
Data Processing Agreement

Effective date: 2026-05-13

Plain-Language Summary

What this is: A legally binding agreement required by GDPR Art. 28 whenever a processor (Sightlabs) handles personal data on behalf of a controller (you, the customer).
When it applies: Automatically when you use the Sightlabs service with EU, UK, or equivalent personal data in scope. No signature needed - acceptance is via account creation.
What Sightlabs commits to: Process data only on your instructions, keep it confidential, maintain security, use only approved subprocessors, assist with data subject requests, and notify you of breaches within 72 hours.
What you commit to: Ensure you have a lawful basis to share data with us, keep your instructions current, and notify us of any restrictions on processing.
Subprocessors: Listed at /subprocessors. 30 days advance notice before adding new ones. You have the right to object.
International transfers: Covered by EU Standard Contractual Clauses (2021) and UK IDTA where applicable.
If this conflicts with the ToS: This DPA prevails for all data protection matters.
Questions: privacy@sightlabs.com

1. Scope and Applicability

This Data Processing Agreement (“DPA”) applies whenever Sightlabs Inc. (“Sightlabs”, “Processor”) processes Personal Data on behalf of a customer (“Customer”, “Controller”) in the course of providing the Sightlabs service. It forms part of, and is incorporated by reference into, the Terms of Service.

This DPA is required by GDPR Article 28 and equivalent provisions under UK GDPR, Brazil LGPD Article 39, and other applicable data protection laws. It takes effect when the Customer creates an account and continues for the duration of the service relationship.

2. Definitions

Terms used in this DPA have the meanings given in GDPR, UK GDPR, or applicable equivalent law. Key terms:

  • Controller means the Customer, who determines the purposes and means of processing Personal Data.
  • Processor means Sightlabs, who processes Personal Data on behalf of the Controller under this DPA.
  • Personal Data means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • Processing means any operation or set of operations performed on Personal Data, as defined in GDPR Article 4(2).
  • Subprocessor means any third party engaged by Sightlabs to process Personal Data on behalf of the Controller.
  • Data Subject means the natural person to whom Personal Data relates.
  • Supervisory Authority means the competent data protection authority in the relevant jurisdiction.
  • SCCs means the EU Standard Contractual Clauses adopted by Commission Decision C(2021)3972.
  • IDTA means the UK International Data Transfer Agreement in force from March 2022.
  • Personal Data Breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

3. Subject Matter and Duration

The subject matter of processing is the provision of brand and keyword mention monitoring services by Sightlabs to the Customer, including the collection, storage, analysis, and presentation of data as described in the Privacy Policy.

This DPA commences on the date the Customer creates an account and continues for the duration of the active subscription. On termination, the obligations of confidentiality and the provisions governing deletion or return of data (Section 8.8) survive.

4. Nature and Purpose of Processing

Sightlabs processes Personal Data as a Processor on the Customer's behalf for the following purposes:

  • Storing and retrieving the Customer's search query configurations (keyword lists, tracked entities, alert settings) in the Sightlabs database.
  • Collecting publicly accessible social media posts, news article snippets, and LLM platform outputs that match the Customer's configured keywords and presenting them in the Customer's dashboard.
  • Passing scraped mention text to an LLM API provider (OpenRouter, Inc.) to generate sentiment scores and action-item extractions, and storing those outputs against the Customer's account.
  • Sending transactional emails to the Customer's registered address relating to account events, alerts, and service notices.
  • Maintaining audit and access logs for security and accountability purposes.

Sightlabs does not process Personal Data for its own independent commercial purposes beyond delivering the service, except where it acts as a Controller for Track B scraped data as described in the Privacy Policy.

5. Types of Personal Data

The Personal Data processed under this DPA includes:

  • Account data: name, work email address, job title, company name.
  • Query and configuration data: keyword lists, tracked brand or person names, alert thresholds, and other settings that may reference identifiable individuals.
  • Scraped mention data: public post text, post URLs, timestamps, and author handles or usernames collected from third-party platforms matching the Customer's configured keywords.
  • LLM-derived data: sentiment scores and action-item summaries generated from scraped mention text, where that text is attributable to an identifiable individual.
  • Usage and session data: IP addresses, session identifiers, feature interaction logs, and API call metadata generated during the Customer's use of the service.

