This Data Processing Addendum and its annexures ("DPA") reflect the agreement between Ahrefs and Customer (as defined below), together referred to as the "Parties", with respect to the Processing of Customer Personal Data (as defined below) by Ahrefs under its Terms and Conditions of use and Privacy Policy (the "Agreement").

In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA will control.

1. Definitions and interpretations

For the purposes of this DPA, the following terms have the following meanings.

  1. "Affiliate" means an entity that owns or controls, is owned or controlled by or is under common ownership or control with the subject entity, where “control” means the power to direct the management or affairs of an entity and “ownership” means the beneficial ownership of fifty percent (50%) or more of the voting securities or other equivalent voting interests of the subject entity;
  2. "Ahrefs" means Ahrefs Pte Ltd (UEN No. 201227417H) 16 Raffles Quay #33-03 Hong Leong Building Singapore 048581;
  3. "Controller" means the entity which determines the purposes and means of the processing of Personal Data;
  4. "Customer" means the entity that enters into the Agreement with Ahrefs for use of or access to the Service;
  5. "Customer Personal Data" means any and all Personal Data processed (or required to be processed) by Ahrefs on the Customer’s behalf in providing the Service or performing any other obligations under the Agreement;
  6. "Data Protection Law" means all applicable legislation, laws and regulations relating to data protection and data privacy including, without limitation, the GDPR and the PDPA as applicable;
  7. "GDPR" means the European Union General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of Personal Data and on the free movement of such data, as may be amended or replaced from time to time;
  8. "PDPA" means the Personal Data Protection Act 2012 that sets out the law on data protection in Singapore, as may be amended from time to time;
  9. "Personal Data Breach" means personal data or personal information (as defined under the applicable Data Protection Law) that is subject to the applicable Data Protection Law;
  10. "Personal Data" means personal data or personal information (as defined under the applicable Data Protection Law) that is subject to the applicable Data Protection Law;
  11. "Processor" means an entity which processes Personal Data on behalf of a Controller;
  12. "Service" means the services provided by Ahrefs to the Customer, governed by the terms under the Agreement;

2. How to execute this DPA / SCCs

This DPA consists of 2 parts: the main body of the DPA and its annexes, Annexes A, B and C. To the extent they are applicable, the main body of the DPA and Annex C apply by way of incorporation to the Agreement.

The EU Standard Contractual Clauses ("SCCs") at Annex A and Annex B have been pre-signed on behalf of Ahrefs. To enter into the relevant SCCs, Customer must:

  1. Complete and sign Annex I of the SCCs; and

  2. Send the signed page to their Ahrefs' representative.

The SCCs will become legally binding upon receipt of Ahrefs of the validly signed SCCs by email.

3. Data Transfers

  1. The EU Standard Contractual Clauses Module 2 (Controller to Processor) at Annex A applies where Customer or Customer's Affiliate in the European Economic Area or Switzerland (for purposes of this DPA, together the "EEA") transfers Personal Data to Ahrefs and where the Customer is the Controller and Ahrefs is the Processor.
  2. The EU Standard Contractual Clauses Module 3 (Processor to Processor) at Annex B applies where Customer or a Customer Affiliate in the EEA transfers Personal Data to Ahrefs and where the Customer is a Processor and Ahrefs is also a Processor.
  3. The Data Transfer Agreement at Annex C applies where Customer or a Customer Affiliate in non-EEA countries transfers Personal Data to Ahrefs.
  4. In the event of any conflict between the terms of this DPA and the annexures, the terms of the annexures will control.

4. No agency

Nothing in this DPA shall constitute or be deemed to constitute a partnership or joint venture among the Parties or constitute or be deemed to constitute any Party as the agent or employee of any of the other Parties for any purpose whatsoever and no Party shall have authority or power to bind any of the other Parties or to contract in the name of, or create a liability against, any of the other Parties in any way or for any purpose unless agreed by the applicable Parties in writing.

5. Governing law

This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of Singapore.

6. Jurisdiction

Parties irrevocably agree that the courts of Singapore shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation.

7. Termination

This DPA shall automatically terminate on the expiration or earlier termination of the Agreement.

Annex C. Data Transfer Agreement

1. Customer’s obligations

  1. Customer shall, in its use of the Service, process Customer Personal Data in accordance with the requirements of applicable Data Protection Law. Customer’s instructions for the processing of Customer Personal Data shall comply with the applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data.

  2. The Customer warrants that it has all necessary rights to provide the Customer Personal Data to Ahrefs for the processing of Customer Personal Data in relation to the Service. To the extent required by the applicable Data Protection Law, the Customer is responsible for ensuring that consent of all individuals whose data is to be processed is obtained and for ensuring that a record of such consent is maintained. Should such a consent be revoked by the individual, Customer is responsible for communicating the fact of such revocation to Ahrefs, and Ahrefs remains responsible for implementing any Customer instruction with respect to the further processing of Customer Personal Data that is consistent with the terms of this DPA.

2. Ahrefs’ obligations

To the extent that Ahrefs processes Customer Personal Data on behalf of Customer, it shall:
  1. comply with Data Protection Law;

  2. at all times have in place an appropriate security policy with respect to the processing of Customer Personal Data, outlining in any case the measures referenced in Section 3 below.

3. Security

  1. Ahrefs and Customer shall implement appropriate technical and organizational measures for the security and protection of the Customer Personal Data.

  2. To the extent required by applicable Data Protection Laws, Ahrefs shall notify the Customer without undue delay upon becoming aware of any Personal Data Breach.

4. Information obligations and incident management

When Ahrefs becomes aware of a Personal Data Breach, it shall notify the Customer at their registered address about the Personal Data Breach without undue delay, shall provide commercially reasonable cooperation to the Customer, and shall take commercially reasonable steps to remediate the Personal Data Breach, if applicable, to the extent that remediation is within Ahrefs' control. At the Customer’s request and subject to the Customer paying all of Ahrefs’ fees at prevailing rates, and all expenses, Ahrefs will promptly provide the Customer with all reasonable assistance necessary to enable the Customer to notify relevant Personal Data Breaches to the relevant regulators and/or affected individuals, if Customer is required to do so under applicable Data Protection Law. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. The obligations of this Section 4 do not apply to Personal Data Breaches that are caused by the Customer, individuals, and/or any products and services other than Ahrefs'.

5. Limitation of Liability

The liability of each Party and its respective Affiliates’, taken together in the aggregate, arising out of or relating to this DPA shall be subject to the section(s) of the Agreement governing limitations of liability, and any reference in such section(s) to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement and all DPAs together.