This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer" or "Controller") and 1st Place AI ("we", "Processor"), the company that operates AI Domination, for the provision of the Service (the "Agreement"). It governs the processing of personal data on Customer's behalf and reflects the requirements of EU GDPR Article 28, UK GDPR Article 28, and analogous laws.
This DPA is automatically executed when you, as an authorized signatory of the Customer, accept it inside the dashboard ("Sign DPA" button in /settings — feature gated to Owners) or via a signed paper counterpart returned to legal@example.com.
If there is a conflict between this DPA and the rest of the Agreement, this DPA prevails on data-protection matters.
1. Definitions
Capitalized terms have the meaning given in GDPR Article 4. "Customer Personal Data" means any personal data the Customer (or a user of the Customer's workspace) submits to or generates within the Service. "Sub-processor" has the meaning given in Article 28(2).
2. Roles and scope
For Customer Personal Data, the Customer is the Controller and 1st Place AI is the Processor. 1st Place AI processes Customer Personal Data solely on the Customer's documented instructions, which include this DPA, the Agreement, and the configuration the Customer chooses inside the Service (integrations connected, content drafted, audits run, recipients of generated content).
1st Place AI does not determine the purposes or means of processing Customer Personal Data and does not use Customer Personal Data for any purpose other than providing the Service.
For aggregated, de-identified data that 1st Place AI derives from operating the Service (e.g., system performance metrics, AI-engine response trends across the customer base), 1st Place AI is an independent Controller. Such data is not re-identifiable and is used solely to improve the Service. This DPA does not govern that processing.
3. Categories of data subject and personal data
Subject matter: provision of the Service to the Customer.
Duration: until the Agreement terminates (plus the retention periods set out in the Privacy Policy).
Nature and purpose: to operate the Service for the Customer — audits, content generation, publishing to connected channels, AI-engine visibility tracking, brand monitoring, reporting, the in-app assistant.
Categories of personal data:
- Identification and contact data of the Customer's users (name, email, profile image).
- Authentication credentials (argon2-hashed passwords, AES-256-GCM-encrypted TOTP secrets, hashed recovery codes).
- OAuth tokens for integrations the Customer connects.
- Content the Customer's users upload or generate within the Service.
- Audit log entries reflecting actions taken inside the workspace.
- Communications metadata (IP addresses, user agents, request timestamps) for security purposes.
Categories of data subject:
- The Customer's authorized users (employees, contractors, agency clients granted access).
- End users of the Customer's own websites and social channels where 1st Place AI publishes content on the Customer's behalf (limited to the metadata necessary to publish — e.g., a LinkedIn audience ID).
Special-category personal data: 1st Place AI does not require or solicit special-category personal data (GDPR Article 9). The Customer agrees not to submit special-category data without first agreeing a written variation to this DPA.
4. Processor obligations
1st Place AI will:
- Process Customer Personal Data only on the Customer's documented instructions, except where required by law (in which case we will inform the Customer of the legal requirement before processing, unless that law prohibits doing so on important grounds of public interest).
- Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures (TOMs) as set out in Annex 1 below, taking into account the state of the art, costs, and the risks of the processing.
- Engage Sub-processors only in accordance with Section 5 below.
- Assist the Customer, by appropriate technical and organisational measures, in responding to data-subject rights requests (GDPR Articles 12-23) and in complying with the Customer's own obligations under Articles 32-36 (security, breach notification, impact assessments, prior consultation).
- Notify the Customer without undue delay — and in any event within 72 hours of becoming aware — of any Personal Data Breach involving Customer Personal Data, including the information required by GDPR Article 33(3) so far as it is then known.
- At the Customer's choice, delete or return all Customer Personal Data at the end of the Agreement, subject to the retention obligations set out in the Privacy Policy (audit logs, backups, billing records).
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. The Customer may exercise this right no more than once per twelve-month period (unless following a Personal Data Breach), on reasonable prior written notice, and subject to confidentiality obligations.
5. Sub-processors
The Customer authorizes 1st Place AI to engage the Sub-processors listed at /legal/subprocessors at the time the Agreement is signed.
1st Place AI will:
- Maintain that list as current.
