SemlyPro · Effective date: as set out in clause 14.
Table of contents
- Parties
- Background
-
- Definitions
-
- Scope and roles
- 2A. Customer responsibilities, warranties and indemnity
-
- Customer instructions
-
- Personnel
- 4A. Support and access to Customer Personal Data
-
- Security
-
- Sub-processors
-
- Cross-border transfers
-
- Assistance with data subject requests
-
- Assistance with security, DPIA and prior consultation
- 9A. AI processing — additional obligations
-
- Personal Data Breach
-
- Audits
-
- Return or deletion of Customer Personal Data
-
- Liability
-
- Term
-
- General
-
- India — Digital Personal Data Protection Act 2023
- Annex 1 — Description of processing
- Annex 2 — Technical and organisational measures
- Annex 3 — India (DPDP) processing particulars
Parties
This Data Processing Agreement (“DPA”) is entered into between:
Semly Pro, a sole proprietorship (eenmanszaak) established in the Netherlands, registered with the KvK (Dutch Chamber of Commerce) under number 99448351, VAT ID NL005387029B31, with registered address Hawaiiweg 41, 1339 NW Almere, Netherlands (trading as “SemlyPro”, and in this DPA also “Processor”). SemlyPro intends to incorporate a private limited company (Semly Pro B.V.); upon incorporation, Semly Pro B.V. will assume this DPA in accordance with clause 15.4, and references to “SemlyPro” will be read as references to Semly Pro B.V. This does not require the Customer’s further consent; and
The customer identified in the Terms of Service or in a signed order form (“Customer”, and in this DPA also “Controller”).
Together the “Parties” and individually a “Party”.
Note on the contracting entity. Until Semly Pro B.V. is incorporated, the counterparty to this DPA is the sole proprietorship, whose owner(s) carry unlimited personal liability for obligations under this DPA. The single most effective step to remove that personal exposure is to incorporate the B.V.; incorporation, together with adequate professional-indemnity and cyber/E&O insurance, is strongly recommended before this DPA is executed with any material Customer.
Background
- The Parties have entered into an agreement under which SemlyPro provides the SemlyPro software-as-a-service platform (“Service”) to the Customer, incorporating the SemlyPro Terms of Service (“Terms”).
- In providing the Service, SemlyPro processes personal data on behalf of the Customer.
- The Parties enter into this DPA to comply with Article 28 of Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the Dutch Uitvoeringswet AVG (UAVG) and — where applicable to the processing — India’s Digital Personal Data Protection Act 2023 (“DPDP Act”) as set out in clause 16 and Annex 3.
- This DPA takes effect automatically for any Customer who uploads personal data of third parties to the Service, as contemplated in the Terms.
1. Definitions
Capitalised terms not defined here have the meaning given in the Terms or the GDPR.
- Applicable Data Protection Law means the GDPR, the UK GDPR, the Dutch Uitvoeringswet AVG, the ePrivacy Directive (2002/58/EC) and its national implementations, the Digital Personal Data Protection Act 2023 and the Digital Personal Data Protection Rules 2025 of India (together, the “DPDP Law”) to the extent applicable to the processing, and any implementing or successor national legislation applicable to the processing under this DPA.
- Customer Personal Data means personal data processed by SemlyPro on behalf of the Customer through the Service, as further described in Annex 1.
- Data Fiduciary, Data Principal and Data Protection Board have the meanings given in the DPDP Act.
- Data Subject Request means a request from a data subject (including, under the DPDP Law, a Data Principal) to exercise any right under Applicable Data Protection Law.
- EEA means the European Economic Area.
- EU–US DPF means the EU–US Data Privacy Framework, the adequacy of which was recognised by the European Commission’s adequacy decision of 10 July 2023, together with its UK Extension (the “UK–US data bridge”, in force from 12 October 2023).
- Personal Data Breach has the meaning in Article 4(12) GDPR and, for the DPDP Law, includes a “personal data breach” as defined in section 2(u) of the DPDP Act.
- Restricted Transfer means a transfer of personal data (a) outside the EEA, or (b) for personal data protected by the UK GDPR, outside the United Kingdom, in each case to a country or territory that does not benefit from an adequacy decision under Article 45 GDPR or, as applicable, UK adequacy regulations. Transfers under the DPDP Law are addressed separately in clause 16.
- SCCs means the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 for Restricted Transfers from the EEA.
