Data Processing Agreement (DPA)
Last updated: 27 April 2026
This Data Processing Agreement ("DPA") forms part of the contract between Apps 365 Ltd ("Processor") and the customer ("Controller") for the LLM Submitter service. It applies whenever the Controller's use of the service involves Processing Personal Data on behalf of the Controller, as defined in the UK GDPR and the EU GDPR.
1. Roles
The Controller determines the purposes and means of Processing of its data. The Processor processes the data only on documented instructions from the Controller (the documented instruction being the use of the service as described in our Terms and Privacy Policy).
2. Subject matter, duration, nature and purpose
The Processor performs AI-readiness auditing, generation of optimisation artifacts (llms.txt, schema, robots.txt), submission of URLs to search engines, AI crawler analytics and citation tracking - all as configured by the Controller via the service UI / API. Processing lasts for the duration of the contract plus retention windows specified in the Privacy Policy.
3. Categories of data subjects and personal data
Data subjects: the Controller's account holders and (incidentally) any individual whose name appears in audit data, generated content, or citation prompts. Personal data: email addresses, names, IP addresses, billing addresses (if applicable). Special-category data is not Processed by default; the Controller agrees not to upload such data.
4. Subprocessors
The Controller authorises the use of the subprocessors listed at /subprocessors. We give 30 days' notice of new subprocessors via email; the Controller may object on reasonable grounds within that window.
5. Security measures
The Processor implements the technical and organisational measures described at /security, including: encryption in transit (TLS 1.2+), passwords stored only as bcrypt hashes, MySQL-level isolation between tenants, row-level authorisation enforced in repository code, rate limiting on authentication, IP allowlisting on admin paths, and audit logging of sensitive actions.
6. Data subject requests
If the Processor receives a request from a data subject relating to the Controller's data, the Processor will forward it to the Controller within 5 business days and assist as reasonably required.
7. Personal data breach
The Processor will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting the Controller's data, with the information needed for the Controller to fulfil its own breach-notification obligations.
8. International transfers
Where Processing involves transfers outside the UK or EEA, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs (or, where relevant, the EU SCCs in the Controller-to-Processor module) by reference, with the Processor as importer.
9. Audit
On reasonable request, the Processor provides the Controller with the documentation needed to demonstrate compliance with this DPA, and at the Controller's reasonable expense permits an audit by an independent auditor under mutually agreed scope.
10. Return / deletion
Upon termination, the Processor deletes all Personal Data within the retention windows in the Privacy Policy, except where storage is required by UK law (e.g. invoices retained for HMRC).
11. Counterpart
The Controller's use of the service constitutes acceptance of this DPA. For a counter-signed version (e.g. for procurement), email dpa@llmsubmitter.com - we'll PDF and sign.