Legal · DPA

Data processing, agreed.

Our standard data processing agreement covers any engagement where CiteSurge acts as processor on your behalf.

Last updated · April 18, 2026

Parties

Controller — you, our client. Processor — Marathon Variety LDA, registered in Portugal, operating the CiteSurge product.

Subject and duration

CiteSurge processes personal data only to deliver the services in your statement of work. Processing ends when the engagement ends, unless retention is required by law.

Categories of data and data subjects

Site analytics — aggregate visitor behavior on your domain. No direct identifiers.
Business contacts — names, work emails, and roles of your team members who interact with us.
Public authorship records — names and bylines of subject-matter experts cited in content work.

Obligations

We process only on your documented instructions.
We confidentiality-bind every employee and contractor.
We apply appropriate technical and organizational measures — SSO, encryption in transit and at rest, least-privilege access, audit logs.
We notify you without undue delay — and within 72 hours of awareness — of any personal data breach.
We support you on data subject requests, DPIAs, and regulator enquiries.

Sub-processors

We engage a short list of sub-processors: payment providers, authentication, hosting, analytics, and AI-engine citation tracking. The current list is available to clients on request. We notify you before changing it, and you may object in writing.

International transfers

Where processing involves transfers outside the EEA, we rely on the European Commission’s standard contractual clauses and conduct a transfer impact assessment where required.

Audits

Once per year, or after a material incident, you may audit our compliance with this DPA. We accept written questionnaires, SOC 2 reports from sub-processors, or — on reasonable notice — an on-site visit.

End of processing

On termination, we return or delete all personal data within 30 days, unless law requires retention.

Signing

Clients on paid engagements counter-sign this DPA as part of the statement of work. A standalone signed copy is available on request: [email protected].