- Sub-processor means any third party engaged by SemlyPro to process Customer Personal Data on SemlyPro’s behalf.
- UK Addendum means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner, version B1.0.
2. Scope and roles
2.1. The Parties acknowledge that: (a) the Customer is the controller of Customer Personal Data; (b) SemlyPro is the processor of Customer Personal Data; © any Sub-processor engaged by SemlyPro is a sub-processor of the Customer.
2.2. The subject-matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are described in Annex 1.
2.3. This DPA does not apply to personal data for which SemlyPro is a controller in its own right, including data about the Customer as a business contact of SemlyPro, which is governed by the SemlyPro Privacy Policy. For the avoidance of doubt, SemlyPro’s own direct-marketing and transactional-email practices, and the accuracy/limitations of AI-generated outputs, are addressed in the Privacy Policy and the Terms respectively, not in this DPA.
2.4. Role mapping under the DPDP Law. Where the DPDP Law applies to the processing, the Customer is (or acts on behalf of) the Data Fiduciary and SemlyPro is the Data Processor, mirroring the controller/processor roles above. Clause 16 and Annex 3 set out the additional obligations that apply in that case.
2A. Customer responsibilities, warranties and indemnity
2A.1. The Customer warrants and undertakes, on a continuing basis, that:
(a) it has a valid legal basis (and, where required, has obtained and can evidence valid consent) for all Customer Personal Data it uploads, connects, imports or otherwise makes available to the Service — including personal data contained in uploaded files (for example Excel/CSV spreadsheets) and personal data ingested through authorised third-party integrations (including Google Ads, Google Analytics 4 and Google Search Console);
(b) it has provided all transparency information and notices to, and obtained any authorisations required from, the relevant data subjects/Data Principals as required by Applicable Data Protection Law;
© its instructions to SemlyPro are and will remain lawful, and its use of the Service complies with Applicable Data Protection Law, the Terms and the Acceptable Use Policy (“AUP”); and
(d) it will not upload, connect or instruct SemlyPro to process any special-category personal data (Article 9 GDPR / Article 10 GDPR criminal-offence data) or any category of data prohibited under the AUP, except where expressly permitted in writing by SemlyPro and supported by a valid legal basis.
2A.2. The Customer will indemnify SemlyPro (and the other SemlyPro Indemnified Parties defined in the Terms) against losses, liabilities, fines, claims and reasonable costs arising from any third-party claim, Data Principal claim or regulatory action to the extent caused by the Customer’s breach of clause 2A.1, subject to the liability provisions in clause 13. This indemnity is in addition to, and does not limit, any equivalent Customer warranty or indemnity in the Terms; where the Terms already contain an equivalent obligation, that obligation and this clause are to be read consistently and without duplication of recovery.
3. Customer instructions
3.1. Documented instructions. SemlyPro will process Customer Personal Data only on the Customer’s documented instructions, including regarding Restricted Transfers, unless required to do otherwise by law binding on SemlyPro. Where SemlyPro is required by law to process otherwise, SemlyPro will inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
3.2. Standing instructions. The Customer’s standing instructions to SemlyPro are as follows: (a) provide the Service in accordance with the Terms; (b) enforce the Terms and the AUP; © comply with SemlyPro’s legal obligations; (d) provide technical support to, troubleshoot, debug, maintain and secure the Service, including authorised staff and contractor access to Customer Personal Data on a least-privilege, need-to-know and access-logged basis strictly for those purposes, as further described in clause 4A; (e) review, quality-assure and improve the Service and its models for SemlyPro’s internal, non-public purposes only, using anonymised or pseudonymised Customer Personal Data (and never to train publicly-released AI models), as further described in clause 9A.1; and (f) take steps reasonably necessary to perform (a) to (e).
3.3. Additional instructions. The Customer may issue additional instructions in writing to anil@semlypro.com. SemlyPro will notify the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, and may reasonably decline to follow that instruction.
4. Personnel
SemlyPro will ensure that persons authorised to process Customer Personal Data:
- have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- have received appropriate training on data protection; and
- process Customer Personal Data only as necessary to perform their duties.
4A. Support and access to Customer Personal Data
4A.1. SemlyPro personnel and authorised contractors may access Customer Personal Data and Customer Materials only as necessary to (a) provide, maintain and secure the Service; (b) troubleshoot, debug and provide support; © investigate abuse, security or AUP issues; and (d) review and improve the Service and its models for SemlyPro’s internal, non-public purposes only.
