Asky - Data Processing Agreement
This Data Processing Agreement (the "DPA") forms part of, and is incorporated into, the Asky Terms of Service (the "Terms") between the Customer and Asky Labs AB ("Asky"). It applies whenever Asky processes Customer Personal Data as the Customer's processor in connection with the Service. Capitalised terms not defined here have the meaning given in the Terms. If the DPA and the rest of the Terms conflict on a matter of data protection, this DPA prevails.
1. Definitions
In this DPA, the following defined terms shall apply:
"Applicable Data Protection Law" means all laws on the protection of personal data that apply to the processing under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"), the EU GDPR as incorporated into UK law ("UK GDPR") and the UK Data Protection Act 2018, and Swedish data-protection legislation, in each case as amended or replaced.
"Customer Personal Data" means Personal Data within the data shared by the Customer that Asky processes on the Customer's behalf under the Terms, as described in Annex 1.
"Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach" and "Supervisory Authority" have the meanings given in the EU GDPR.
"EU SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
"Privacy Notice" means the Company's privacy notice (available here).
"Restricted Transfer" means a transfer of Customer Personal Data to a country that, under Applicable Data Protection Law, requires an appropriate transfer safeguard.
"Subprocessor" means any processor engaged by Asky to process Customer Personal Data.
"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
Capitalised terms used but not defined in this DPA shall have the meaning ascribed to them in the Terms.
2. Roles and scope
The parties agree that, for Customer Personal Data, the Customer is the Controller (or a processor acting for a third-party controller) and Asky is the Processor. For account registration and relationship data (such as the names, business contact details and job titles of the Customer's authorised users and business contacts) that Asky processes to administer the account and its relationship with the Customer, Asky is an independent controller, and that processing is governed by Asky's Privacy Notice rather than this DPA. The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1. The Customer warrants that it has a lawful basis for the processing and that its instructions comply with Applicable Data Protection Law.
3. Asky's processing instructions
Asky will process Customer Personal Data only on the Customer's documented instructions, including as set out in the Terms, this DPA and Annex 1, and as needed to provide the Service, unless required to do otherwise by law, in which case Asky will (where lawful) tell the Customer first. Asky will tell the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. Asky will not sell Customer Personal Data and will not process it for its own purposes.
4. Confidentiality
Asky will ensure that the personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and are made aware of the confidential nature of the data.
5. Security
Taking account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, Asky will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include encryption of Customer Personal Data in transit and at rest, access controls, and measures to ensure the ongoing confidentiality, integrity, availability and resilience of its systems, as further described in Annex 2 (Technical and Organisational Measures).
6. Subprocessors
6.1 The Customer gives Asky general authorisation to engage Subprocessors (including third-party AI providers, hosting and infrastructure providers) to process Customer Personal Data. Asky's current list of Subprocessors is available here (the "Subprocessor List"). Where Asky engages an AI-provider Subprocessor to process Customer Personal Data via API, Asky will only do so under terms or service tiers under which Customer Personal Data transmitted to that provider is not used to train, fine-tune or improve the provider's models. The Customer acknowledges that, as an inherent function of the Service, monitoring queries configured by the Customer are submitted to publicly available AI search engines in order to measure the Customer's visibility in those engines; those engines are not Asky's Subprocessors and process such queries under their own terms.
6.2 Asky will give notice of any intended addition or replacement of a Subprocessor that will Process Customer Personal Data (a "Subprocessor Change") at least thirty (30) days before that Subprocessor begins processing Customer Personal Data. Asky will give that notice by both: (a) updating the Subprocessor List; and (b) sending an email notification to each Customer that has subscribed to Asky's Subprocessor-change notifications. Customer may subscribe to those notifications by emailing [email protected]. It is the Customer's responsibility to subscribe and to keep its notification email address current.
6.3 If the Customer objects to a Subprocessor Change on reasonable grounds relating to the protection of Personal Data, it must notify Asky at [email protected] within fourteen (14) days after Asky gives notice of that change under Section 6.2. For this purpose, notice is treated as given: (a) to a Customer that has subscribed under Section 6.2, on the date of Asky's email notification; and (b) to any other Customer, on the date the Subprocessor List is updated to reflect the Subprocessor Change.
