Strata
Data Processing Agreement

Data Processing Agreement

Last updated: 2026-05-05

This Data Processing Agreement ("DPA") forms part of your agreement with Modulus1 ("we", "us", "Processor") for the use of Strata. It governs the processing of personal data on your behalf ("Controller") and satisfies the requirements of GDPR Article 28 where applicable.

This DPA applies automatically when you use Strata in a context where GDPR, UK GDPR, or comparable data protection law applies to your use. No separate signature is required. Your acceptance of the Strata Terms of Service constitutes acceptance of this DPA.

For DPA inquiries or to request a countersigned copy: adamaeraa@gmail.com.

1. Definitions

"Personal Data", "Controller", "Processor", "Processing", "Data Subject", and "Supervisory Authority" have the meanings given in applicable data protection law. "Services" means the Strata SEO intelligence platform and all related features.

2. Scope and purpose of processing

Modulus1 processes personal data solely to provide the Services under your subscription, in accordance with your documented instructions (including your configuration of the platform). The subject matter, nature, and purpose of processing are described in the Strata Privacy Policy.

  • Categories of data subjects: Your end users, your workspace members, and data subjects whose data you upload or connect via integrations.
  • Categories of personal data: Name, email, account usage telemetry, and any personal data contained in datasets you connect (e.g., Google Analytics 4 data you authorize).
  • Duration: For the term of your subscription plus 30 days.

3. Processor obligations

Modulus1 agrees to:

  • Process personal data only on your documented instructions, unless required by law.
  • Ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational security measures (see Section 7).
  • Assist you in responding to data subject rights requests, to the extent reasonably possible given the nature of the processing.
  • Assist you in meeting obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
  • Delete or return all personal data upon termination of the Services, at your choice, and delete existing copies unless storage is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by you or a mandated auditor.

4. Subprocessors

You authorize Modulus1 to engage the subprocessors listed in the Privacy Policy subprocessors table. Modulus1 will notify you of any intended changes to the subprocessor list at least 10 days in advance, giving you opportunity to object. Modulus1 imposes data protection obligations on all subprocessors equivalent to those in this DPA.

5. International data transfers

Where personal data is transferred outside the European Economic Area or UK, Modulus1 will ensure appropriate transfer mechanisms are in place (e.g., Standard Contractual Clauses, adequacy decisions, or equivalent safeguards). Our default processing region is Singapore; EU/US options are available on request.

6. Data subject rights

Modulus1 will promptly notify you of any data subject rights requests received directly, and will assist you in fulfilling them. You retain primary responsibility for responding to data subjects within the applicable legal timeframe.

7. Security measures

Modulus1 maintains the following technical and organizational measures:

  • TLS 1.2+ encryption for all data in transit.
  • Encryption at rest for all stored personal data via underlying infrastructure providers (Appwrite Cloud, Cloudflare).
  • Access controls: role-based access, least-privilege principles, and audit logging of administrative actions.
  • Regular security reviews of the platform and third-party dependencies.
  • Incident response procedures including notification to affected Controllers within 72 hours of becoming aware of a personal data breach.

8. Data breach notification

In the event of a personal data breach affecting your data, Modulus1 will notify you without undue delay and in any case within 72 hours of becoming aware, providing sufficient information for you to meet your own notification obligations under applicable law.

9. Audits

Upon reasonable written notice (no less than 30 days except where required by law), Modulus1 will provide information demonstrating compliance with this DPA. Physical audits of infrastructure are conducted via our subprocessors' own audit programs (e.g., Appwrite Cloud, Cloudflare).

10. Term and termination

This DPA remains in force for the duration of your Strata subscription. On termination, Modulus1 will, at your election, delete or return personal data within 30 days, except where retention is required by applicable law.

11. Contact

Modulus1 · Adam Aera Daffa Aldrich
Email: adamaeraa@gmail.com