4A.2. Such access is subject to confidentiality obligations, least-privilege and role-based access controls, and access logging, as further described in Annex 2. SemlyPro does not use Customer Personal Data or Customer Materials to train publicly-released AI models, and does not export Customer Personal Data beyond the purposes in clause 4A.1. This clause operationalises, and is consistent with, the no-public-model-training position at semlypro.com/ai-transparency and clause 9A.1.
5. Security
5.1. SemlyPro will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex 2, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of natural persons.
5.2. SemlyPro will review and, where appropriate, update those measures periodically. SemlyPro may make changes to Annex 2 provided the changes do not materially reduce the overall security of the Service.
6. Sub-processors
6.1. General authorisation. The Customer provides a general authorisation to SemlyPro to engage Sub-processors, on condition that SemlyPro complies with this clause 6.
6.2. List and notice. SemlyPro maintains a list of Sub-processors at semlypro.com/subprocessors. SemlyPro will notify the Customer of any new Sub-processor or replacement Sub-processor with at least thirty (30) days’ advance notice, except where a shorter period is necessary for security or compliance reasons.
6.3. Objection. The Customer may object to a new Sub-processor on reasonable grounds relating to data protection within fourteen (14) days of notification. If the Parties cannot resolve the objection in good faith within a further fourteen (14) days, the Customer may terminate the affected part of the Service by written notice, with a pro-rata refund of prepaid fees for the terminated portion.
6.4. Sub-processor obligations. SemlyPro will impose on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA. SemlyPro remains fully liable to the Customer for the performance of each Sub-processor’s obligations.
6.5. Third-party AI assistants and MCP boundary. Where the Customer chooses to operate the Service (including any SemlyPro MCP server) through a third-party AI assistant host under the Customer’s own account and agreement with that host (for example a desktop or coding assistant), any prompts and Customer Materials that the Customer enters into that third-party assistant are processed by the assistant provider under the Customer’s own agreement with it, outside SemlyPro’s sub-processor chain and outside this DPA. SemlyPro’s processor responsibility begins when data reaches the Service.
7. Cross-border transfers
7.1. EEA transfers to third countries. Where SemlyPro or a Sub-processor makes a Restricted Transfer of Customer Personal Data, the Parties agree that the SCCs (Module 2 — controller to processor, or Module 3 — processor to processor, as applicable) are hereby incorporated into this DPA and are entered into by the Parties, with: (a) Clause 7 (docking clause): not applicable; (b) Clause 9(a) (sub-processors): OPTION 2 (general authorisation) selected, with the notice period in clause 6.2 of this DPA; © Clause 11 (redress): the optional part relating to independent dispute resolution is not selected; (d) Clause 17 (governing law): the law of the Netherlands; (e) Clause 18 (choice of forum): the courts of Amsterdam, the Netherlands; (f) Annex I.A (list of parties): the Parties named at the top of this DPA; (g) Annex I.B (description of transfer): as set out in Annex 1 to this DPA; (h) Annex I.C (competent supervisory authority): the Autoriteit Persoonsgegevens (Netherlands); (i) Annex II (technical and organisational measures): as set out in Annex 2 to this DPA; (j) Annex III (sub-processors): the list at semlypro.com/subprocessors.
7.2. UK transfers. For Restricted Transfers from the United Kingdom, the SCCs incorporated in clause 7.1 are amended by the UK Addendum in accordance with its terms. The UK Addendum tables are populated using the same information as in clause 7.1, save that, notwithstanding clause 7.1(h), for UK Restricted Transfers references to the competent supervisory authority are to the Information Commissioner’s Office (ICO), references to the GDPR are to the UK GDPR, and the governing law and forum are as required by the UK Addendum. For transfers to importers certified under the UK–US data bridge, the Customer may rely on clause 7.4 as an alternative to the UK Addendum, with the SCCs as amended by the UK Addendum retained as the fallback mechanism.
7.3. Conflicts. In the event of a conflict between this DPA and the SCCs or the UK Addendum, the SCCs or the UK Addendum (as applicable) prevail.
