Data Processing Agreement (DPA)
Last updated 2026-06-17
This Data Processing Agreement (“DPA”) governs the processing of personal data carried out by getAdvantage on your behalf under Article 28 of Regulation (EU) 2016/679 (“GDPR”). It forms part of, and is incorporated by reference into, the agreement under which you use getadvantage.app (the “Agreement”).
Parties
- Processor: Benjamin Hellmich, operator of getadvantage.app (“getAdvantage”, “we”). Full identity and contact details are in our Impressum (data contact: legal@getadvantage.app).
- Controller: you, the business customer who has entered into the Agreement (“you”, “Customer”).
1. Acceptance by reference
You accept this DPA when you create an account and use any feature through which getAdvantage processes personal data on your behalf — in particular running scans of pages you control and deploying the auto-apply embed snippet, which can process data relating to your own end-users (visitors of your site). No separate signature is required for this DPA to take effect; a counter-signed copy is available on request to the contact above. Where this DPA conflicts with the rest of the Agreement on the subject of data protection, this DPA prevails.
2. Roles and scope
For personal data that you submit, or that is collected through your use of the service on your instructions, you are the controller and getAdvantage is the processor. You are responsible for the lawfulness of the data you provide and for having a valid legal basis to instruct the processing described here. The subject-matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1.
Where getAdvantage determines the purposes and means of processing for its own account operations (for example, account security, billing records, fraud and abuse prevention, and product analytics), getAdvantage acts as an independent controller for that processing; that controller-side processing is described in our Privacy Policy and is outside the scope of this DPA.
3. Processing only on documented instructions
getAdvantage processes personal data only on your documented instructions, including for international transfers, unless required to do so by Union or Member State law to which it is subject; in that case getAdvantage informs you of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. Your instructions are constituted by (a) this DPA, (b) the Agreement, (c) your configuration and use of the product’s features, and (d) any further written instruction you give. If getAdvantage believes an instruction infringes the GDPR or other data-protection law, it will inform you without undue delay.
4. Confidentiality
getAdvantage ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to personnel who need it to provide the service.
5. Security of processing (Art. 32)
getAdvantage implements appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. A summary of the current measures is set out in Annex 2 and on our security page. getAdvantage holds no SOC 2, ISO 27001 or comparable third-party certification and does not claim one; Annex 2 describes the measures it actually operates.
6. Sub-processors
You grant getAdvantage a general written authorisation to engage sub-processors to carry out specific processing activities, subject to this clause. The sub-processors engaged at the date of this DPA are listed in Annex 3 and kept current at getadvantage.app/subprocessors.
- getAdvantage imposes on each sub-processor, by contract, data-protection obligations that are materially the same as those in this DPA, in particular the Art. 32 security obligations, and remains fully liable to you for the performance of each sub-processor’s obligations.
- Change notice: getAdvantage will give you reasonable prior notice of any intended addition or replacement of a sub-processor — by updating the /subprocessors page and, where you have subscribed to change notifications, by email — so you can object on reasonable data-protection grounds.
- Objection: if you object on reasonable grounds and the objection cannot be resolved, you may, as your sole remedy, terminate the affected part of the service by ceasing to use the relevant feature and, where the objected-to sub-processor is essential to the service, terminate the Agreement.
7. Assistance with data-subject requests
Taking into account the nature of the processing, getAdvantage assists you by appropriate technical and organisational measures, insofar as this is possible, in fulfilling your obligation to respond to requests for exercising data-subject rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability and objection). If a data subject contacts getAdvantage directly regarding data processed on your behalf, getAdvantage will forward the request to you without undue delay and will not respond on your behalf except on your instruction.
8. Personal-data breaches (Art. 33/34)
getAdvantage notifies you without undue delay after becoming aware of a personal-data breach affecting personal data processed on your behalf, and assists you in meeting your obligations under Articles 33 and 34 by providing the information reasonably available to it about the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences and the measures taken or proposed. getAdvantage operates structured error logging and, where configured, real-time alerting on money-path and security events to support timely detection.
9. Assistance with DPIAs and prior consultation
getAdvantage assists you, taking into account the nature of processing and the information available to it, in ensuring compliance with your obligations under Articles 32 to 36 (security of processing, breach notification, data-protection impact assessments and prior consultation of the supervisory authority).
10. Deletion or return at end of processing
At your choice, getAdvantage deletes or returns all personal data processed on your behalf after the end of the provision of the relevant services, and deletes existing copies, unless Union or Member State law requires storage of the personal data. In particular, billing-related records are retained for the statutory periods (see Annex 1 and clause 11). On account closure, account and scan data is deleted on request or within a reasonable period after closure; you can also delete data within the product at any time.
11. Audit and information rights
getAdvantage makes available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allows for and contributes to audits, including inspections, conducted by you or an auditor mandated by you. To protect the confidentiality and security of getAdvantage’s other customers, audits are conducted on reasonable prior written notice, no more than once per year (save where required by a supervisory authority or following a breach), during normal business hours, subject to confidentiality undertakings, and primarily by getAdvantage providing its documentation, security summaries and answers to a reasonable security questionnaire before any on-site inspection is considered.
12. International transfers
Personal data processed on your behalf is hosted in the EU (managed PostgreSQL in Frankfurt; application compute pinned to an EU region). Where a sub-processor processes personal data outside the EU/EEA — principally certain US-based providers listed in Annex 3 — the transfer is made under an appropriate Art. 46 safeguard, namely the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where the provider is certified, the EU–US Data Privacy Framework. These safeguards flow down to sub-processors through getAdvantage’s contracts with them.
13. Term and liability
This DPA takes effect on acceptance (clause 1) and remains in force for as long as getAdvantage processes personal data on your behalf under the Agreement. Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party’s liability where such limitation is not permitted by applicable data-protection law.
Annex 1 — Details of the processing
| Item | Details |
|---|---|
| Subject-matter | Provision of getAdvantage’s AI-readability scanning and fix-delivery service to the Customer, including processing data of the Customer’s own end-users via the embed snippet. |
| Duration | For the term of the Agreement and until deletion or return of the personal data in accordance with clause 10 (subject to statutory retention of billing records). |
| Nature & purpose | Collection, storage, organisation, analysis and transmission of personal data as strictly necessary to: authenticate Customer users; run page scans and store scores and history; generate AI-perception and copy outputs; deliver auto-apply fixes through the embed; and operate billing on the Customer’s instruction. |
| Types of personal data | Customer-user account email addresses and hashed credentials; any personal data incidentally contained in URLs, page content or scores submitted for scanning; the embed records no end-user content by design, though end-user IP addresses are processed transiently in memory for rate-limiting and abuse prevention and are not persisted; billing identifiers held by the payment processor. The Customer must not submit special categories of data (Art. 9) for processing. |
| Categories of data subjects | The Customer’s authorised users and account administrators; the Customer’s own website end-users (visitors) reached by the embed; and individuals whose personal data may appear in scanned public pages. |
Annex 2 — Technical & organisational measures (TOMs)
Summary of the measures getAdvantage operates under Art. 32. The authoritative description is on the security page.
- Authentication & credentials: passwords hashed with bcrypt at cost 12; sessions are jose HS256 JWTs stored in an httpOnly, Secure (in production), SameSite=Lax cookie; signing secret held only in environment variables.
- Tenant isolation: every tenant database query is scoped by account_id so customers can never read one another’s data; the only unscoped lookup is by an unguessable embed key that is itself the credential.
- Encryption in transit: TLS for all traffic; HSTS enforced.
- Hosting & data residency: managed PostgreSQL (Neon) in the EU (Frankfurt); application compute pinned to an EU region.
- Network & request hardening: SSRF-guarded outbound fetches with DNS and IP re-validation that blocks localhost and private/reserved ranges; a global Content Security Policy and security response headers; per-IP rate limiting.
- Billing integrity: webhook signatures verified against the raw request body before any entitlement change; card data never touches getAdvantage servers (handled by the payment processor).
- Secrets management: all secrets live only in environment variables, never in the repository; pre-commit scanning for credential patterns.
- Logging & detection: structured logging and, where configured, real-time alerting on security and money-path failures.
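As an added illustration of the “SSRF-guarded outbound fetches with DNS and IP re-validation” measure listed above (example code written for this page, not getAdvantage’s own implementation), the following Node.js-style guard parses the target URL, resolves the hostname through a caller-supplied resolver, rejects any resolved address that falls in a loopback, private, link-local or otherwise reserved range, and returns the single validated address the HTTP client must connect to. The range list, the function names and the resolver table are assumptions; the resolver table is constructed sample data standing in for a real DNS lookup.

```javascript
// Added example, not the product's code. Blocklist of IPv4 ranges a server-side
// fetch must never reach (assumed list; extend to taste, e.g. TEST-NET ranges).
const BLOCKED_V4 = [
  ['0.0.0.0', 8],       // "this" network
  ['10.0.0.0', 8],      // RFC 1918 private
  ['100.64.0.0', 10],   // carrier-grade NAT
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local; cloud metadata endpoints live here
  ['172.16.0.0', 12],   // RFC 1918 private
  ['192.168.0.0', 16],  // RFC 1918 private
  ['224.0.0.0', 3],     // multicast and reserved, up to 255.255.255.255
];

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function parseV4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidrV4(ipNum, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipNum & mask) >>> 0) === ((parseV4(base) & mask) >>> 0);
}

// Simplified IPv6 check: handles the common textual forms only. Production code
// should canonicalise with net.isIP / a real parser before comparing.
function isBlockedV6(ip) {
  const lower = ip.toLowerCase();
  const mappedDotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(lower);
  if (mappedDotted) return isBlockedAddress(mappedDotted[1]);        // ::ffff:a.b.c.d
  const mappedHex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(lower);
  if (mappedHex) {                                                    // ::ffff:7f00:1
    const hi = parseInt(mappedHex[1], 16), lo = parseInt(mappedHex[2], 16);
    return isBlockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  if (lower === '::1' || lower === '::') return true;                 // loopback, unspecified
  if (/^f[cd][0-9a-f]{2}:/.test(lower)) return true;                  // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(lower)) return true;                  // fe80::/10 link-local
  return false;
}

// True when the address must not be contacted. Unparseable input fails closed.
function isBlockedAddress(ip) {
  const v4 = parseV4(ip);
  if (v4 !== null) return BLOCKED_V4.some(([base, bits]) => inCidrV4(v4, base, bits));
  if (ip.includes(':')) return isBlockedV6(ip);
  return true;
}

// Validate a fetch target. `resolve(hostname)` returns every A/AAAA answer as
// strings (in production: dns.promises.lookup(host, { all: true })). Every
// answer is checked, because the client could connect to any of them.
function planOutboundFetch(target, resolve) {
  let url;
  try { url = new URL(target); } catch { return { ok: false, reason: 'invalid-url' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials-in-url' };
  const host = url.hostname.toLowerCase();               // URL parser already canonicalises 127.1, 0x7f000001, etc.
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  const bare = host.replace(/^\[|\]$/g, '');             // IPv6 literals arrive as "[::1]"
  const isLiteral = parseV4(bare) !== null || bare.includes(':');
  const addresses = isLiteral ? [bare] : resolve(bare);
  if (!addresses || addresses.length === 0) return { ok: false, reason: 'unresolvable' };
  const bad = addresses.find(isBlockedAddress);
  if (bad !== undefined) return { ok: false, reason: 'blocked-address', address: bad };
  // Pin the socket to the validated address and keep the original Host/SNI, so a
  // second DNS answer (rebinding) cannot redirect the connection later.
  return { ok: true, connectTo: addresses[0], hostHeader: url.host, url: url.toString() };
}

// Constructed resolver table standing in for DNS (assumed, documentation-range IPs).
const FAKE_DNS = {
  'example.test': ['203.0.113.10'],
  'rebind.test': ['203.0.113.10', '10.0.0.5'],   // one public answer, one internal: must be rejected
};
const fakeResolve = (hostname) => FAKE_DNS[hostname] || [];
```

The important property is that validation and connection use the same address: an HTTP client that re-resolves the name after the check can be sent to an internal host by a changed DNS answer, so the client must be told to dial `connectTo` directly. Each redirect hop must go through `planOutboundFetch` again before it is followed.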
Annex 3 — Approved sub-processors
The current list is maintained at getadvantage.app/subprocessors. As at the date of this DPA:
| Sub-processor | Purpose | Region | Transfer safeguard |
|---|---|---|---|
| Vercel Inc. | Application hosting & content delivery | USA (EU region pinned: fra1) | EU Standard Contractual Clauses / EU-US Data Privacy Framework where certified |
| Neon Inc. | Managed PostgreSQL database (accounts, scans, billing mirror) | EU (Frankfurt) | EU — no third-country transfer |
| Stripe Payments Europe, Ltd. (with Stripe, Inc., USA) | Subscription billing & payment processing | EU / USA | EU Standard Contractual Clauses / EU-US Data Privacy Framework |
| OpenAI, L.L.C. | AI perception & copy generation on scanned content (API; not used to train models) | USA | EU Standard Contractual Clauses |
| Resend (Plus Five Five, Inc.) | Transactional email delivery | USA | EU Standard Contractual Clauses |
| ImprovMX SAS | Inbound email forwarding for getadvantage.app | EU / USA | EU Standard Contractual Clauses |
| Advantage Studio (Mission Control) | Internal operations console operated by the getAdvantage operator — receives a captured lead email + domain for founder operations | EU / USA | Intra-operator; EU Standard Contractual Clauses where applicable |
This DPA is accepted by reference when you use getAdvantage’s processing features. A counter-signed copy is available on request via our Impressum or by email to legal@getadvantage.app.