Data Processing Agreement
Last updated: 2026-05-18
This Data Processing Agreement (DPA) governs the processing of personal data by CPG Estudio IA ("Processor") on behalf of the Customer ("Controller"), in accordance with Article 28 GDPR.
1. Scope
The Processor processes personal data only as needed to provide the AEO Platform Service to the Controller.
2. Types of data
- End-user credentials (email, name) of the Controller's team.
- URLs and queries configured by the Controller.
- AI responses analyzed (no end-user PII unless the Controller inputs it).
3. Subprocessors
Subprocessors are listed in our Privacy Policy. We notify Controllers 30 days before adding a new subprocessor.
4. Security measures
- Encryption in transit (TLS 1.2+).
- Encryption at rest (Supabase Postgres).
- Row-Level Security (RLS) per organization.
- 2FA optional for admins.
- Audit log of admin actions (5 years).
- Backups daily, point-in-time recovery 7 days.
5. Data subject rights
The Controller can export and delete data at any time from /settings → RGPD. The Processor commits to assisting within 30 days.
6. Data breach notification
The Processor will notify the Controller without undue delay (under 72h) if it becomes aware of a breach.
7. Termination
Upon termination, all data is deleted within 30 days unless legal retention applies (invoices: 10 years).
8. Signing this DPA
By accepting our Terms of Service, the Controller accepts this DPA. Enterprise plans can request a signed PDF copy by email to coyotepalido@gmail.com.