7.4. EU–US DPF / UK Extension. Where a Sub-processor is certified under the EU–US DPF (or, for UK-origin data, its UK Extension / the UK–US data bridge), the corresponding transfer relies on that adequacy decision and is not a Restricted Transfer for so long as the certification and the adequacy decision remain valid. As at the date of this DPA the EU adequacy decision of 10 July 2023 is valid and is subject to a pending appeal before the Court of Justice of the European Union (Case C-703/25 P), and the UK–US data bridge remains in force. If any such adequacy decision is suspended, annulled or withdrawn, or a Sub-processor’s certification lapses, the SCCs (clause 7.1) and, for UK-origin data, the UK Addendum (clause 7.2) apply as the fallback transfer mechanism without further action by the Parties. The transfer-mechanism column of the Sub-processor list identifies, for each relevant importer, whether the DPF/UK–US data bridge or the SCCs/UK Addendum is relied upon.
7.5. India transfers. Cross-border transfers of Customer Personal Data that are subject to the DPDP Law are addressed in clause 16.4.
8. Assistance with data subject requests
SemlyPro will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, in so far as this is possible, to fulfil the Customer’s obligation to respond to Data Subject Requests under Chapter III GDPR (and, where applicable, to Data Principal requests under the DPDP Act — see clause 16.3). Where SemlyPro receives a Data Subject Request that concerns Customer Personal Data, SemlyPro will forward it to the Customer without undue delay and will not respond to the request itself unless required by law.
9. Assistance with security, DPIA and prior consultation
SemlyPro will assist the Customer in ensuring compliance with the Customer’s obligations under Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to SemlyPro. This includes providing reasonable information available to SemlyPro to support the Customer’s data-protection impact assessments and prior consultations with supervisory authorities.
9A. AI processing — additional obligations
9A.1. Where processing under this DPA involves the use of AI models by SemlyPro or by AI-Provider Sub-processors, SemlyPro will:
(a) not use Customer Personal Data to train publicly-released AI models, save as expressly agreed with the Controller in writing;
(b) where it reviews, quality-assures or improves the Service and its models for its own internal, non-public purposes (as authorised in clause 3.2(e)), do so using anonymised or pseudonymised Customer Personal Data only, applying the safeguards in Annex 2, and never in a manner that trains or discloses to any publicly-released model; if identifiable Customer Personal Data is ever genuinely required for such improvement, SemlyPro will not process it for that purpose without the Controller’s prior documented instruction and appropriate safeguards. For clarity, this internal-improvement purpose is a documented instruction (clause 3.2(e)) and a listed purpose (Annex 1), so that it does not recharacterise SemlyPro as a controller under Article 28(10) GDPR;
© use contractual and technical measures with AI-Provider Sub-processors that prohibit them from using Customer Personal Data to train their public models by default;
(d) apply the safety filters and controls described at semlypro.com/ai-transparency; and
(e) support the Controller in complying with its obligations as a deployer under the EU AI Act (Regulation (EU) 2024/1689), including its transparency obligations under Article 50 and its incident-reporting obligations under Article 73, by making available reasonably necessary information within SemlyPro’s possession.
9A.2. Where a serious incident (as defined in Article 3(49) EU AI Act) occurs and involves Customer Personal Data, the notification obligations in clause 10 of this DPA apply, and additionally SemlyPro will support the Controller in meeting its own reporting obligations under Article 73 EU AI Act.
10. Personal Data Breach
10.1. Notification. SemlyPro will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
10.2. Content of notice. The notice will include, to the extent then known: (a) a description of the nature of the breach, including where possible the categories and approximate number of data subjects and personal-data records concerned; (b) the likely consequences of the breach; © the measures taken or proposed to address the breach and to mitigate its possible adverse effects; (d) the contact point for further information.
10.3. Cooperation. SemlyPro will cooperate reasonably with the Customer’s investigation and reporting of the breach, including — where the DPDP Law applies — the Customer’s intimation of the breach to the Data Protection Board of India and to affected Data Principals (see clause 16.3). Notification is not an admission of liability.
11. Audits
11.1. Reports. SemlyPro will, on reasonable request, make available to the Customer the current versions of its security documentation and any third-party audit reports (for example, an ISO 27001 certificate or SOC 2 report) in SemlyPro’s possession that are relevant to Customer Personal Data.
11.2. Audits. No more than once per calendar year (or more frequently if required by a supervisory authority, the SCCs or the UK Addendum), the Customer may audit SemlyPro’s compliance with this DPA at the Customer’s cost, subject to: (a) at least thirty (30) days’ advance written notice; (b) the auditor being an independent, mutually acceptable, professional firm bound by confidentiality obligations at least as strict as those in this DPA; © the audit being conducted during business hours, in a manner that does not disrupt SemlyPro’s operations; (d) the auditor not being a competitor of SemlyPro; (e) the Customer paying SemlyPro’s reasonable costs of assisting the audit. The commercial limits in this clause 11.2 apply save as otherwise required by the SCCs (including Clause 8.9), the UK Addendum or a supervisory authority.
