Legal

Data Processing Agreement

This Data Processing Agreement (DPA) describes how Plato Tribune processes personal data on behalf of its customers when generating AI-powered SEO content clusters and auto-publishing them to their WordPress sites. It supplements our Terms of Service.

Last updated: June 2026

Purpose and scope

This DPA governs the processing of personal data by Plato Tribune (the processor) on behalf of the customer (the controller) in the course of providing the service.

It applies whenever we process personal data subject to the GDPR or comparable data protection laws and prevails over conflicting terms regarding such processing.

Definitions

“Personal data”, “processing”, “controller”, “processor” and “data subject” have the meanings given in the GDPR.

“Sub-processor” means any third party engaged by Plato Tribune to process personal data on the controller’s behalf.

Processor obligations

We process personal data only on the documented instructions of the controller, including with regard to international transfers, unless required otherwise by law.

We ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations, and we assist the controller in meeting its own GDPR obligations.

Sub-processing

The controller grants general authorisation for us to engage sub-processors. Our current sub-processors are Stripe (billing), Vercel (hosting), MongoDB (database), Keycloak (authentication) and our AI model providers (content generation).

We impose data protection obligations on each sub-processor that are no less protective than this DPA, and we will give notice of intended changes so the controller can object.

Assistance with data subject requests

Taking into account the nature of the processing, we assist the controller with appropriate technical and organisational measures to respond to data subject requests.

If we receive a request directly from a data subject, we will forward it to the controller and will not respond ourselves except on the controller’s instructions.

Security measures

We implement appropriate technical and organisational measures, including encryption in transit (TLS) and at rest. WordPress credentials are encrypted with AES-256-GCM.

We maintain access controls, isolated environments, monitoring and backups, and we notify the controller without undue delay after becoming aware of a personal data breach.

Audits

We make available to the controller information reasonably necessary to demonstrate compliance with this DPA.

We allow for and contribute to audits, including inspections, conducted by the controller or a mandated auditor, subject to reasonable confidentiality and scheduling arrangements.

International transfers

Where processing involves transfers of personal data outside the European Economic Area, such transfers are governed by the European Commission’s Standard Contractual Clauses (SCCs).

We apply supplementary measures, such as encryption, where necessary to maintain an adequate level of protection.

Return and deletion on termination

On termination of the service, we will, at the controller’s choice, delete or return all personal data and delete existing copies, unless retention is required by law.

WordPress credentials are deleted when a site is disconnected, and customer data is deleted or anonymised within a defined period after account closure.

Liability and requesting a signed DPA

Each party’s liability under this DPA is subject to the limitations set out in our Terms of Service.

To request a countersigned copy of this DPA for your records, contact us through our contact page and we will provide an executable version.