Data Processing Agreement

Last Updated: April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Visibil Technologies Ltd. ("Visibil") and the customer entity accessing the Services ("Customer"), and is incorporated into Visibil's Terms of Service. Where there is a conflict between this DPA and the Terms of Service on matters relating to data processing, this DPA takes precedence.


This DPA applies where Visibil processes personal data on behalf of the Customer in the course of providing the Services, and is intended to satisfy the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), as applicable.

1. Definitions

For the purposes of this DPA:


"Applicable Data Protection Law" means any law or regulation governing the processing of personal data that applies to the activities described in this DPA, including the GDPR (Regulation (EU) 2016/679), the UK GDPR, the CCPA (Cal. Civ. Code §1798.100 et seq.), and any successor legislation.


"Controller" means the Customer, who determines the purposes and means of processing personal data in connection with the Services.


"Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA.


"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Visibil on behalf of the Customer under this DPA.


"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.


"Processor" means Visibil, who processes personal data on behalf of the Customer as instructed.


"Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed under this DPA.


"Subprocessor" means any third party engaged by Visibil to process personal data in connection with the Services.


"Services" has the meaning given in the Terms of Service.

2. Scope and Nature of Processing

2.1 Role of the Parties

The Customer acts as Controller and Visibil acts as Processor with respect to personal data processed in the course of delivering the Services.

2.2 Subject Matter

Visibil processes personal data for the purpose of providing its SEO and AEO automation platform, including connecting to the Customer's CMS, generating and implementing content changes, monitoring AI citation visibility, and correlating outcomes with analytics data.

2.3 Duration

Visibil processes personal data for the duration of the Customer's subscription to the Services and for such period as is necessary to fulfill its obligations under this DPA or applicable law following termination.

2.4 Types of Personal Data

The personal data processed under this DPA may include:


  • Names and email addresses of Customer account users;

  • Website content, metadata, and structured data fields accessed via the Customer's connected CMS;

  • Traffic and performance data accessed via connected analytics integrations (e.g., Google Search Console, Google Analytics 4); and

  • Usage and interaction data generated by Customer users within the Visibil platform.

2.5 Categories of Data Subjects

Data subjects may include:


  • The Customer's employees or contractors who hold Visibil accounts; and

  • Visitors to the Customer's website, to the extent that their data is incidentally present in website content or analytics data accessed by Visibil.

3. Processor Obligations

Visibil agrees to:

3.1 Process Only on Instructions. Process personal data only on the documented instructions of the Customer, as set out in this DPA and the Terms of Service, unless required to do otherwise by applicable law. Visibil will notify the Customer if it believes an instruction infringes Applicable Data Protection Law, unless prohibited from doing so by law.


3.2 Confidentiality. Ensure that all personnel authorized to process personal data under this DPA are subject to appropriate confidentiality obligations.


3.3 Security. Implement and maintain technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction, taking into account the nature of the data and the risks involved. Current measures include encrypted data transmission (TLS), OAuth-based credential management, and role-based access controls.


3.4 Subprocessors. Not engage additional Subprocessors without providing the Customer with advance notice and an opportunity to object. A list of current Subprocessors is maintained in Schedule A of this DPA. Where a Subprocessor fails to meet its data protection obligations, Visibil remains liable to the Customer to the extent Visibil is responsible under this DPA.


3.5 Data Subject Rights. Assist the Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection), to the extent that such requests relate to personal data processed by Visibil on the Customer's behalf.


3.6 Compliance Assistance. Provide reasonable assistance to the Customer in meeting its obligations under Applicable Data Protection Law in relation to data security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Visibil.


3.7 Deletion or Return. Upon termination of the Services or upon written request, delete or return all personal data processed under this DPA in accordance with Section 7 of this DPA, unless applicable law requires Visibil to retain it.


3.8 Audit Rights. Upon reasonable written notice (and no more than once per calendar year absent a Security Incident), provide the Customer with information reasonably necessary to demonstrate compliance with this DPA. Visibil may fulfill this obligation by providing relevant certifications, audit reports, or written responses to reasonable questionnaires in lieu of on-site audits.

4. Customer Obligations

The Customer agrees to:


  • Ensure that it has a valid legal basis for processing personal data and for instructing Visibil to process it on its behalf;

  • Provide all required notices to, and obtain all required consents from, Data Subjects as required by Applicable Data Protection Law;

  • Ensure that its instructions to Visibil comply with Applicable Data Protection Law; and

  • Promptly inform Visibil if it becomes aware of any Security Incident involving personal data processed under this DPA.

