Data Processing Agreement
Version 1.0 — Effective date: 17 May 2026
This DPA is incorporated by reference into the RunnerDuck subscription agreement. By subscribing to RunnerDuck, the Customer agrees to the terms of this agreement. No separate signature is required.
Parties
Controller (Customer): The agency or individual who has created a RunnerDuck account and subscribes to the service ("you").
Processor (RunnerDuck): RunnerDuck, operated at runnerduck.pro, with contact email hello@runnerduck.pro ("we", "RunnerDuck").
1. Definitions
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Supervisory Authority" have the meanings given in the GDPR.
"Sub-processor" means any third party engaged by RunnerDuck to carry out processing activities on behalf of the Controller.
"Services" means the SEO metadata monitoring and change tracking service provided by RunnerDuck.
2. Roles and scope
The parties acknowledge that, in relation to the Personal Data processed under this agreement, the Customer acts as the Controller and RunnerDuck acts as the Processor.
RunnerDuck also acts as an independent Controller for its own business purposes (account administration, billing, security) as described in the Privacy Policy. This DPA applies only to processing carried out on the Customer's behalf.
3. Details of processing (Annex I)
Subject matter
Processing of Personal Data in the course of providing the RunnerDuck website metadata monitoring service to the Customer.
Duration
For the term of the Customer's subscription to RunnerDuck, and for the period necessary to fulfil any retention obligation or exercise any legal right after termination.
Nature and purpose of processing
- Crawling websites specified by the Customer and extracting metadata (titles, descriptions, canonical tags, structured data, etc.)
- Storing change history and health scores for those websites
- Sending alert notifications to Customer-configured email addresses and webhook endpoints
- Generating AI-assisted recommendations based on crawl data
- Retrieving search traffic data from Google Search Console when authorised by the Customer
Types of Personal Data
- Email addresses of individuals configured to receive alert notifications
- Webhook URLs which may resolve to systems containing personal data
- Metadata extracted from crawled pages that may incidentally contain personal data (e.g. staff names appearing in page titles on websites managed by the Customer)
- Google Search Console OAuth credentials (access and refresh tokens) when GSC is connected
Note: The primary data processed by RunnerDuck (page titles, meta descriptions, HTTP status codes, canonical tags, structured data) describes web pages, not individuals, and is not Personal Data in the ordinary case. The types above represent edge cases and ancillary personal data.
Categories of Data Subjects
- Employees or contractors of the Customer designated as alert recipients
- Any individuals whose personal data appears incidentally in website metadata on sites managed by the Customer
4. Processor obligations
RunnerDuck shall, in accordance with Art. 28(3) GDPR:
Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EU/EEA, unless required to do so by applicable law (in which case RunnerDuck shall inform the Controller before processing, unless prohibited by law).
Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
Implement appropriate technical and organisational security measures in accordance with Art. 32 GDPR, as described in Clause 7 of this agreement.
Engage Sub-processors only as listed in Annex II (Clause 8), or as subsequently updated in accordance with Clause 5, and impose equivalent data protection obligations on each Sub-processor by contract.
Assist the Controller, by appropriate technical and organisational measures, in responding to requests from Data Subjects exercising their rights under Chapter III GDPR, taking into account the nature of the processing.
Assist the Controller in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available to RunnerDuck.
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the data.
Make available to the Controller all information necessary to demonstrate compliance with the obligations in Art. 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, upon reasonable written notice (minimum 30 days) and subject to appropriate confidentiality obligations.
5. Sub-processors
The Controller provides general written authorisation for RunnerDuck to engage Sub-processors. The current list of Sub-processors is set out in Annex II (Clause 8).
RunnerDuck shall give the Controller at least 30 days' prior written notice (by email to the account's registered address) of any intended addition or replacement of a Sub-processor. The Controller may object to the change within that period by emailing hello@runnerduck.pro. If RunnerDuck proceeds with the change despite a reasonable objection, the Controller may terminate the subscription with a pro-rata refund for the unused portion of the current billing period.