Findings from the audit are Confidential Information of SemlyPro; however, nothing in this clause restricts the Customer’s right to disclose audit findings to a competent supervisory authority or the Data Protection Board of India, or as otherwise required by law.
12. Return or deletion of Customer Personal Data
12.1. On termination of the Terms, SemlyPro will, at the Customer’s option, return all Customer Personal Data to the Customer or delete it, in accordance with the export/retention window in the applicable Terms or Master Services Agreement (“MSA”), unless retention is required by law. For clarity, and consistent with the SemlyPro retention scheme: standard plans have a 30-day post-termination export window; enterprise/MSA customers have a 90-day post-termination export window (see MSA clauses 4.5 and 12.4). Live Customer Personal Data is deleted after the applicable export window expires.
12.2. SemlyPro will delete existing back-ups of Customer Personal Data in accordance with its ordinary back-up rotation, which may take up to ninety (90) days after termination. For the avoidance of doubt, this 90-day period applies only to residual copies in encrypted back-ups; it is distinct from, and must not be confused with, the enterprise/MSA 90-day live-data export window in clause 12.1. Where SemlyPro is required by law to retain certain records (for example, financial and tax records for up to 7 years), it will retain only the minimum data necessary for that purpose and keep it protected and segregated until deletion.
13. Liability
13.1. The liability of the Parties under this DPA is subject to the exclusions and limitations in the Terms (or, for MSA customers, the MSA). Where the applicable agreement contains a higher liability cap for data-protection breaches (for example, the MSA’s data-protection sub-cap), that higher cap — and not any general or nominal floor — applies to claims under this DPA. This cap is drafted to bind the sole proprietorship and to carry over to Semly Pro B.V. on incorporation.
13.2. Nothing in this DPA or the Terms excludes or limits either Party’s liability where doing so is prohibited by Applicable Data Protection Law, including a data subject’s or Data Principal’s direct right to compensation (Article 82 GDPR) and any liability for administrative fines (Article 83 GDPR). The Parties acknowledge that such liability is uncapped and, while SemlyPro operates as a sole proprietorship, rests personally on its owner(s); incorporation of the B.V. and adequate cyber/E&O insurance are the primary mitigations of that exposure.
14. Term
This DPA takes effect on the date the Customer first uploads personal data of third parties to the Service and continues in force for the duration of the Terms, plus any period during which SemlyPro retains Customer Personal Data.
15. General
15.1. In the event of a conflict between this DPA and the Terms, this DPA prevails with respect to the processing of Customer Personal Data.
15.2. This DPA is governed by the laws of the Netherlands. Disputes are subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands, save that this does not deprive an EU or UK consumer of the protection of the mandatory laws of the country of habitual residence, nor deprive an Indian Data Principal or consumer of mandatory protections under Indian law (see clause 16).
15.3. This DPA may be executed by clickwrap acceptance in the Service, by counterpart signature, or by electronic signature.
15.4. Assignment and succession to the B.V. SemlyPro may assign or novate this DPA to Semly Pro B.V. upon its incorporation, and to any successor of SemlyPro’s business by merger, reorganisation or sale of substantially all assets. Upon such incorporation, Semly Pro B.V. assumes this DPA by operation of this clause, references to “SemlyPro” are read as references to Semly Pro B.V., and the Customer’s further consent is not required. The Customer may not assign this DPA without SemlyPro’s prior written consent, save to an affiliate or successor to which the underlying Terms/MSA are validly assigned.
16. India — Digital Personal Data Protection Act 2023
This clause applies where and to the extent SemlyPro processes personal data of Data Principals located in India on behalf of the Customer as the Customer’s Data Processor under the DPDP Law. It supplements, and does not replace, the GDPR/UK GDPR provisions above; where a specific DPDP requirement is stricter, that requirement applies to the India-scoped processing.
16.1. Status of the DPDP Law. The DPDP Act 2023 is enacted, and the Digital Personal Data Protection Rules 2025 were notified in November 2025 with a phased commencement (certain provisions on notification, and the substantive Data Fiduciary/Data Processor and security-safeguard obligations phased in over the following months, with the core operative obligations expected to apply from around mid-2027). The Parties will implement this clause in line with the provisions in force from time to time.
