Data Processing Addendum

Last updated: June 4, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer") and PL Tech Labs, the operator of Metricstab ("Metricstab"), and applies whenever Metricstab processes personal data on your behalf. The DPA reflects the obligations of a Processor under the EU General Data Protection Regulation (GDPR), the UK GDPR, equivalent obligations under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and a Data Processor's obligations under India's Digital Personal Data Protection Act, 2023 ("DPDPA").

1. Roles of the parties

You are the Controller (GDPR) / Business (CCPA) / Data Fiduciary (DPDPA) of personal data you provide or that Metricstab collects through services you authorize (such as Google Search Console). Metricstab is the Processor / Service Provider / Data Processor and processes that personal data only on documented instructions from you.

2. Subject matter, duration, and nature of processing

Metricstab processes personal data to provide SEO analytics, reporting, and insights for the duration of your subscription, plus the retention windows described in our Privacy Policy. The categories of data subjects and personal data are described there as well.

3. Subprocessors

You authorize Metricstab to engage the subprocessors listed at /legal/subprocessors/. We will give at least 30 days' notice before adding new subprocessors; if you have a reasonable objection on data-protection grounds, you may terminate the affected portion of the service.

4. Confidentiality

Metricstab ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations.

5. Security measures

Metricstab maintains technical and organizational measures appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest, least-privilege access controls, dependency scanning, and audit logging. These measures meet the "Reasonable Security Practices and Procedures" requirements under India's Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

6. International transfers

Metricstab is operated from India with production infrastructure in the United States. For transfers of EEA / UK personal data to jurisdictions without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), which are deemed incorporated into this DPA by reference. For DPDPA transfers, Metricstab will not transfer personal data of Indian data principals to any country the Government of India has notified as restricted.

7. Data subject / data principal rights

Metricstab will assist Customer with responding to requests to exercise data subject rights (GDPR/UK GDPR), consumer rights (CCPA), or data principal rights (DPDPA) at no additional charge, taking into account the nature of the processing.

8. Personal data breach notification

Metricstab will notify Customer without undue delay (and in any event within 72 hours where feasible) after becoming aware of a personal data breach affecting Customer's data, and will provide information reasonably necessary for Customer to comply with its own breach-notification obligations.

9. Audit

Customer may, on reasonable prior notice and no more than once per year, request information demonstrating compliance with this DPA. Where independent audits are required, the parties will agree the scope and a confidential third-party auditor.

10. Termination and deletion

On termination of the Terms of Service, and at Customer's option, Metricstab will delete or return personal data within 30 days, save where retention is required by applicable law.

11. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict on matters of data protection.


Questions? Email hello@metricstab.com or visit our support page.