6. International transfers
RunnerDuck's primary infrastructure is hosted in the European Union (Hostinger VPS, Vilnius, Lithuania). Some Sub-processors are located in the United States (see Annex II).
Transfers to US-based Sub-processors are made subject to the EU Standard Contractual Clauses (Commission Decision C(2021) 3972) or other lawful transfer mechanisms. RunnerDuck has entered into or relied upon Data Processing Agreements with each US Sub-processor that include appropriate transfer safeguards.
7. Security measures (Art. 32 GDPR)
RunnerDuck implements the following technical and organisational measures:
- All data in transit encrypted via TLS 1.2 or higher (HTTPS)
- OAuth tokens and sensitive credentials encrypted at rest using AES-128-CBC (Fernet)
- Database access restricted to the application server; no public database port
- Row-level security (PostgreSQL RLS) ensuring each agency can access only their own data
- Authentication via Clerk with industry-standard JWT (RS256) token validation
- Automated nightly database backups retained for 7 days
- Access to production infrastructure limited to authorised personnel only
- Dependency vulnerability scanning via npm audit and pip-audit
8. Sub-processor list (Annex II)
| Sub-processor | Country | Purpose | Transfer basis |
|---|---|---|---|
| Hostinger International | Lithuania (EU) | VPS hosting, database, infrastructure | EU — no transfer |
| Clerk Technologies Inc. | USA | User authentication, session management | SCCs + Clerk DPA |
| Resend Inc. | USA | Transactional email delivery | SCCs + Resend DPA |
| Amazon Web Services (SES) | USA / EU | Email infrastructure (via Resend) | SCCs + AWS DPA |
| Stripe Inc. | USA / Ireland (EU) | Subscription billing and payment processing | EU entity + Stripe DPA |
| Google LLC | USA / EU | CrUX API (Core Web Vitals), GSC API (when connected) | EU adequacy + Google DPA |
| Anthropic PBC | USA | AI recommendations (anonymised health data only — no personal data) | No personal data transferred |
9. Data breach notification
RunnerDuck shall notify the Controller without undue delay — and in any event within 48 hours — after becoming aware of a Personal Data breach affecting data processed under this agreement. The notification shall include, to the extent available: the nature of the breach; categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed to address the breach. This assists the Controller in meeting its own 72-hour notification obligation to the Supervisory Authority under Art. 33 GDPR.
10. Controller obligations
The Controller warrants and represents that:
- It has a lawful basis for instructing RunnerDuck to process any Personal Data on its behalf;
- It has provided, or will provide, all required privacy notices to Data Subjects whose data is processed under this agreement;
- The websites and email addresses it configures within RunnerDuck relate to its own business or to clients for whom it has appropriate authorisation to act;
- It will promptly inform RunnerDuck of any instructions that it believes would violate applicable data protection law.
11. Termination and data deletion
Upon termination of the Customer's subscription, RunnerDuck will delete all crawled site data, change history, and health scores associated with the account within 30 days. Account records necessary for billing or legal obligations will be retained for up to 7 years as required by applicable law, after which they will be permanently deleted. The Customer may request earlier deletion of personal data by emailing hello@runnerduck.pro.
12. Governing law and supervisory authority
This agreement is governed by the law of the Republic of Latvia. The competent Supervisory Authority for RunnerDuck as the Processor is the Data State Inspectorate of Latvia (Datu valsts inspekcija, dvi.gov.lv). Controllers established in other EU member states may also lodge complaints with their local Supervisory Authority.
13. Updates to this agreement
RunnerDuck may update this DPA to reflect changes in applicable law or processing activities. Material changes will be notified by email at least 30 days before taking effect. Continued use of the service after the effective date constitutes acceptance of the updated terms.
14. Contact
Data protection queries, deletion requests, and audit requests: hello@runnerduck.pro