16.2. Processor undertakings. SemlyPro will: (a) process the India-scoped Customer Personal Data only under this valid contract and on the Customer/Data Fiduciary’s instructions, consistent with section 8(2) DPDP Act; (b) implement reasonable security safeguards to prevent a personal data breach, consistent with the DPDP Rules 2025 (Rule 6) and Annex 2; and © on completion of the purpose or termination, cease retention and erase the India-scoped Customer Personal Data (and cause its Sub-processors to do so), unless retention is required by law, consistent with clause 12 and section 8(7) DPDP Act.
16.3. Data Principal rights and breach support. Taking into account the nature of the processing, SemlyPro will assist the Customer/Data Fiduciary to (a) respond to Data Principal requests to access, correct, complete, update or erase personal data, to raise grievances, and to nominate another individual; and (b) meet its obligations to intimate a personal data breach to the Data Protection Board of India and to affected Data Principals. SemlyPro will notify the Customer of any breach affecting India-scoped Customer Personal Data in accordance with clause 10. SemlyPro’s published contact for DPDP-related grievances and queries is anil@semlypro.com.
16.4. Cross-border transfers under the DPDP Law. SemlyPro may transfer India-scoped Customer Personal Data outside India except to any country or territory that the Central Government of India restricts by notification under section 16 DPDP Act (the “negative-list” model). SemlyPro will not transfer such data to a restricted country and will maintain the safeguards in Annex 2 and clause 6 for any onward transfer. Where a Sub-processor is used for India-scoped processing, the obligations in clause 6 apply, adapted to DPDP requirements as set out in Annex 3.
16.5. Interaction with GDPR clauses. For India-scoped processing, references in this DPA to the “Controller” include the Data Fiduciary, references to a “data subject” include a Data Principal, and the assistance, security, sub-processor and deletion obligations in clauses 4A, 5, 6, 8, 10 and 12 apply equally, read consistently with the DPDP Law. The Customer remains the Data Fiduciary and remains responsible to Data Principals under the DPDP Law regardless of any contrary term.
Annex 1 — Description of processing
Subject-matter. Processing of Customer Personal Data as necessary for SemlyPro to provide the Service to the Customer.
Duration. For the term of the Terms, plus any retention or deletion window under clause 12.
Nature and purpose of processing.
- Hosting and storing Customer Materials submitted to the Service, including files uploaded by the Customer (for example, Excel/CSV/spreadsheet uploads).
- Ingesting and analysing, on the Customer’s authorised instruction, the Customer’s data from connected third-party integrations — including Google Ads (campaign, spend, performance and conversion data), Google Analytics 4 (traffic, audience, session and event data) and Google Search Console (query, impression, click, position and index data).
- Generating Content on the Customer’s behalf using AI Providers (currently OpenAI Ireland Limited and Anthropic, PBC — see semlypro.com/subprocessors).
- Publishing Content on the Customer’s behalf to third-party CMS platforms.
- Analysing search-engine rankings and AI Search Engine citations for the Customer.
- Providing customer support, and troubleshooting, debugging, maintaining and securing the Service (clause 4A).
- Reviewing and improving the Service and its models for SemlyPro’s internal, non-public purposes, using anonymised or pseudonymised data only (clauses 3.2(e), 9A.1).
- Enforcing the Terms and the AUP.
- Complying with SemlyPro’s legal obligations.
Categories of personal data.
- Contact and profile data of the Customer’s team members, end-clients, or other identifiable persons whom the Customer may submit as Customer Materials.
- Content-related personal data appearing in Customer Materials (for example, quoted names in competitor content).
- Personal data contained in Customer-uploaded files (for example, Excel/CSV spreadsheets), which may include names, email addresses, contact lists and other structured personal data.
- Advertising and web-analytics personal data obtained via the Customer’s authorised Google Ads, Google Analytics (GA4) and Google Search Console integrations, including online identifiers, pseudonymous user/client IDs and IP-derived data.
- Authentication credentials and OAuth access/refresh tokens for connected CMS and data platforms, which identify Customer team members.
- Personal data appearing in Content generated by the Service where the Customer’s inputs concern identifiable persons.
- Diagnostic and log data associated with the Customer’s use of the Service.
