Data Processing Agreement (DPA)
Last updated: June 30, 2026
1. Scope and Applicability
This Data Processing Agreement ("DPA") forms part of the Terms of Service between CEYMOB LLC ("Processor") and the customer ("Controller") and applies where the Processor processes personal data on behalf of the Controller in the provision of MobVex services. This DPA complies with Article 28 of the General Data Protection Regulation (GDPR).
This DPA is applicable to enterprise and business customers. To execute this DPA, please contact info@ceymob.com.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data (collection, storage, use, etc.).
- Controller: The customer who determines the purposes and means of processing.
- Processor: CEYMOB LLC, which processes data on behalf of the Controller.
- Data Subject: The individual whose personal data is being processed.
- Subprocessor: A third party engaged by the Processor to process personal data.
3. Nature and Purpose of Processing
The Processor processes personal data for the purpose of providing the MobVex Service to the Controller. Processing activities include:
- Account Data: Email addresses, names, and authentication tokens for account management.
- Billing Data: Payment information processed via Stripe (subprocessor).
- Usage Data: Tool usage logs, credit consumption, and feature interaction metrics.
- App Inventory: Package names and app identifiers provided by the Controller.
- Analysis Results: Reports, keyword rankings, and review analyses generated for the Controller.
4. Duration of Processing
Processing continues for the duration of the Controller's account and for up to 30 days after account termination, unless longer retention is required by law.
5. Processor Obligations
The Processor agrees to:
- Process personal data only on documented instructions from the Controller, including with regard to transfers.
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Section 7).
- Assist the Controller in responding to data subject rights requests.
- Assist the Controller in meeting GDPR obligations regarding security, breach notification, and DPIA.
- Notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach.
- Delete or return all personal data to the Controller upon termination of services.
- Make available to the Controller all information necessary to demonstrate compliance.
- Allow and contribute to audits conducted by the Controller or an authorized auditor.
6. Subprocessors
The Controller authorizes the Processor to engage the following subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Firebase (GCP) | Authentication, database, hosting, analytics | United States (us-central1) |
| Stripe | Payment processing | United States |
| DeepSeek AI | AI analysis of anonymized app store reviews (primary) | China |
| Google AI (Gemini) | AI analysis of anonymized app store reviews (fallback) | United States |
| Serper (Google Search API) | Search engine results for analysis | United States |
| Scrape.do | Play Store / App Store data retrieval | Global |
| Oxylabs | Play Store data retrieval | Global |
| ScrapingBee | Play Store data retrieval | Global |
| Firecrawl | Play Store data retrieval | Global |
| SerpAPI | Play Store search data retrieval | United States |
| Smartproxy | Play Store reviews retrieval | Global |
| BrightData | Play Store reviews retrieval | Global |
| SmartGPlay | Play Store search data retrieval | Global |
| GPlayScraper | Play Store top charts retrieval | Global |
The Processor will inform the Controller of any intended changes concerning the addition or replacement of subprocessors, giving the Controller the opportunity to object.
7. Security Measures
The Processor implements and maintains the following technical and organizational measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Firebase Authentication for access control with secure session management
- Content Security Policy (CSP) and security headers (X-Frame-Options, XSS Protection)
- Regular security updates and dependency vulnerability scanning
- Firewall and DDoS protection via Google Cloud infrastructure
- Access logging and monitoring for administrative actions
- Principle of least privilege for internal access to production systems
- Data stored exclusively in us-central1 region unless otherwise specified
8. Data Subject Rights
The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to data subject requests under GDPR (Articles 12-23).
Data subject requests should be directed to info@ceymob.com.
9. International Data Transfers
Personal data is processed and stored in the United States. For transfers from the EEA to the US, the Processor relies on Standard Contractual Clauses (SCCs) and supplementary measures where applicable. Google Cloud Platform's GDPR-compliant data processing terms apply to Firebase services.
10. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for data breaches caused by its negligence or willful misconduct, or where liability cannot be limited by law.
11. Execution
This DPA is incorporated by reference into the Terms of Service for qualifying customers. For a separate signed agreement, enterprise customers may contact us at info@ceymob.com.
12. Contact
CEYMOB LLC30 N Gould St, Suite 50327
Sheridan, WY 82801
Phone: (307) 487-8607
Data Protection: info@ceymob.com