Data Processing Agreement

Last updated: March 21, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer identified below (“Data Controller”, “Customer”) and [LEGAL ENTITY NAME], [CVR NUMBER], Denmark (“Data Processor”, “Seedli”) for the provision of the Seedli platform (“Service”). This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).

Processing: Any operation performed on Personal Data, as defined in GDPR Art. 4(2).

Data Controller: The Customer, who determines the purposes and means of processing Personal Data through their use of the Service.

Data Processor: Seedli, who processes Personal Data on behalf of the Data Controller.

Sub-processor: A third party engaged by Seedli to process Personal Data on behalf of the Data Controller.

2. Scope and purpose of processing

2.1 Subject matter

Seedli processes Personal Data as necessary to provide the Service: a decision intelligence platform that analyzes brand and provider positioning across AI platforms.

2.2 Duration

Processing continues for the duration of the Customer’s use of the Service and for the deletion period specified in Section 8.

2.3 Nature and purpose of processing

  • Authentication and account management
  • Processing of project data to generate market intelligence
  • Transmission of market descriptions (which may include company names) to AI model providers for analysis
  • Storage of analysis results
  • Error monitoring and service stability

2.4 Types of Personal Data processed

  • Email addresses (account holders)
  • Names (if provided)
  • IP addresses (processed by infrastructure, not stored long-term by Seedli)

Note: Brand names and domain names are transmitted to AI model providers for analysis. These are typically not Personal Data, but may qualify as such where a brand name is identical to a sole proprietor’s personal name.

2.5 Categories of data subjects

  • Employees and representatives of the Customer who have Seedli accounts

3. Obligations of the Data Processor

Seedli shall:

  1. Process Personal Data only on documented instructions from the Data Controller, unless required by EU or member state law
  2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of data in transit (TLS/HTTPS)
    • Encryption of data at rest (managed by Supabase, AWS)
    • Access controls and authentication (role-based access, service role separation)
    • Redaction of Personal Data in error monitoring (Sentry PII scrubbing)
    • Regular security updates and dependency management
  4. Not engage another processor without prior specific or general written authorization of the Data Controller (see Section 5)
  5. Assist the Data Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
  6. Assist the Data Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, impact assessment, prior consultation)
  7. At the choice of the Data Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or member state law requires storage
  8. Make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits

4. Obligations of the Data Controller

The Data Controller shall:

  1. Ensure that there is a lawful basis for processing Personal Data through the Service
  2. Provide documented processing instructions to the Data Processor
  3. Ensure that data subjects are informed about the processing in accordance with GDPR Articles 13–14

5. Sub-processors

5.1 General authorization

The Data Controller provides general authorization for Seedli to engage sub-processors, subject to the requirements in this section.

5.2 Current sub-processors

| Sub-processor | Purpose | Data processed | Location | Safeguards |
|---|---|---|---|---|
| Supabase Inc. | Database hosting, authentication | Account data, project data, analysis results | EU (AWS Stockholm, Sweden) | Data stored in EU |
| Vercel Inc. | Web application hosting | HTTP request data | Global CDN (US-based) | EU-US DPF / SCCs |
| Google Cloud Platform | Background job processing | Project data during processing | Configurable | EU-US DPF / SCCs |
| OpenAI Inc. | AI model analysis | Market descriptions, brand names, domain names | US | API DPA / SCCs |
| Anthropic PBC | AI model analysis | Market descriptions, brand names, domain names | US | API DPA / SCCs |
| Functional Software Inc. (Sentry) | Error monitoring | Anonymized technical data | EU (Germany) | Data processed in EU |
| Usercentrics A/S (Cookiebot) | Cookie consent management | Consent state, anonymized consent log | EU (Denmark) | EEA-based |
| Google LLC (Tag Manager) | Tag management / analytics orchestration | No Personal Data directly | US | EU-US DPF / SCCs |
| Google LLC (Analytics 4) | Usage analytics (IP masking enabled) | Anonymized usage data, device info, session data | US | EU-US DPF / SCCs, IP anonymization |
| Sanity AS | Content management | No Personal Data | Norway (EEA) | EEA-based |
| Automattic Inc. (Gravatar) | Avatar images | Email hash (MD5) | US | EU-US DPF / SCCs |

5.3 Changes to sub-processors

Seedli will notify the Data Controller at least 30 days in advance of any intended addition or replacement of sub-processors. The Data Controller may object within 14 days. If a reasonable objection cannot be resolved, the Data Controller may terminate the Service.

5.4 Sub-processor obligations

Seedli ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

6. International data transfers

Where Personal Data is transferred outside the EU/EEA, Seedli ensures appropriate safeguards are in place in accordance with GDPR Chapter V, including:

  • EU-US Data Privacy Framework (for certified US providers)
  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Adequacy decisions (for transfers to countries recognized by the European Commission)

7. Security measures

Seedli implements the following technical and organizational measures:

Access control

  • Role-based access control (anon, authenticated, service role, runner role)
  • Authentication via magic link (email-based OTP)
  • Session management via httpOnly, secure, sameSite cookies

Data protection

  • All data in transit encrypted via TLS (HTTPS)
  • Database encryption at rest (managed by AWS/Supabase)
  • Personal data redacted from error monitoring (email addresses, auth tokens, and cookies stripped from Sentry events)

Infrastructure

  • Primary database in EU (AWS Stockholm, Sweden)
  • Sentry error monitoring in EU (Germany)
  • Application-level security middleware enforcing authentication on protected routes

Operational

  • Dependency vulnerability monitoring
  • Separate service roles for application, server, and background workers
  • No long-term storage of IP addresses

8. Data deletion and return

Upon termination of the Service:

  • Seedli will delete all Customer Personal Data within 30 days of account termination
  • The Data Controller may request data export in a machine-readable format prior to termination
  • Sub-processor data deletion follows each sub-processor’s retention policy (documented in Section 5.2)
  • Seedli may retain anonymized, aggregated data that does not constitute Personal Data

9. Data breach notification

In the event of a Personal Data breach, Seedli shall:

  1. Notify the Data Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  2. Provide the Data Controller with sufficient information to meet its own notification obligations under GDPR Art. 33–34, including:
    • Nature of the breach
    • Categories and approximate number of data subjects affected
    • Likely consequences
    • Measures taken or proposed to address the breach

10. Data Protection Impact Assessment

Seedli will provide reasonable assistance to the Data Controller in conducting a Data Protection Impact Assessment (DPIA) where required under GDPR Art. 35, including providing information about processing operations, technical measures, and sub-processors.

11. Audit rights

The Data Controller has the right to audit Seedli’s compliance with this DPA. Audits shall be:

  • Conducted with reasonable notice (at least 30 days)
  • Limited to once per year unless a data breach or regulatory investigation necessitates additional audits
  • Conducted at the Data Controller’s expense
  • Subject to reasonable confidentiality obligations

Seedli may satisfy audit requests by providing relevant third-party audit reports, certifications, or written attestations.

12. Liability

Liability under this DPA is governed by the limitation of liability provisions in the Terms of Use between the parties.

13. Term and termination

This DPA takes effect upon the Data Controller’s acceptance of the Terms of Use and remains in effect for the duration of the Service. Provisions relating to data deletion, confidentiality, and audit rights survive termination.

14. Governing law

This DPA is governed by the laws of Denmark. Disputes shall be resolved in accordance with the dispute resolution provisions in the Terms of Use.

Signatures

Data Controller

Name:  

Organization:  

Date:  

Data Processor

Name: Flemming Rubak

Organization: [LEGAL ENTITY NAME]

Date: