This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions (the “Agreement”) between Cloud Infra LLC, doing business as ExpertRec (“ExpertRec,” “we,” or “Processor”), and the entity or individual agreeing to the Agreement (“Customer” or “Controller”). This DPA applies to the extent ExpertRec processes Personal Data on behalf of Customer in the course of providing the ExpertRec Services.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement. In addition:

“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (as applicable) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and any other applicable data protection or privacy legislation.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“Personal Data” means any information relating to a Data Subject that is processed by ExpertRec on behalf of Customer as part of the ExpertRec Services, as further described in Annex 1.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

“Sub-processor” means any third party engaged by ExpertRec to process Personal Data on behalf of Customer.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).

2. Scope and Roles

2.1 For the purposes of Applicable Data Protection Law, Customer is the Controller and ExpertRec is the Processor with respect to Personal Data processed under the Agreement.

2.2 ExpertRec shall process Personal Data only to the extent necessary to provide the ExpertRec Services in accordance with the Agreement and Customer’s documented instructions, unless required to do so by applicable law, in which case ExpertRec shall (to the extent permitted by law) inform Customer of that legal requirement before processing.

2.3 The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1 of this DPA.

3. Customer Obligations

3.1 Customer represents and warrants that: (a) it has complied and will continue to comply with all Applicable Data Protection Law in respect of its use of the ExpertRec Services and any processing instructions it issues to ExpertRec; (b) it has obtained all necessary consents and authorizations, and has provided all required notices, for the lawful processing of Personal Data by ExpertRec as contemplated by the Agreement and this DPA.

4. ExpertRec Obligations

4.1 Processing Instructions. ExpertRec shall process Personal Data only on documented instructions from Customer (including the instructions set out in the Agreement and this DPA), unless processing is required by applicable law. ExpertRec shall immediately inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

4.2 Confidentiality. ExpertRec shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures. ExpertRec shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures are described in Annex 2 of this DPA and shall include, at a minimum:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest;
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.

4.4 Data Subject Rights. Taking into account the nature of the processing, ExpertRec shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. If ExpertRec receives a request from a Data Subject directly, ExpertRec shall promptly redirect the Data Subject to Customer and notify Customer of the request, unless otherwise required by law.

4.5 Assistance with Compliance. ExpertRec shall, taking into account the nature of processing and the information available to ExpertRec, assist Customer in ensuring compliance with Customer’s obligations under Articles 32 to 36 of the GDPR (or equivalent provisions under other Applicable Data Protection Law), including obligations relating to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.

5. Sub-processors

5.1 General Authorization. Customer provides a general written authorization for ExpertRec to engage Sub-processors to process Personal Data on behalf of Customer. The current list of Sub-processors is set out in Annex 3 of this DPA.

5.2 Notice of Changes. ExpertRec shall notify Customer at least thirty (30) days in advance of any intended addition or replacement of a Sub-processor by updating the Sub-processor list and notifying Customer via email. Customer may object to the appointment of a new Sub-processor on reasonable data protection grounds by notifying ExpertRec in writing within fifteen (15) days of receiving notice. If Customer objects, ExpertRec shall use commercially reasonable efforts to make available to Customer a change in the ExpertRec Services or recommend a commercially reasonable change to Customer’s use of the ExpertRec Services to avoid processing of Personal Data by the objected-to Sub-processor. If ExpertRec is unable to provide such an alternative within thirty (30) days of Customer’s objection, either party may terminate the affected portion of the Agreement with respect to the ExpertRec Services that cannot be provided without the use of the objected-to Sub-processor, without penalty.

5.3 Sub-processor Obligations. ExpertRec shall: (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA; and (b) remain fully liable to Customer for the performance of each Sub-processor’s obligations.

6. Personal Data Breach Notification

6.1 ExpertRec shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data.

6.2 Such notification shall include, to the extent available: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the breach; (c) a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects; and (d) the name and contact details of ExpertRec’s point of contact for further information.

6.3 ExpertRec shall cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

7. Audits and Inspections

7.1 ExpertRec shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or a qualified third-party auditor mandated by Customer.

7.2 Audits shall be conducted: (a) with reasonable advance notice of at least thirty (30) days; (b) during normal business hours; (c) in a manner that does not unreasonably disrupt ExpertRec’s operations; and (d) no more than once per twelve (12) month period, unless a Personal Data Breach has occurred or a supervisory authority requires an additional audit.

7.3 To the extent ExpertRec maintains certifications or audit reports (such as SOC 2 Type 2 or ISO 27001), ExpertRec may satisfy audit requests by providing copies of such reports or certifications, provided they are no more than twelve (12) months old.

8. International Data Transfers

8.1 To the extent that the processing of Personal Data involves a transfer of Personal Data from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, the parties agree that such transfers shall be governed by the Standard Contractual Clauses (Module Two: Controller to Processor), which are hereby incorporated by reference into this DPA.