6.4 On receipt of an objection, the Customer and Asky shall work together in good faith to find a mutually acceptable resolution to address such objections. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, the Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Service by providing written notice to Asky and receive a pro-rata refund of any prepaid fees covering the period after termination.
6.5 Asky will impose data protection obligations on each Subprocessor that are no less protective than those in this DPA.
7. Assisting with data-subject rights
Taking account of the nature of the processing, Asky will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests by data subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability and objection). If Asky receives such a request directly, it will (unless legally prohibited) promptly forward it to the Customer and will not respond itself except on the Customer's instructions.
8. Assisting with security, breaches and assessments
Asky will assist the Customer, taking account of the nature of processing and the information available to Asky, in meeting the Customer's obligations under Articles 32 to 36 of the EU GDPR, including security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with Supervisory Authorities.
9. Personal Data Breaches
Asky will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide the Customer with the information it reasonably needs to meet its own breach-notification obligations, including the nature of the breach, the likely consequences, and the measures taken or proposed. Asky will cooperate with the Customer and take reasonable steps to mitigate the breach.
10. International transfers
10.1 A transfer of Customer Personal Data by the Customer to Asky is a transfer to Asky within the EEA and is not a Restricted Transfer. Asky will not transfer Customer Personal Data, or allow it to be transferred, to a country outside the EEA or the UK except in accordance with this section and Applicable Data Protection Law.
10.2 Asky may transfer Customer Personal Data to a Subprocessor located outside the EEA or the UK in order to provide the Service. For each such transfer Asky acts as data exporter and will, before the transfer begins, put in place and maintain an appropriate safeguard under Chapter V of the EU GDPR and, where the transfer is subject to UK data protection law, the UK GDPR, directly between Asky and that Subprocessor. That safeguard will be one or more of: (a) reliance on an adequacy decision of the European Commission (and, for UK Personal Data, adequacy regulations of the Secretary of State) covering the Subprocessor and the relevant Customer Personal Data, including the EU-US Data Privacy Framework and the UK Extension to it where the Subprocessor is certified under it for the relevant data; (b) the EU SCCs (and, for UK Personal Data, the UK Addendum) entered into between Asky and the Subprocessor and completed for the applicable module; or (c) another transfer mechanism permitted under Applicable Data Protection Law.
10.3 Where the Customer is established outside the EEA or the UK, any making available of Customer Personal Data by Asky to the Customer under the Terms (including the return of Customer Personal Data on request) is a Restricted Transfer in which Asky acts as data exporter and the Customer acts as data importer. For each such transfer: (a) if the Customer is in a country covered by an adequacy decision of the European Commission (or, for UK Personal Data, by UK adequacy regulations) for the relevant Customer Personal Data, that decision provides the safeguard; and (b) otherwise, the parties enter into the EU SCCs on the basis of Module Four (Processor to Controller), which are incorporated into this DPA by reference and, for UK Personal Data, as amended and completed by the UK Addendum. For those clauses: Annex 1 completes the description of the transfer; Annex 2 contains the technical and organisational measures for the purposes of Annex II of the EU SCCs, to the extent relevant to Module Four; the optional docking clause does not apply; and the clauses are governed by, and subject to the courts of, Sweden.
10.4 Asky remains responsible to the Customer for putting in place and maintaining an appropriate safeguard under this section for as long as the relevant transfer continues, and for ensuring that the level of protection afforded to the Customer Personal Data is not undermined by the transfer or by any onward transfer by a Subprocessor.
10.5 If a transfer mechanism relied on under this section becomes invalid, is suspended or is enjoined, Asky will without undue delay put in place an alternative lawful transfer mechanism. Until it does so, Asky may suspend the affected transfers and any related processing, and that suspension will not be a breach of the Agreement.
10.6 On the Customer's reasonable written request, Asky will provide information about the transfer safeguards it relies on for its Subprocessors, including, where available, a copy of the relevant mechanism (which Asky may redact to remove commercially confidential or security-sensitive information).
11. Audits and information
Asky will make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 of the EU GDPR, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To minimise disruption, the Customer will give reasonable prior notice, audits will take place during business hours and no more than once a year (unless required by a Supervisory Authority or following a Personal Data Breach), and the Customer will bear its own costs.
