← Back to Home

Data Processing Agreement (DPA)

Effective Date: March 21, 2026 | Last Updated: March 21, 2026

This Data Processing Agreement ("DPA") applies to B2B customers and organizations using Pondral where personal data processing is subject to GDPR, UK GDPR, or other data protection laws. It outlines how Groubii Holdings LLC, d/b/a Pondral ("Processor") handles personal data on behalf of the Controller.

1. Definitions

Key Definitions:

  • Controller - The entity determining purposes and means of processing (typically your organization)
  • Processor - Groubii Holdings LLC, d/b/a Pondral, processing data on your behalf
  • Data Subject - Identified individuals whose data is processed
  • Personal Data - Information relating to identified or identifiable natural persons
  • Processing - Collection, storage, retrieval, use, or deletion of personal data
  • Sub-processor - Third parties engaged to process personal data (e.g., Supabase, Stripe, Resend)

2. Scope and Purpose of Processing

Personal Data is processed solely for providing the Pondral service, a Software-as-a-Service platform for AI Engine Optimization (AEO) analysis.

Processing purposes include:

  • Account creation and management
  • Payment processing and billing
  • Delivering analysis results and reports
  • Customer support and technical assistance
  • Service improvement and optimization
  • Security and fraud prevention
  • Legal compliance and regulatory requirements

3. Categories of Personal Data

The Processor handles the following categories of personal data:

  • Account Information: Name, email, company, job title, phone, billing address, profile picture
  • Submitted Content: URLs, keywords, tags, metadata provided for analysis
  • Analysis Results: Citation metrics, scores, timestamps, trend data, reports
  • Usage Data: IP address, geolocation, browser type, pages viewed, time spent, interactions
  • Communications: Email content, support messages, chat history
  • Technical Data: Cookies, session tokens, authentication data, analytics events

4. Categories of Data Subjects

Personal data relates to:

  • End users and employees of the Controller
  • Account administrators
  • Support contacts
  • Organizations themselves (company name, billing address)

5. Obligations of the Processor

The Processor commits to:

  • Process data only on documented instructions from the Controller
  • Ensure confidentiality of all personnel accessing data
  • Implement data protection by design and by default
  • Maintain comprehensive security measures (detailed below)
  • Assist with Data Subject rights requests
  • Assist with legal compliance and regulatory obligations
  • Notify of data breaches within 48 hours
  • Not process data beyond the Controller's authorization

6. Security Measures Implemented

Technical Security:

  • HTTPS/TLS 1.2+ encryption in transit
  • AES-256-GCM encryption at rest for sensitive data
  • Role-based access controls and least privilege principles
  • Bcrypt password hashing with salting
  • Multi-factor authentication for administrative access
  • Firewalls, DDoS protection, and network segmentation
  • Row-level database security and parameterized queries
  • Regular vulnerability scanning and penetration testing
  • Intrusion detection and monitoring
  • Detailed access logs and audit trails

Administrative Security:

  • Personnel screening and vetting
  • Confidentiality agreements with all employees
  • Data security training and awareness
  • Incident response and breach notification procedures
  • Secure credential management
  • Device security policies

7. Sub-processors

The Processor uses the following Sub-processors:

Sub-processorFunctionLocation
SupabaseDatabase, storage, account data, analysis resultsUS (N. Virginia)
VercelFrontend hosting, CDN, static assetsUS
StripePayment processing, billing, invoicingUS
ResendTransactional and marketing emailsUS
PostHogAnalytics, user behavior tracking, insightsUS

The Processor provides 30 days' notice before engaging new Sub-processors and allows the Controller to object on reasonable grounds.

8. International Data Transfers

Data Location: Personal data is primarily processed in the United States.

Transfer Safeguards:

  • Standard Contractual Clauses (SCCs) executed for EU/EEA to US transfers
  • Equivalent SCCs included in all Sub-processor agreements
  • Supplementary technical measures (encryption, access controls)
  • Data minimization practices
  • Regular security audits and assessments

The Controller acknowledges that data protection laws may differ in the United States.

9. Data Subject Rights

The Processor assists the Controller with:

  • Right of Access: Providing personal data in machine-readable format within 10 business days
  • Right to Rectification: Correcting inaccurate data
  • Right to Erasure: Deleting data within 30 days (unless legally required to retain)
  • Right to Restrict Processing: Limiting processing to storage only
  • Right to Data Portability: Providing data in structured format for transfer to another controller
  • Right to Object: Responding to objections including for direct marketing
  • Rights Related to Automated Decision-Making: Notifying of any such processing

10. Data Breach Notification

The Processor shall notify the Controller of any confirmed or suspected data breach:

  • Timing: Without undue delay, and in any case within 48 hours
  • Method: Email to the account email and privacy@pondral.com
  • Content: Nature, scope, categories and number of affected data subjects, likely consequences, remediation measures
  • Cooperation: Full cooperation with Controller's investigation and notifications to authorities

11. Audit Rights

The Controller may:

  • Conduct audits (max once per year under normal circumstances) with 30 days' notice
  • Inspect Processor facilities and systems during business hours
  • Request documentation of security measures and training
  • Request certifications (ISO 27001, SOC 2, etc.)

The Processor shall cooperate with:

  • Supervisory authority audits and investigations
  • Regulatory requests (with notice to Controller where legally permitted)
  • Controllers' compliance with their own legal obligations

12. Return and Deletion of Data

Upon termination, the Controller may elect to:

  • Delete: All personal data deleted within 30 days
  • Return: Data provided in CSV, JSON, or similar format within 30 days
  • Anonymize: Data anonymized so it cannot be attributed to individuals

Backup data will be deleted or anonymized within 90 days (180 days for archived backups). The Processor will provide a written certification of deletion or anonymization within 45 days.

Data may be retained only if required by law, under legal hold, or for legitimate business continuity purposes.

13. Duration and Termination

This DPA remains in effect during the Service Agreement and terminates upon:

  • Automatic termination with the Service Agreement
  • Written notice if either party materially breaches (with 30-day cure period)
  • Required by law to cease processing

Confidentiality obligations and breach notification procedures survive termination indefinitely.

14. Liability

The Processor is liable for damages caused by breach of this DPA or data protection laws, subject to limitations in the Service Agreement.

Limitations:

  • No liability for indirect, incidental, or consequential damages
  • Total liability capped at fees paid in preceding 12 months
  • No liability for breaches caused by Controller's failure to follow security instructions
  • No liability for breaches caused by force majeure beyond Processor's control

15. Governing Law

This DPA is governed by Florida law. However, data protection substantive law shall be governed by the jurisdiction where the Data Subject is located (typically GDPR for EU/EEA residents).

16. Contact Information

For DPA and data protection inquiries:

Email: privacy@pondral.com (Subject: "DPA Inquiry" or "Data Protection Request")

For technical support:

Email: support@pondral.com

Mailing Address:
Groubii Holdings LLC, d/b/a Pondral
Florida, USA

17. Appendices

Appendix A: Standard Contractual Clauses

The parties incorporate by reference the Standard Contractual Clauses (Model Two: Controller to Processor) as approved by the European Commission for EU/EEA to non-adequate jurisdiction transfers.

Appendix B: Sub-processor List

A current list of Sub-processors is available at pondral.com/subprocessors and is updated as Sub-processors change.

This Data Processing Agreement is effective as of March 21, 2026.

By using Pondral, B2B customers and organizations subject to GDPR or other data protection laws requiring a DPA agree to these terms. Individual consumers are governed by the Privacy Policy and Terms of Service.