5. Subprocessors

5.1 Authorization

The Customer provides general authorization for Visibil to engage Subprocessors, subject to the requirements of this Section.

5.2 Notice of Changes

Visibil will provide at least 14 days' advance notice of any intended addition or replacement of Subprocessors. The Customer may object to a new Subprocessor on reasonable grounds related to data protection within that notice period. If the Customer objects and Visibil cannot accommodate the objection, either party may terminate the affected Services on written notice without penalty.

5.3 Current Subprocessors

A current list of Subprocessors is set out in Schedule A. Visibil will keep this list updated as changes occur.

6. International Data Transfers

Where personal data is transferred outside of the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data transfer restrictions, Visibil will ensure that appropriate safeguards are in place, including:


  • Standard Contractual Clauses (SCCs) as adopted by the European Commission, where applicable; or

  • UK International Data Transfer Agreements (IDTAs), where applicable; or

  • Other transfer mechanisms recognized under Applicable Data Protection Law.


By entering into this DPA, the parties agree to be bound by the applicable SCCs or IDTAs to the extent required for such transfers.

7. Data Deletion and Return

Upon termination of the Services, Visibil will, at the Customer's election, either delete or return personal data processed under this DPA within 30 days, and will certify in writing that deletion has occurred upon request. Visibil may retain personal data beyond this period only to the extent and for the duration required by applicable law, and will continue to protect such data in accordance with this DPA.

8. Security Incidents

Visibil will notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a Security Incident affecting personal data processed under this DPA. Such notification will include, to the extent known at the time: the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the incident. Visibil will cooperate with the Customer and take reasonable steps to mitigate the effects of the incident.


Notification of a Security Incident is not an acknowledgment of fault or liability.

9. CCPA Compliance

To the extent the CCPA applies, Visibil agrees that it is a "service provider" as defined under the CCPA and will not: sell personal information received from the Customer; retain, use, or disclose personal information for any purpose other than providing the Services or as otherwise permitted by the CCPA; or combine personal information received from the Customer with personal information received from other sources, except as permitted under the CCPA.

10. Limitation of Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA is intended to limit either party's liability to Data Subjects or to supervisory authorities under Applicable Data Protection Law.

11. Term and Termination

This DPA remains in effect for as long as Visibil processes personal data on behalf of the Customer. It terminates automatically upon the expiry or termination of the Terms of Service, subject to any obligations that survive termination under Section 7.

12. Governing Law

This DPA is governed by the same governing law as the Terms of Service.

Schedule A - Current Subprocessors

The following Subprocessors are authorized by the Customer under Section 5 of this DPA. Visibil will update this list as changes occur and provide notice in accordance with Section 5.2.

| Subprocessor | Purpose | Location |
|---|---|---|
| CMS platform (currently: HubSpot) | CMS integration — reading and writing website content on behalf of the Customer | United States |
| Google LLC | Search Console and Analytics 4 integrations; citation monitoring via Gemini | United States |
| OpenAI, LLC | AI citation monitoring (ChatGPT queries sent on Customer's behalf) | United States |
| Anthropic, PBC | AI language model infrastructure and citation monitoring (Claude) | United States |
| PostHog, Inc. | Product analytics and session tracking | United States |
| Payment processor | Subscription billing and payment handling | United States |
| Cloud hosting provider | Platform infrastructure and data storage | United States |

Schedule B - Security Measures

The following technical and organizational security measures are implemented by Visibil as of the date of this DPA:


Access Controls

  • Role-based access control for internal Visibil personnel

  • Principle of least privilege applied to system access

  • Multi-factor authentication required for administrative access


Data Transmission

  • All data transmitted between the Customer, Visibil, and connected integrations uses TLS encryption

  • OAuth 2.0 used for all CMS and third-party platform authentication; credentials are not stored by Visibil


Data Storage

  • Data stored on infrastructure hosted with reputable cloud providers operating in secure, access-controlled environments

  • Database access restricted to authorized services and personnel


Incident Response

  • Security incident monitoring and alerting in place

  • Incident response procedures maintained and tested periodically


Personnel

  • Staff with access to Customer data are subject to confidentiality obligations

  • Security awareness is a standing expectation for all personnel with system access


Visibil may update these measures over time to reflect improvements in industry practice. Visibil will not materially reduce the overall security standard provided under this Schedule without notice to the Customer.

© Visibil, Inc. 2026. All rights reserved