12. Return or deletion
On termination or expiry of the Terms, Asky will, at the Customer's choice, delete or return Customer Personal Data in line with Section 6.4 of the Terms (a 30-day export window, then deletion), except to the extent Asky is required by law to retain it, in which case Asky will continue to protect it under this DPA.
13. Liability
Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability in the Terms, and any aggregate liability cap in the Terms applies to the combined liability of the parties under the Terms and this DPA together, except to the extent Applicable Data Protection Law does not allow it.
14. Governing law
This DPA is governed by the law of England and Wales, consistent with the Terms, except that Applicable Data Protection Law continues to govern the substance of the data-protection obligations. Nothing in this DPA limits any mandatory rights of data subjects or powers of Supervisory Authorities.
15. Term
This DPA takes effect with the Terms and continues for as long as Asky processes Customer Personal Data. Provisions that by their nature should survive (including audit, liability, return/deletion and governing law) survive termination.
Annex 1 - Details of processing
Subject matter: Asky's provision of the Service (AI search-visibility monitoring, analytics, insights and content generation) to the Customer under the Terms.
Duration: the term of the Subscription Plans, plus any legally required retention period.
Nature and purpose: collection, storage, organisation, analysis, transmission to AI providers for processing, generation of outputs, and deletion, in each case to deliver the Service.
Types of personal data: any personal data contained in prompts, monitored content, brand/competitor data, URLs submitted by the Customer, or documents and files uploaded to the Service by the Customer (for example, knowledge-base documents). The Customer should not submit special-category data unless agreed in writing.
Categories of data subjects: individuals appearing in monitored content, in Customer inputs, or in documents uploaded by the Customer.
Frequency: continuous, for the duration of the Service.
Annex 2 - Technical and organisational measures
Asky implements and maintains the following technical and organisational measures to protect Customer Personal Data. Asky may update these measures from time to time, provided the overall level of protection is not reduced.
Hosting and data residency
- Primary storage and processing of Customer Personal Data takes place within the EEA. The production database, authentication and file storage are hosted on AWS in Stockholm, Sweden; application compute runs in the EU; supporting infrastructure is located in the EEA as set out in the Subprocessor List.
- Processing locations and transfer safeguards for each Subprocessor are documented in the Subprocessor List and section 10 of this DPA.
Encryption
- Customer Personal Data is encrypted in transit using TLS.
- Customer Personal Data is encrypted at rest, including database storage, file storage and backups.
- Third-party access credentials (for example, OAuth tokens for customer-connected integrations) are additionally encrypted at the application layer before storage.
Access control and isolation
- Customer data is logically separated per workspace, enforced at the database layer through row-level security policies that apply to every query.
- Access to production systems is restricted to authorised personnel on a need-to-know basis, protected by strong authentication, and reviewed periodically.
- Role-based permissions govern user access within the Service; workspace membership is verified on every data-access path.
- Personnel with access to Customer Personal Data are bound by confidentiality obligations (section 4).
Application and operational security
- Changes to the Service are version-controlled and reviewed before deployment; automated checks run in the deployment pipeline.
- API access is authenticated and rate-limited; input validation and authorisation checks are applied to data-accessing endpoints.
- Application errors, performance and infrastructure health are continuously monitored, with alerting to the engineering team.
Availability, backup and resilience
- Production data is backed up regularly; backups are encrypted.
- Backup copies expire within 90 days and are not restored into live use after deletion of the underlying data.
- The Service is built on managed infrastructure providers offering redundancy and availability commitments.
Incident response
- Asky maintains an incident-response process covering detection, escalation, containment, mitigation and customer notification in accordance with section 9 of this DPA.
Data lifecycle
- Customer Personal Data is retained in accordance with section 12 of this DPA and Section 6.4 of the Terms (a 30-day export window on termination, followed by deletion, subject to legal retention duties).
Vendor management
- Each Subprocessor is bound by a written data-processing agreement imposing obligations no less protective than this DPA (section 6.5), with an appropriate transfer safeguard where required (section 10).
- Asky maintains a register of Subprocessors, including processing locations and transfer mechanisms, and reviews it periodically.