Parties and Definitions
This DPA is entered into between (i) Elevate Rank LLC, a Wyoming limited liability company operating under the brand “ElevateRank” (the “Processor”), and (ii) the Client identified in the Client's ElevateRank account (the “Controller”).
Capitalised terms not defined in this DPA have the meanings given in the Terms of Service and the Privacy Policy. “Applicable Data Protection Laws” means the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other data-protection statute applicable to the Services.
Scope and Processing Roles
The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Services described in the Terms of Service — namely, managing the Controller's paid-advertising campaigns on Meta (Facebook and Instagram) and Google Ads, producing reports, and facilitating communication between the Controller and its assigned account team.
The Processor acts as a data processor under GDPR Art. 28 and as a service provider under CCPA/CPRA with respect to Personal Data the Controller provides or that the Processor collects from end users on the Controller's behalf. The Processor acts as an independent data controller only in respect of its own business operations (billing, account security, fraud prevention, and its own compliance obligations).
The Processor will process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries. The Controller's instructions are set out in this DPA, the Terms of Service, and the configuration choices the Controller makes in the Services (e.g., campaign targeting parameters, audience uploads).
Categories of Data and Data Subjects
Categories of Personal Data
- Account identifiers: Controller's email address, name, phone number, company name, country, and billing metadata (Stripe customer ID).
- Campaign inputs: free-text brief fields (business description, ideal customer profile, competitors, prior campaign performance), uploaded creative assets, and platform credentials/access tokens to the Controller's ad accounts (encrypted at rest).
- End-user audience data (where applicable, and only when the Controller explicitly uploads or connects such data): hashed emails, phone numbers, or platform user IDs used for audience targeting on Meta or Google.
- Platform-reported metrics: ad-level performance data (spend, impressions, clicks, conversions) returned by Meta or Google.
Categories of Data Subjects
- The Controller's authorised users (employees, contractors, agents accessing the ElevateRank platform on the Controller's behalf).
- The Controller's customers, prospects, or audience members whose data the Controller chooses to upload or target.
Subprocessors
The Controller grants a general authorisation for the Processor to engage the subprocessors listed below to provide the Services. Each subprocessor is bound by a written contract containing data-protection terms substantially equivalent to those in this DPA.
- Supabase Inc. — managed Postgres, authentication, and object storage (US).
- Stripe, Inc. — payment processing and card-on-file storage (US / EEA).
- Resend Inc. — transactional email delivery (US).
- Vercel, Inc. — web application hosting, edge network, and function runtime (US / global CDN).
- Meta Platforms, Inc. — Facebook and Instagram advertising APIs, used only with the Controller's explicit connection (US).
- Google LLC — Google Ads platform and Google Tag Manager / Google Analytics on marketing pages (US).
- Make.com (Celonis SE) — operational workflow automation (EEA); used only for internal ops notifications, not for Controller-provided audience data.
The Processor will notify the Controller of any intended addition or replacement of subprocessors by updating this page at least 30 days before the change takes effect. The Controller may object to the change in writing to info@elevaterank.io. If the parties cannot reach a resolution, the Controller may terminate the affected portion of the Services without penalty.
Security Measures
The Processor implements appropriate technical and organisational measures under GDPR Art. 32 to protect Personal Data against unauthorised access, alteration, disclosure, and destruction. These include:
- Encryption in transit using TLS 1.2 or higher for all connections to the Services.
- Encryption at rest of all database storage; additional application-layer AES-256-GCM encryption for platform access tokens (Meta OAuth tokens).
- Row-level security policies and role-based access controls limiting access to Personal Data to authorised personnel on a need-to-know basis.
- Separation of staging and production environments; service-role credentials rotated and stored only in encrypted environment-variable stores.
- Password hashing (bcrypt) via the identity provider; multi-factor authentication available for all user accounts.
- Logging of administrative actions and webhook events to a private audit table retained for no less than 30 days.
- Regular review of access rights; immediate revocation on personnel departure.
International Data Transfers
Where the Processor transfers Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland to a country outside those regions that has not been deemed adequate by the relevant regulator, the transfer is governed by the Standard Contractual Clauses (“SCCs”) approved by the European Commission (Decision 2021/914), incorporated into this DPA by reference:
- Module 2 (Controller → Processor) applies where the Processor receives Personal Data directly from the Controller.
- Module 3 (Processor → Processor) applies where the Processor engages a subprocessor outside the adequacy jurisdictions.
For transfers from the United Kingdom, the parties further incorporate the ICO's International Data Transfer Addendum to the SCCs, Version B1.0, as in force from time to time.
Personal Data Breach Notification
The Processor will notify the Controller of any Personal Data breach affecting the Controller's Personal Data without undue delay and in any event within 72 hours of the Processor becoming aware of it. The notification will include, to the extent known, (i) the nature of the breach, (ii) the categories and approximate number of data subjects and records affected, (iii) the likely consequences, and (iv) the measures taken or proposed to mitigate the breach. The Processor will cooperate reasonably with the Controller's own breach-notification obligations.
Assistance with Data Subject Rights
Taking into account the nature of the processing, the Processor will provide the Controller with reasonable assistance in responding to requests from data subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, deletion, restriction, portability, and objection). If a data subject contacts the Processor directly, the Processor will redirect them to the Controller unless otherwise instructed.
Audits and Inspections
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits may be conducted no more than once every twelve (12) months, except where required by a supervisory authority or following a Personal Data breach. The Controller will bear its own audit costs; both parties will bear their own internal costs of cooperation. Where equivalent evidence is available (e.g., a third-party security assessment), the Processor may satisfy its audit obligations by providing that evidence in lieu of an on-site audit.
Data Deletion and Return
At the Controller's written request, and upon termination of the Services, the Processor will (at the Controller's option) return all Personal Data to the Controller or delete it from the Processor's systems and those of its subprocessors, subject to any retention obligation imposed by law. Backups containing Personal Data are overwritten in the ordinary course within ninety (90) days of deletion.
Term and Termination
This DPA takes effect on the Effective Date above and remains in force for the duration of the Controller's subscription to the Services and for any subsequent period during which the Processor continues to process Personal Data on the Controller's behalf. Termination of the Terms of Service automatically terminates this DPA.
Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, including the aggregate liability cap. No provision of this DPA excludes or limits liability to the extent that such exclusion or limitation is prohibited by Applicable Data Protection Laws or by any mandatory rule of statutory law.
Governing Law
This DPA is governed by and construed in accordance with the laws of the State of Wyoming, United States, without regard to its conflict-of-law provisions, except to the extent that the SCCs incorporated in Section 06 specify a different governing law for the transfers they cover. Dispute resolution follows the procedure set out in Section 14 of the Terms of Service (AAA arbitration in Cheyenne, Wyoming).
How to Request a Signed DPA
Clients whose own compliance programme requires a signed copy of this DPA may request one by emailing info@elevaterank.io with the subject line “DPA Request”. We will countersign and return within ten (10) business days. For all other privacy inquiries, please write to info@elevaterank.io.