Data Processing Addendum

Template DPA between ClimbVista and the customer. Governs the processing of personal data under the Service.

Last updated: 2026-06-21

1. Parties

This Data Processing Addendum (“DPA”) forms part of the master service agreement (“Agreement”) between ClimbVista (the “Processor”) and the customer identified in the Order Form (the “Controller”). Where this DPA conflicts with the Agreement, the DPA controls for matters of personal-data processing.

2. Subject matter and duration

Subject matter: technical SEO monitoring, issue detection, edge policy distribution, and uptime/telemetry analytics. Duration: the term of the Agreement, plus any wind-down period required to return or delete personal data.

3. Nature and purpose of processing

ClimbVista processes limited technical metadata required to render the Service — including URLs scanned, HTTP response characteristics, page structural data, and uptime probes of the Controller’s domain. Personal data processing is incidental and minimised by design.

4. Categories of data subjects

Visitors to the Controller’s website whose technical requests may surface in log and metric records; authorised users of the Controller who log into ClimbVista.

5. Categories of personal data

IP addresses (of audit-log actors and of incidental request logs), user-agent strings, cookie/session identifiers passed through the edge worker when explicitly enabled, and authenticated-user contact data (name, email).

6. Processor obligations

ClimbVista will: (a) process personal data only on documented instructions from the Controller; (b) ensure personnel are bound by confidentiality; (c) implement the technical and organisational measures described in §9; (d) engage sub-processors only under equivalent obligations; (e) assist the Controller in responding to data-subject requests; (f) notify the Controller of any personal-data breach without undue delay, and within 72 hours.

7. Sub-processors

ClimbVista uses the following sub-processors: Vercel Inc. (application hosting, São Paulo region), Neon Database (PostgreSQL hosting, São Paulo region), Cloudflare Inc. (edge policy distribution and DNS), Fly.io (on-demand page rendering for crawling, São Paulo region), OpenAI (AI analysis, data processed ephemerally and not retained for training), Resend (transactional email delivery). Controller grants general authorisation for these sub-processors and will be notified of additions at least 30 days in advance.

8. International transfers

Primary processing occurs in Brazil (gru1 region). Transfers outside Chile / Brazil are performed on the basis of Standard Contractual Clauses or equivalent safeguards where applicable.

9. Security measures

Encryption in transit (TLS 1.3) and at rest (AES-256, provider-managed); role-based access control with least-privilege defaults; append-only audit logging of privileged actions; API keys stored as SHA-256 hashes with per-key rate limiting; regular dependency and infrastructure reviews; production access restricted to authorised personnel under confidentiality.

10. Data-subject rights

ClimbVista will assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to requests for exercising the data subject’s rights (access, rectification, erasure, restriction, portability, and objection).

11. Return and deletion

Upon termination of the Agreement, ClimbVista will, at the Controller’s election, return or delete all personal data within 30 days, subject to legal retention obligations under Chilean law.

12. Audit

Controller may, at its cost and no more than once per year, review the Processor’s available compliance documentation (security policies and, where available, penetration-test summaries). Physical audits are available for procurement-tier customers upon reasonable notice.

13. Governing law

This DPA is governed by the law of the Republic of Chile. Disputes are subject to the exclusive jurisdiction of the courts of Santiago.