6. Categories of Data Subjects

The categories of Data Subjects whose Personal Data may be processed under this DPA include:

  • The Customer's authorised users (employees, contractors, or agents who access the Sightlabs service under the Customer's account).
  • Authors of public social media posts, news articles, or other publicly accessible content that matches the Customer's configured keywords and is ingested by the monitoring service.
  • Natural persons whose names, handles, or other identifiers appear in the Customer's keyword configurations.

7. Customer Obligations as Controller

The Customer warrants and undertakes that:

  • It has a lawful basis under applicable data protection law (including GDPR Article 6 and, where applicable, Article 9) for each processing activity it instructs Sightlabs to carry out.
  • It will provide accurate and complete instructions to Sightlabs and update those instructions promptly if circumstances change.
  • It will notify Sightlabs without undue delay if it becomes aware of any restriction, court order, regulatory requirement, or other legal obligation that affects the processing instructions given to Sightlabs.
  • It will configure the service only for lawful purposes and in accordance with the Acceptable Use provisions in the Terms of Service.
  • It is responsible for responding to Data Subject requests relating to processing for which it is the Controller, using the assistance provided by Sightlabs under Section 8.5.
  • Where the Customer processes Personal Data of individuals located in the EU, UK, or other jurisdictions with equivalent protections, it will ensure that transferring such data to Sightlabs is covered by an adequate transfer mechanism, including the SCCs or IDTA incorporated into this DPA under Section 9.

8. Sightlabs Obligations as Processor

8.1 Process Only on Documented Instructions

Sightlabs will process Personal Data only on the documented instructions of the Customer, including for international transfers, unless processing is required by applicable law. In that case, Sightlabs will inform the Customer of that legal requirement before processing, unless prohibited by law. Sightlabs will notify the Customer if it believes an instruction infringes applicable data protection law.

8.2 Confidentiality of Personnel

Sightlabs will ensure that all personnel authorised to process Personal Data are subject to appropriate confidentiality obligations, whether by contract or professional duty, and have received data protection training commensurate with their role.

8.3 Security Measures

Sightlabs will implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, at minimum:

  • Encryption in transit using TLS 1.2 or higher for all data transmitted between the Customer's browser and Sightlabs's servers.
  • Encryption at rest for all Personal Data stored in the Sightlabs database (AES-256 or equivalent).
  • Row-level security and multi-tenant data isolation to prevent one Customer's data from being accessible to another.
  • Role-based access controls and least-privilege principles for all internal access to production systems.
  • Regular security assessments and penetration testing.
  • Incident response procedures covering Personal Data Breaches.

8.4 Subprocessors

Sightlabs operates with a general written authorisation from the Customer to engage Subprocessors. The current list of Subprocessors is published at /subprocessors. Sightlabs will give at least 30 days advance written notice before adding or replacing a Subprocessor. If the Customer objects to a new Subprocessor on reasonable data protection grounds, the Customer may notify Sightlabs in writing within 30 days of the notice. Sightlabs will use commercially reasonable efforts to provide an alternative. If no alternative is feasible, the Customer may terminate the affected services without penalty with a pro-rated refund of prepaid fees.

Sightlabs imposes data protection obligations on each Subprocessor by contract that are at least equivalent to those imposed on Sightlabs by this DPA. Sightlabs remains liable to the Customer for the performance of each Subprocessor's obligations to the extent Sightlabs is responsible for that Subprocessor's acts and omissions under applicable law.

8.5 Assistance with Data Subject Requests

Sightlabs will provide reasonable assistance to the Customer in fulfilling its obligations to respond to Data Subject requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). Where a Data Subject submits a request directly to Sightlabs, Sightlabs will forward the request to the Customer without undue delay. Sightlabs will not respond to such requests on behalf of the Customer without the Customer's prior written authorisation, except as required by law.

8.6 Assistance with DPIAs and Prior Consultation

Sightlabs will provide reasonable assistance to the Customer in carrying out Data Protection Impact Assessments (DPIAs) under GDPR Article 35, and in any prior consultation with a Supervisory Authority under GDPR Article 36, taking into account the nature of processing and the information available to Sightlabs.

8.7 Notification of Personal Data Breaches

Sightlabs will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Notification will include, to the extent known at the time:

  • A description of the nature of the breach, including (where possible) the categories and approximate number of Data Subjects and Personal Data records concerned.
  • The name and contact details of the data protection contact at Sightlabs.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach, including to mitigate its possible adverse effects.