- Notify the Customer at least 30 days before engaging a new Sub-processor or replacing an existing one (notification via email to the Customer's account contact and via the in-app notification feed).
- Give the Customer 30 days to object on reasonable data-protection grounds. If the Customer objects, 1st Place AI will work with the Customer in good faith to find a resolution. If no resolution is possible, the Customer may terminate the Agreement on written notice; 1st Place AI will refund any prepaid fees pro-rata for the unused portion.
- Impose data-protection obligations on every Sub-processor that are at least as protective as those in this DPA, by way of a written contract.
- Remain fully liable to the Customer for the acts and omissions of its Sub-processors.
6. International transfers
Where 1st Place AI transfers Customer Personal Data outside the EEA or the UK, the parties enter into the 2021 EU Standard Contractual Clauses (Module 2 — Controller to Processor) and, for UK transfers, the UK International Data Transfer Addendum, both incorporated into this DPA by reference. 1st Place AI conducts a Transfer Impact Assessment for each cross-border Sub-processor and makes it available on written request.
7. Liability
The liability cap in the Agreement (Section 7 of the Terms of Service) applies to claims under this DPA, except for liability that cannot be limited under applicable data-protection law (e.g., supervisory-authority fines passed through under Article 82, where the limit operates only between the parties).
8. Term and survival
This DPA enters into force when the Agreement is signed or when the Customer accepts it in the dashboard, and terminates simultaneously with the Agreement. Clauses that by their nature should survive termination (confidentiality, audit cooperation, post-termination deletion, liability) survive.
Annex 1 — Technical and organisational measures
1st Place AI implements the following TOMs to protect Customer Personal Data:
A. Confidentiality (Article 32(1)(b))
- Argon2 password hashing.
- AES-256-GCM encryption at rest for OAuth tokens, TOTP secrets, webhook signing secrets, CMS configuration, and Slack bot tokens.
- Field-level access control via Prisma typed queries that prevent accidental leakage of restricted columns.
- Multi-tenant isolation: every read and write is scoped to the requesting workspace by a centralized tenant-resolver function, with row-level filters enforced in every server action.
B. Integrity (Article 32(1)(b))
- HMAC-SHA256 signing of outbound webhook payloads.
- Append-only audit log for every consequential action.
- Two-factor authentication available to every user; required for OWNER actions on enterprise plans.
C. Availability (Article 32(1)(c))
- Hosted on a Tier-IV-equivalent cloud platform with automated failover between regions.
- Daily Postgres backups, 35-day retention, point-in-time recovery to one-second granularity within the retention window.
- Documented disaster-recovery runbook; RTO 4 hours, RPO 15 minutes.
D. Network security (Article 32(1)(b))
- HTTPS-only (HSTS-preloaded).
- Modern TLS suites, with weak ciphers disabled.
- Web Application Firewall in front of every public route.
- Bot management and rate limiting on authentication endpoints.
E. Personnel (Article 32(4))
- Written confidentiality undertakings for every person with access to Customer Personal Data.
- Annual security training for all engineers and customer-success staff.
- Background checks for personnel with production access (where permitted by local law).
F. Sub-processor management (Article 28(4))
- Written DPA with every Sub-processor, imposing equivalent obligations.
- Pre-engagement security review (SOC 2, ISO 27001, or equivalent attestation required where available).
- Annual review of every active Sub-processor.
G. Incident response (Article 33)
- Documented incident-response runbook.
- 24-hour on-call rotation for security alerts.
- Customer notification within 72 hours of breach awareness.
H. Logging and monitoring
- Application-level audit logs retained for the life of the workspace plus one year post-termination, anonymized on user deletion.
- Centralized log aggregation with alerting on suspicious patterns (anomalous sign-in geographies, unusual API key usage, etc.).
I. Data-subject rights tooling
- In-product data export (Articles 15 and 20) accessible to every user from /settings/data-export.
- In-product account deletion (Article 17) accessible to every user from /security.
- Audit-log anonymization on deletion preserves the security trail without identifying the data subject.
These TOMs may evolve to reflect the state of the art; 1st Place AI undertakes not to materially reduce the level of protection without a written variation to this DPA.
For execution, please countersign and return to legal@example.com, or accept the in-product version inside /settings.