Data Processing Agreement
This Data Processing Agreement (DPA) applies where MOA processes personal data on behalf of customers who are subject to GDPR or equivalent data protection law.
Last updated: May 22, 2026
1. Definitions
In this DPA:
- “Controller” means the customer who determines the purposes and means of processing personal data.
- “Processor” means MOA, acting on the Controller’s instructions.
- “Data Subject” means the identifiable natural person to whom personal data relates.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on personal data.
- “GDPR” means Regulation (EU) 2016/679 and, where applicable, the UK GDPR.
2. Scope and Role
Where the Customer submits personal data to MOA (e.g. employee email addresses for team accounts, or personal data about third parties within scanned websites), MOA acts as a Processor on behalf of the Customer as Controller. MOA acts as an independent Controller for data it collects about its own users for its own purposes (see Privacy Policy).
3. Details of Processing
| Field | Details |
|---|---|
| Subject matter | AI visibility analysis and reporting services |
| Duration | For the term of the Customer’s subscription |
| Nature of processing | Collection, storage, analysis, transmission, deletion |
| Purpose | Provision of AI visibility scans and recommendations |
| Categories of data | Business contact information, website content data, professional information |
| Data subjects | Customer’s employees, end users, and website visitors |
4. Processor Obligations
MOA agrees to:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process data are subject to confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 7)
- Not engage sub-processors without prior written authorisation, or a general authorisation with the right to object (see Section 6)
- Assist the Controller in fulfilling data subject rights requests within 5 business days of receiving a request
- Notify the Controller within 48 hours of becoming aware of a personal data breach
- Delete or return all personal data on termination of services, at the Controller’s choice
- Make available all information necessary to demonstrate compliance with this DPA
5. Controller Obligations
The Controller agrees to:
- Ensure it has a lawful basis for processing personal data submitted to MOA
- Ensure data subjects have been appropriately informed about the processing
- Provide MOA with clear instructions regarding the processing of personal data
- Comply with all applicable data protection laws with respect to the data submitted
6. Sub-Processors
The Controller provides general authorisation for MOA to engage sub-processors. Current sub-processors include:
| Sub-processor | Location | Purpose |
|---|---|---|
| Vercel Inc. | USA | Infrastructure and hosting |
| Supabase Inc. | USA | Database and authentication |
| Stripe Inc. | USA | Payment processing |
| OpenAI LLC | USA | AI analysis (anonymised queries only) |
| Anthropic PBC | USA | AI analysis (anonymised queries only) |
| Postmark (ActiveCampaign) | USA | Transactional email delivery |
| PostHog Inc. | USA / EU | Product analytics and session recording |
MOA will notify the Controller of any intended sub-processor changes by email with at least 14 days’ notice, allowing the Controller to object.
7. Security Measures
MOA implements the following technical and organisational measures:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access control with least-privilege principles
- Multi-factor authentication for all internal administrative access
- Regular automated vulnerability scanning and penetration testing
- Security incident response procedures with defined escalation paths
- Annual security training for all employees with data access
- Data minimisation and pseudonymisation where applicable
8. International Transfers
Where personal data is transferred outside the EEA or UK, MOA ensures such transfers are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission, or equivalent safeguards. On request, MOA will provide copies of applicable SCCs with sub-processors.
9. Audits and Inspections
MOA will make available all information reasonably necessary to demonstrate compliance with this DPA. Customers may request an audit of MOA’s processing activities with 60 days’ written notice and at the Customer’s cost. MOA may satisfy audit rights by providing an independent third-party audit report.
10. Termination and Data Deletion
On termination of the Service, MOA will delete all Customer personal data within 30 days, unless retention is required by law. MOA will confirm deletion in writing upon request.
11. Governing Law
This DPA is governed by the laws specified in the Terms of Service. Where the Customer is established in the EU, this DPA shall be interpreted in accordance with GDPR requirements.
12. Contact
For DPA-related inquiries, contact privacy@mentionsonai.com. To formally execute a signed DPA for enterprise or regulated-industry use, contact legal@mentionsonai.com.
If you have any questions about this document, please contact us at legal@mentionsonai.com or write to: MOA Inc., 548 Market St PMB 72547, San Francisco, CA 94105, United States.