Data Processing Agreement (DPA)
Last updated: April 9, 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Customer"): The entity that has agreed to the Weblyzo Terms of Service.
- Data Processor ("Weblyzo"): The provider of the Weblyzo website scanning platform.
This DPA supplements and forms part of the Weblyzo Terms of Service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed on behalf of the Customer.
- "Processing" means any operation performed on Personal Data (collection, storage, analysis, deletion, etc.).
- "Sub-processor" means a third-party service provider engaged by Weblyzo to process Personal Data on behalf of the Customer.
3. Scope and Purpose of Processing
Weblyzo processes the following data on behalf of the Customer:
| Data Category | Purpose |
|---|---|
| Customer account data (email, name) | Authentication, billing, notifications |
| Website scan results (public website data) | Speed, SEO, security, and accessibility analysis |
| AI-generated analysis reports | Website performance insights, recommendations |
| Competitor comparison data | Competitive benchmarking, side-by-side analysis |
| Backlink profile data (from public sources) | Domain authority tracking, link monitoring |
Weblyzo checks websites from the outside and does not collect data from the Customer's website visitors. No visitor IP addresses, names, email addresses, or other personally identifying information is collected.
4. Duration of Processing
Processing begins when the Customer adds a website to their Weblyzo account and continues for the duration of the subscription. Upon termination:
- All Customer data will be deleted within 30 days of subscription end.
- Customer may request immediate deletion at any time via the Settings page or by email.
- Data retention limits are enforced per the Customer's subscription tier (4 weeks to 12 months).
5. Obligations of the Processor
Weblyzo shall:
- Process Personal Data only on documented instructions from the Customer.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (encryption at rest and in transit, access controls, audit logging).
- Assist the Customer in responding to data subject access requests (DSARs).
- Notify the Customer without undue delay (within 24 hours) after becoming aware of a personal data breach.
- Delete or return all Personal Data upon termination of the agreement.
- Make available all information necessary to demonstrate compliance with this DPA.
6. Sub-processors
Weblyzo engages the following sub-processors. The Customer is deemed to have approved these sub-processors by accepting this DPA. For the current list, see the Sub-processors page.
Weblyzo will notify the Customer by email at least 30 days before engaging a new sub-processor. The Customer may object in writing within 14 days. If an objection cannot be resolved, the Customer may terminate the agreement.
7. Data Transfers
All data is stored in the Google Cloud europe-north1 region (European Union). Weblyzo does not transfer Personal Data outside the European Economic Area (EEA) except through sub-processors that have appropriate safeguards in place (Standard Contractual Clauses or equivalent).
8. Security Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via Google Cloud)
- Firebase Authentication with token-based access control
- Role-based access (admin/client separation)
- Firestore security rules enforcing data isolation between customers
- No personal data stored in application logs
- Automatic data retention enforcement via scheduled processes
- SSRF protection on all URL-based analysis endpoints
9. Data Breach Notification
In the event of a personal data breach, Weblyzo will:
- Notify the Customer within 24 hours of discovery.
- Provide details of: nature of the breach, categories of data affected, approximate number of data subjects, measures taken.
- Assist the Customer in notifying the relevant supervisory authority (Tietosuojavaltuutettu) within 72 hours as required by GDPR Article 33.
10. Audits
The Customer (or an independent auditor) may conduct an audit of Weblyzo's processing activities upon reasonable notice. Weblyzo will cooperate and provide necessary documentation.
11. Governing Law
This DPA is governed by Finnish law. Disputes shall be resolved in the Helsinki District Court, or the Customer may file a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi.
12. Contact
For questions about this DPA, contact us at: privacy@weblyzo.com