Data Processing Agreement

1. Definitions

In this Data Processing Agreement (DPA), the following terms have the meanings set forth below:

• Controller: The entity (Client/Customer) that determines the purposes and means of data processing.
• Processor: NextGenIQ, which processes data on behalf of the Controller.
• Data Subject: The individual to whom personal data relates.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data, such as collection, storage, use, analysis, transmission, or deletion.

2. Scope and Purpose

This DPA applies to all processing of personal data by NextGenIQ on behalf of the Controller through the NextGenIQ platform and services. The purpose of processing is to monitor and analyze how AI engines (ChatGPT, Perplexity, Gemini, Claude) recommend brands and provide visibility metrics to the Controller.

3. Obligations of Processor (NextGenIQ)

NextGenIQ shall:

• Process personal data only on documented instructions from the Controller.
• Ensure that persons authorized to process personal data have committed to confidentiality.
• Implement and maintain appropriate technical and organizational security measures.
• Not process personal data for purposes other than those specified by the Controller.
• Assist the Controller in meeting its data subject rights obligations.
• Delete or return personal data upon termination of services, unless required by law to retain.

4. Obligations of Controller

The Controller shall:

• Provide clear written instructions regarding the processing of personal data.
• Ensure it has a lawful basis for processing and has obtained necessary consents.
• Maintain accurate records of processing activities.
• Ensure all personal data is accurate and kept up to date.
• Cooperate with NextGenIQ in exercising data subject rights.

5. Categories of Data Processed

NextGenIQ processes the following categories of personal data:

• Account Data: Name, email address, company name, phone number, billing address, payment information.
• AI Monitoring Query Data: Customer brand/keyword information submitted for monitoring across AI engines.
• Brand Visibility Metrics: AI response data, mention frequency, position, sentiment analysis results.
• Usage Data: Log data, IP addresses, cookie identifiers, access times, and platform interaction data.

6. Data Subject Categories

Personal data processed may relate to employees, contractors, and customers of the Controller, as well as individuals whose brands or businesses are being monitored for AI visibility.

7. Security Measures

NextGenIQ implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

• Encryption of personal data in transit (TLS 1.2+) and at rest.
• Access controls limiting data access to authorized personnel only.
• Regular security assessments and vulnerability testing.
• Multi-factor authentication for user accounts.
• Secure deletion procedures for data no longer needed.
• Incident response procedures and breach notification protocols.

8. Sub-Processors

NextGenIQ uses the following sub-processors to provide the service:

• AWS (Amazon Web Services): Cloud infrastructure, data storage, and computing services.
• Vercel: Application deployment and hosting.
• Supabase: Database and authentication services.
• Clerk: User authentication and session management.
• OpenAI: AI engine integration for brand monitoring.
• Anthropic: AI engine integration for brand monitoring.
• Google: AI engine integration (Gemini) for brand monitoring.
• Stripe: Payment processing and billing services.

The Controller authorizes NextGenIQ to use these sub-processors. NextGenIQ shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors.

9. International Data Transfers

Personal data may be transferred to and processed in countries other than the country in which the Controller operates. Such transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) or other mechanisms recognized by applicable data protection laws. By using the service, the Controller consents to such transfers.

10. Data Breach Notification

NextGenIQ shall notify the Controller without undue delay, and in no case later than 72 hours, after becoming aware of a confirmed data breach or unauthorized processing of personal data. The notification shall include the nature of the breach, likely consequences, and measures taken or proposed to address the breach.

11. Audit Rights

The Controller has the right to request reasonable information about NextGenIQ's compliance with this DPA, including details about security measures, sub-processor arrangements, and data handling practices. NextGenIQ shall provide an annual SOC 2 Type II compliance report or equivalent upon request.

12. Data Subject Rights

NextGenIQ shall assist the Controller in responding to requests from data subjects regarding:

• Right of access to their personal data.
• Right to rectification or correction of inaccurate data.
• Right to erasure ("right to be forgotten").
• Right to restrict processing.
• Right to data portability.
• Right to object to processing.

13. Return or Deletion of Data

Upon termination of the service agreement or at the Controller's request, NextGenIQ shall, at the Controller's election, delete or return all personal data processed and certify the deletion, unless applicable law requires retention of the data.

14. Term and Termination

This DPA shall commence on the date the Controller begins using the NextGenIQ service and shall continue for the duration of the service agreement. Upon termination of the service agreement, the provisions of this DPA shall continue to apply until all personal data has been deleted or returned in accordance with Section 13.

15. Contact Information

For questions or concerns regarding this Data Processing Agreement or data protection practices, please contact:

Email: privacy@nextgeniq.io

16. Amendments

NextGenIQ may amend this DPA to comply with changes in applicable laws. The Controller will be notified of material changes with at least 30 days' notice. Continued use of the service after the notice period constitutes acceptance of the amended DPA.