo logging.
- Transmission: TLS 1.2+ for all API connections; HSTS; modern cipher suites.
- Input control: logging of all relevant administrative actions.
- Availability: daily backups; brute-force and abuse mitigation via Fail2ban + UFW (IP banning and firewall rules); unattended security upgrades.
- Separation: tenant separation at the application level (licence key per site).
- Pseudonymisation: IP anonymisation enabled by default; visitor hashes derived with a daily-rotating key; no cross-site tracking cookies.
- Recovery: RTO < 24 h, RPO < 24 h.
- Evaluation: annual review of the measures.
12. Final provisions
The Terms and the EULA apply additionally. In case of conflict on data protection matters this DPA prevails. Austrian law applies; exclusive jurisdiction lies with Vienna, unless mandatory consumer-protection rules dictate otherwise.
This DPA is deemed concluded with the purchase of a Pro licence and shall, upon request of the controller, additionally be signed by both parties. A signable PDF can be requested at any time by email at office@brainwerk.at.
Last updated: 2026-05-19