Notification may be provided in phases where not all information is available within 72 hours, provided that Sightlabs provides updates without undue delay. Notification to the Customer under this Section does not constitute an admission of fault or liability.

8.8 Deletion or Return of Data on Termination

At the Customer's written request, or upon termination of the service for any reason, Sightlabs will, at the Customer's choice:

  • Delete all Personal Data processed under this DPA within 90 days of termination and confirm deletion in writing; or
  • Return a copy of the Personal Data to the Customer in a commonly used machine-readable format before deletion.

Sightlabs may retain Personal Data beyond the 90-day period solely where required by applicable law, subject to appropriate confidentiality protections, and will delete such data as soon as the legal retention obligation expires.

8.9 Records of Processing

Sightlabs will maintain a record of all categories of processing activities carried out on behalf of the Customer as required by GDPR Article 30(2), including the information specified in that article. Such records will be made available to Supervisory Authorities on request.

9. International Transfers

Where Personal Data of EU/EEA residents is transferred outside the EU/EEA in connection with the service, the transfer is governed by the EU Standard Contractual Clauses (Module 2: Controller to Processor) adopted by Commission Decision C(2021)3972, incorporated herein by reference.

Where Personal Data of UK residents is transferred outside the UK, the transfer is governed by the UK International Data Transfer Agreement (IDTA, in force March 2022) or, where the EU SCCs are used, with the UK Addendum issued by the Information Commissioner under s.119A of the UK Data Protection Act 2018.

Sightlabs implements supplementary technical and organisational measures to protect transferred data, including encryption in transit and at rest and contractual commitments from Subprocessors not to process data for their own purposes or to use it to train AI models.

For transfers of Personal Data of Brazilian residents, Sightlabs relies on standard contractual clauses adapted for LGPD requirements as adopted by the ANPD, where available, or on the contractual safeguards set out in this DPA pending formal ANPD guidance.

10. Audits and Inspections

Sightlabs will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA and will allow for and contribute to audits and inspections conducted by the Customer or an auditor mandated by the Customer, subject to the following:

  • Sightlabs will commission an annual third-party security assessment (such as SOC 2 Type II or ISO 27001 certification) and will make the executive summary of the most recent report available to the Customer on request under confidentiality obligations.
  • Customers may exercise their audit right by submitting a written request with at least 30 days notice, specifying the scope of the audit and the proposed auditor. Audits will be conducted during normal business hours and must not unreasonably disrupt Sightlabs operations.
  • Customers may conduct no more than one audit per 12-month period unless a Personal Data Breach or regulatory investigation requires an additional audit.
  • The Customer will bear the costs of any audit it commissions, except where the audit reveals material non-compliance by Sightlabs, in which case Sightlabs will bear reasonable audit costs.

11. Liability and Indemnity

Each party's liability under this DPA is subject to the limitations set out in Section 11 (Limitation of Liability) of the Terms of Service, except:

  • Liability to Data Subjects under GDPR Article 82 or equivalent provisions cannot be contractually disclaimed and is not subject to the liability cap as between Sightlabs and Data Subjects.
  • Liability for breach of the confidentiality obligations in Section 8.2 is not subject to the consequential damages exclusion in the Terms of Service.

Each party will indemnify the other against fines, penalties, and reasonable legal costs imposed by a Supervisory Authority or awarded by a court arising from that party's failure to comply with its obligations under this DPA or applicable data protection law.

12. Conflict with Terms of Service

In the event of a conflict or inconsistency between this DPA and the Terms of Service (or any other agreement between the parties) with respect to the processing of Personal Data or compliance with data protection law, this DPA prevails. In all other respects, the Terms of Service continue to apply.

13. Effective Date and Acceptance

This DPA takes effect on 2026-05-13 and is binding on Sightlabs and each Customer who creates an account or continues to use the Sightlabs service after that date. No physical signature is required. By creating an account or using the service, the Customer confirms that it has read, understood, and agrees to be bound by this DPA on behalf of itself and any organisation it represents.

Sightlabs may update this DPA to reflect changes in applicable law or service features. Material changes will be notified to the Customer at least 30 days in advance via email and in-product notice. Continued use of the service after the effective date of an updated DPA constitutes acceptance of the updated terms.

Privacy Team
Sightlabs Inc.
privacy@sightlabs.com

Change History

Date: 2026-05-13
Summary: Initial publication.