Categories of data subjects.
- The Customer’s team members.
- The Customer’s end-clients (where the Customer uses the Service as an agency).
- Individuals whose personal data appears in Customer-uploaded files.
- Individuals whose personal data is contained in the Customer’s connected advertising/analytics accounts (for example, website visitors, ad audiences).
- Identifiable persons named in Customer Materials or Content.
Special-category personal data (Article 9 GDPR).
- Not permitted. The prohibition on special-category personal data is set out in the Acceptable Use Policy (special-category prohibition — AUP section 3.12) and the Privacy Policy (section 3.4); the Customer’s general legal-basis warranty for personal data in Customer Materials is in ToS clause 6.4(d) and is restated in clause 2A of this DPA. (These cross-references were reconciled against the renumbered AUP: the special-category prohibition is AUP section 3.12.)
Processing / hosting locations. The processing and hosting region(s) for the Service, and the countries of any non-EEA Sub-processors (such as AI Providers), together with the applicable transfer mechanism for each, are set out at semlypro.com/subprocessors, so that this Annex accurately doubles as SCCs Annex I.B.
Annex 2 — Technical and organisational measures
SemlyPro implements the following technical and organisational measures to ensure a level of security appropriate to the risk. These measures are reviewed and updated periodically.
Pseudonymisation and encryption.
- Encryption in transit (TLS 1.2 or higher) for all Customer Personal Data.
- Encryption at rest for stored Customer Personal Data.
- Password storage as salted hashes using industry-standard hashing algorithms.
- Anonymisation or pseudonymisation of Customer Personal Data used for internal service/model review and improvement (clauses 3.2(e), 9A.1).
Confidentiality, integrity, availability and resilience.
- Access controls based on role, need-to-know, and least privilege.
- Logical separation/isolation of each Customer’s data in the multi-tenant environment.
- Access logging and monitoring of staff/contractor access to Customer Personal Data (clause 4A).
- Multi-factor authentication for administrative access.
- Isolation of production and non-production environments.
- Automated back-ups with time-limited retention.
- Change-management process for production changes.
- Vulnerability scanning and dependency management.
- Application-layer input validation and output encoding.
- Rate limiting and abuse detection.
Restoration of availability after incident.
- Documented incident-response plan.
- Regular back-up integrity checks.
- Disaster-recovery testing.
Regular testing and evaluation.
- Periodic security review.
- Penetration testing by an independent party at least annually.
- Coordinated vulnerability disclosure programme.
Sub-processor controls.
- Due diligence on Sub-processors before engagement.
- Written data-processing agreements with all Sub-processors.
- Ongoing monitoring of Sub-processor compliance where practicable.
Personnel controls.
- Confidentiality obligations in employment and contractor agreements.
- Data-protection training on hire and periodically thereafter.
- Access removal on termination or role change.
Data-minimisation and quality.
- Collection of only the categories of personal data necessary for the Service.
- Retention of personal data in line with the SemlyPro Privacy Policy retention schedule and clause 12.
- Deletion or anonymisation after the retention period.
Annex 3 — India (DPDP) processing particulars
This Annex applies to India-scoped processing under clause 16.
- Roles. Customer = Data Fiduciary (or acting on behalf of the Data Fiduciary); SemlyPro = Data Processor.
- Purpose and duration. As in Annex 1, limited to the Customer’s instructions; retention and erasure as in clause 12 and section 8(7) DPDP Act.
- Security safeguards. As in Annex 2, satisfying the reasonable-security-safeguards requirement (DPDP Rules 2025, Rule 6).
- Breach handling. SemlyPro notifies the Customer of any personal data breach without undue delay (clause 10) and assists the Customer’s intimation to the Data Protection Board of India and affected Data Principals (clause 16.3).
- Data Principal rights assistance. Access, correction, completion, updating, erasure, grievance redressal and nomination (clause 16.3).
- Grievance contact. anil@semlypro.com (and the named India Grievance/Contact Officer once appointed).
- Cross-border transfers. Permitted except to countries restricted by the Central Government under section 16 DPDP Act (clause 16.4).
- Sub-processors. Engaged only under written contracts imposing equivalent DPDP-consistent obligations (clause 6).
Last updated 13 July 2026 · Operated by Semly Pro (eenmanszaak), KvK 99448351, Hawaiiweg 41, 1339 NW Almere, Netherlands · Questions about this document: anil@semlypro.com