Data Processing Agreement
Last updated: 3 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between RankNibbler ("RankNibbler", "we", "Processor") and the customer that uses the RankNibbler service ("Customer", "you", "Controller"). RankNibbler is based in the United Kingdom and serves customers worldwide. This DPA applies where, and to the extent that, RankNibbler processes personal data on the Customer's behalf in the course of providing the service, and it reflects the requirements of applicable data protection laws, including Article 28 of the UK GDPR and the EU GDPR.
1. Definitions
"Controller", "processor", "data subject", "personal data", "processing", "personal data breach" and "supervisory authority" have the meanings given in applicable data protection law, including the UK GDPR and the EU GDPR. "Sub-processor" means any third party engaged by RankNibbler to process personal data on the Customer's behalf.
2. Roles of the parties
The Customer is the controller and RankNibbler is the processor in respect of the Customer Personal Data described in Annex A. Each party will comply with its obligations under applicable data protection law.
3. Our obligations as processor
RankNibbler will:
- Instructions: process Customer Personal Data only on the Customer's documented instructions, including as set out in this DPA and the service's configuration, unless required to do otherwise by law;
- Confidentiality: ensure that people authorised to process the data are bound by confidentiality;
- Security: implement appropriate technical and organisational measures as required by Article 32 (see Annex B);
- Sub-processors: engage sub-processors only under the conditions in section 4;
- Assistance: taking into account the nature of the processing, assist the Customer by appropriate measures to respond to data subject requests and to meet its obligations on security, breach notification and data protection impact assessments;
- Breach notification: notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data;
- Deletion or return: at the Customer's choice, delete or return Customer Personal Data at the end of the service, unless retention is required by law. You can delete scans and account data yourself at any time, and may request deletion via our contact form;
- Audits: make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to reasonable audits.
4. Sub-processors
The Customer provides general authorisation for RankNibbler to engage sub-processors in the categories listed below to provide the service. RankNibbler imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. We will give reasonable notice of any intended addition or replacement of a sub-processor so the Customer may object on reasonable data-protection grounds. A current list of the specific sub-processors we use is available on request via our contact form.
| Category of sub-processor | Purpose |
|---|---|
| Cloud hosting & database | Running the service and storing data |
| Content-delivery & security network | Delivering and protecting the site |
| Page-fetching service | Fetching pages that block direct requests |
| Performance-data service | Performance data for analysed pages |
| Analytics service | Optional, consent-based analytics |
| AI service | Optional AI summaries and reports |
| Email delivery service | Sending account and notification emails |
| Icon / favicon services | Displaying site icons in your dashboard |
| Social sign-in providers | Optional social login |
5. International transfers
RankNibbler operates globally and Customer Personal Data may be processed in the United Kingdom, the European Union, the United States and other countries. Where RankNibbler or a sub-processor transfers Customer Personal Data across borders, it does so on the basis of an adequacy decision or appropriate safeguards under applicable data protection law, such as the UK International Data Transfer Agreement / Addendum or Standard Contractual Clauses.
6. Annex A — Details of processing
- Subject matter: provision of on-page SEO analysis, site-scan and related services.
- Duration: for the term of the Customer's use of the service, plus any retention period described in our Privacy Policy.
- Nature and purpose: hosting, fetching and analysing web pages, storing scan results, sending service emails, and providing account and team features.
- Types of personal data: account and team-member identifiers (names, email addresses); IP addresses; and any personal data incidentally contained in the websites the Customer chooses to scan.
- Categories of data subjects: the Customer's authorised users and team members, and individuals whose personal data may appear on the websites scanned by the Customer.
7. Annex B — Security measures
RankNibbler maintains appropriate technical and organisational measures, including: encryption of data in transit; storing passwords and secret keys only in a secured, non-plain-text form; access controls and role-based permissions; restricted and monitored access to systems and data; and logging of access and activity. Further detail is available to customers on request.
8. General
This DPA forms part of and is subject to the agreement between the parties for use of the service. In the event of a conflict between this DPA and that agreement on the subject of data protection, this DPA prevails. Questions about this DPA can be submitted via our contact form.