Data Processing Agreement (DPA)
Updated 8 July 2026
1. Roles of the parties
The Controller is the site owner who embeds the widget: they determine the purposes and means of processing their visitors' data and their content. The Processor is the service operator, processing that data solely on the Controller's documented instructions. Google Cloud is engaged as a sub-processor (processing inside Vertex AI Search / Gemini / Cloud Storage).
For the Controller's own account data (email, settings) and for query text used to a limited extent for quality metrics and abuse protection, the Processor acts as an independent controller — governed by the Privacy Policy, not by this DPA. Payments are handled by Paddle as Merchant of Record and an independent controller of payment data, not a sub-processor.
2. Subject matter, duration, nature and purpose
- Subject matter. Processing of personal data contained in the Controller's site content and in its visitors' queries, to provide AI search with answers and source links.
- Duration. For the term of the Terms of Service and while the project is active; on termination the "Return and deletion" section applies.
- Nature of processing. Collection (crawling public pages), indexing, storage, search, answer generation, logging, and deletion.
- Purpose. Solely to provide and support the service on the Controller's instructions; processing for other purposes is not permitted.
3. Categories of data and data subjects
Categories of data subjects: visitors to the Controller's site; individuals mentioned in the site's public content.
Categories of data:
- content of the site's public pages (may include personal data published by the Controller);
- visitor query text;
- visitor technical data — IP address (processed transiently and not stored) and request metadata (for abuse protection and security);
- widget session identifiers and usage metrics.
Special-category data (Art. 9 GDPR) is not intended to be processed; the Controller undertakes not to submit it to the service and not to prompt visitors to enter sensitive data into search.
4. Processing on instructions
The Processor processes personal data only on the Controller's documented instructions, including for transfers, unless required to do otherwise by applicable EU/Member-State or Israeli law (in which case the Processor informs the Controller before processing, unless the law prohibits it). This DPA, the Terms, and the settings the Controller configures in the dashboard constitute the complete set of instructions. The Processor promptly informs the Controller if, in its opinion, an instruction infringes the GDPR, other EU/Member-State law, or the Israeli PPL.
5. Confidentiality
The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is granted on a need-to-know, least-privilege basis.
6. Security measures (Art. 32 GDPR)
The Processor implements appropriate technical and organizational measures proportionate to the risk, including: transmission over TLS; project isolation (each project has its own index and key); query sanitization and rate limiting before any paid service is called; least-privilege access; and logging. Measures are applied consistent with the Israeli Protection of Privacy (Data Security) Regulations 2017 (see the "Israeli law" section). The list of measures may be updated, but their level is not lowered.
7. Sub-processors
The Controller gives general authorization to engage sub-processors. The current list is published on the Sub-processors page and includes Google Cloud (Vertex AI Search / Discovery Engine, Gemini, Cloud Storage). The Processor imposes on each sub-processor data-protection obligations no less protective than those in this DPA (in particular, it accepts Google's Cloud Data Processing Addendum) and remains liable for its sub-processors' acts.
The Processor gives advance notice of any intended addition or replacement of a sub-processor (procedure on the "Sub-processors" page); the Controller may object on reasonable data-protection grounds. If an objection cannot be resolved, the Controller may stop using the service for the affected processing.
8. Assistance with data-subject rights
Taking into account the nature of the processing, the Processor assists the Controller, insofar as possible and by appropriate technical and organizational measures, in fulfilling its obligation to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection under Arts. 15–22 GDPR). If a data-subject request reaches the Processor directly, it forwards it to the Controller without undue delay and does not respond itself except on the Controller's instructions. Dashboard tools (log clean-up, project deletion) support the fulfillment of such requests.
9. Personal data breach notification (dual regime)
The Processor notifies the Controller of a personal data breach without undue delay after becoming aware of it, providing the information reasonably needed for the Controller to meet its own notification obligations (Arts. 33–34 GDPR — typically notification to the supervisory authority by the Controller within 72 hours).
In addition, because the Processor is established in Israel, for a serious security incident it notifies the Israeli Privacy Protection Authority (PPA) immediately, as required by the PPL as amended by Amendment 13, and assists with notifying data subjects as directed by the PPA. Notification is not an admission of liability.
10. Return and deletion of data
On the end of the provision of services, the Processor, at the Controller's choice, deletes or returns the personal data and deletes existing copies, unless storage is required by applicable law. In practice, when a project is closed, the site index and related Vertex resources, intermediate indexing artifacts, and logs are deleted (subject to the retention periods in the Privacy Policy: query text — 90 days, indexing artifacts — typically 7 days; IP addresses are not stored).
11. Audit and information
The Processor makes available to the Controller the information reasonably necessary to demonstrate compliance with its Art. 28 GDPR obligations, and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, to a reasonable extent, on prior notice, during business hours, and under confidentiality, in a manner that does not compromise the security of other clients. Sub-processors' assurances (for example, Google's compliance reports and certifications, including ISO 27001) may be used to demonstrate compliance.
12. International transfers
Transfers of personal data from the EEA to the Processor in Israel rely on the European Commission's adequacy decision for Israel; separate Standard Contractual Clauses are not required for this leg, but if adequacy is withdrawn the parties fall back to SCCs.
Transfers to Google's services are governed by Google's Cloud Data Processing Addendum and, where needed, SCCs and/or the EU-US Data Privacy Framework. At the Controller's choice, an EU Google region is used for EU clients' data to minimize cross-border transfer.
Transfers from Israel to Google rely on the Israeli Privacy Protection (Transfer of Data Abroad) Regulations 2001, Reg. 2(4) (the recipient's obligation to ensure storage and use conditions equivalent to Israeli law). For EEA data, the Israeli EEA Data Regulations 2023 (Regs. 3–7) additionally apply to the processing of EEA data subjects' data.
13. CCPA / US state-law terms
To the extent the CCPA/CPRA applies, the Processor acts as a service provider and processes personal information only for the specified business purpose of providing the service. The Processor does not sell and does not "share" personal information, does not retain, use, or disclose it outside the direct business relationship with the Controller or for any other purpose, and does not combine it with data from other sources except as permitted by the CCPA. The Processor ensures equivalent obligations for its sub-processors.
14. Israeli law (PPL / Amendment 13)
Because the Processor is established in Israel, the Protection of Privacy Law (PPL) as amended by Amendment 13 (in force since 14 August 2025) applies to the processing; it aligned Israeli law with the GDPR (controller/processor terminology, AI-processing transparency, stronger PPA enforcement, breach notification). The Processor complies with the Protection of Privacy (Data Security) Regulations 2017 for the data it processes. For a serious incident, the PPA notification regime in the "Breach notification" section applies. The parties confirm that a privacy contact (Privacy Officer / contact — see the Privacy Policy) is appointed.
15. General
The choice of Israeli law and the jurisdiction of the Tel Aviv-Jaffa courts (see the Terms) does not override mandatory obligations under the GDPR, the CCPA, and the PPL — allocation of responsibility is determined by law. In case of conflict, this DPA prevails for the processing of personal data. The Processor's (service controller's) contacts and the privacy contact are set out in the Privacy Policy.