Purpose and status
This Data Processing Addendum explains the baseline processing terms equal AI applies when it processes personal data on behalf of a business customer through the equal AI platform. It is designed to support GDPR, UK GDPR, India's Digital Personal Data Protection Act, CCPA/CPRA service provider obligations where applicable, and similar privacy requirements.
This public page is an operational summary and contracting baseline. A signed order form, enterprise agreement, or negotiated DPA may supplement or override these terms. If you need an executed DPA for procurement, vendor review, or enterprise onboarding, contact the equal AI team.
Roles of the parties
For customer workspace data, the customer is generally the controller or business, and equal AI acts as processor or service provider. The customer determines what data is submitted, which prompts are tracked, which domains and competitors are monitored, who has access, and how outputs are used.
For account administration, billing, security, abuse prevention, website analytics, product analytics, legal compliance, and service communications, equal AI may act as an independent controller where permitted by law.
If an agency uses equal AI for its clients, the agency is responsible for ensuring it has authority, lawful basis, and client instructions to configure prompts, domains, competitor sets, reports, exports, integrations, and users.
Processing details
The subject matter of processing is the provision of AI visibility tracking, response analysis, citation analysis, sentiment tracking, reporting, recommendations, exports, integrations, APIs, support, security, and related services.
The duration of processing is the subscription term and any additional retention period required for backup, deletion, audit, legal, billing, security, or dispute purposes, unless a signed agreement states otherwise.
Customer data may include business contact details, workspace user details, tracked domains, brand and competitor names, prompt libraries, AI responses, cited URLs, notes, tags, annotations, report settings, support communications, API activity, integration metadata, and product usage logs.
The categories of data subjects may include customer personnel, workspace users, agency personnel, client contacts, support contacts, and limited personal data that appears in configured prompts, domains, AI responses, citations, logs, or communications.
Customer instructions
equal AI processes customer personal data only to provide, secure, support, and improve the service, comply with documented customer instructions, fulfill contractual obligations, comply with law, and protect the rights, safety, and integrity of equal AI, customers, users, vendors, and third parties.
The customer's instructions include the applicable agreement, product configuration, workspace settings, API calls, support requests, and lawful written instructions. Equal AI may decline instructions that are unlawful, technically infeasible, or outside the scope of the service, or that create material security or compliance risk.
Customers must not submit sensitive personal data, special category data, payment card data, health data, government identifiers, secrets, credentials, children's data, or regulated confidential data unless the parties have expressly agreed in writing that the service may process that data.
Confidentiality and security measures
equal AI restricts personnel access to customer personal data based on operational need and requires personnel with access to protect confidential information. Access is limited, reviewed where available, and removed when no longer needed.
We maintain technical and organizational measures designed to protect customer personal data, including encryption in transit, cloud-provider controls for encryption at rest, access controls, environment separation, logging and monitoring, backup practices, vulnerability management, incident response processes, vendor review, and least-privilege operational access.
Security measures may evolve over time as threats, vendors, infrastructure, and product architecture change, provided we do not materially reduce the overall level of protection during an active subscription.
Subprocessors
equal AI uses subprocessors to provide cloud hosting, storage, databases, authentication, analytics, AI and search retrieval, payment processing, tax and invoicing, customer support, communications, monitoring, logging, security, and product infrastructure.
We require subprocessors to protect personal data under written terms that are no less protective in substance than the relevant data protection obligations for the services they provide. We remain responsible for subprocessors as required by applicable data protection law and the applicable agreement.
Enterprise customers may request a current subprocessor list and notice process during contracting. If a customer reasonably objects to a new subprocessor on data protection grounds, the parties will work in good faith to address the concern, which may include alternative configuration, mitigation, or termination rights where required by law or contract.
Analytics and payments
Website and product analytics, including GA4 where used, help equal AI understand usage, reliability, attribution, and conversion paths. Analytics data is processed for measurement and improvement and is not used to sell customer workspace data.
Payment processing is handled by third-party payment providers. Equal AI receives billing metadata, invoice status, transaction identifiers, card brand, last four digits, and similar records needed for subscriptions, tax, fraud prevention, accounting, and support. Full card numbers and CVCs are handled by the payment processor.
Customers are responsible for their own privacy notices and consent flows where their use of equal AI, exports, or client reporting requires additional disclosures to users, employees, clients, or data subjects.
Data subject requests
Where equal AI acts as processor, the customer is responsible for responding to data subject requests. Equal AI will provide reasonable assistance, using appropriate technical and organizational measures, to help the customer fulfill access, correction, deletion, export, restriction, objection, and similar requests where required by law.
If a data subject contacts equal AI directly about customer workspace data, we may direct the requester to the relevant customer or notify the customer where appropriate. We may respond directly where required by law or where equal AI is the controller for the relevant data.
International transfers
Customer personal data may be transferred to and processed in countries outside the customer's location, including through cloud, analytics, AI, search, payment, support, and communications providers.
Where required, equal AI uses appropriate transfer safeguards, such as Standard Contractual Clauses, UK transfer mechanisms, vendor assessments, supplementary measures, or other lawful transfer mechanisms. Customers may request applicable transfer documentation during enterprise review.
Audits and compliance assistance
equal AI will provide reasonable information needed to demonstrate compliance with this DPA, such as security summaries, subprocessor information, privacy documentation, and answers to vendor security questionnaires, subject to confidentiality and reasonable limits.
Any audit rights must be exercised in a way that protects equal AI's systems, other customers, vendors, confidential information, and security posture. On-site or invasive audits are available only where required by law or expressly agreed in writing.
Security incidents
If equal AI becomes aware of a personal data breach affecting customer personal data processed by equal AI as processor, we will notify the affected customer without undue delay after confirming the incident, consistent with applicable law and contractual requirements.
Notice will include information reasonably available to equal AI, such as the nature of the incident, affected data categories, likely consequences where known, mitigation steps, and recommended customer actions. Customers are responsible for any required notices to regulators or data subjects unless the law places that duty on equal AI.
Return, deletion, and retention
Upon termination or written request, equal AI will delete or return customer personal data in accordance with the agreement, product capabilities, legal obligations, backup cycles, security needs, and legitimate business record retention.
Deletion from active systems may occur before deletion from backups, logs, and archival systems. Backup and log data is protected from ordinary use and deleted or overwritten according to normal retention cycles unless legal, security, or dispute needs require longer retention.
equal AI may retain aggregated or de-identified data that does not identify a person, customer, workspace, or brand, and may retain controller data such as billing, tax, legal, security, and account records as described in the Privacy Policy.
US state privacy terms
Where CCPA/CPRA or similar US state privacy laws apply and equal AI processes personal information as a service provider or processor, equal AI will process such personal information for the business purposes described in the agreement and will not sell or share it as those terms are defined by applicable law.
equal AI will not retain, use, or disclose customer personal information outside the permitted business purposes, except as allowed by law, such as for security, debugging, legal compliance, internal operations, or as otherwise directed by the customer.
Survival and changes
Obligations that by their nature should survive termination, including confidentiality, security, deletion, audit limits, liability limits, and records required by law, will survive termination of the relevant agreement.
We may update this DPA page to reflect product, legal, vendor, security, or operational changes. Enterprise customers with signed agreements receive notice and change rights according to their contract.