8.2 For transfers from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (as issued by the UK Information Commissioner’s Office) shall apply.

8.3 ExpertRec shall implement appropriate supplementary measures (such as encryption and access controls) to ensure that the transferred Personal Data is afforded a level of protection that is essentially equivalent to that guaranteed within the EEA.

9. Data Retention and Deletion

9.1 Upon termination or expiration of the Agreement, ExpertRec shall, at Customer’s election, delete or return all Personal Data processed on behalf of Customer within thirty (30) days, and delete existing copies unless applicable law requires further storage. ExpertRec shall certify such deletion in writing upon Customer’s request.

9.2 ExpertRec may retain Personal Data to the extent required by applicable law, provided that ExpertRec shall ensure the confidentiality of such Personal Data and shall process it only for the purpose required by law.

10. CCPA-Specific Provisions

10.1 To the extent the CCPA or CPRA applies, ExpertRec is a “Service Provider” as defined under the CCPA. ExpertRec shall not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than performing the ExpertRec Services as specified in the Agreement, or as otherwise permitted by the CCPA; or (c) retain, use, or disclose Personal Data outside of the direct business relationship between ExpertRec and Customer.

10.2 ExpertRec certifies that it understands and will comply with the restrictions set out in this Section 10.

11. General

11.1 Liability. Each party’s liability under this DPA is subject to the limitations of liability set out in the Agreement.

11.2 Governing Law. This DPA shall be governed by the same governing law as the Agreement, except where Applicable Data Protection Law requires otherwise.

11.3 Amendments. ExpertRec may update this DPA from time to time to reflect changes in Applicable Data Protection Law or our processing practices. We will notify Customer of material changes by posting the updated DPA on our website and, where required, by email.

11.4 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.


Annex 1: Details of Processing

Subject Matter of Processing: Provision of AI-powered search, recommendation, personalization, and analytics services as described in the Agreement.

Duration of Processing: For the term of the Agreement, plus any period required for data deletion or return as described in Section 9.

Nature and Purpose of Processing: ExpertRec processes Personal Data to provide the ExpertRec Services, including indexing and serving search results, generating product recommendations, personalizing user experiences, delivering analytics and reporting, and providing customer support.

Types of Personal Data:

  • Search queries entered by end users
  • IP addresses and device/browser metadata
  • Clickstream and interaction data (views, clicks, add-to-cart, purchases)
  • Customer account information (name, email address)
  • Any other Personal Data contained within Customer Data submitted to the ExpertRec Services

Categories of Data Subjects:

  • Customer’s end users (website visitors and shoppers)
  • Customer’s employees and authorized users of the ExpertRec control panel

Annex 2: Technical and Organizational Security Measures

ExpertRec maintains the following technical and organizational measures to protect Personal Data:

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS); legacy SSL and earlier TLS versions are not accepted
  • Data at rest is encrypted using AES-256 encryption on storage volumes

Access Controls

  • Role-based access control (RBAC) for all internal systems
  • Principle of least privilege enforced for employee access to production systems
  • Multi-factor authentication (MFA) required for access to infrastructure and administrative systems
  • Unique user credentials; shared accounts are prohibited

Infrastructure Security

  • ExpertRec Services are hosted on Amazon Web Services (AWS) and DigitalOcean, both of which maintain SOC 2 Type 2, ISO 27001, and other industry certifications
  • Network firewalls and security groups restrict access to production environments
  • Intrusion detection and monitoring systems are in place
  • Regular vulnerability scanning and patching

Business Continuity and Disaster Recovery

  • Automated backups of Customer Data with geographically distributed redundancy
  • Disaster recovery procedures tested periodically
  • 99.99% uptime SLA as described in the Agreement

Organizational Measures

  • Confidentiality obligations for all employees and contractors with access to Personal Data
  • Security awareness training for personnel
  • Incident response procedures and escalation protocols
  • Periodic review and assessment of security measures

Annex 3: List of Sub-processors

The following Sub-processors are authorized to process Personal Data on behalf of Customer as of the date of this DPA:

  • Amazon Web Services (AWS). Purpose: cloud infrastructure hosting, data storage, and compute services. Location: United States (with regional availability)
  • DigitalOcean. Purpose: cloud infrastructure hosting and data storage. Location: United States (with regional availability)
  • OVHcloud. Purpose: cloud infrastructure hosting, data storage, and compute services. Location: France / European Union (with global availability)
  • Google LLC (Google Analytics 4). Purpose: analytics data processing (when enabled by Customer). Location: United States

ExpertRec will update this list and notify Customer in accordance with Section 5.2 of this DPA when Sub-processors are added or changed.


Last Updated: July 2025

If you have questions about this Data Processing Addendum, please contact us at support@expertrec.com.
