Legal

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement (“DPA”) applies when SchemaX processes personal data on behalf of customers (“Controller”) in connection with the SchemaX Schema or SchemaX Convert services, upon commencement of an active paid subscription. It supplements the Terms of Service and forms part of the agreement between SchemaX and the Controller. It takes effect when the Controller begins using the services to process personal data.

1. Definitions

  • “Controller” means the customer who determines the purposes and means of processing.
  • “Processor” means SchemaX, which processes personal data on behalf of the Controller.
  • “Personal Data” has the meaning given in Article 4(1) GDPR.
  • “Processing” has the meaning given in Article 4(2) GDPR.

2. Subject Matter and Duration

SchemaX processes personal data of the Controller’s website visitors for the purpose of delivering structured data injection (Schema) and conversion optimisation (Convert) services. Processing continues for the duration of the service agreement.

3. Nature and Purpose of Processing

Personal data may be processed for the following purposes:

  • Injecting schema.org markup into web pages served to visitors
  • Running A/B tests to compare conversion variants
  • Measuring performance metrics (page views, event completions)

Categories of data subjects: visitors to the Controller’s website.

Categories of personal data: IP addresses (pseudonymised), session identifiers, page URLs visited.

4. Obligations of SchemaX as Processor

SchemaX shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorised to process data have committed to confidentiality
  • Implement appropriate technical and organisational security measures (Art. 32 GDPR)
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of the service
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR

5. Sub-processors

The Controller authorises SchemaX to engage the following sub-processors. SchemaX will inform the Controller of any intended changes and give the Controller the opportunity to object:

  • Vercel Inc.: infrastructure hosting (EU edge network)
  • Resend Inc.: transactional email (for service communications only)

SchemaX ensures all sub-processors are bound by data protection obligations equivalent to this DPA.

6. Security

SchemaX implements appropriate technical and organisational measures including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Access controls limiting data access to authorised personnel
  • Regular security reviews
  • Incident response procedures

7. Data Subject Rights

SchemaX will notify the Controller without undue delay upon receiving a data subject request relating to data processed under this DPA, and will provide reasonable assistance to the Controller in fulfilling such requests.

8. Data Breaches

SchemaX will notify the Controller without undue delay and within 72 hours of becoming aware of a personal data breach affecting data processed under this DPA.

9. International Transfers

Personal data is processed within the EU/EEA. Any transfers outside the EEA are made only under appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

10. Governing Law

This DPA is governed by Austrian law (Republic of Austria), consistent with the Terms of Service.

11. Contact

DPA enquiries: hi@schemax.io