Data Processing Agreement

Last updated: May 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer", acting as data controller) and AutoProv Ltd (company number 16724369), a company registered in England and Wales with registered office at 241a Selbourne Road, Unit 5, Luton, Bedfordshire LU4 8NP, trading as CiteFlow ("CiteFlow", acting as data processor). It reflects the parties' agreement on the processing of personal data in connection with the Service in accordance with Article 28 of the UK GDPR.

1. Subject matter and duration

CiteFlow processes personal data on behalf of the Customer to provide the Service for the duration of the Customer's subscription, plus the retention periods set out in our Privacy Policy.

2. Nature and purpose of processing

Processing is strictly limited to operating the Service as described in the Terms: site audits, content generation, optional publishing to the Customer's connected CMS, citation tracking, and rank monitoring.

3. Categories of data and data subjects

4. Customer obligations

The Customer warrants that it has all necessary rights and lawful bases to instruct CiteFlow to process the relevant personal data, and that its instructions comply with applicable data protection law.

5. CiteFlow obligations

6. Sub-processors

The Customer authorises the sub-processors listed in our Privacy Policy. We will give at least 30 days' notice of any addition or replacement so the Customer can object on reasonable data protection grounds.

7. Security measures

We use HTTPS in transit, encryption at rest for sensitive credentials via pgcrypto, database row-level security, principle of least privilege for staff access, and regular dependency and configuration reviews.

8. Personal data breach

CiteFlow will notify the Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Customer data, providing the information required to meet the Customer's own notification obligations under UK GDPR Article 33.

9. Audit rights

The Customer may audit CiteFlow's compliance with this DPA once per year on at least 30 days' written notice, conducted during business hours, in a manner that does not unreasonably disrupt operations or compromise the confidentiality of other customers.

10. International transfers

Transfers of personal data outside the UK are made on the basis of UK adequacy decisions where available and otherwise the UK International Data Transfer Agreement or EU Standard Contractual Clauses with the UK Addendum.

11. Return and deletion of data

On termination of the Service, CiteFlow will delete or return all Customer personal data within 30 days, except to the extent that retention is required by law.

12. Governing law

This DPA is governed by the laws of England and Wales and forms part of the Terms.

13. Contact

Data protection contact: privacy@citeflow.co.uk.
